🛡️ Wazuh SIEM Project

Enterprise security monitoring · Migrated from VirtualBox to Proxmox

📌 Overview

Enterprise-grade security monitoring running on Proxmox. This SIEM (Security Information and Event Management) system collects and analyzes security data from multiple endpoints.

๐Ÿ—๏ธ Architecture

โš™๏ธ Current Setup

๐Ÿšจ Migration Issues Faced

Issue #1: KVM Virtualization Error

TASK ERROR: KVM virtualisation configured, but not available.
Either disable in VM configuration or enable in BIOS.

Cause: Virtualization was disabled in the ThinkCentre BIOS. KVM needs the CPU's hardware virtualization extension (Intel VT-x, which shows up as the vmx flag in /proc/cpuinfo on the Proxmox host); while it is off, every VM start fails with this error.

✅ Fix: Entered BIOS (F1 at boot) and enabled:
  • Intel Virtualization Technology (VT-x, the one KVM requires)
  • VT-d (IOMMU; only needed for PCI passthrough, but harmless to enable)

Issue #2: GRUB Rescue Mode

error: invalid arch-independent ELF magic.
Entering rescue mode...
grub rescue>

Cause: Direct VDI import changed the disk geometry, and GRUB could no longer read its own files from /boot. The message itself comes from GRUB's module loader: a file it read from /boot/grub did not start with the ELF magic bytes at all, meaning it was reading garbage rather than a module. That points at a damaged or mis-located filesystem rather than a missing grub.cfg, and matches TestDisk's verdict in Issue #3. The disk used GPT/UEFI partitioning, which adds a second thing to check on any import: a Proxmox VM defaults to SeaBIOS, so a UEFI guest also needs BIOS set to OVMF and an EFI disk before it can boot at all.

✅ Fix: After 6+ hours of recovery attempts (Issue #3), a fresh install was the only solution.

Issue #3: TestDisk Recovery (6+ Hours)

TestDisk found duplicate partitions but ultimately reported:
"Can't open filesystem. Filesystem seems damaged."

Details:

  • Quick Search found one partition with limited directories (missing /home, /var, /usr)
  • Deeper Search found two identical partitions
  • Made one Primary (P), kept the other Deleted (D)
  • Wrote the partition table, but the filesystem still couldn't be mounted

✅ Conclusion: The partition was too damaged. A fresh install was faster than recovery. When trying this again, point TestDisk at a copy of the disk image rather than the only one: writing a recovered partition table to the original removes the option to retry.

Issue #4: Indexer Failed to Start

Error opening log file '/var/log/wazuh-indexer/gc.log': No such file or directory
Could not create the Java Virtual Machine.

Cause: Missing log directory. jvm.options tells the JVM to write gc.log under /var/log/wazuh-indexer/; when that directory is absent the JVM refuses to start at all, which is what the second line reports.

✅ Fix:
# Create the log directory, owned by the service user
sudo mkdir -p /var/log/wazuh-indexer
sudo chown -R wazuh-indexer:wazuh-indexer /var/log/wazuh-indexer

Issue #5: HTTP 429 "Too Many Requests"

3002 - Request failed with status code 429

Cause: Indexer memory exhaustion. The JVM heap was too small (1GB) for the workload, so the indexer rejected requests and the dashboard surfaced the rejections as 429.

✅ Fix: Increased the JVM heap size:
sudo nano /etc/wazuh-indexer/jvm.options
# Changed from:
-Xms1g
-Xmx1g
# To:
-Xms4g
-Xmx4g
sudo systemctl restart wazuh-indexer

Keep -Xms and -Xmx equal, and keep the heap at or below half of the VM's memory (the indexer relies on the OS page cache for the rest); a heap larger than the VM can actually back trades 429s for swapping or an OOM kill.

Issue #6: Indexer Not Listening on Port 9200

curl: (7) Failed to connect to localhost port 9200: Connection refused

Cause: The indexer service reported running, but nothing was bound to 9200. Adding an explicit http.port resolved it here. Note that OpenSearch listens on 9200 by default when http.port is absent, so if the symptom recurs also confirm that the JVM actually stayed up (journalctl -u wazuh-indexer and the indexer's own log under /var/log/wazuh-indexer/) and that network.host is not bound to an address other than the one being queried.

✅ Fix: Added explicit port configuration:
sudo nano /etc/wazuh-indexer/opensearch.yml
# Add:
http.port: 9200
sudo systemctl restart wazuh-indexer

Issue #7: API Authentication Failed

"Invalid username or password" even with correct credentials

The confusion:

  • Dashboard config had a placeholder password instead of the generated one
  • The password tool gave "user does not exist" errors
  • The certificate method failed with key permissions

✅ Fix: Found the actual password in the installation log and put it in the dashboard's API host entry:
sudo grep -A 5 "Password" /var/log/wazuh-install.log
# Updated the password under hosts: in the dashboard config
sudo nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
sudo systemctl restart wazuh-dashboard

The generated credentials also sit in wazuh-passwords.txt inside wazuh-install-files.tar, which the installation assistant leaves in the directory it was run from. That archive and the install log hold every cluster password in cleartext, and wazuh.yml holds the API password the same way; keep them root-readable only and delete the installer artifacts once the passwords are stored somewhere safer.
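The three failures above (heap too small, nothing bound on 9200, a placeholder API password left in wazuh.yml) are all things a short pre-flight script can catch before the dashboard starts throwing errors. The script below is an added example written for this page, not code from the original project or from Wazuh. The file paths are the Wazuh 4.x defaults quoted in the issues; the half-of-RAM heap rule, the 31 GiB cap and the placeholder patterns it looks for are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page or of Wazuh: pre-flight checks for
# the failure modes in Issues #5-#7. Paths are Wazuh 4.x defaults; the heap rule of
# thumb, the 31 GiB cap and the placeholder-password patterns are assumptions.

# Print "<-Xms> <-Xmx>" from a jvm.options file, both in MiB (last occurrence wins,
# as it does for the JVM). Accepts the k/m/g suffixes and bare byte counts.
parse_heap_mb() {
  awk '
    /^-Xm[sx][0-9]+[kKmMgG]?$/ {
      size = substr($0, 5)
      unit = tolower(substr(size, length(size)))
      if (unit ~ /^[kmg]$/) num = substr(size, 1, length(size) - 1); else { num = size; unit = "b" }
      if (unit == "g") mb = num * 1024
      else if (unit == "m") mb = num
      else if (unit == "k") mb = num / 1024
      else mb = num / 1048576
      if (substr($0, 1, 4) == "-Xms") xms = mb; else xmx = mb
    }
    END { printf "%d %d\n", xms + 0, xmx + 0 }' "$1"
}

# Heap to recommend for a host with $1 MiB of RAM (assumed rule: half of RAM,
# never above 31 GiB so compressed object pointers stay on, at least 1 GiB).
recommend_heap_mb() {
  half=$(( $1 / 2 ))
  if [ "$half" -gt 31744 ]; then half=31744; fi
  if [ "$half" -lt 1024 ]; then half=1024; fi
  echo "$half"
}

# Return 0 when the heap in jvm.options $1 is sane for $2 MiB of RAM,
# 1 when -Xms and -Xmx differ, 2 when -Xmx exceeds half of RAM.
check_heap() {
  heap=$(parse_heap_mb "$1")
  xms=${heap% *}; xmx=${heap#* }; total=$2
  if [ "$xms" -ne "$xmx" ]; then
    echo "heap: -Xms=${xms}m but -Xmx=${xmx}m; set both to the same value"
    return 1
  fi
  if [ "$xmx" -gt $(( total / 2 )) ]; then
    echo "heap: -Xmx=${xmx}m is more than half of ${total}m RAM; give the VM more memory or lower the heap"
    return 2
  fi
  echo "heap: ${xmx}m of ${total}m RAM looks fine"
}

# Return 0 when something is listening on TCP port $1 (ss, with a /proc fallback).
port_listening() {
  if command -v ss >/dev/null 2>&1; then
    [ -n "$(ss -Hltn "sport = :$1" 2>/dev/null)" ]
  else
    hex=$(printf '%04X' "$1")
    awk -v p=":$hex" 'NR > 1 && $2 ~ (p "$") && $4 == "0A" { found = 1 } END { exit !found }' /proc/net/tcp
  fi
}

# Print the names of hosts in the dashboard's wazuh.yml whose API password is still
# a placeholder (<...>, empty, or a well-known default); return 1 if any were found.
placeholder_passwords() {
  awk '
    /^[ \t]*-[ \t]*[A-Za-z0-9_-]+:[ \t]*$/ { host = $2; sub(/:$/, "", host) }
    /^[ \t]*password:/ {
      pw = $0
      sub(/^[ \t]*password:[ \t]*/, "", pw)
      gsub(/^["'\'']|["'\'']$/, "", pw)
      if (pw == "" || pw ~ /^<.*>$/ || tolower(pw) ~ /^(changeme|password|wazuh-wui)$/) { print host; bad++ }
    }
    END { exit (bad > 0) }' "$1"
}

# Everything together against the live system (run with --run as root).
stack_health() {
  for unit in wazuh-indexer wazuh-manager wazuh-dashboard; do
    printf '%-16s %s\n' "$unit" "$(systemctl is-active "$unit" 2>/dev/null || true)"
  done
  for port in 9200 55000 1514 1515 443; do   # indexer, API, agent events, enrollment, dashboard
    if port_listening "$port"; then echo "port $port: listening"; else echo "port $port: nothing listening"; fi
  done
  total_mb=$(awk '/^MemTotal:/ { printf "%d", $2 / 1024 }' /proc/meminfo)
  check_heap /etc/wazuh-indexer/jvm.options "$total_mb" || true
  echo "recommended -Xms/-Xmx for this host: $(recommend_heap_mb "$total_mb")m"
  if ! placeholder_passwords /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml; then
    echo "wazuh.yml: the host(s) above still carry a placeholder API password (Issue #7)"
  fi
}

if [ "${1-}" = "--run" ]; then stack_health; fi
```

Run it as root with --run on the Wazuh VM (root because wazuh.yml should not be readable by anyone else). The heap and wazuh.yml functions take a file path, so they can be pointed at copies of the files and exercised offline, which is also how they were checked here.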

Issue #8: Java Permission Errors

access denied ("java.io.FilePermission" "/var/log" "read")

Cause: The Java security policy the indexer's performance analyzer runs under did not grant the access it attempted.

✅ Fix: Added the permission to the security policy (inside the existing grant block):
sudo nano /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy
# Add:
permission java.lang.RuntimePermission "accessUserInformation";

The quoted denial names a FilePermission on /var/log while the line that resolved it grants a RuntimePermission, so when this recurs, copy the exact permission class and target from the "access denied" message into the grant block rather than widening file access: this policy is what bounds what the indexer's JVM may read and write.

Issue #9: Agent Connection Failure

ERROR: Unable to add agent (from manager)
Invalid group: defaultWAZUH_AGENT_NAME=debian-web

Cause: A missing space between the two environment variable assignments. With no space, the shell folded the second assignment into the value of the first, so the manager was asked to register the agent in a group literally named defaultWAZUH_AGENT_NAME=debian-web.

✅ Fix: Reinstalled the agent with the correct syntax:
sudo apt-get remove --purge wazuh-agent -y
sudo rm -rf /var/ossec/
# Correct: a SPACE between each variable assignment
sudo WAZUH_MANAGER='[MANAGER_IP]' dpkg -i wazuh-agent_4.7.5-1_amd64.deb

✅ Current Status

📋 Migration Journey

This Wazuh instance was originally running on VirtualBox and migrated to Proxmox. The migration involved:

📊 Quick Reference Commands

# Check service status
sudo systemctl status wazuh-indexer
sudo systemctl status wazuh-manager
sudo systemctl status wazuh-dashboard

# View logs
sudo journalctl -u wazuh-indexer -n 50
sudo tail -f /var/ossec/logs/ossec.log

# Reset the API user's password (then update wazuh.yml on the dashboard to match;
# the password is visible in shell history and ps while this runs)
cd /usr/share/wazuh-indexer/plugins/opensearch-security/tools/
sudo ./wazuh-passwords-tool.sh -u wazuh-wui -p [NEW_PASSWORD]

# Test the API connection (-k skips certificate verification: acceptable for the
# self-signed cert on localhost, not against a remote host)
curl -k -u wazuh-wui:[PASSWORD] https://localhost:55000

๐Ÿ“ Key Lessons Learned

โ† Back to Projects