Closed DMHS closed 6 years ago
Hello @DMHS ,
Could you please show up here a snapshot of your Global Configuration view? Maybe the 'base ip' and 'base port' fields weren't filled correctly with the IP and port of the machine where Splunk Enterprise is running.
Regards
Hi manuasir,
Here is a screenshot of the Global Configuration view. I have changed the username and password to default for the purpose of the screenshot.
Also, here is a screenshot of a successful curl from the Splunk box to the Wazuh box.
Thank you.
Hi @DMHS ,
Everything seems to be correct in Global configuration, so let's check a few different things. To know the context better, could you please show here your Wazuh App for Splunk version? You can get it by listing the 'app.conf' file:
cat $SPLUNK_HOME/etc/apps/wazuh/default/app.conf
Also, let's check the App backend connectivity. Please perform a curl to this endpoint example as follows:
http://<BASE-IP>:<BASE-PORT>/en-US/custom/wazuh/manager/status?ip=<API-IP>&port=<API-PORT>&user=<API-USER>&pass=<API-PASS>
Try that curl command with 'http' and also with 'https' and please show the results here.
Additionally, it would be really helpful if you could navigate to any tab that uses the Wazuh API, such as Manager->Manager status, with the development console opened in your browser; it's usually opened with the F12 key. Please post here any error in the console too.
Thank you for your patience. Kind regards
app.conf
curl command with http
curl command with https
Manager Status
I have a feeling that it has to do with my Splunk instance using HTTPS. Also, I am using a dev license if that matters.
@DMHS Sorry, I forgot to mention that you should put the curl argument between double quotes, like this:
curl "http://<BASE-IP>:<BASE-PORT>/en-US/custom/wazuh/manager/status?ip=<API-IP>&port=<API-PORT>&user=<API-USER>&pass=<API-PASS>"
Otherwise it fails. Kind regards
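The two checks asked for in this thread (reading the app version from app.conf, and probing the manager/status endpoint over both http and https with the URL correctly quoted) can be scripted. The following is an added example, not code from the thread or from the Wazuh project. It assumes the endpoint path quoted above, that app.conf carries a `version = ...` key (as standard Splunk apps do in their [launcher] stanza), and that $SPLUNK_HOME defaults to /opt/splunk; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: diagnose Wazuh App for Splunk backend connectivity.
# Assumptions (not from the thread): app.conf has a 'version = ...' key, and
# SPLUNK_HOME defaults to /opt/splunk when not set.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Print the app version from app.conf (first 'version = X' line found).
# Prints "unknown" and returns 1 when the file cannot be read.
wazuh_app_version() {
    conf="${1:-$SPLUNK_HOME/etc/apps/wazuh/default/app.conf}"
    if [ ! -r "$conf" ]; then
        echo "unknown"
        return 1
    fi
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1
}

# Build the manager/status URL from the thread. The query string contains '&',
# which an unquoted shell word would treat as a background operator, so the
# caller must always double-quote the result when passing it to curl.
status_url() {
    scheme="$1"; base_ip="$2"; base_port="$3"
    api_ip="$4"; api_port="$5"; api_user="$6"; api_pass="$7"
    printf '%s://%s:%s/en-US/custom/wazuh/manager/status?ip=%s&port=%s&user=%s&pass=%s\n' \
        "$scheme" "$base_ip" "$base_port" "$api_ip" "$api_port" "$api_user" "$api_pass"
}

# Request a URL and print only the HTTP status code ("000" when no connection
# or TLS handshake could be completed). CURL_OPTS may carry e.g. --cacert for a
# private CA so that the https probe validates the Splunk Web certificate.
probe() {
    url="$1"
    # shellcheck disable=SC2086  # CURL_OPTS is intentionally word-split
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 $CURL_OPTS "$url") || code="000"
    printf '%s\n' "$code"
}

# Run both probes and report, alongside the installed app version.
run_diagnostic() {
    base_ip="$1"; base_port="$2"; api_ip="$3"; api_port="$4"; api_user="$5"; api_pass="$6"
    echo "Wazuh app version: $(wazuh_app_version)"
    for scheme in http https; do
        url=$(status_url "$scheme" "$base_ip" "$base_port" "$api_ip" "$api_port" "$api_user" "$api_pass")
        echo "$scheme -> HTTP $(probe "$url")"
    done
}

# Usage: sh diag.sh <BASE-IP> <BASE-PORT> <API-IP> <API-PORT> <API-USER> <API-PASS>
if [ "$#" -ge 6 ]; then
    run_diagnostic "$@"
fi
```

A "000" on https with a 2xx/4xx on http points at the TLS layer (certificate trust or Splunk Web's scheme setting) rather than at the Wazuh API itself. Because the API password travels in the query string, it also lands in shell history and web server access logs; clear or rotate it after a diagnostic session.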
Ok, sorry about that.
curl with http
curl with https
If I set Splunk to use http for the web GUI then the Wazuh app connects to the Wazuh API. When it is set to HTTPS it does not work.
Hello again @DMHS
As we suspected, this is an HTTPS related error due to a bug. I'm tagging this issue as a bug to include in the upcoming release along with some new improvements, and I will personally let you know when it is ready, with the instructions for upgrading. Sorry for the inconvenience.
Kind regards
Sounds good. Thank you very much for your help.
Hello @DMHS ,
As you see I marked this issue as closed since it's fixed in the last v2.2.0 release. You can follow these steps in order to upgrade to the new app version:
$SPLUNK_HOME/bin/splunk stop
rm -rf $SPLUNK_HOME/etc/apps/wazuh/
unzip wazuh-3.2.2-2.2.0.zip -d $SPLUNK_HOME/etc/apps/
$SPLUNK_HOME/bin/splunk start
Notice that any index will be deleted or modified during this process; also remember that $SPLUNK_HOME is a reference to your Splunk base directory, by default /opt/splunk/. Change it in accordance with your installation if it differs. I'd like to thank you for your report, and please do not hesitate to open another issue if needed.
Regards, Manu
Thank you for the update. I appreciate the work you are doing.
I have installed the Splunk app and set up the index and universal forwarder according to the documentation. Splunk is indexing data from the Wazuh Manager instance and that is populating the 'Top Alerts' overview tab in the Splunk App.
When I enter the Wazuh API credentials into the Global Configuration tab of the Splunk App no data is populated in the 'Manager Status' page nor the 'Agents Summary' page.
I can curl the 55000 Wazuh API port from the Splunk instance. What am I missing here? Any help is appreciated. Thank you.