This article will cover how to install Wazuh server on Ubuntu 22.04, 20.04, 18.04. Wazuh server is a free, open-source security monitoring tool that uses Elastic stack (ELK) . It is used to monitor security events at an application and OS level. You can therefore be able to get information about threat detection, incident response and integrity monitoring. In this tutorial, we shall be deploy Wazuh on a single-node Ubuntu host, with ELK installed on the same host.
You can use Wazuh for the following applications:
- Security analysis
- Log analysis
- Vulnerability detection
- Container security
- Cloud security
The minimum hardware requirements are as below:
- 4 GB of RAM
- 2 CPU cores
Recommended specs are:
- 16 GB of RAM
- 8 CPU cores
Step 1: Install Wazuh Server
Install the packages below needed for the running of Wazuh Manager.
sudo apt update
sudo apt install vim curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
Option 1: Automated install of Wazuh Server using script
The fastest way to install Wazuh on a single host is by using a script that automatically detects OS type and performs a health check to verify that the available system resources meet the minimal requirements.
Download the script to your Ubuntu system where Wazuh server is installed
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
Once the script is downloaded run it:
sudo bash ./wazuh-install.sh -a
Installation process should take few minutes to complete:
15/04/2024 11:19:46 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.3
15/04/2024 11:19:46 INFO: Verbose logging redirected to /var/log/wazuh-install.log
15/04/2024 11:19:53 INFO: Wazuh web interface port will be 443.
15/04/2024 11:19:58 INFO: --- Dependencies ----
15/04/2024 11:19:58 INFO: Installing apt-transport-https.
15/04/2024 11:20:05 INFO: Wazuh repository added.
15/04/2024 11:20:05 INFO: --- Configuration files ---
15/04/2024 11:20:05 INFO: Generating configuration files.
15/04/2024 11:20:07 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
15/04/2024 11:20:07 INFO: --- Wazuh indexer ---
15/04/2024 11:20:07 INFO: Starting Wazuh indexer installation.
15/04/2024 11:21:11 INFO: Wazuh indexer installation finished.
15/04/2024 11:21:11 INFO: Wazuh indexer post-install configuration finished.
15/04/2024 11:21:11 INFO: Starting service wazuh-indexer.
15/04/2024 11:21:29 INFO: wazuh-indexer service started.
15/04/2024 11:21:29 INFO: Initializing Wazuh indexer cluster security settings.
15/04/2024 11:21:39 INFO: Wazuh indexer cluster initialized.
15/04/2024 11:21:39 INFO: --- Wazuh server ---
15/04/2024 11:21:39 INFO: Starting the Wazuh manager installation.
15/04/2024 11:22:40 INFO: Wazuh manager installation finished.
15/04/2024 11:22:40 INFO: Starting service wazuh-manager.
15/04/2024 11:22:56 INFO: wazuh-manager service started.
15/04/2024 11:22:56 INFO: Starting Filebeat installation.
15/04/2024 11:23:04 INFO: Filebeat installation finished.
15/04/2024 11:23:05 INFO: Filebeat post-install configuration finished.
15/04/2024 11:23:05 INFO: Starting service filebeat.
15/04/2024 11:23:06 INFO: filebeat service started.
15/04/2024 11:23:06 INFO: --- Wazuh dashboard ---
15/04/2024 11:23:06 INFO: Starting Wazuh dashboard installation.
15/04/2024 11:24:03 INFO: Wazuh dashboard installation finished.
15/04/2024 11:24:03 INFO: Wazuh dashboard post-install configuration finished.
15/04/2024 11:24:03 INFO: Starting service wazuh-dashboard.
15/04/2024 11:24:04 INFO: wazuh-dashboard service started.
15/04/2024 11:24:33 INFO: Initializing Wazuh dashboard web application.
15/04/2024 11:24:34 INFO: Wazuh dashboard web application initialized.
15/04/2024 11:24:34 INFO: --- Summary ---
15/04/2024 11:24:34 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
User: admin
Password: i9d96ly0D9*AObwGdJ7eq07OANoxq?0*
15/04/2024 11:24:34 INFO: Installation finished.
Take note of access credentials:
15/04/2024 11:24:34 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
User: admin
Password: i9d96ly0D9*AObwGdJ7eq07OANoxq?0*
Access the portal at https://<serverip>
on your web browser and login

Input username and password

You should now get access to Wazuh Web dashboard.

Option 2: Install Wazuh Server using manual steps (not recommended)
The steps below will guide us on how to setup Wazuh server on Ubuntu. This is long and too manual for ordinary users.
- Add GPG key
curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH|sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/wazuh.gpg
2. Add Wazuh repository
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
3. Update system
sudo apt update
4. Install Wazuh Manager
sudo apt install wazuh-manager
5. Start and enable service
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-manager
Check status for Wazuh manager and confirm if it is up and running
systemctl status wazuh-manager
Check service status:
systemctl status wazuh-manager
Install ELK Stack
Install Elasticsearch from Open Distro, a highly scalable full-text search engine. This package offers advanced security, alerting, deep performance analysis, index management and many more features.
sudo apt install elasticsearch-oss opendistroforelasticsearch
Download a custom configuration file for /etc/elasticsearch/elasticsearch.yml
as shown below:
sudo curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
Configure Kibana roles and users with the templates below:
sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml
The commands above adds the following users for Kibana:
- Wazuh_user – Will be used for users who need read-only access to the Wazuh Kibana plugin.
- Wazuh_admin – For users who need administrative privileges
Two additional roles are also created to give the users appropriate permissions.
- wazuh_ui_user – provides wazuh_user permissions to read the Wazuh’s indices.
- wazuh_ui_admin – allows wazuh_admins to perform read/write, management and indexing on wazuh indices.
Install Certificates
We can setup certificates to be used for TLS communication between Elasticsearch and Wazuh.
1. Remove demo certs
sudo rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}
2. Download the wazuh-cert-tool.sh
:
sudo su -
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
3. Run the wazuh-cert-tool.sh to create the certificates:
# bash ~/wazuh-cert-tool.sh
02/28/2024 22:43:19 INFO: Configuration file found. Creating certificates...
02/28/2024 22:43:20 INFO: Creating the Elasticsearch certificates...
02/28/2024 22:43:20 INFO: Creating Wazuh server certificates...
02/28/2024 22:43:20 INFO: Creating Kibana certificate...
02/28/2024 22:43:20 INFO: Certificates creation finished. They can be found in ~/certs.
4. Move the Elasticsearch certificates to their corresponding location:
mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/
5. Mitigate Apache Log4j2 Remote Code Execution (RCE) vulnerability
Add the following configuration to mitigate Apache Log4j2 Remote Code Execution (RCE) vulnerability – CVE-2021-44228 – ESA-2021-31.
mkdir -p /etc/elasticsearch/jvm.options.d
echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options
6. Enable and start the Elasticsearch service:
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
Check Elasticsearch service status:
systemctl status elasticsearch
Run the Elasticsearch securityadmin
script to load the new certificates information and start the cluster:
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
Command execution output:
Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update '_doc/config' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
SUCC: Configuration for 'audit' created or updated
Done with success
Run the command below to confirm that the installation was successful:
curl -XGET https://localhost:9200 -u admin:admin -k
The response should be as follows:
{
"name" : "node-1",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "42mc1BAjQaOpVo4p3Xz5lA",
"version" : {
"number" : "7.10.2",
"build_flavor" : "oss",
"build_type" : "deb",
"build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
"build_date" : "2021-01-13T00:42:12.435326Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Install Filebeat on Ubuntu
Filebeat is used to ship alerts and events from Wazuh server to Elasticsearch.
sudo apt install filebeat
Download the the filebeat configuration file below that will be used to forward wazuh alerts to Elasticsearch
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
Download the alerts template with the command below for Elasticsearch:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh FIlebeat module:
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
Copy the Elasticsearch certificates to /etc/filebeat/certs
mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/
Start and enable Filebeat service
systemctl daemon-reload
systemctl enable --now filebeat
Confirm Filebeat configuration by the command below:
# filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
Install Kibana on Ubuntu
Kibana is the web interface that helps us visualize and analyze the events stored in Elasticsearch.
Use the command below to install Kibana on Ubuntu
apt install opendistroforelasticsearch-kibana
Download the Configuration file for Kibana
curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
Create data directory for Kibana
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data
Install the Wazuh Kibana plugin.
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.5_7.10.2-1.zip
Sample execution output:
Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.5_7.10.2-1.zip
Transferring 33111704 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete
Copy the Elasticsearch certificates to /etc/kibana/certs
:
mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*
Bind Kibana’s socket to priviledged port 443:
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
Start and enable Kibana service
systemctl daemon-reload
systemctl enable --now kibana
Allow Kibana through the firewall
sudo ufw allow 443/tcp
You can now access your wazuh kibana interface via
URL: https://<wazuh_server_ip>
user: admin
password: admin

You can login and proceed to see the available metrics from Wazuh:

Step 2: Configure Wazuh Agents
Wazuh agent is deployed on the endpoint systems such as Windows, Linux, and macOS to collect events and all security related data. The agent will then forward collected data to Wazuh server for threat detection and analysis. The agent can also analyze collected logs on the system, and extract valuable information relating to security for more analysis.
You can obtain commands that are to be run on the agent machine under Wazuh –> Agents

Choose “Deploy new agent” option.

In the next section you will choose:
- OS type and CPU architecture for it (Intel or ARM)
- Wazuh server address as deployed in step 1 – Public or private IPv4 address depending on the setup
- Agent name assigned to the agent. Best practice is to pick agent hostname (FQDN)

Next run the commands given to install and configured agent on your endpoint device.

Don’t forget to run the commands to start and enable the service.
Step 3: Analyze events and logs
If you click on Home icon you will get to the default dashboard. Choose the agent to review.

In the next screen you can switch between menu sections to analyze events and filter.

With the above steps, we have successfully setup Wazuh server on Ubuntu. Visit official Wazuh Documentation website to have a deeper understanding on Wazuh components, configurations and customizations that can be done to better secure your infrastructure and services.
Cheers and please check out other interesting articles on the site.
- How To Install Wazuh server on CentOS 8
- Forward Server logs and metrics to Elasticsearch using Beats
Very nice how to, but I did run into a problem. At the kibana install, after I downloaded the config, I ran
sudo chown -R kibana:kibana /usr/share/kibana/optimize
I get “chown: cannot access ‘/usr/share/kibana/optimize’: No such file or directory”
But I think more importantly when I try in download the plugin with’
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.1-1.zip
I get,
Plugin installation was unsuccessful due to error “No kibana plugins found in archive”
Any thought on how to get this plugin installed?
Thanks
Hi Dan, check the updated link for the plugin in the article.
For me, “sudo systemctl enable –now elasticsearch” results in:
Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
Job for elasticsearch.service failed because a timeout was exceeded.
See “systemctl status elasticsearch.service” and “journalctl -xe” for details.
HI,
I am getting following ERROR how to proceed to next step
wazuh@wazuh:/home$ sudo mkdir /etc/elasticsearch/certs && cd /etc/elasticsearch/certs
bash: cd: /etc/elasticsearch/certs: Permission denied
This is now fixed. Follow along updated contents.
i am stucked on this stage as well. could you advise please?
See updated guide
HI,
I am getting following error
wazuh@wazuh:/etc/elasticsearch/certs$ sudo systemctl enable –now elasticsearch Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
Job for elasticsearch.service failed because a timeout was exceeded.
See “systemctl status elasticsearch.service” and “journalctl -xe” for details.
wazuh@wazuh:/etc/elasticsearch/certs$ systemctl status elasticsearch.service
● elasticsearch.service – Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: failed (Result: timeout) since Tue 2022-02-15 04:57:03 UTC; 16s ago
Docs: https://www.elastic.co
Process: 77555 ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid –quiet (code=exited, sta>
Main PID: 77555 (code=exited, status=143)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareComm>
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.cli.Command.main(Command.java:90)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: For complete error details, refer to the log at /var/log/elasticsearch/elasticsearch.>
Feb 15 04:57:03 wazuh systemd[1]: elasticsearch.service: start operation timed out. Terminating.
Feb 15 04:57:03 wazuh systemd[1]: elasticsearch.service: Failed with result ‘timeout’.
Feb 15 04:57:03 wazuh systemd[1]: Failed to start Elasticsearch.
lines 1-17/17 (END)
● elasticsearch.service – Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: failed (Result: timeout) since Tue 2022-02-15 04:57:03 UTC; 16s ago
Docs: https://www.elastic.co
Process: 77555 ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid –quiet (code=exited, stat>
Main PID: 77555 (code=exited, status=143)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareComma>
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.cli.Command.main(Command.java:90)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: For complete error details, refer to the log at /var/log/elasticsearch/elasticsearch.l>
Feb 15 04:57:03 wazuh systemd[1]: elasticsearch.service: start operation timed out. Terminating.
Feb 15 04:57:03 wazuh systemd[1]: elasticsearch.service: Failed with result ‘timeout’.
Feb 15 04:57:03 wazuh systemd[1]: Failed to start Elasticsearch.
try updated article and let us know if it works for you.
Hi,
I am getting following error
wazuhadmin@wazuh:/home$ sudo mkdir /etc/elasticsearch/certs && cd /etc/elasticsearch/certs
bash: cd: /etc/elasticsearch/certs: Permission denied
wazuhadmn@wazuh:/home$
Thank you
Please check updated post.
al reiniciar mi servidor no cargar mi la interfaz web del wazuh, que puede estar pasando.
¿Verificó el estado de su servicio después de reiniciar el servidor y si está vinculado al puerto?
Seguramente que elasticsearch no está activo:
sudo systemctl status elasticsearch
Si sale inactivo o con algún error entonces:
sudo systemctl restart elasticsearch
Y ya podrá acceder a la interfaz web
Un saludo
Hello,
I get the error that the wazuh api is offline (invalid credentials)
All is started do you have any idea?
I get this error: INFO: Checking API host id [default]…
INFO: Could not connect to API id [default]: 3099 – ERROR3099 – Invalid credentials
I get to:
Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster:
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
And get:
Open Distro Security Admin v7
Will connect to localhost:9300 … done
18:49:26.405 [elasticsearch[_client_][transport_worker][T#1]] ERROR com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLNettyTransport – Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:369) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:312) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:307) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1267) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1254) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1199) ~[?:?]
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-common-4.1.49.Final.jar:4.1.49.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.49.Final.jar:4.1.49.Final]
at java.lang.Thread.run(Thread.java:832) [?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
… 31 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
… 31 more
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{-efRmOx6SQmGbg5Z3hRirA}{localhost}{127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:352)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:248)
at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:57)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:391)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:412)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:401)
at com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin.execute(OpenDistroSecurityAdmin.java:524)
at com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin.main(OpenDistroSecurityAdmin.java:157)
Hi, I’m not getting any data from the agents, only the inventory, but non file integrity events, someone have the solution?
I am also getting an error when trying to start elastic search daemon. I never liked elastic search, it is a pain to get it up and running no matter in what format.
× elasticsearch.service – Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; preset:
enabled)
Active: failed (Result: timeout) since Sat 2024-04-13 15:14:09 CEST; 16s ago
Docs: https://www.elastic.co
Process: 1339431 ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid –quiet (code=exited, status=143)
Main PID: 1339431 (code=exited, status=143)
CPU: 30.801s
Apr 13 15:13:02 systemd-entrypoint[1339431]: at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
Apr 13 15:13:02 systemd-entrypoint[1339431]: at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
Apr 13 15:13:02 systemd-entrypoint[1339431]: at org.elasticsearch.cli.Command.main(Command.java:90)
Apr 13 15:13:02 systemd-entrypoint[1339431]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
Apr 13 15:13:02 systemd-entrypoint[1339431]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
Apr 13 15:13:02 systemd-entrypoint[1339431]: For complete error details, refer to the log at /var/log/elasticsearch/elasticsearch.log
Apr 13 15:14:09 systemd[1]: elasticsearch.service: start operation timed out. Terminating.
Apr 13 15:14:09 systemd[1]: elasticsearch.service: Failed with result ‘timeout’.
Apr 13 15:14:09 systemd[1]: Failed to start elasticsearch.service – Elasticsearch.
Apr 13 15:14:09 systemd[1]: elasticsearch.service: Consumed 30.801s CPU time.
and the logfile as instructed in systemctl status is not there