


Wazuh: When things go wrong

Wazuh is a great EDR (Endpoint Detection and Response) system. It’s free and easy to set up, which I’ve covered in another post.

When things go wrong

You may set up a Wazuh server and forget about it. Or perhaps you’ve lost track of it and get it back online only to discover the UI isn’t loading. So here are some quick things to check with Wazuh:

Wazuh Manager Status

On an Ubuntu install, you can check whether the Wazuh manager is running fine with:

sudo systemctl status wazuh-manager

It should return some output with a green status for “active (running)”. If not, restart it with:

sudo systemctl restart wazuh-manager

Wait a few minutes after the restart, then re-run the status check. It should be up now.

Wazuh Dashboard Status

Check the Wazuh dashboard status with:

sudo systemctl status wazuh-dashboard

If it’s not showing a value like “active (running)” then restart it with:

sudo systemctl restart wazuh-dashboard

Remember to use HTTPS

Unless you provide your own cert, Wazuh will use its own self-signed one. So even if the manager and dashboard services are running, you may still find the UI isn’t loading. Make sure you are pointing to:

https://[wazuh server ip]

If it’s a self-signed cert, you’ll likely get a page saying that this is dangerous and that you should “go back”. Instead, you’ll need to click “advanced” and choose to continue, trusting your Wazuh server.
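
The checks above combined into one script, as an added example that is not from the original post: it checks both services, then probes the HTTPS endpoint and tells apart an untrusted (self-signed) certificate from a dashboard that is not answering. The function names, the 10-second timeout and the reading of HTTP 5xx as "still starting" are assumptions.

```bash
#!/usr/bin/env bash
# Added example: run the post's checks in order. Function names are illustrative.

# Return 0 only when systemd reports the unit as active.
unit_active() {
    [ "$(systemctl is-active "$1" 2>/dev/null)" = "active" ]
}

# Probe https://HOST/ and print one word:
#   trusted    - certificate verified against this machine's CA store
#   selfsigned - verification failed (curl exit 60) but the UI answers with -k
#   starting   - HTTP 5xx: something answers but is not ready (assumption)
#   down       - nothing usable on HTTPS
probe_dashboard() {
    local url="https://$1/" code rc=0 verdict=trusted
    code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$url") || rc=$?
    if [ "$rc" -eq 60 ]; then
        verdict=selfsigned
        rc=0
        code=$(curl -k -s -o /dev/null -m 10 -w '%{http_code}' "$url") || rc=$?
    fi
    if [ "$rc" -ne 0 ] || [ "$code" = "000" ]; then
        echo down
    elif [ "$code" -ge 500 ]; then
        echo starting
    else
        echo "$verdict"
    fi
}

# Walk through manager, dashboard and UI; return non-zero if anything failed.
wazuh_triage() {
    local host="$1" unit failed=0
    for unit in wazuh-manager wazuh-dashboard; do
        if unit_active "$unit"; then
            echo "$unit: active"
        else
            echo "$unit: NOT active, try: sudo systemctl restart $unit"
            failed=1
        fi
    done
    case $(probe_dashboard "$host") in
        trusted)    echo "UI: https://$host answers, certificate trusted" ;;
        selfsigned) echo "UI: https://$host answers, certificate untrusted (expect the browser warning)" ;;
        starting)   echo "UI: dashboard not ready yet, wait and re-check"; failed=1 ;;
        down)       echo "UI: nothing answering on https://$host"; failed=1 ;;
    esac
    return "$failed"
}

if [ "$#" -gt 0 ]; then wazuh_triage "$1"; fi
```

Saved to a file of your choice, it takes the server address as its only argument and exits non-zero if any check fails.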