Remove filebeat references and replace wazuh.yml to opensearch_dashboards.yml in the password tool

[Enaraque]

Description

On the one hand, the Filebeat references have been removed from the password tool.

On the other hand, starting from version 5.0, the file /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml will no longer exist, as mentioned in this issue. For this reason, its references have been replaced with opensearch_dashboards.yml, which is where the API host configuration will now be defined.

Tests 🧪

Several tests have been executed to verify that everything works correctly.

1. First, the password file was generated, confirming that there are no longer any references to Filebeat.

   Passwords file

   [root@wazuh wazuh-user]# bash wazuh-password-tool.sh -gf wazuh-passwords3.txt
   
   [root@wazuh wazuh-user]# cat wazuh-passwords3.txt 
   # Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
     indexer_username: 'admin'
     indexer_password: 'h3xzUXSfUYHVhdr3wkJF.i+SU?G+yfVG'
   
   # Anomaly detection user for the web user interface
     indexer_username: 'anomalyadmin'
     indexer_password: 'TdVTl?uLk5ty?yFCdY?GuH7KY637c3N*'
   
   # Wazuh dashboard user for establishing the connection with Wazuh indexer
     indexer_username: 'kibanaserver'
     indexer_password: 'pwczxu8iI30bGrkH.b*wQ4UGOuWtGyCB'
   
   # Regular Dashboard user, only has read permissions to all indices and all permissions on the .kibana index
     indexer_username: 'kibanaro'
     indexer_password: 'txFCfw+I2w7qGo2*i9e.EFdMUCZofh2q'
   
   # User used by Logstash to send processed logs to the Wazuh indexer
     indexer_username: 'logstash'
     indexer_password: '?f?s1Tp.jDU6e.fQepsSjrQXLf5vQjRI'
   
   # User with READ access to all indices
     indexer_username: 'readall'
     indexer_password: 'K55?n0D4PAEBNdxS9MMJxNwPp6tx0tfx'
   
   # User with permissions to perform snapshot and restore operations
     indexer_username: 'snapshotrestore'
     indexer_password: '1wd3loXI?Adjq7UBl9hUymDTyx2BUoID'
   
   # Password for wazuh API user
     api_username: 'wazuh'
     api_password: 'MstKTAfLs5UXiWSORTfMl1dY23CDg.UP'
   
   # Password for wazuh-wui API user
     api_username: 'wazuh-wui'
     api_password: 'LVFzKzt5z+64jNfZXNGee1YYP0kR9L+Z'

2. Second, all passwords were changed, including the API passwords.

   Changing passwords proccess

   [root@wazuh wazuh-user]# bash wazuh-password-tool.sh -A -au wazuh -ap F6vAQXY5yVPG15e9ja5TP1G0+oxr3U*t -a -f wazuh-passwords3.txt
   15/12/2025 16:27:05 INFO: Updating the internal users.
   15/12/2025 16:27:13 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
   15/12/2025 16:28:03 INFO: The password for user admin is h3xzUXSfUYHVhdr3wkJF.i+SU?G+yfVG
   15/12/2025 16:28:03 INFO: The password for user anomalyadmin is TdVTl?uLk5ty?yFCdY?GuH7KY637c3N*
   15/12/2025 16:28:03 INFO: The password for user kibanaserver is pwczxu8iI30bGrkH.b*wQ4UGOuWtGyCB
   15/12/2025 16:28:03 INFO: The password for user kibanaro is txFCfw+I2w7qGo2*i9e.EFdMUCZofh2q
   15/12/2025 16:28:03 INFO: The password for user logstash is ?f?s1Tp.jDU6e.fQepsSjrQXLf5vQjRI
   15/12/2025 16:28:03 INFO: The password for user readall is K55?n0D4PAEBNdxS9MMJxNwPp6tx0tfx
   15/12/2025 16:28:03 INFO: The password for user snapshotrestore is 1wd3loXI?Adjq7UBl9hUymDTyx2BUoID
   15/12/2025 16:28:03 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server and the Wazuh server nodes if necessary, and restart the services.
   15/12/2025 16:28:04 INFO: The password for Wazuh API user wazuh is MstKTAfLs5UXiWSORTfMl1dY23CDg.UP
   15/12/2025 16:28:05 INFO: The password for Wazuh API user wazuh-wui is LVFzKzt5z+64jNfZXNGee1YYP0kR9L+Z
   15/12/2025 16:28:05 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.

3. When attempting to obtain the API token using the new password, the token is successfully retrieved.

   Testing api connection

   [root@wazuh wazuh-user]# curl -s -u wazuh:MstKTAfLs5UXiWSORTfMl1dY23CDg.UP -k -X POST "https://localhost:55000/security/user/authenticate?raw=true" --max-time 300 --retry 5 --retry-delay 5
   eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNzY1ODE2Mjc3LCJleHAiOjE3NjU4MTcxNzcsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.AajMTQJMHXKkPtRkWfYIDfcNuo3JmKuICJCsK4gOmcm8xk0ERXnyHrEer7H02sj0TroGoEsyHd9QshR5fYHNFheTAPhemxGwDhtTPMsA0o2iRonYxLPlqS4pe5HEIMsx1_BcvWFNvDdOHyEdFbbuthTZPvHR3G0gie-W7MrYQeu71fqm

4. We verified that the password for wazuh-wui was correctly updated in opensearch_dashboards.yml.

   Check wazuh-wui password

   [root@wazuh wazuh-user]# cat /etc/wazuh-dashboard/opensearch_dashboards.yml
   server.host: 0.0.0.0
   server.port: 443
   opensearch.hosts: https://localhost:9200
   opensearch.ssl.verificationMode: certificate
   #opensearch.username:
   #opensearch.password:
   opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
   opensearch_security.multitenancy.enabled: false
   opensearch_security.readonly_mode.roles: ["kibana_read_only"]
   server.ssl.enabled: true
   server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
   server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
   opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
   uiSettings.overrides.defaultRoute: /app/wz-home
   # Session expiration settings
   opensearch_security.cookie.ttl: 900000
   opensearch_security.session.ttl: 900000
   opensearch_security.session.keepalive: true
   
   # Define the Wazuh server hosts
   wazuh_core.hosts:
     default:
       url: https://localhost
       port: 55000
       username: wazuh-wui
       password: "LVFzKzt5z+64jNfZXNGee1YYP0kR9L+Z"
       run_as: false

5. Lastly, after restarting the services, the dashboard can be accessed using the new admin user password.

   Dashboard landing page