Problem when trying to update user using securityadmin.sh

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): Using Wazuh version 4.12.0

Describe the issue: Hello, I’m using Wazuh, which uses OpenSearch in the backend. When I was trying to update my admin Wazuh password, I wrongly used securityadmin.sh and created a new user with my password. (It was my first time using this script.)

Now, I receive this log in /var/log/wazuh-indexer/wazuh-cluster.log:
[2025-11-11T16:36:52,201][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for password@123 from 127.0.0.1:44788

Also, I updated the keystore and I think that caused the issue. How can I remove this user that actually has the password as the username?

When I list the stored keys, it doesn’t show any users or passwords:

image

Hey @Joao ,

Did you check internal users? How did you create the user?

Leeroy.

Hi Leeroy, yes. The internalusers.yml file is stored in /etc/wazuh-indexer/opensearch-security, but I can’t see this user there…

That’s the log:

image

Also I used this at the time to create the user:
echo <CUSTOM_USERNAME> | filebeat keystore add username --stdin --force
echo <CUSTOM_PASSWORD> | filebeat keystore add password --stdin --force

Hey @Joao ,

You can run curl and check both internal users and wazuh users.

Wazuh

curl -k -H "Authorization: Bearer $TOKEN" \
     https://localhost:55000/security/users | jq

Internal users

curl -k --cert ./admin.pem \
     --key ./admin-key.pem \
     https://localhost:9200/_plugins/_security/api/internalusers | jq

Also, if you update the internal users and re-run securityadmin, it will override the incorrect run and create the new user correctly, which should fix your issue. I have tested this in Wazuh and it worked as expected.

Leeroy.

On this, if you do a filebeat keystore list and see the user at issue, you can issue a remove, then add it correctly afterwards if needed.

filebeat keystore remove username
filebeat keystore remove password

Leeroy.
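
Added example, not part of the thread or of Wazuh's tooling: a shell function that summarises the "Authentication finally failed" warnings of the kind quoted in the question by principal and source address, marking principals that are not in an expected-user list. The sample lines are constructed in the format of the log line in the question, and the function name and the expected-user list (admin,kibanaserver) are assumptions.

```shell
#!/bin/sh
# Constructed sample lines, modelled on the warning quoted in the question.
SAMPLE_LOG='[2025-11-11T16:36:52,201][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for not-a-username!1 from 127.0.0.1:44788
[2025-11-11T16:37:02,310][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for not-a-username!1 from 127.0.0.1:44802
[2025-11-11T16:37:05,004][INFO ][o.o.n.Node ] [node-1] constructed unrelated line
[2025-11-11T16:38:12,977][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 10.0.0.7:51234'

# failed_auth_summary (hypothetical helper): reads indexer log lines on stdin.
# $1 is a comma-separated list of usernames that are expected to log in.
failed_auth_summary() {
  awk -v known="$1" '
    BEGIN {
      n = split(known, names, ",")
      for (i = 1; i <= n; i++) expected[names[i]] = 1
      marker = "Authentication finally failed for "
    }
    # Only the BackendRegistry warning carries the failed principal.
    index($0, "BackendRegistry") && (at = index($0, marker)) {
      msg = substr($0, at + length(marker))
      if (msg !~ / from [^ ]+$/) next
      # The principal may contain spaces, so split on the last " from ".
      principal = msg; sub(/ from [^ ]+$/, "", principal)
      src = msg; sub(/^.* from /, "", src)
      sub(/:[0-9]+$/, "", src)          # drop the ephemeral client port
      seen[src " principal=" principal]++
    }
    END {
      for (key in seen) {
        principal = key; sub(/^[^ ]+ principal=/, "", principal)
        status = (principal in expected) ? "expected" : "UNKNOWN"
        printf "count=%d status=%s src=%s\n", seen[key], status, key
      }
    }
  ' | sort
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_auth_summary "admin,kibanaserver"
```

On a live node the same function can read /var/log/wazuh-indexer/wazuh-cluster.log on stdin. An UNKNOWN principal coming from 127.0.0.1 that looks like a secret means that value was stored under the wrong keystore key and has been written to the log in clear text.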