If you follow the step-by-step guide to install Wazuh, you will reach the step “Securing your Wazuh installation”, which provides a command to replace all the default passwords:
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh
# The output of the previous command is something like:
INFO: The password for user admin is yWOzmNA.?Aoc+rQfDBcF71KZp?1xd7IO
INFO: The password for user kibanaserver is nUa+66zY.eDF*2rRl5GKdgLxvgYQA+wo
INFO: The password for user kibanaro is 0jHq.4i*VAgclnqFiXvZ5gtQq1D5LCcL
INFO: The password for user logstash is hWW6U45rPoCT?oR.r.Baw2qaWz2iH8Ml
INFO: The password for user readall is PNt5K+FpKDMO2TlxJ6Opb2D0mYl*I7FQ
INFO: The password for user snapshotrestore is +GGz2noZZr2qVUK7xbtqjUup049tvLq.
WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
INFO: The password for Wazuh API user wazuh is JYWz5Zdb3Yq+uOzOPyUU4oat0n60VmWI
INFO: The password for Wazuh API user wazuh-wui is +fLddaCiZePxh24*?jC0nyNmgMGCKE+2
INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.
Then, if you go back to your dashboard URL, you’ll get a 500 error.
This is simply because the Wazuh keystore no longer holds the correct admin password. Have a look at the Filebeat configuration, /etc/filebeat/filebeat.yml:
#/etc/filebeat/filebeat.yml
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    ...
...
The two variables ${username} and ${password} come from the Wazuh keystore. After updating all the passwords with the previous command, you have to update the Wazuh password in the keystore. The Wazuh username should not have changed; it’s admin. But you can set it again just in case…
/var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
# The password comes from the output of the previous command.
# Single quotes keep the shell from treating ? and * in it as glob characters.
/var/ossec/bin/wazuh-keystore -f indexer -k password -v 'yWOzmNA.?Aoc+rQfDBcF71KZp?1xd7IO'
Now go back to the wazuh dashboard URL: it works!
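The copy-and-paste step above can be scripted so the keystore always receives exactly the password the tool printed. This is an added example, not part of the original post or of Wazuh itself: the sample output and its passwords are constructed, and the function names and the KEYSTORE override are assumptions made for illustration.

```bash
# Added example: passwords in the sample are constructed, not real.

# Constructed sample in the output format shown above.
sample_tool_output() {
  cat <<'EOF'
INFO: The password for user admin is Ex*mple.Adm1n?Pass+0001
INFO: The password for user kibanaserver is Ex.mple+Kib4na*Pass?0002
WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
INFO: The password for Wazuh API user wazuh is Ex+mple?Api.Pass*0003
EOF
}

# Print the new password of indexer user $1, reading the tool output on stdin.
# "Wazuh API user" lines belong to different accounts and never match.
indexer_password() {
  local prefix line
  prefix="INFO: The password for user $1 is "
  while IFS= read -r line; do
    case "$line" in
      "$prefix"*)
        # Literal prefix strip: '*', '?', '+' and '.' in the password survive.
        printf '%s\n' "${line#"$prefix"}"
        return 0 ;;
    esac
  done
  return 1
}

# Store the admin credentials with the two keystore commands from the post.
# KEYSTORE is a hypothetical override so the function can be exercised off-host.
update_indexer_keystore() {
  local pw
  pw="$(indexer_password admin)" || { echo "admin password not found" >&2; return 1; }
  "${KEYSTORE:-/var/ossec/bin/wazuh-keystore}" -f indexer -k username -v admin
  "${KEYSTORE:-/var/ossec/bin/wazuh-keystore}" -f indexer -k password -v "$pw"
}

# Demo on the constructed sample: confirm a password was parsed without printing it.
if sample_tool_output | indexer_password admin >/dev/null; then
  echo "admin password parsed"
fi
```

On a real host, feed the saved output of wazuh-passwords-tool.sh to update_indexer_keystore on stdin, and keep that saved file readable by root only since it holds every new password.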