Password management
Note
If you deployed Wazuh on Docker, read Change the password of Wazuh users for specific instructions.
Learn how to use the Wazuh passwords tool to manage your passwords. This tool allows you to change the passwords of both the Wazuh indexer users, also known as internal users, and the Wazuh manager API users.
Among the Wazuh indexer users, it is worth mentioning the following:
admin: is the default administrator user. It's used to log in to the web interface and for communications between Filebeat and the Wazuh indexer. If you change the admin password, you must update it in Filebeat and the Wazuh server.
kibanaserver: is used for communications between the Wazuh dashboard and the Wazuh indexer. If you change the kibanaserver password, you must update it in the Wazuh dashboard.
On the other hand, the Wazuh manager API has two default users:
wazuh: is the default Wazuh manager API administrator user.
wazuh-wui: is an admin user used for communications between Wazuh dashboard and the Wazuh manager API. If you change the wazuh-wui password, you must update it in the Wazuh dashboard.
If you use the tool in an all-in-one deployment, it automatically updates the passwords where necessary. If you use it in a distributed environment, depending on the user whose password you change, you may have to update the password on other components. See Changing the passwords in a distributed environment for more details.
The passwords tool is embedded in the Wazuh indexer under /usr/share/wazuh-indexer/plugins/opensearch-security/tools/
. You can use the embedded version or download it with the following command:
# curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/4.9/wazuh-passwords-tool.sh
All the available options to run the script are:
Options |
Purpose |
---|---|
-a / --change-all |
Changes all the Wazuh indexer and Wazuh API user passwords and prints them on screen. To change API passwords -au|--admin-user and -ap|--admin-password are required. |
-A, --api |
Change the Wazuh API password given the current password. Requires -u|--user, and -p|--password, -au|--admin-user and -ap|--admin-password. |
-au,--admin-user <adminUser> |
Admin user for the Wazuh API. Required for changing the Wazuh API passwords. Requires -A|--api. |
-ap, --admin-password <adminPassword> |
Password for the Wazuh API admin user. Required for changing the Wazuh API passwords. Requires -A|--api. |
-u / --user <user> |
Indicates the name of the user whose password will be changed. If no password is specified, it will generate a random one. |
-p / --password <password> |
Indicates the new password. Must be used with option -u. |
-c / --cert <route-admin-certificate> |
Indicates route to the admin certificate. |
-k / --certkey <route-admin-certificate-key> |
Indicates route to the admin certificate key. |
-v / --verbose |
Shows the complete script execution output. |
-f / --file <password_file.yml> |
Changes the passwords for the ones given in the file. Wazuh indexer users must have this format:
Wazuh API users must have this format:
|
-gf, --generate-file <passwords.wazuh> |
Generate password file with random passwords for standard users. |
-h / --help |
Shows help. |
Changing the password for single user
To change the password for a single Wazuh indexer user, run the script with the -u
option and indicate the new password with the option -p
. The password must have a length between 8 and 64 characters and contain at least one upper case letter, one lower case letter, a number and one of the following symbols: .*+?-
. If no password is specified, the script will generate a random one.
# bash wazuh-passwords-tool.sh -u admin -p Secr3tP4ssw*rdINFO: Generating password hash WARNING: Password changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
If you use the tool in an all-in-one deployment, it automatically updates the passwords where necessary. If you use it in a distributed environment, depending on the user whose password you change, you may have to update the password on other components. See Changing the passwords in a distributed environment for more details.
If you want to change the password for a Wazuh manager API user, run the script on a Wazuh server node and use option -A, --api
. Alternatively, you can change the Wazuh manager API passwords following the instructions in the Securing the Wazuh API documentation.
Changing the passwords for all users
To generate and change passwords for all the Wazuh indexer users, run the script with the -a
option:
# bash wazuh-passwords-tool.sh -aINFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed. INFO: The password for user admin is kwd139yG?YoIK?lRnqcXQ4R4gJDlAqKn INFO: The password for user kibanaserver is Bu1WIELh9RdRlf*oGjinN1?yhF6XzA7V INFO: The password for user kibanaro is 7kZvau11cPn6Y1SbOsdr8Kwr*BRiK3u+ INFO: The password for user logstash is SUbk4KTmLl*geQbUg0c5tyfwahjDMhx5 INFO: The password for user readall is ?w*Itj1Lgz.5w.C7vOw0Kxi7G94G8bG* INFO: The password for user snapshotrestore is Z6UXgM8Sr0bfV.i*6yPPEUY3H6Du2rdz WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
If you use the tool in an all-in-one deployment, it automatically updates the passwords where necessary. If you use it in a distributed environment, you have to update the password on other components. See Changing the passwords in a distributed environment for more details.
On an all-in-one deployment, use options -a
, -au
and -ap
to also change the passwords for all the Wazuh indexer and the Wazuh manager API users.
# sudo bash wazuh-passwords-tool.sh -a -au wazuh -ap KTb+Md+rR74J2yHfoGGnFGHGm03GadyuINFO: The password for user admin is Wkw+b2rM6BEOwUmGfr*m*i1ithWw.dg2 INFO: The password for user kibanaserver is 5Y0lIfCwmjkus9nWAAVxMInI+Eth25hr INFO: The password for user kibanaro is kJG7fHX18.UJIZoNip5nDo*34DN+cGBL INFO: The password for user logstash is wuabgegtKsQABems5RNJfV0AOmxT?81T INFO: The password for user readall is gKSuQFGG.Sa0L9gzJX5WZHPP3Y4Es+sU INFO: The password for user snapshotrestore is UdyI8ToXkgVCNOPfJ*FX*a5vybeB.rUw WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services. INFO: The password for Wazuh API user wazuh is zG0yTsAiettOXWEB79Aca1jbQ5.UeW3M INFO: The password for Wazuh API user wazuh-wui is JmKiaCBQo?4Ne0yrM4+n7kGdXGfCmVjO INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.
Changing the passwords using a formatted file
Use a formatted file to indicate the passwords and run the script with the -f
option followed by the file path. Use the following pattern to indicate the users and passwords in the formatted file.
For Wazuh indexer users:
# Description indexer_username: <user> indexer_password: <password>
For Wazuh manager API users:
# Description api_username: <user> api_password: <password>
If the -a
option is used in combination with the -f
option, all users not included in the file are given a random password.
The options -au
and -ap
are necessary to change the passwords for the API users.
Changing the passwords in a distributed environment
Follow the instructions below to change the passwords for all the Wazuh indexer users as well as the Wazuh manager API users.
On any Wazuh indexer node, use the Wazuh passwords tool to change the passwords of the Wazuh indexer users.
# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all
INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed. INFO: The password for user admin is wcAny.XUwOVWHFy.+7tW9l8gUW1L8N3j INFO: The password for user kibanaserver is qy6fBrNOI4fD9yR9.Oj03?pihN6Ejfpp INFO: The password for user kibanaro is Nj*sSXSxwntrx3O7m8ehrgdHkxCc0dna INFO: The password for user logstash is nQg1Qw0nIQFZXUJc8r8+zHVrkelch33h INFO: The password for user readall is s0iWAei?RXObSDdibBfzSgXdhZCD9kH4 INFO: The password for user snapshotrestore is Mb2EHw8SIc1d.oz.nM?dHiPBGk7s?UZB WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
On your Wazuh server master node, download the Wazuh passwords tool and use it to change the passwords of the Wazuh API users. Replace
<WAZUH_PASSWORD>
with the wazuh user password.# curl -sO https://packages.wazuh.com/4.9/wazuh-passwords-tool.sh # bash wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password <WAZUH_PASSWORD>
INFO: The password for Wazuh API user wazuh is ivLOfmj7.jL6*7Ev?UJoFjrkGy9t6Je. INFO: The password for Wazuh API user wazuh-wui is fL+f?sFRPEv5pYRE559rqy9b6G4Z5pVi
If you've set up a user other than
admin
for Filebeat, manually add the username and password using the following commands. Replace<CUSTOM_USERNAME>
and<CUSTOM_PASSWORD>
with your custom username and password.# echo <CUSTOM_USERNAME> | filebeat keystore add username --stdin --force # echo <CUSTOM_PASSWORD> | filebeat keystore add password --stdin --force
Restart Filebeat to apply the changes.
# systemctl restart filebeat
# service filebeat restart
On your Wazuh dashboard node, run the following command to update the kibanaserver password in the Wazuh dashboard keystore. Replace
<KIBANASERVER_PASSWORD>
with the random password generated in the first step.# echo <KIBANASERVER_PASSWORD> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
Update the
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
configuration file with the new wazuh-wui password generated in the second step.hosts: - default: url: https://127.0.0.1 port: 55000 username: wazuh-wui password: "<wazuh-wui-password>" run_as: false
Restart the Wazuh dashboard to apply the changes.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart