Introduction

While trying to set Wazuh up at my day job, getting it up and running should have been easy; it was not. These are the issues I ran into and how to fix them, along with recommendations for Wazuh to improve the situation for everyone, whatever their network setup.

Wazuh Certs Creator Image

I kept running into issues with it not being able to download wazuh-certs-tool.sh from Wazuh’s package repository URL. I had to bake the script into a custom-built container image and also remove the if statement in entrypoint.sh that exits when the download fails.

Doing this allowed it to run correctly. I understand why Wazuh chose this approach, but I think it is the wrong move, as the trouble I ran into shows. I will say that it did work fine on my home network, though.

Recommendation 1

Have the wazuh-certs-tool.sh be part of the image by default, so it will work correctly in any network setup.

Updating Default Passwords

This was far harder to work out than it should have been, because the documentation is missing information. The clues to what I was doing wrong came from this open issue.

Once you have updated the passwords for the following users in docker-compose.yml;

  • admin
  • wazuh-wui - make sure the password does not contain any of the characters =, ' or " and you will be fine.
  • kibanaserver

you then need to update the following locations (this applies to multi-node setups as well);

  • config/wazuh_dashboard/wazuh.yml
  • config/wazuh_indexer/internal_users.yml - see step below for updating this file.

Bcrypt Hash Required

To update the admin and kibanaserver users you need to update their hashes. config/wazuh_indexer/internal_users.yml names the tool to generate them with, except that it does not exist. Use the following code to create the hashes;

#!/usr/bin/env python3
import bcrypt
from getpass import getpass

# Prompt without echoing the password to the terminal
passwd = getpass('Enter your password: ').encode('utf-8')
# gensalt() uses bcrypt's default cost factor of 12 rounds
hashed_passwd = bcrypt.hashpw(passwd, bcrypt.gensalt())

print(hashed_passwd.decode('utf-8'))

You can now update the hashes in that file, and you are then ready to run docker-compose up -d
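To tie the password steps above together, here is an added helper script (my own example, not code from the original post or from Wazuh) that rejects a wazuh-wui password containing the characters =, ' or ", bcrypt-hashes the admin and kibanaserver passwords, verifies each hash with bcrypt.checkpw before writing it, and replaces the hash: line in the matching user block of internal_users.yml. It assumes the stock layout of that file (one top-level block per user with an indented hash: line) and that the bcrypt PyPI package is installed; the sample YAML embedded in it is constructed for the demonstration and its hash values are placeholders.

```python
#!/usr/bin/env python3
"""Added example: validate new Wazuh passwords, bcrypt-hash them and patch internal_users.yml.

Assumption (not from the original post): internal_users.yml uses the stock layout where each
user is a top-level block with an indented `hash:` line, and the `bcrypt` package is installed.
"""
import re
import sys
from getpass import getpass

try:
    import bcrypt
except ImportError:  # the file-editing helpers still work; hashing will report the missing package
    bcrypt = None

# Characters reported as breaking the wazuh-wui password when set in docker-compose.yml
FORBIDDEN_WUI_CHARS = set('=\'"')

# Constructed sample of internal_users.yml; hash values are placeholders, not real hashes
SAMPLE_INTERNAL_USERS = """\
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$OLD_ADMIN_HASH_PLACEHOLDER"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

kibanaserver:
  hash: "$2a$12$OLD_KIBANASERVER_HASH_PLACEHOLDER"
  reserved: true
  description: "Demo OpenSearch Dashboards user"
"""


def bcrypt_available() -> bool:
    """True when the bcrypt package could be imported."""
    return bcrypt is not None


def check_wui_password(password: str) -> list[str]:
    """Return the forbidden characters found in a wazuh-wui password (empty list means OK)."""
    return sorted(c for c in FORBIDDEN_WUI_CHARS if c in password)


def make_hash(password: str, rounds: int = 12) -> str:
    """Return a bcrypt hash (the $2b$ form) suitable for a `hash:` entry in internal_users.yml."""
    if bcrypt is None:
        raise RuntimeError("the 'bcrypt' package is required: pip install bcrypt")
    return bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds)).decode('ascii')


def verify_hash(password: str, hashed: str) -> bool:
    """Check that a password matches a bcrypt hash; used before anything is written to disk."""
    if bcrypt is None:
        raise RuntimeError("the 'bcrypt' package is required: pip install bcrypt")
    return bcrypt.checkpw(password.encode('utf-8'), hashed.encode('ascii'))


def set_user_hash(yaml_text: str, user: str, new_hash: str) -> str:
    """Replace the `hash:` value inside the named user's block; raise KeyError if it is absent."""
    # `user:` at the start of a line, then (lazily) indented lines up to the first `hash:` line.
    # Indented-only lines guarantee we never run into the next user's block.
    pattern = re.compile(
        rf'^({re.escape(user)}:\n(?:[ \t]+.*\n)*?[ \t]+hash:[ \t]*)"?[^"\n]*"?[ \t]*$',
        re.MULTILINE,
    )
    # A callable replacement keeps the `$` characters of the bcrypt hash literal
    new_text, count = pattern.subn(lambda m: f'{m.group(1)}"{new_hash}"', yaml_text, count=1)
    if count != 1:
        raise KeyError(f'user {user!r} has no hash: entry in the file')
    return new_text


def main(path: str, users: tuple[str, ...] = ('admin', 'kibanaserver')) -> None:
    with open(path, encoding='utf-8') as fh:
        text = fh.read()
    for user in users:
        password = getpass(f'New password for {user}: ')
        if password != getpass('Repeat it: '):
            sys.exit('passwords do not match')
        hashed = make_hash(password)
        if not verify_hash(password, hashed):
            sys.exit(f'generated hash for {user} failed verification')
        text = set_user_hash(text, user, hashed)
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(text)
    print(f'updated hashes for {", ".join(users)} in {path}')


if __name__ == '__main__':
    main(sys.argv[1] if len(sys.argv) > 1 else 'config/wazuh_indexer/internal_users.yml')
```

Run it as ./update_hashes.py config/wazuh_indexer/internal_users.yml before docker-compose up -d; check_wui_password is there for the wazuh-wui value you put in docker-compose.yml, which is not hashed. The hashes are verified with checkpw before the file is rewritten so a typo in the prompt cannot lock you out of the indexer.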

Recommendation 2

Include the above Python code alongside the docker-compose.yml file.

Wazuh Documentation

Wazuh needs to make it easier to A. find the information on updating the passwords and the locations where they must be changed, and B. do A only after adding the missing information, as there is currently room for improvement.