wazuh / wazuh-splunk

Wazuh - Splunk App
https://wazuh.com
GNU General Public License v2.0

Wazuh App in Splunk just stops working! #402

Closed rufftruffles closed 5 years ago

rufftruffles commented 5 years ago

I've got everything set up correctly and it was fine and showing all logs etc. Once I clicked the agent host, it went crazy, threw some errors and sent me to the API page; the API shows as disabled, and when I try to click refresh it says: Unreachable API

I've tested from the Splunk server and the API is working fine:

root@splunk:~# curl -u api:XXXXX http://XXX.91.XXX.XXX:55000/?pretty
{
   "error": 0,
   "data": {
      "msg": "Welcome to Wazuh HIDS API",
      "api_version": "v3.7.1",
      "hostname": "server.XXX.com",
      "timestamp": "Sun Dec 09 2018 19:29:21 GMT+0000 (GMT)"
   }
}

It doesn't let me delete the API; it throws: Cannot remove API

If I try to add a new API, it shows the following error logs in the log file:

{ "date": "2018-12-09 19:34:19,717" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:34:19,717" , "level": "ERROR" , "message": "Error in get_apis endpoint: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:34:20,030" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:34:20,030" , "level": "ERROR" , "message": "Error making API request: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:34:20,353" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:34:20,353" , "level": "ERROR" , "message": "Error in get_apis endpoint: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:34:20,663" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:34:20,663" , "level": "ERROR" , "message": "Error making API request: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:34:20,975" , "level": "ERROR" , "message": "Error at get all documents DB module: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:34:20,975" , "level": "ERROR" , "message": "{"error": "Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)"}" }

Any ideas what's causing this issue?
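
The "Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" text in the log above is the message Python's json module raises when the string handed to json.loads() contains more than one JSON value (or trailing junk after the first one); the two-position form is what Python 2's json produces, which is the interpreter Splunk shipped at the time. It says the first value ended at character 12 and the rest of the document ran on to character 270. What the app's stored document actually contained is not visible in this thread, so the sample below is constructed. The following is an added example, not code from the wazuh-splunk project, showing how to reproduce that exact error and how to recover every value from a document that has several run together, using json.JSONDecoder.raw_decode():

```python
import json

# Constructed sample (not from the thread): two JSON documents concatenated
# without a separator, as a record store would hold them if a second record
# were written after the first instead of replacing it. The first value is
# exactly 12 characters long, so json.loads() stops at char 12 and reports
# "Extra data ... (char 12 ...)" for everything that follows.
CONCATENATED = (
    '{"error": 0}'
    '{"data": {"msg": "Welcome to Wazuh HIDS API", "api_version": "v3.7.1"}}'
)


def loads_strict(text):
    """Single-value parse. Returns (value, None) on success or (None, message)."""
    try:
        return json.loads(text), None
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return None, str(exc)


def split_concatenated_json(text):
    """Decode every JSON value in `text` in turn.

    Returns (values, boundaries, trailing): the decoded values, their
    (start, end) character offsets, and any tail that is not valid JSON.
    """
    decoder = json.JSONDecoder()
    values, boundaries = [], []
    pos, n = 0, len(text)
    while pos < n:
        # raw_decode() does not skip leading whitespace, so do it here.
        while pos < n and text[pos].isspace():
            pos += 1
        if pos >= n:
            break
        try:
            value, end = decoder.raw_decode(text, pos)
        except ValueError:
            # Genuine corruption rather than concatenation: stop and report it.
            return values, boundaries, text[pos:]
        values.append(value)
        boundaries.append((pos, end))
        pos = end
    return values, boundaries, ""


def diagnose(text):
    """Classify a stored document as one value, several run together, or corrupt."""
    value, err = loads_strict(text)
    if err is None:
        return {"ok": True, "values": 1, "error": None, "boundaries": [], "trailing": ""}
    values, boundaries, trailing = split_concatenated_json(text)
    return {
        "ok": False,
        "values": len(values),
        "error": err,
        "boundaries": boundaries,
        "trailing": trailing,
    }


if __name__ == "__main__":
    report = diagnose(CONCATENATED)
    print(report["error"])        # Extra data: line 1 column 13 (char 12)
    print(report["values"], report["boundaries"])
```

Run against a document pulled from whatever store the app reads its API entries from, the `boundaries` list tells you where each value begins and ends, which is enough to decide whether the record was appended to instead of overwritten or is actually corrupt (non-empty `trailing`). On Python 3 the message carries only the first position; the meaning is the same.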

rufftruffles commented 5 years ago

{ "date": "2018-12-09 19:44:52,101" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:52,103" , "level": "ERROR" , "message": "Error in get_apis endpoint: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:52,419" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:52,420" , "level": "ERROR" , "message": "Error making API request: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:52,739" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:52,739" , "level": "ERROR" , "message": "Error in get_apis endpoint: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:53,044" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:53,044" , "level": "ERROR" , "message": "Error making API request: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:53,350" , "level": "ERROR" , "message": "Error at get all documents DB module: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:53,351" , "level": "ERROR" , "message": "{"error": "Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)"}" }
{ "date": "2018-12-09 19:44:56,833" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:56,833" , "level": "ERROR" , "message": "Error in get_apis endpoint: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:57,146" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:44:57,146" , "level": "ERROR" , "message": "Error making API request: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:45:02,087" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:45:02,087" , "level": "ERROR" , "message": "Error in get_apis endpoint: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:45:02,392" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:45:02,392" , "level": "ERROR" , "message": "Error making API request: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:45:08,040" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:45:08,040" , "level": "ERROR" , "message": "Error in get_apis endpoint: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:45:08,345" , "level": "ERROR" , "message": "Error at get document DB: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }
{ "date": "2018-12-09 19:45:08,345" , "level": "ERROR" , "message": "Error making API request: Extra data: line 1 column 13 - line 1 column 271 (char 12 - 270)" }

manuasir commented 5 years ago

Hi @abunasar ,

In order to reproduce this issue, could you please indicate your operating system, your Splunk architecture and your Wazuh architecture here? Also, are you behind any reverse proxy? Please, paste here any console error output in your browser if exists.

Additionally, are you using the app for the first time? Maybe, if you just upgraded the app, something went wrong during the process. I'll be waiting for your feedback.

On the other hand, it'd be helpful if you could curl the following requests to the Wazuh API from the Splunk machine:

curl -u api:XXXXX http://XXX.91.XXX.XXX:55000/agents/<agent-id>?pretty
curl -u api:XXXXX http://XXX.91.XXX.XXX:55000/agents/cluster/status?pretty
curl -u api:XXXXX http://XXX.91.XXX.XXX:55000/agents?pretty

Please, tell us if any of those returned error.

Cheers, Manu

jesusgn90 commented 5 years ago

Hi @abunasar , this problem is solved in https://github.com/wazuh/wazuh-splunk/pull/420. In any case, if you need the package right now we can help you to apply the patch to your current app.

I'm going to close this ticket, but you can still ask us on this ticket or you can open a new ticket. Thanks in advance.

Best regards, Jesús