Wazuh-Indexer Opensearch to graylog - Host not verified

ShahidAkhterSec · January 11, 2023, 11:08am

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:

I am unable to integrate wazuh-indexer opensearch with Graylog

2. Describe your environment:
Wazuh AWS AMI - OpenSearch
Graylog latest version
Both on aws , two different Instances

OS Information:
Ubuntu
Package Version:
Latest Graylog 5.0
Service logs, configurations, and environment variables:
2023-01-11T11:01:24.511Z INFO [VersionProbe] Elasticsearch is not available. Retry #619
2023-01-11T11:01:29.518Z ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: Hostname 172.22.22.22 not verified:
certificate: sha256—keyyyyyyyyyyyyyyhere
DN: CN=wazuh-indexer, OU=Wazuh, O=Wazuh, L=California, C=US
subjectAltNames: [127.0.0.1]. - Hostname 172.22.22.22 not verified:
certificate: sha256—keyyyyyyyyyyyyyyhere
DN: CN=wazuh-indexer, OU=Wazuh, O=Wazuh, L=California, C=US
subjectAltNames: [127.0.0.1].
2023-01-11T11:01:29.519Z INFO [VersionProbe] Elasticsearch is not available. Retry #620
^C

3. What steps have you already taken to try and solve the problem?

Tried root-ca certificate of Wazuh-indexer and added it in trusted certs in graylog

4. How can the community help?

how can i perform this process?

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

kpearson · January 11, 2023, 11:25am

The issue lies here:

DN: CN=wazuh-indexer, OU=Wazuh, O=Wazuh, L=California, C=US
subjectAltNames: [127.0.0.1]. - Hostname 172.22.22.22 not verified:
certificate: sha256—keyyyyyyyyyyyyyyhere

You are using TLS but your certificate doesn’t have the hostname you are trying to connect to in the SAN, you must add 172.22.22.22 or the actual hostname into your SAN of the certificate and then connect to it correctly.

ShahidAkhterSec · January 11, 2023, 12:22pm

i have created certificate again , and added it , now getting this error:

nable to retrieve version from Elasticsearch node: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors. - Path does not chain with any of the trust anchors.

kpearson · January 11, 2023, 12:41pm

Did you add the full chain of certificates to the Graylog keystore or only the new certificate?

ShahidAkhterSec · January 11, 2023, 1:02pm

I have used this process ,
mkdir /etc/graylog/server/certs
cp -a /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts /etc/graylog/server/certs/cacerts
keytool -importcert -keystore /etc/graylog/server/certs/cacerts -storepass changeit -alias root_ca -file /etc/graylog/server/certs/rootCA.crt

in here, rootCA.crt file is copied from wazuh-indexer.

How can i add full chain if i havent?

kpearson · January 11, 2023, 1:39pm

Did you edit /ect/default/graylog-server to point the JVM to your custom truststore? See the bottom of Using HTTPS

In order for the JVM to pick up the new trust store, it has to be started with the JVM parameter -Djavax.net.ssl.trustStore=/path/to/cacerts.jks . If you’ve been using another password to encrypt the JVM trust store than the default changeit , you additionally have to set the JVM parameter -Djavax.net.ssl.trustStorePassword=secret .

ShahidAkhterSec · January 11, 2023, 1:54pm

I have this configuration.

Path to the java executable.

JAVA=/usr/bin/java

Default Java options for heap and garbage collection.

GRAYLOG_SERVER_JAVA_OPTS=“-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow”

Avoid endless loop with some TLSv1.3 implementations.

GRAYLOG_SERVER_JAVA_OPTS=“$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true”

Fix for log4j CVE-2021-44228

#GRAYLOG_SERVER_JAVA_OPTS=“$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true”
GRAYLOG_SERVER_JAVA_OPTS=“$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true -Djavax.net.ssl.trustStore=/etc/graylog/server/certs/cacerts -Djavax.net.ssl.trustStorePassword=changeit”

Pass some extra args to graylog-server. (i.e. “-d” to enable debug mode)

GRAYLOG_SERVER_ARGS=“”

Program that will be used to wrap the graylog-server command. Useful to

support programs like authbind.

GRAYLOG_COMMAND_WRAPPER=“”

ShahidAkhterSec · January 12, 2023, 7:28am

Tried certification renewal etc. Nothing works.
@kpearson Any Update?

kpearson · January 12, 2023, 2:47pm

The only thing I can think of, off the top of my head is checking that the root rootCA.crt file you imported is marked as trusted in the keystore and matches the same one that signed your new certificate, you could also just directly import the wazuh indexer certificate and see if that does anything. It’s hard to tell exactly what’s going wrong because the error is clear that the JVM can’t validate the certificate to a trusted authority but I’m not sure why.

ramindia · January 12, 2023, 8:42pm

Can you post :

cat /etc/wazuh-indexer/opensearch.yml | egrep -v “^\s*(#|$)”

#openssl x509 -subject -nameopt RFC2253 -noout -in yourcert.pem (this should be your cert PEM)

Also refer below discussion to fix the issue :

system · January 26, 2023, 8:42pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Integrating graylog with wazuh cluster Graylog Central (peer support) elastic	3	1099	February 16, 2023
Problem in Connection Between Graylog and Wazuh Indexer (Opensearch Fork) Graylog Central (peer support)	4	1154	March 5, 2024
Graylog 5.0 with Wazuh Indexer Graylog Central (peer support)	12	7546	June 6, 2023
Error Parsing Wazuh data Graylog Central (peer support)	4	149	August 3, 2024
Integrating wazuh indexer with Graylog Graylog Central (peer support)	10	6002	November 28, 2022