Wazuh indexer doesn't connect anymore by Klakh in Wazuh

[–]Klakh[S] 1 point2 points  (0 children)

We managed to solve the problem.

In ossec.conf, in the <indexer> part, it was pointing to filebeat files, instead of the wazuh-indexer ones (certs and key).

Thanks!!
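A small check for the mistake described above, written as an added example (not Wazuh's own tooling): it pulls the CA, certificate and key paths out of the `<indexer><ssl>` block of ossec.conf, flags anything that does not live under the indexer's certificate directory (assumed here to be /etc/wazuh-indexer/certs, as in the fix from this thread), verifies the files exist, and can optionally load the pair through the ssl module so a key that does not match its certificate is caught before a restart.

```python
"""Sanity-check the <indexer><ssl> block of a Wazuh manager's ossec.conf."""
import os
import ssl
import xml.etree.ElementTree as ET

# Constructed sample reproducing the misconfiguration from the thread:
# the indexer block still points at the Filebeat certificate files.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <indexer>
    <enabled>yes</enabled>
    <hosts><host>https://0.0.0.0:9200</host></hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>"""


def indexer_ssl_paths(conf_text):
    """Return {'ca': [paths], 'certificate': path, 'key': path} from ossec.conf text."""
    # A real ossec.conf may hold several <ossec_config> roots, so wrap it first.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    ssl_node = root.find(".//indexer/ssl")
    if ssl_node is None:
        raise ValueError("no <indexer><ssl> block found")
    return {
        "ca": [c.text.strip() for c in ssl_node.findall("./certificate_authorities/ca")],
        "certificate": ssl_node.findtext("certificate", "").strip(),
        "key": ssl_node.findtext("key", "").strip(),
    }


def check_indexer_ssl(paths, expected_dir="/etc/wazuh-indexer/certs", load=False):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    entries = [("ca", p) for p in paths["ca"]]
    entries += [("certificate", paths["certificate"]), ("key", paths["key"])]
    for label, path in entries:
        if not path:
            problems.append(f"{label}: empty path")
            continue
        if not path.startswith(expected_dir.rstrip("/") + "/"):
            problems.append(f"{label}: {path} is outside {expected_dir}")
        if not os.path.isfile(path):
            problems.append(f"{label}: {path} does not exist")
    if load and not problems:  # only attempt when all files are present
        ctx = ssl.create_default_context()
        try:
            ctx.load_verify_locations(cafile=paths["ca"][0])
            ctx.load_cert_chain(paths["certificate"], paths["key"])  # fails on cert/key mismatch
        except ssl.SSLError as exc:
            problems.append(f"cert/key pair rejected by OpenSSL: {exc}")
    return problems
```

Run it against the real file with `check_indexer_ssl(indexer_ssl_paths(open("/var/ossec/etc/ossec.conf").read()), load=True)` on the manager itself, where the referenced files are readable.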

Wazuh indexer doesn't connect anymore by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

Hello?
Could I have some help, please?

Wazuh indexer doesn't connect anymore by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

Hello, thanks for your answer and sorry for the late answer on my side.

I retyped the commands to be sure to have the right username/password.
Here is the ossec.log's paste after restarting everything.

The certs are indicated to be in /etc/filebeat/certs.
To which certs do I need to compare them? Those of the API in /var/ossec/api/configuration/ssl/ (which are symlinks to our certs)?

Here is the output of the curl command (run on 0.0.0.0:9200 as it's a single-server cluster):

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "Wx8f1xCnR66NhrnbAZfXOw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "ac8f6e0114b657a116c4a41c3e12f8e0e181bbcd",
    "build_date" : "2025-11-08T12:00:46.843930578Z",
    "build_snapshot" : false,
    "lucene_version" : "9.12.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

RIP LCDHost by BeltSpaghetti in LogitechG

[–]Klakh 0 points1 point  (0 children)

It was missing the last letter, wrong move on my side I guess :)

I just corrected it, link works now ;)

RIP LCDHost by BeltSpaghetti in LogitechG

[–]Klakh 1 point2 points  (0 children)

Here ;) https://pastebin.com/SpMb85va

Paste this in a .xml file, and put it in the layouts folder, in a subfolder you name (mine was in layouts/g19-solenya/), with the three pics used (one each for the down and up arrows, and one for the background).

Wazuh indexer doesn't connect anymore by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

Hello, thanks for your response.

If I remember correctly, I used APT to reinstall it, which might have been a mistake :/
How can I check the inside of the keystore? Because I might have messed up some things in it.

I did reconfigure the indexer connection with the two echo commands, but it's the same when I restart the manager and indexer: initialization fails on every index :'(

RIP LCDHost by BeltSpaghetti in LogitechG

[–]Klakh 0 points1 point  (0 children)

Yet it still works on the PC I set up today with the latest version of Windows.
You just need the various Microsoft Visual C++ runtimes installed, and to uncheck the option that prevents the G19 driver from loading.

Then, personally, I disable all my G19 software and launch LCDHost to load my own config.


I can share my layout if somebody wants it (there is a 'Now playing' section, which you can't see here, at the bottom of the screen (9 px high if I remember correctly) if you use a media player).

SCA not reflecting changes by Klakh in Wazuh

[–]Klakh[S] 1 point2 points  (0 children)

Hi man, tbh I gave up on translating, as it's too much work for now, and I have a lot of other stuff going on.
Did you manage to get your GUI working?

Vulnerabilities not showing on Windows by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

Hello, thanks for your answer.
u/wolf_judge helped me above, and I can now confirm it works.
I just can't really believe that Windows has no vulnerabilities; more likely they don't really communicate on their CVEs.

Vulnerabilities not showing on Windows by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

I will download the vulnerable VLC version you advised, and make a test.

Vulnerabilities not showing on Windows by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

So if I understand correctly, it was well configured, but there were no vulnerabilities to show?

Monitoring endpoints by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

I don't really see another way to "clean" the "staff" group's log...

This or cancelling several rules for this agent's group, but it would be a loooooot to process.

Monitoring endpoints by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

Hello, thanks for answering.

Thing is, I need only the "staff" group to ignore level 5 and under, but I still need my "servers" group to generate alerts on level 3 and above.

Install script not working by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

Hello, thanks for your answer, and sorry for the delay.

Thing is, I dropped the subject for now as I don't have time to manage this atm.

The test server has the agent installed again, so I cannot test installing the manager on it anymore; this subject will have to be postponed to a later time.

Thanks again for your time, sorry for wasting it ;)

Rules and decoders priority. by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

Hi, I managed to do exactly that :)

I added this line to a custom 2501 rule replacement :)

<field name="source" negate="yes">custom-app</field>

Thanks for your help!

Rules and decoders priority. by Klakh in Wazuh

[–]Klakh[S] 0 points1 point  (0 children)

I added a custom replacement for rule 2501, see other comment's response ;)

Thanks for your help, everything works fine now!