wazuh / wazuh-dashboard-plugins

Plugins for Wazuh Dashboard
https://wazuh.com/
GNU General Public License v2.0

GDPR API not working #2015

Closed JoshBuch closed 4 years ago

JoshBuch commented 4 years ago

Dear team, recently I had set up the Wazuh SIEM system. The system is up and running and working fine but there is one problem. In the regulatory compliance section all the APIs PCI-DSS, HIPAA, NIST are working except the GDPR one. When clicked on, it shows "Server did not respond /api/gdpr/all" or sometimes it does not display anything and just shows "fetching data". Please help regarding the above issue.

pablotr9 commented 4 years ago

Hi @JoshBuch ,

Could you please specify the Wazuh version and the version of your Elasticsearch? We need some more information to give you further assistance, so please enable the debug log level in both Wazuh API and Wazuh UI for Kibana, I'll explain to you how to do that:

  1. Enable Debug mode in Wazuh UI:

    • Edit the wazuh.yml (/usr/share/kibana/plugins/wazuh/wazuh.yml) and replace this line:

        #logs.level: info

      with:

        logs.level: debug

    • Then restart Kibana (once your problem is fixed you can disable the debug mode by setting the log level back to info again)
  2. Enable Debug mode in Wazuh API: edit the config.js file (/var/ossec/api/configuration/config.js) and replace this line:

        config.logs = "info";

     with:

        config.logs = "debug";

     Now restart Wazuh manager and Wazuh API:

        systemctl restart wazuh-manager
        systemctl restart wazuh-api

We now have enabled the debug mode in both Wazuh UI and Wazuh API, so let's now try accessing the Wazuh UI and go to the GDPR section, then check the logs.

Wazuh UI logs:

    tail -n 50 /usr/share/kibana/optimize/wazuh-logs/wazuhapp.log

Wazuh API logs:

    tail -n 50 /var/ossec/logs/api.log

Please paste the output in a file and attach it to your reply, so we can give you further assistance.

Best Regards, Pablo Torres

JoshBuch commented 4 years ago

The wazuh version I'm using is 3.11.1 and the version of elasticsearch being used is 7.5.0. Wazuh_UI_Logs.txt Wazuh_API.txt

pablotr9 commented 4 years ago

Hi @JoshBuch ,

Thanks for your reply. I can't see any error log in that last Wazuh_API file, let's get some more logs. Please now access the GDPR dashboard, and once you get the "Server did not respond /api/gdpr/all" send me again the result of this command in a new file attached to your reply.

    tail -n 500 /var/ossec/logs/api.log

Sorry for any inconvenience

Best Regards, Pablo Torres

JoshBuch commented 4 years ago

Hi @pablotr9 I tried the above mentioned steps, but there is no mention of gdpr in the api.log file.

pablotr9 commented 4 years ago

Hi @JoshBuch ,

Ok, let's do some more checks to find out why you are getting that error. Please run this request and paste the output to your reply:

    curl -u user:password http://WAZUH-IP:55000/rules/gdpr

Let's also check the endpoint that fails, /api/gdpr/all:

    curl KIBANA-IP:5601/api/gdpr/all

Regards, Pablo Torres

JoshBuch commented 4 years ago

Hi @pablotr9 sorry for the late reply. The output of the first command is: {"error":0,"data":{"items":["II_5.1.f","IV_30.1.g","IV_32.2","IV_35.7.d"],"totalItems":4}} and that of the second command is: {"II_5.1.f":"Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, verifying its modifications, accesses, locations and guarantee the safety of them.File sharing protection and file sharing technologies that meet the requirements of data protection.","III_14.2.c":" Restrict the processing of personal data temporarily.","III_17":" Permanently erase personal information of a subject.","IV_24.2":"Be able to demonstrate compliance with the GDPR by complying with data protection policies.","IV_28":" Ensure data protection during processing, through technical and organizational measures.","IV_30.1.g":"It is necessary to keep all processing activities documented, to carry out an inventory of data from beginning to end and an audit, in order to know all the places where personal and sensitive data are located, processed, stored or transmitted.","IV_32.1.c":"Data Loss Prevention (DLP) capabilities to examine data flows and identify personal data that is not subject to adequate safeguards or authorizations. DLP tools can block or quarantine such data flows. Classify current data appropriately to determine specific categories of data that will be subject to the GDPR.","IV_32.2":"Account management tools that closely monitor actions taken by standard administrators and users who use standard or privileged account credentials are required to control access to data. ","IV_33":" Notify the supervisory authority of a violation of the data in 72 hours and in certain cases, the injured parties.","IV_35.1":"Perform a data protection impact evaluation for high risk processes. 
Implement appropriate technical measures to safeguard the rights and freedoms of data subjects, informed by an assessment of the risks to these rights and freedoms.","IV_35.7.d":"Capabilities for identification, blocking and forensic investigation of data breaches by malicious actors, through compromised credentials, unauthorized network access, persistent threats and verification of the correct operation of all components.Network perimeter and endpoint security tools to prevent unauthorized access to the network, prevent the entry of unwanted data types and malicious threats. Anti-malware and anti-ransomware to prevent malware and ransomware threats from entering your devices.A behavioral analysis that uses machine intelligence to identify people who do anomalous things on the network, in order to give early visibility and alert employees who start to become corrupt."}

Regards, Josh

pablotr9 commented 4 years ago

Hi @JoshBuch ,

Both requests look OK. It doesn't seem that there's something wrong with GDPR as both API requests are showing the right output. The error might be in another component, we will need some more information.

  1. You get the error every time you access the GDPR dashboard or just sometimes randomly? Is everything working right in the Wazuh UI (Overview, Agents, DevTools, Management...)? The error Server did not respond .. doesn't give us much information, it can be caused by multiple reasons.
  2. Let's check some more error logs, could you please open the browser DevTools? Go to Wazuh UI in Kibana, then press F12 to open it in Chrome and Firefox, if you are using Safari please check this link. This will open a new window, now that the browser DevTools are opened, please access the GDPR dashboard and make sure that you get the error you mentioned. Once you get the error please check the console tab in the browser DevTools and check if you have any error in there as shown in my example screenshot (if so, please attach it to your reply) image
  3. Now, with the help of the browser DevTools again, we will check the Network tab. Click on the Network tab and then navigate again to the GDPR dashboard (please make sure that you get the error, otherwise it won't give us any information). You will see in that tab tons of requests, if any of these requests fail it will be highlighted in red. If you see any of the requests failing, please click on it and check the response subtab to get more information. Check this example screenshot: image
  4. Now the last thing I would like to check is the API logs (once again), please paste the output of this command in a file and attach it to your reply. As I said, make sure that you make the GDPR fail before running this command: cat /var/ossec/logs/api.log | grep -i error

Thank you. I look forward to hearing from you.

Kind Regards, Pablo Torres

JoshBuch commented 4 years ago

Hi @pablotr9 , regarding the above steps:

  1. I get the error every time when I access the GDPR dashboard, however for the other compliance dashboards (HIPAA, PCI DSS, NIST), the data loads up normally.

  2. As for the above mentioned second step, there is no output in the console tab in devtools.

  3. I am attaching a screenshot for this step for your reference. GDPR_API_ERROR

  4. I am also attaching the log file for your reference. Wazuh_API.txt

Regards, Josh

pablotr9 commented 4 years ago

Hi @JoshBuch ,

Thanks again for your reply, indeed that's a really weird behavior, everything seems to be working correctly, there are no error logs neither in the browser nor in Wazuh API.

You are using Wazuh 3.11.1 with Elasticsearch and Kibana 7.5.0? We don't have any package of Wazuh 3.11.1 compatible with Kibana 7.5.0, here you can find a list of version compatibility of Wazuh UI with Kibana (for Wazuh 3.11.1 you should use Kibana 7.5.1). So what we will do now is reinstalling the Wazuh UI for Kibana to check if that is the cause of this problem.

  1. The latest version of Kibana is 7.5.2 (released yesterday), so I recommend you to update Elasticsearch and Kibana to the latest version.
  2. Wazuh 3.11.2 was also released a few days ago with some [important fixes], so it's highly recommended to upgrade Wazuh-manager and Wazuh API as well. You can find a guide to the 2 previous steps here: https://documentation.wazuh.com/3.11/upgrade-guide/index.html .
  3. Whether you decide to upgrade your environment or not, these steps must be followed to reinstall the Wazuh UI:
    • Stop Kibana:

        systemctl stop kibana

    • Remove the app using kibana-plugin tool:

        /usr/share/kibana/bin/kibana-plugin remove wazuh

    • Remove generated bundles:

        rm -rf /usr/share/kibana/optimize/bundles

    • Update file permissions (this will avoid several errors prior to updating the app):

        chown -R kibana:kibana /usr/share/kibana/optimize
        chown -R kibana:kibana /usr/share/kibana/plugins

    • Install the app (notice that this command will install Wazuh plugin v3.11.2-7.5.2, change it if you are using a different version, you can find the full list of packages here):

        sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.2_7.5.2.zip

    • Restart Kibana, and test again the Wazuh UI (check that all dashboards can be visualized correctly)

Please let me know if you have any trouble reinstalling the Wazuh UI,

Best Regards, Pablo Torres

JoshBuch commented 4 years ago

Hi @pablotr9 , sorry actually I made a mistake in giving you the elasticsearch version. The elasticsearch and kibana version I am using is 7.5.1

pablotr9 commented 4 years ago

Ok, could you try reinstalling the Wazuh UI as explained in step 3? Maybe some files were corrupted during the installation. As I said, I highly recommend upgrading to the latest version as some important bugs were fixed in that version, it won't really take you too long to upgrade it.

JoshBuch commented 4 years ago

Okay cool, I will try that in some time. Thank you for your quick and constant responses.

Regards, Josh

juankaromo commented 4 years ago

Hi @JoshBuch

I'm closing this issue for inactivity. If you keep having this problem or have any other or any doubt, please do not hesitate to open a new issue.

Regards,

katherinelim commented 4 years ago

I've experienced this issue while using the Wazuh OVA - https://packages.wazuh.com/vm/wazuh3.11.4_7.6.0.ova

Steps to reproduce:

PCI DSS, HIPAA and NIST 800-53 are working.

pablotr9 commented 4 years ago

Hi @katherinelim !

Could you please enable the debug log level in your Wazuh API, so we can get more information about what is happening? You can enable the Debug mode in Wazuh API:

EDIT Meanwhile, I will install the OVA package you sent me to check that everything is ok in it, thanks for reporting it. I just installed the OVA package you shared with us and followed the steps to reproduce it, (run OVA, install agents on other hosts, open GDPR...) and everything is working fine. Apart from the Wazuh API logs, could you please give us some more information about the agents you installed (version) and the operating system they were installed on? Thanks!

Best Regards,

katherinelim commented 4 years ago

Hi @pablotr9

Attached is the API log after reloading the Wazuh screen in the browser and then clicking GDPR and seeing "Server did not respond (/api/gdpr/all)"

api.log

The agents installed are version v3.11.4 and the Ubuntu OS version is 18.04.4 LTS.

I also used tail -f /var/ossec/logs/api.log while at debug log level and clicking on GDPR did not produce any logs.

katherinelim commented 4 years ago

Hi @pablotr9

I managed to solve the issue.

While moving the mouse pointer over the GDPR dashboard area, I noticed there was some host output.

There was a browser plugin that might affect the drawing of the page. I switched off uBlock Origin (adblock plugin) and the GDPR dashboard displayed successfully.

You can close this issue. Thank you for the help!

pablotr9 commented 4 years ago

Hi @katherinelim!

Glad to see it's successfully working! Good to know that some browser plugins can cause some errors displaying Regulatory Compliance dashboards, thanks for the info!

If you have any other question, please feel free to open a new issue or you can also join our Slack channel or our Google mailing list here

Kind Regards,
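
The triage this thread converged on, as an added example (not code from the Wazuh project or from any commenter): when both server-side requests quoted earlier return well-formed data while the browser still reports "Server did not respond", the request is being dropped on the client. The function names are hypothetical and the sample bodies are constructed from the thread's curl outputs with the descriptions shortened.

```python
import json

# Constructed sample bodies: the two curl outputs quoted in the thread,
# with the requirement descriptions shortened to "...".
RULES_BODY = ('{"error":0,"data":{"items":'
              '["II_5.1.f","IV_30.1.g","IV_32.2","IV_35.7.d"],"totalItems":4}}')
KIBANA_BODY = json.dumps({key: "..." for key in (
    "II_5.1.f", "III_14.2.c", "III_17", "IV_24.2", "IV_28", "IV_30.1.g",
    "IV_32.1.c", "IV_32.2", "IV_33", "IV_35.1", "IV_35.7.d")})


def rule_requirements(body):
    """Requirement IDs from the Wazuh API response to /rules/gdpr."""
    doc = json.loads(body)
    if doc.get("error") != 0:
        raise ValueError(f"Wazuh API returned error code {doc.get('error')}")
    return set(doc["data"]["items"])


def described_requirements(body):
    """Requirement IDs from the Kibana plugin response to /api/gdpr/all."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or not doc:
        raise ValueError("/api/gdpr/all returned no requirement map")
    return set(doc)


def triage(rules_body, kibana_body, browser_request_failed):
    """Classify the fault as server-side, client-side, or none."""
    try:
        used = rule_requirements(rules_body)
        described = described_requirements(kibana_body)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return f"server-side: {exc}"
    missing = sorted(used - described)
    if missing:
        return "server-side: no description for " + ", ".join(missing)
    if browser_request_failed:
        # Both endpoints answer correctly outside the browser, so the request
        # is being dropped on the client: extensions, proxies, content filters.
        return "client-side: check browser extensions and proxies"
    return "healthy"


if __name__ == "__main__":
    print(triage(RULES_BODY, KIBANA_BODY, browser_request_failed=True))
```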