API is failing with 400 code #629

Open
Thorgrym opened this issue Mar 25, 2024 · 1 comment

@Thorgrym

Hello, I have the exact same issue as in this Google Groups thread from 2 years ago:
https://groups.google.com/g/wazuh/c/-FTAUtq6-j8

When I enable the Vulnerability detector in the ossec.conf of my Wazuh manager master, sometimes the requests to the API are made with an "unknown_user" and then start failing with error 400.
The only way to make Wazuh work again afterwards is restarting the Wazuh manager.

Here are the API logs of the manager:

2024/03/25 11:35:54 INFO: wazuh-wui 10.2.0.7 "GET /cluster/status" with parameters {} and body {} done in 0.023s: 200
2024/03/25 11:35:54 INFO: wazuh-wui 10.2.0.7 "GET /cluster/wazuh-manager-master/configuration/request/remote" with parameters {} and body {} done in 0.098s: 200
2024/03/25 11:35:54 INFO: wazuh-wui 10.2.0.7 "GET /cluster/wazuh-manager-master/configuration/auth/auth" with parameters {} and body {} done in 0.125s: 200
2024/03/25 11:35:54 INFO: wazuh-wui 10.2.0.7 "GET /groups" with parameters {} and body {} done in 0.022s: 200
2024/03/25 11:40:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.017s: 400
2024/03/25 11:40:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.007s: 400
2024/03/25 11:45:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.013s: 400
2024/03/25 11:45:00 INFO: unknown_user 10.2.0.7 "GET /cluster/status" with parameters {} and body {} done in 0.007s: 400
2024/03/25 11:45:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.014s: 400
2024/03/25 11:50:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.014s: 400
2024/03/25 11:50:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.008s: 400
2024/03/25 11:55:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.010s: 401
2024/03/25 11:55:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.003s: 401
2024/03/25 11:55:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.007s: 400
2024/03/25 11:55:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.005s: 400
2024/03/25 12:00:00 INFO: unknown_user 10.2.0.7 "GET /cluster/status" with parameters {} and body {} done in 0.007s: 401
2024/03/25 12:00:01 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.006s: 401
2024/03/25 12:00:01 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.009s: 401
2024/03/25 12:00:01 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.008s: 400
2024/03/25 12:00:01 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.006s: 400
2024/03/25 12:00:01 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.006s: 400
2024/03/25 12:05:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.007s: 401
2024/03/25 12:05:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.003s: 401
2024/03/25 12:05:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.007s: 400
2024/03/25 12:05:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.005s: 400
2024/03/25 12:10:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.008s: 401
2024/03/25 12:10:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.003s: 401
2024/03/25 12:10:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.008s: 400
2024/03/25 12:10:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.005s: 400
2024/03/25 12:15:00 INFO: unknown_user 10.2.0.7 "GET /cluster/status" with parameters {} and body {} done in 0.009s: 401

Here is the result of service wazuh-manager status when everything is fine:

wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

And after the API stops responding:

wazuh-clusterd is running...
wazuh-modulesd not running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

We see that modulesd stopped. I also did a status at the moment of the API failure and got this: wazuh-modulesd: Process 21214 not used by Wazuh, removing...

Here I can provide the last log in ossec.log just before the crash of the API:

2024/03/25 12:35:47 rootcheck: INFO: Ending rootcheck scan.
2024/03/25 12:42:23 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Xenial' feed finished successfully.
2024/03/25 12:42:23 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2024/03/25 12:47:13 wazuh-db: ERROR: sqlite3_step(): UNIQUE constraint failed: sca_scan_info.id
2024/03/25 12:51:00 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Bionic' feed finished successfully.
2024/03/25 12:51:00 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Focal' database update.
2024/03/25 12:58:06 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Focal' feed finished successfully.
2024/03/25 12:58:06 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Jammy' database update.
2024/03/25 13:04:09 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Jammy' feed finished successfully.
2024/03/25 13:04:09 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Buster' database update.

Thanks
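
Added example, not part of the original post and not Wazuh project code: a small Python check that parses API log lines and `service wazuh-manager status` output in the formats shown above, reports when 400/401 responses begin without any later success, and lists daemons that went from running to not running. The function names are hypothetical and the sample input is a short excerpt of the lines in this issue.

```python
import re
from collections import Counter

# Line formats as they appear in the issue above (API log and `service wazuh-manager status`).
API_LINE = re.compile(r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) INFO: (?P<user>\S+) \S+ '
                      r'"(?P<method>[A-Z]+) (?P<path>[^"]+)".* done in [\d.]+s: (?P<code>\d{3})$')
STATUS_LINE = re.compile(r'^(?P<daemon>wazuh-\S+) (?P<state>is running|not running)\.\.\.$')

def parse_api(text):
    """Return one dict per API log line that matches the format."""
    return [m.groupdict() for m in map(API_LINE.match, text.splitlines()) if m]

def failure_onset(entries):
    """Timestamp of the first 400/401 that is not followed by any 2xx response, else None."""
    onset = None
    for e in entries:
        if e["code"].startswith("2"):
            onset = None  # a later success means the API recovered
        elif e["code"] in ("400", "401") and onset is None:
            onset = e["ts"]
    return onset

def failures_by_user(entries):
    """Count 400/401 responses per (user, path, code)."""
    return Counter((e["user"], e["path"], e["code"]) for e in entries if e["code"] in ("400", "401"))

def stopped_daemons(before, after):
    """Daemons reported as running in `before` and not running in `after`."""
    def states(text):
        return {m["daemon"]: m["state"] for m in map(STATUS_LINE.match, text.splitlines()) if m}
    b, a = states(before), states(after)
    return sorted(d for d, s in b.items() if s == "is running" and a.get(d) == "not running")

# Short excerpts of the log and status lines posted in this issue.
API_LOG = '''
2024/03/25 11:35:54 INFO: wazuh-wui 10.2.0.7 "GET /groups" with parameters {} and body {} done in 0.022s: 200
2024/03/25 11:40:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.017s: 400
2024/03/25 11:55:00 INFO: unknown_user 10.2.0.7 "GET /cluster/nodes" with parameters {"select": "name"} and body {} done in 0.010s: 401
2024/03/25 11:55:00 INFO: wazuh-wui 10.2.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.007s: 400
'''
STATUS_OK = "wazuh-modulesd is running...\nwazuh-maild not running...\nwazuh-apid is running..."
STATUS_BAD = "wazuh-modulesd not running...\nwazuh-maild not running...\nwazuh-apid is running..."

if __name__ == "__main__":
    entries = parse_api(API_LOG)
    print("failure onset:", failure_onset(entries))
    for key, n in failures_by_user(entries).items():
        print(n, *key)
    print("stopped since last good status:", stopped_daemons(STATUS_OK, STATUS_BAD))
```

Daemons that were already not running in the healthy status (such as wazuh-maild here) are not reported, so only the change that accompanies the API failure stands out.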

@estefanocreare

I'm facing this issue as well.
