Changing the default password of Wazuh users

We recommend changing the default Wazuh user's password to improve security.

There are two types of users on Wazuh Docker environments:

  • Wazuh indexer users

  • Wazuh server API users

Follow the steps below to change the password of these Wazuh users.

Note

Depending on your Wazuh Docker stack, you must run the commands from the wazuh-docker/single-node or wazuh-docker/multi-node directory.

Wazuh indexer user

The Wazuh indexer has the admin and kibanaserver users by default. You can access the Wazuh dashboard using either the admin or kibanaserver user credentials.

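To change these credentials, you must:

  1. Log out of your Wazuh dashboard.

  2. Set the new password in the Docker Compose file.

  3. Set a new hash.

  4. Apply the changes.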

Warning

  • You can only change one user's password at a time.

  • If you have custom users, add them to the config/wazuh_indexer/internal_users.yml file in the deployment model directory. Otherwise, executing this procedure deletes them.

Logging out of your Wazuh dashboard

You must log out of your Wazuh dashboard before starting the password change process. If you don't, persistent session cookies will cause errors when accessing Wazuh after changing user passwords.

Setting the new password in the Docker Compose file

Note

If your password contains the $ character, you must escape it by doubling it. For example, to set the password Secret$Password in the docker-compose.yml file, write it as Secret$$Password.

  1. Open the docker-compose.yml file. Replace all occurrences of the old password with the new one. For example, for a single-node stack:

    ...
    services:
      wazuh.manager:
        ...
        environment:
          - INDEXER_URL=https://wazuh.indexer:9200
          - INDEXER_USERNAME=admin
          - INDEXER_PASSWORD=SecretPassword
          - FILEBEAT_SSL_VERIFICATION_MODE=full
          - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
          - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
          - SSL_KEY=/etc/ssl/filebeat.key
          - API_USERNAME=wazuh-wui
          - API_PASSWORD=MyS3cr37P450r.*-
        ...
      wazuh.indexer:
        ...
        environment:
          - "OPENSEARCH_JAVA_OPTS=-Xms1024m -Xmx1024m"
        ...
      wazuh.dashboard:
        ...
        environment:
          - INDEXER_USERNAME=admin
          - INDEXER_PASSWORD=SecretPassword
          - WAZUH_API_URL=https://wazuh.manager
          - DASHBOARD_USERNAME=kibanaserver
          - DASHBOARD_PASSWORD=kibanaserver
          - API_USERNAME=wazuh-wui
          - API_PASSWORD=MyS3cr37P450r.*-
        ...
    

Setting a new hash

Follow the steps below to generate and set a new password hash for your Wazuh users.

  1. Stop the stack if it's running:

    # docker compose down
    
  2. Run this command to generate the hash for your new password:

    # docker run --rm -ti wazuh/wazuh-indexer:4.12.0 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
    

    Once the container launches, input the new password and press Enter.

  3. Copy the generated hash.

  4. Open the config/wazuh_indexer/internal_users.yml file. Locate the block for the user whose password you want to change.

  5. Replace <NEW_HASH> with your hash values.

    ...
    
    admin:
      hash: "<NEW_HASH>"
      reserved: true
      backend_roles:
      - "admin"
      description: "Demo admin user"
    
    ...
    

    Save the changes.

Applying the changes

After updating the docker-compose.yml file, restart the Wazuh Docker stack and reapply the settings using the securityadmin.sh tool.

  1. Start the deployment stack.

    # docker compose up -d
    
  2. Run docker ps and note the name of the first Wazuh indexer container. For example, single-node-wazuh.indexer-1, or multi-node-wazuh1.indexer-1.

  3. Run docker exec -it <WAZUH_INDEXER_CONTAINER_NAME> bash to access the container. Replace <WAZUH_INDEXER_CONTAINER_NAME> with the Wazuh indexer container name. For example, use single-node-wazuh.indexer-1 for the single-node stack and multi-node-wazuh1.indexer-1 for the multi-node stack:

    # docker exec -it single-node-wazuh.indexer-1 bash
    
  4. Set the following variables:

    export INSTALLATION_DIR=/usr/share/wazuh-indexer
    CACERT=$INSTALLATION_DIR/certs/root-ca.pem
    KEY=$INSTALLATION_DIR/certs/admin-key.pem
    CERT=$INSTALLATION_DIR/certs/admin.pem
    export JAVA_HOME=/usr/share/wazuh-indexer/jdk
    
  5. Wait for the Wazuh indexer to initialize properly. The waiting time can vary from one to five minutes. It depends on the size of the cluster, the assigned resources, and the network speed. Then, run the securityadmin.sh script to apply all changes.

    $ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl
    
  6. Exit the Wazuh indexer container. Refresh the Wazuh dashboard and log in with the new credentials.
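
One way to check the edited docker-compose.yml before restarting the stack, as an added example that is not part of the Wazuh documentation: it reports password variables that still hold a default value shown on this page, or whose value differs between services. The function names and the sample file are constructed for illustration.

```shell
# Added example, not part of the Wazuh documentation; function names are hypothetical.
# DEFAULTS lists the password values shown in this page's sample docker-compose.yml.
DEFAULTS='SecretPassword kibanaserver MyS3cr37P450r.*-'

# Print one finding per line: the variable name and line number, never the value.
audit_compose_passwords() {
    awk -v defaults="$DEFAULTS" '
    BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) isdef[d[i]] = 1 }
    match($0, /[A-Z_]+_PASSWORD=/) {
        key = substr($0, RSTART, RLENGTH - 1)
        val = substr($0, RSTART + RLENGTH)
        sub(/"?[ \t]*$/, "", val)   # drop a closing quote and trailing blanks
        if (val in isdef) printf "DEFAULT %s line %d\n", key, NR
        # The same variable must carry the same value in every service.
        if ((key in seen) && seen[key] != val) printf "MISMATCH %s line %d\n", key, NR
        seen[key] = val
    }' "$1"
}

# Constructed sample: the admin password was changed for wazuh.manager only.
sample_compose() {
    cat <<'EOF'
services:
  wazuh.manager:
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=N3w.Indexer-Pass
      - API_PASSWORD=MyS3cr37P450r.*-
  wazuh.dashboard:
    environment:
      - INDEXER_PASSWORD=SecretPassword
      - DASHBOARD_PASSWORD=kibanaserver
      - API_PASSWORD=MyS3cr37P450r.*-
EOF
}

tmp=$(mktemp) && sample_compose > "$tmp" && audit_compose_passwords "$tmp"
rm -f "$tmp"
```

A MISMATCH line means one occurrence of the old password was missed; a DEFAULT line marks a credential that has not been changed yet.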

Wazuh server API users

The wazuh-wui user is the default user for connecting to the Wazuh server API. Follow these steps to change the password.

Warning

The password for Wazuh server API users must be between 8 and 64 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one symbol. The Wazuh manager service fails to start if these requirements are not met.

  1. Open the config/wazuh_dashboard/wazuh.yml file and modify the value of the password parameter.

    ...
    hosts:
      - 1513629884013:
          url: "https://wazuh.manager"
          port: 55000
          username: wazuh-wui
          password: "MyS3cr37P450r.*-"
          run_as: false
    ...
    
  2. Open the docker-compose.yml file. Replace all occurrences of the old password with the new one.

    ...
    services:
      wazuh.manager:
        ...
        environment:
          - INDEXER_URL=https://wazuh.indexer:9200
          - INDEXER_USERNAME=admin
          - INDEXER_PASSWORD=SecretPassword
          - FILEBEAT_SSL_VERIFICATION_MODE=full
          - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
          - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
          - SSL_KEY=/etc/ssl/filebeat.key
          - API_USERNAME=wazuh-wui
          - API_PASSWORD=MyS3cr37P450r.*-
        ...
      wazuh.dashboard:
        ...
        environment:
          - INDEXER_USERNAME=admin
          - INDEXER_PASSWORD=SecretPassword
          - WAZUH_API_URL=https://wazuh.manager
          - DASHBOARD_USERNAME=kibanaserver
          - DASHBOARD_PASSWORD=kibanaserver
          - API_USERNAME=wazuh-wui
          - API_PASSWORD=MyS3cr37P450r.*-
        ...
    
  3. Recreate the Wazuh containers:

    # docker compose down
    # docker compose up -d
    

Refer to logging in to the Wazuh server API via the command line to learn more.
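
The password rule for Wazuh server API users and the `$` escaping rule for docker-compose.yml, both stated above, can be checked before any file is edited. The following is an added example, not part of the Wazuh documentation; the function names and the sample password are constructed, and "symbol" is assumed to mean any character that is not an ASCII letter or digit.

```shell
# Added example, not part of the Wazuh documentation; function names are hypothetical.

# Print every unmet requirement of the Wazuh server API password rule and
# return non-zero if there is one. Assumption: "symbol" means any character
# that is not an ASCII letter or digit.
check_api_password() (
    LC_ALL=C                      # byte-wise ranges and length, ASCII passwords assumed
    pw=$1
    fail=0
    miss() { echo "password $1"; fail=1; }
    { [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 64 ]; } || miss "must be 8 to 64 characters long"
    case $pw in *[A-Z]*) ;; *) miss "needs an uppercase letter" ;; esac
    case $pw in *[a-z]*) ;; *) miss "needs a lowercase letter" ;; esac
    case $pw in *[0-9]*) ;; *) miss "needs a number" ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) miss "needs a symbol" ;; esac
    exit "$fail"
)

# Double every $ so that Docker Compose keeps it literal in docker-compose.yml.
compose_escape() {
    printf '%s' "$1" | sed 's/\$/$$/g'
}

# Succeed when a value taken from docker-compose.yml still has a lone $,
# which Compose would treat as the start of a variable reference.
has_unescaped_dollar() {
    rest=$(printf '%s' "$1" | sed 's/\$\$//g')
    case $rest in *'$'*) return 0 ;; *) return 1 ;; esac
}

new='N3w$Api.Passw0rd'            # constructed sample password
if check_api_password "$new"; then
    echo "API_PASSWORD=$(compose_escape "$new")"
fi
```

Compose turns `$$` back into a single `$` when it reads the file, so the doubled form is only for docker-compose.yml.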