Wazuh App - Authorization Exception #1203

Closed
mathieu83470 opened this issue Feb 1, 2019 · 22 comments

@mathieu83470

Hello,

I have exactly the same issue as this case (#968), but I can't disable X-Pack. Does anyone know how to resolve it?
In kibana.yml => I use "elastic" user
In kibana UI => Logged with same "elastic" user

Error message : {"message":"2001 - [security_exception] action [indices:data/read/search] is unauthorized for user [kibana]","code":2001,"statusCode":500}

In kibana log - Initialization:
image

In kibana log - Accessing to wazuh-app:
image

Kibana version : 6.4.0
Wazuh-app version : Tested with 3.6.0 and 3.6.1 with same results

Thanks for your help

@jesusgn90
Contributor

Hi @mathieu83470 ,

First of all, I want to say that we are supporting up to Wazuh v3.8.2 and Kibana v6.6.0. In any case, could you paste the same as #968 (comment) , please?

Regards

@mathieu83470
Author

mathieu83470 commented Feb 1, 2019

Hi @jesusgn90

Thanks, but for now I can't upgrade the Elastic Stack to 6.6!
I'm in exactly the same configuration as @Fl4nker (#968), except I can't disable X-Pack for security reasons.

This is my config 🥇
image

image

And I don't understand this log :
image

@jesusgn90
Contributor

Uncomment the next line:

https://github.com/wazuh/wazuh-kibana-app/blob/bb9b1de686b75d73bf36226ac63e858f69f05f4c/config.yml#L75

The file is located under /usr/share/kibana/plugins/wazuh/config.yml

So it should look like this:

xpack.rbac.enabled: true 

Restart Kibana:

systemctl restart kibana

Regards

@mathieu83470
Author

Unfortunately, it was already done with same results....

image

@jesusgn90
Contributor

Hello again @mathieu83470 ,

Please, execute the next curl commands:

curl -X GET "localhost:9200/_xpack/license"
curl -X GET "localhost:9200/_xpack/license/trial_status"

Where localhost is your Elasticsearch node that Kibana is pointing to.

Regards

@mathieu83470
Author

Hello @jesusgn90

Thanks for your time! We have a gold license...

image

image

Regards

@jesusgn90
Contributor

Hi @mathieu83470, I think I got it: you are using a Wazuh app version older than the fixed app we released for 6.4.2 (#998). You are probably facing an issue with X-Pack that we have for 3.6 and 6.4.0 / 6.4.1.

Edit the file under /usr/share/kibana/plugins/wazuh/server/lib/elastic-wrapper.js

Look for a function named updateWazuhIndexDocument

Replace the next line:

const data = await this.elasticRequest.callWithRequest(req, 'search', {

with this:

const data = await this.elasticRequest.callWithInternalUser('search', {

Save it and restart Kibana:

# chown -R kibana:kibana /usr/share/kibana/plugins
# systemctl restart kibana

Best regards

@jesusgn90
Contributor

Those lines are not the desired lines, the line I was talking about is https://github.com/wazuh/wazuh-kibana-app/blob/bb9b1de686b75d73bf36226ac63e858f69f05f4c/server/lib/elastic-wrapper.js#L498, that line must be const data = await this.elasticRequest.callWithInternalUser('search', { for your version. So please, undo your changes and follow my instructions from #1203 (comment)

Kind regards,
Jesús

@mathieu83470
Author

Ok, sorry for the misunderstanding.
I did it with no effects... :-(

image

image

@jesusgn90
Contributor

Hello again @mathieu83470 , sorry for the late response.

Please, can you paste the output from the next commands?

cat /usr/share/kibana/plugins/wazuh/server/lib/elastic-wrapper.js | grep updateWazuhIndex -A16
cat /etc/kibana/kibana.yml # Replace passwords with ****

Thanks!

@mathieu83470
Author

Hello @jesusgn90

Thanks for your help

image

image

@jesusgn90
Contributor

All seems fine, the issue comes from the internal app indices (.wazuh and .wazuh-version).

Please paste the output of the next command:

curl localhost:9200/.wazuh,.wazuh-version/_settings?pretty

Example output:

{
  ".wazuh" : {
    "settings" : {
      "index" : {
        "number_of_shards" : "1",
        "provided_name" : ".wazuh",
        "creation_date" : "1549060666239",
        "number_of_replicas" : "0",
        "uuid" : "nA61yOZyQIKLkxYH9JxirQ",
        "version" : {
          "created" : "6060099"
        }
      }
    }
  },
  ".wazuh-version" : {
    "settings" : {
      "index" : {
        "creation_date" : "1549060666430",
        "number_of_shards" : "1",
        "number_of_replicas" : "0",
        "uuid" : "DRRHumAYRsayUEv5gSWF2A",
        "version" : {
          "created" : "6060099"
        },
        "provided_name" : ".wazuh-version"
      }
    }
  }
}

I'm asking for that because Elasticsearch sometimes blocks certain indices, in that case you'll see an entry like the next one:

        "blocks" : {
          "read_only_allow_delete" : "true"
        },

If it appears in your output, use this command to unlock those indices:

curl -XPUT 'http://localhost:9200/_settings' -H 'Content-Type: application/json' -d' { "index": { "blocks": { "read_only_allow_delete": "false" } } } '

Where localhost is always the Elasticsearch host you provided in kibana.yml.

Regards
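
An added example, not part of the original comment or of the Wazuh project's code: a small Python check that reads the JSON body returned by the `_settings` request above and reports, for each internal app index, whether it carries the `read_only_allow_delete` block or whether Elasticsearch returned an error instead. The function name and both sample responses are constructed for illustration.

```python
import json

# Internal app indices named in the thread.
EXPECTED = (".wazuh", ".wazuh-version")

# Constructed sample: .wazuh carries the block, .wazuh-version does not.
SAMPLE_BLOCKED = """
{".wazuh": {"settings": {"index": {"number_of_shards": "1",
    "blocks": {"read_only_allow_delete": "true"}}}},
 ".wazuh-version": {"settings": {"index": {"number_of_shards": "1"}}}}
"""

# Constructed sample: error body returned when a requested index does not exist.
SAMPLE_ERROR = """
{"error": {"type": "index_not_found_exception", "reason": "no such index",
           "index": ".wazuh"}, "status": 404}
"""


def _is_true(value):
    # Settings values come back as strings ("true"), but accept booleans too.
    return str(value).lower() == "true"


def classify_indices(settings_json, expected=EXPECTED):
    """Map each expected index to 'ok', 'blocked', 'missing' or 'error:<type>'."""
    body = json.loads(settings_json)
    # An error response has a top-level "error" object and no per-index entries.
    if isinstance(body.get("error"), dict):
        kind = body["error"].get("type", "unknown")
        return {name: "error:" + kind for name in expected}
    result = {}
    for name in expected:
        if name not in body:
            # Index absent from a successful response.
            result[name] = "missing"
            continue
        index_settings = body[name].get("settings", {}).get("index", {})
        blocks = index_settings.get("blocks", {})
        blocked = _is_true(blocks.get("read_only_allow_delete"))
        result[name] = "blocked" if blocked else "ok"
    return result


if __name__ == "__main__":
    for label, sample in (("blocked", SAMPLE_BLOCKED), ("error", SAMPLE_ERROR)):
        print(label, classify_indices(sample))
```
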

@mathieu83470
Author

They are not created...

image

At startup I have "Error creating index" error logs

@jesusgn90
Contributor

That's right, I was thinking about the .wazuh index... Well, at this point, I need to research your issue in more depth. Let me debug your version a bit in a lab environment, adjusting my settings even more in order to have a very similar environment, because something weird is happening under the hood that is not so clear to me.

I'll get back to you as soon as possible.

Regards

@mathieu83470
Author

Thanks a lot

Maybe we can also try to upgrade ELK stack to 6.6 and re-install new version of wazuh app.

For your information, to install wazuh app I had to follow this procedure : #664 (comment)
(after hours blocked on "Optimizing and caching bundles..." screen)

@jesusgn90
Contributor

Well, in any case, that's not the solution, I'm building a similar environment so I can debug properly what's happening to you.

We are not planning to backport any change to 6.4.X, but that version worked for other users (just replacing the line I suggested some comments ago), so I want to hunt down what's happening in your environment.

@jesusgn90
Contributor

In the meantime, could you try to open a new "incognito" window on your browser? or just "clear all site data" in order to avoid a cookie/session issue related to Kibana itself.

@mathieu83470
Author

Same problem in private navigation

image

@jesusgn90
Contributor

Follow up @mathieu83470 :

image

Working app using simple auth and the user elastic on both sides (kibana.yml + UI login).

Wazuh 3.6.1 - Elastic 6.4.0

Now I'm going to apply extra settings from your configuration.

@jesusgn90
Contributor

Hello again @mathieu83470 , I've been testing your configuration, this is my own:

server.host: "0.0.0.0"
xpack.security.enabled: true
xpack.security.encryptionKey: "something_at_least_32_characters"
xpack.security.secureCookies: true
elasticsearch.url: "http://172.16.1.2:9200"
elasticsearch.username: "elastic"
elasticsearch.password: "elastic"
server.ssl.enabled: true
server.ssl.certificate: /tmp/host.crt
server.ssl.key: /tmp/host.key
logging.dest: /var/log/kibana/kibana.log
logging.verbose: true
elasticsearch.ssl.certificateAuthorities: [ "/tmp/hostCA.crt" ]

Everything is working for me; I cannot reproduce your situation.

I tried to access the Wazuh app and deleted .wazuh and .wazuh-version multiple times... So my last thought is about a reverse proxy (NGINX or something similar) and headers going missing when passing through the proxy... The way the Kibana server is communicating with the Elastic server.

@mathieu83470
Author

Hello @jesusgn90

Thanks again for your help.
I think we will try to upgrade the ELK stack quickly; I'm crossing my fingers that it will work with the latest version.
I'll let you know.

@jesusgn90
Contributor

Ok @mathieu83470, closing this ticket since you are not planning to continue the troubleshooting. Open a new ticket if you find any more trouble.

Regards!
