Wazuh_logs #593
Replies: 12 comments
-
This may actually point to your issues even more so than the dupe agents. If you can't authenticate to Elasticsearch then you can't send data to be displayed. Give me a moment to get some commands to you this afternoon.
-
run this command for me:
sudo -i podman exec lme-wazuh-manager env | grep -i -E "index"
Make note of the username and password that's being set inside your container for indexer username and password. Next run this from the LME path with all the downloaded files:
./LME/scripts/extract_secrets.sh -p
Look for where it says Exported elastic: That should include your password. These passwords should match. If not then something went wrong during install.
-
Yes both matched.
-
test connectivity from wazuh:
sudo -i podman exec -it lme-wazuh-manager /bin/bash
You are now inside the wazuh container
curl -k -u 'elastic:password' -X GET "https://lme-elasticsearch:9200"
Use the password you got from the extract passwords script. This should return a JSON with no errors.
-
Ok I see the issue:
I changed the user elastic password to something I can remember when logging into the website.
When I use the password extracted from the script it failed.
But when I use the password I changed to, it works. So the question is, I cannot change that password? I have to use the extracted password to log into the website?
If so, can I just change it back?
Thank you,
-
You'll probably want to change the password back to the password from extract passwords, yes. What happens is that's an encrypted file that's referenced when starting, creating and restarting the containers. So, all of your running containers reference the passwords securely stored in there.
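The checks in this thread (note the indexer password inside lme-wazuh-manager, compare it with the one extract_secrets.sh exports, then curl Elasticsearch with it) can be scripted so the outcome is a status code and a verdict rather than eyeballing JSON. The script below is an added example, not LME's or Wazuh's own code. It assumes the container and host names used in the thread (lme-wazuh-manager, https://lme-elasticsearch:9200) and that the password printed after "Exported elastic:" by ./LME/scripts/extract_secrets.sh -p is handed in through an ES_PASS environment variable, a name chosen here. It also keeps the password off the curl command line, where `curl -u 'elastic:password'` leaves it visible in `ps` output and shell history.

```shell
#!/bin/sh
# Added example (not LME's or Wazuh's code): probe the Elasticsearch endpoint the
# Wazuh manager writes to and turn the HTTP status into a verdict.
# Assumptions: container/host names from the thread; ES_PASS (a name chosen here)
# holds the value printed as "Exported elastic:" by ./LME/scripts/extract_secrets.sh -p.
set -u

ES_URL="${ES_URL:-https://lme-elasticsearch:9200}"
ES_USER="${ES_USER:-elastic}"

# Map the HTTP status of the probe to a one-line verdict and an exit status.
# 401 is exactly the "unable to authenticate user [elastic]" case from the thread:
# the password the manager holds is not the one Elasticsearch currently has.
classify_es_probe() {
  case "$1" in
    200) echo "ok: $ES_USER authenticated to $ES_URL"; return 0 ;;
    401) echo "credential mismatch: $ES_URL rejected user $ES_USER (401)"; return 2 ;;
    403) echo "authenticated, but $ES_USER is not authorised for / (403)"; return 3 ;;
    000) echo "unreachable: no HTTP response from $ES_URL (DNS, network or TLS failure)"; return 4 ;;
    *)   echo "unexpected HTTP status $1 from $ES_URL"; return 5 ;;
  esac
}

# Run the probe. Credentials are fed to curl as a config file on stdin (-K -),
# so the password never appears in argv. -k mirrors the thread's command: the
# pod's certificate is self-signed, so verification is skipped deliberately.
# Only the status code is kept (-o /dev/null -w); a connection failure yields 000.
# A password containing " or \ must be escaped as \" or \\ in the config line.
es_probe() {
  pass="$1"
  code=$(printf 'user = "%s:%s"\n' "$ES_USER" "$pass" |
    curl -s -k -K - -o /dev/null -w '%{http_code}' "$ES_URL/" 2>/dev/null || true)
  classify_es_probe "${code:-000}"
}

# Stand-alone use, inside the container as in the thread:
#   sudo -i podman exec -it lme-wazuh-manager /bin/bash
#   ES_PASS='<value from extract_secrets.sh -p>' sh es_probe.sh
# Nothing runs when ES_PASS is unset, so the file can also be sourced for its functions.
if [ -n "${ES_PASS:-}" ]; then
  es_probe "$ES_PASS"
fi
```

A 200 here but a 401 in the manager log means the manager is using a different password than the one you typed: that is the situation in this thread, where the elastic password had been changed in the web UI while the containers kept using the value from the encrypted secrets file.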
-
You may be able to change the password and then also change the password in the encrypted file that stores passwords; I just haven't tested that out yet, so I can't say for certain it will work.
-
After I changed the password back to the extracted password from the script, the Wazuh dashboard displays some data. There are a lot of options on the Wazuh dashboards: security events, vulnerabilities, malware detection and incident response.
Do you have any recommendations on data I should display?
Thank you,
-
The data you should display is already done. You'll want to brush up on Kibana and KQL to further filter the data. Everything is clickable though. So, you can click a single machine and filter just events from that machine.
-
You'll also see the critical Wazuh alerts (I believe listed as 12 or above) will be called out specifically if they happen.
-
Don't forget to use your other dashboards as well, the ones specifically designed for Sysmon like User Security 2.0. This is where you can see network connections, running processes, etc. Windows machines only for these dashboards.
-
I saw lots of data in there.
Are you guys going to have another webinar about how to use/explore/navigate/set up alerts via ElastAlert on the Kibana dashboard?
Thank you,
-
I'm seeing this error in the lme-wazuh-manager log:
2025-02-18T19:34:27.601Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://lme-elasticsearch:9200)): 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\", charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\", charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}
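The 401 line above is the symptom to look for whenever Wazuh data stops arriving in the dashboards. The script below is an added example (not LME's, Wazuh's or Beats' own code) that pulls the `Failed to connect to backoff(elasticsearch(...))` lines out of manager log output and reduces them to one verdict per target and status, so a changed elastic password shows up as a credential mismatch instead of a wall of JSON. The sample log embedded in it is constructed from the format of the line above, not real data, and the `podman logs` invocation in the comments is an assumption about how the log is obtained, not something the thread states.

```shell
#!/bin/sh
# Added example (not LME/Wazuh/Beats code): triage Beats-style output errors from
# lme-wazuh-manager log output. Failure lines look like
#   <ts> ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to
#   backoff(elasticsearch(<url>)): <status> <reason>: {<json>}
# Reads log text on stdin; prints "<url> <status> <user> <count>" per distinct failure.

# Constructed sample (not real log data): two 401s, one network failure, one success.
SAMPLE_LOG='2025-02-18T19:34:27.601Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://lme-elasticsearch:9200)): 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]"}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]"},"status":401}
2025-02-18T19:34:29.601Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://lme-elasticsearch:9200)): 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]"}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]"},"status":401}
2025-02-18T19:35:01.000Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://lme-elasticsearch:9200)): Get "https://lme-elasticsearch:9200": dial tcp 10.0.0.5:9200: connect: connection refused
2025-02-18T19:35:05.000Z INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(https://lme-elasticsearch:9200)) established'

# Reduce failure lines to "url status user count". Three sed rules, first match wins:
#   1. HTTP status + "unable to authenticate user [X]"  -> url status X
#   2. any other HTTP status                             -> url status -
#   3. no HTTP status at all (dial/TLS/DNS error)        -> url net -
triage_output_log() {
  grep 'Failed to connect to backoff(elasticsearch(' |
  sed -n \
    -e 's/.*backoff(elasticsearch(\([^)]*\))): \([0-9]\{3\}\) .*unable to authenticate user \[\([^]]*\)].*/\1 \2 \3/p' \
    -e 't' \
    -e 's/.*backoff(elasticsearch(\([^)]*\))): \([0-9]\{3\}\) .*/\1 \2 -/p' \
    -e 't' \
    -e 's/.*backoff(elasticsearch(\([^)]*\))): .*/\1 net -/p' |
  sort | uniq -c | awk '{ print $2, $3, $4, $1 }'
}

# Human-readable verdict; exit status 2 when any 401 is present, since that is the
# thread's case: the password the manager holds no longer matches Elasticsearch.
verdict() {
  triage_output_log | awk '
    $2 == "401" { print "credential mismatch: " $1 " rejected user " $3 " " $4 " time(s); the password the manager holds differs from what Elasticsearch has"; bad = 1; next }
    $2 == "net" { print "network: " $1 " not reachable " $4 " time(s)"; next }
                { print "HTTP " $2 " from " $1 " " $4 " time(s)" }
    END { exit bad ? 2 : 0 }'
}

# With no argument, run on the constructed sample. With "-", triage real output,
# e.g. (assumed invocation, not from the thread):
#   sudo -i podman logs lme-wazuh-manager 2>&1 | sh triage_output_log.sh -
case "${1:-demo}" in
  -) verdict ;;
  *) printf '%s\n' "$SAMPLE_LOG" | verdict || true ;;
esac
```

The exit status makes the check usable from cron or a monitoring hook: 2 means "go compare the elastic password in the web UI with the one extract_secrets.sh exports", anything else is a different problem (network, TLS, or a non-401 HTTP error) and the password is not the first thing to change.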