search

wazuh / wazuh-api

Wazuh - RESTful API
https://wazuh.com
GNU General Public License v2.0
69 stars 57 forks source link

Wazuh could not be recovered. #483

Closed mailtovyom closed 4 years ago

mailtovyom commented 4 years ago

Hi ,

I am facing issue that whenever i open kibana web console and go to Wazuh, it show me Wazuh could not be recovered. when i restart /var/ossecc/bin/ossecc-control restart - after that it start working but after 5-10 minute it again show message wazuh could not be recovered.

Please help me to resolve this.

sandroded commented 4 years ago

I have the same issue, but it started only after upgrade to 3.12. It helps to restart wazuh-manager and wazuh-api services.
I don't see any errors in the ossec.log. And in the api log it shows 1017 error: WazuhAPI 2020-04-18 10:00:01 wazuh_manager_api_user: [::ffff:127.0.0.1] GET /agents/?offset=0&limit=1&q=id!%3D000 - 200 - error: '1017'. WazuhAPI 2020-04-18 10:00:01 wazuh_manager_api_user: [::ffff:127.0.0.1] GET /cluster/status? - 200 - error: '1017'.

AdriiiPRodri commented 4 years ago

Hello @mailtovyom and @sandroded,

We apologize for the late response. It is possible that both errors are related. Error 1017 means that some essential Wazuh daemon is not working. The essential daemos for Wazuh are the following: 'wazuh-modulesd', 'ossec-analysisd', 'ossec-execd', 'wazuh-db'. Therefore, looking at the API log we can see that the API service is working.

In order to help you better, I would need to have more information:

When this problem arises, to find out which daemon is failing we will execute this command and copy the result here: ps -edf | grep ossec

Once we identify the daemon we will proceed to put the daemon into debug mode. In the following link we have more information about this process Wazuh internal-options

Finally, we restart Wazuh and wait for the error to show up. Once it shows up we execute the following command and copy the result here: tail -n100 /var/ossec/logs/ossec.log | grep IDENTIFIED_DAEMON

Let's see if the logs can help us find the issue here. If you have any questions or problems with the process, please do not hesitate to ask.

Best regards, Adrián Peña

davidjiglesias commented 4 years ago

Hello @mailtovyom and @sandroded ,

I close this issue for inactivity. If you have more questions related to this topic or any other one, I suggest joining our Slack channel and be part of our community: https://wazuh.com/community/join-us-on-slack/

Kind regards,

David J. Iglesias