wazuh-ansible icon indicating copy to clipboard operation
wazuh-ansible copied to clipboard

Published 20 hours ago verified publisher icon wazuh

filebeat indexer_security_user / indexer_security_password unused?

Open joschneid opened this issue 2 years ago • 5 comments

Hi there,

I did just a fresh "all in one"-installation and set/changed the three passwords indexer_security_password, indexer_admin_password, dashboard_password in my group_vars. With that filebeat is not able to authenticate against the wazuh-indexer after a restart.

A short search showed that the according variable for the filebeat user "indexer_security_user" isn't used anywhere in the code, except in the filebeat config. So it's no wonder that it can't loging with specified user/password. Shouldn't this getting setup somehow like kibanaserver with his dashboard_password in roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2? Or am I missing something?

Regards,

joschneid avatar Aug 31 '22 11:08 joschneid

Hi @joschneid. The indexer_security_password should be the same password as indexer_admin_password (it is the password used for the Indexer's admin user). Did you change the password before running the AIO playbook for the first time? What Ansible roles did you execute after the password (variables) change? You need to execute the Indexer and Filebeat roles after the password variables change in order to make it work:

  • This task will configure the Internal Users file with the indexer_admin_password.
  • This task will run the securityadmin script using the internal_users.yml configuration.
  • Then with this task the filebeat.yml will be configured with the indexer_security_password (that should be the same as indexer_admin_password).

NOTE: if you execute again the roles, you might lose custom configurations made after the previous execution.

teddytpc1 avatar Sep 12 '22 14:09 teddytpc1

Hi @teddytpc1 ,

thx for your explanation. I also noticed that you have to use the same password. But you also have to use admin as indexer_security_user, am I right? I don't see the point of a separate user for Filebeat as it is never entered in the internal_users.yml. So you could also use variable indexer_admin_password and indexer_admin_password in the filebeat config.

Or do I understand the mechanism wrong?

joschneid avatar Sep 14 '22 07:09 joschneid

Hi @joschneid. Yes, it is the same admin user. As the variables are defined for each role they have different names in order to distinguish which one you are setting. So you will have to set each of them. If you use the indexer_admin_password and indexer_admin_password for the filebeat role, they will have no effect, and that might lead to an unwanted behavior.

teddytpc1 avatar Sep 14 '22 12:09 teddytpc1

Okay, as long as everything works as expected, it's fine with me. Maybe the whole thing would be worth a note in the readme, that if you change one of them you need to change the other to the same value. Thx for your anwsers.

joschneid avatar Sep 14 '22 13:09 joschneid

Ok, I will add the note. Thanks.

teddytpc1 avatar Sep 14 '22 13:09 teddytpc1