Closed davidcr01 closed 5 months ago
With the new Wazuh manager package created, the following test has been performed:
It has been observed the following error:
Will create 'wazuh' index template
ERROR: /etc/wazuh-indexer/wazuh-template.json not found
Will create index templates to configure the alias
SUCC: 'wazuh-alerts' template created or updated
SUCC: 'wazuh-archives' template created or updated
Will create the 'rollover_policy' policy
SUCC: 'rollover_policy' policy created
Will create initial indices for the aliases
SUCC: 'wazuh-alerts' write index created
SUCC: 'wazuh-archives' write index created
SUCC: Indexer ISM initialization finished successfully.
This error is related to the ISM script execution. It seems that the wazuh-template.json
is not included in the Wazuh indexer package. This is reproduced because the deployment is using an old Wazuh indexer package
The health-check was completely successfully:
I noticed the following errors in the ossec.log
file:
2024/02/01 10:44:56 keystore: ERROR: Could not find key 'password at column 'indexer'.
2024/02/01 10:44:56 keystore: ERROR: Could not find key 'password at column 'indexer'.
2024/02/01 10:44:56 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::start: Could not find key 'password at column 'indexer'.
This error is generated because the indexer password is inserted after the Wazuh dashboard installation when the passwords change. To avoid this, the password will be inserted when the Wazuh manager is installed, but this password will be overwritten when changing the passwords.
After a new test, this error is not generated anymore:
root@ubuntu22:/home/vagrant# cat /var/ossec/logs/ossec.log | grep ERROR
root@ubuntu22:/home/vagrant# nano wazuh-install
Commit: https://github.com/wazuh/wazuh-packages/pull/2802/commits/a1386cc9f776217fe0efa9343a0e56a3fc85aab8
:green_circle: The complete distributed installation was performed correctly.
Description
Related: https://github.com/wazuh/internal-devel-requests/issues/707
Due to the refactoring of the Vulnerability Detector module, the configuration of the indexer has changed. These changes in the WIA and WPT were done here: https://github.com/wazuh/wazuh-packages/pull/2777. Now, these changes must be modified again.
We can assume that the
username
and thepassword
tag will be removed from theossec.conf
file in this issue, so it is not necessary to remove them explicitly in the mentioned tool.Changes
The following code should be removed: https://github.com/wazuh/wazuh-packages/blob/e2ff0288f6a734a93446e590fddbc52d97511da1/unattended_installer/passwords_tool/passwordsFunctions.sh#L60
It should be replaced to a call to the
wazuh-keystore
tool in order to change the password of the indexer user.As the WPT is inserted in the WIA, the only change must be done in the WPT and it will be propagated to the WIA.
With further details of the new tool, the chages may change and be more precise.