Not being able to access a SIEM (Wazuh) VM web dashboard from a different VM

Question

Not being able to access a SIEM (Wazuh) VM web dashboard from a different VM

Gui De Almeida 0

In summary, I have an Ubuntu VM running a SIEM (Wazuh) server, I have a second VM (Windows) as an agent, which is in the same virtual network and subnet. I can ping both machines from either VM's, everything is good, EXCEPT I am unable to login to the SIEM browser's dashboard from the second VM (Agent), only from the first VM (SIEM), the dashboard is the locahost IP address.

I am sure it has to do with something on Azure's end, I am able to reproduce everything on my local computer hypervisor and access the dashboard from any local VM.

Steps I took:

Make sure they're both on the same vnet and subnet.
Create and make sure NSG's are correctly setup, necessary ports/addresses are opened.
Ensure Ubuntu's and Window's firewalls are setup as well.
Make sure Wazuh (SIEM) setup is configured correctly.

I do not know what else to do, am I missing something? Do I have to create an app gateway to access the VM's SIEM web dashboard?

Any help leading me to the right direction would be greatly appreciated!

Thank you!

1 answer

Your answer

Answer 1

KapilAnanth-MSFT 49,616 Microsoft Employee Moderator

@Gui De Almeida ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

From your verbatim,

I see you are using a 3rd party SIEM Tool in a Linux VM
And you are not able to access the dashboard of this 3rd party SIEM Tool from another VM in same VNET

As next steps,

Does the 3rd party provide any documentation for configuring this in Azure environment?
- Can you share the document please?
May I ask on which port this dashboard listens to?
- (I believe this should be 443/80 - but please confirm)
I see you mentioned ICMP Ping is successful. But what about TCPPing?
- From the Windows VM, you can run the following in Powershell to test TCP Port
- Test-NetConnection -ComputerName "<3rdPartySIEMVMPrivateIP>" -Port <PortAtWhich3rdPartySIEMVMListensTo>
- And share the results
To check if there are any platform level blocking (NSG/UDR level), you can try NSG diagnostics or IP flow verify
- Run this in both the VMs - Inbound for 3rd party SIEM VM and Outbound for the Windows VM.
- And share the results of IP flow verify for both

Cheers,

Kapil

Gui De Almeida 0 Reputation points

2024-10-11T19:34:10.9966667+00:00

Hey @KapilAnanth-MSFT ,

Thank you for the help, I have done some more digging and I am starting to believe it's something on the SIEMS's end instead of my previous thought that it was something on Azure's end. Still trying to troubleshoot further though.

I did try PSPING and the result I got was "The remote computer refused the network connection.",

I have a total of four VM's, two Windows and two Ubuntus, one Ubuntu as the server and all the other three are as agents. All of them under the same NSG, firewall on host level are also configured similiarly. Being on the same vnet they can conduct nslookup and ping.

Surprisingly, when I tried the server's locahost with specific port (:80) it worked on my other Ubuntu machine, even though the Wazuh dashboard says it's port 443. Other then that, the SIEM is working perfectly, except for the fact that I am unable to access it through the Windows VM's.

So now I only need to figure out why the two Windows are the only ones not being able to connect to the web dashboard. Will try your recommendations and share the results.

Regarding Azure documentation, this is all they have as far as Azure, Wazuh on Azure.

Again, thank you!
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2024-10-14T14:43:09.53+00:00

@Gui De Almeida , You're welcome

Sure. Let us know how it goes.

Share via

Not being able to access a SIEM (Wazuh) VM web dashboard from a different VM

1 answer

Your answer