Agent configuration displayed in Kibana App is wrong #773

Closed
maxverro opened this issue Aug 1, 2018 · 5 comments


maxverro commented Aug 1, 2018

Kibana System Info:
App version: 3.4.0
App revision: 0400
Install date: Jun 21, 2018 1:34:53 PM

Agent System Info
DIRECTORY="/var/ossec/"
NAME="Wazuh"
VERSION="v3.4.0"
REVISION="3410"
DATE="Mon Jul 30 11:34:07 EDT 2018"
TYPE="agent"

Manager System Info
DIRECTORY="/var/ossec/"
NAME="Wazuh"
VERSION="v3.4.0"
REVISION="3410"
DATE="Mon Jul 30 16:26:33 EDT 2018"
TYPE="server"

Issue:
In the Kibana App, when I look at the configuration for an agent, it's wrong. It displays the configuration of the first (I think) profile in the agent.conf file, even if it's not a valid profile for the agent. The ws_nginx profile seems to be applied. The ws_omnivox profile does not seem to be applied according to the logs, although it's the only configuration showing up in the Kibana app.

Here are the actual monitored and ignored directories (according to ossec.log):

root@dw-vbrain-42-a:/var/ossec/logs# grep syscheck -r | grep INFO
ossec.log:2018/08/01 04:45:30 ossec-syscheckd: INFO: Pausing syscheck real-time monitoring.
ossec.log:2018/08/01 04:45:30 ossec-syscheckd: INFO: Starting syscheck scan.
ossec.log:2018/08/01 04:52:37 ossec-syscheckd: INFO: Ending syscheck scan.
ossec.log:2018/08/01 04:52:37 ossec-syscheckd: INFO: Resuming syscheck real-time monitoring.
ossec.log:2018/08/01 04:52:38 ossec-syscheckd: INFO: Pausing syscheck real-time monitoring.
ossec.log:2018/08/01 04:53:13 ossec-syscheckd: INFO: Resuming syscheck real-time monitoring.
ossec.log:2018/08/01 09:34:35 ossec-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Started (pid: 21135).
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc/shared', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | realtime | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/root', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/etc', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/var/opt', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/var/lib', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/bin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/sbin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/opt/bin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/opt/sbin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/lib', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/lib', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/lib', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/lib64', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/lib64', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | report_changes | mtime | inode.
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/mtab'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/mnttab'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/hosts.deny'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/mail/statistics'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/random-seed'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/random.seed'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/adjtime'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/httpd/logs'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/utmpx'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/wtmpx'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/cups/certs'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/dumpdates'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Ignoring: '/etc/svc/volatile'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
ossec.log:2018/08/01 09:34:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/ossec/etc/shared'.
ossec.log:2018/08/01 09:34:53 ossec-syscheckd: INFO: Syscheck scan frequency: 43200 seconds
ossec.log:2018/08/01 09:35:08 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
ossec.log:2018/08/01 09:35:08 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
ossec.log:2018/08/01 09:35:08 ossec-syscheckd: INFO: Initializing real time file monitoring engine.
ossec.log:2018/08/01 09:42:28 ossec-syscheckd: INFO: Real time file monitoring engine started.
ossec.log:2018/08/01 09:42:28 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
ossec.log:2018/08/01 09:42:33 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

Here are the actual logs being collected (according to ossec.log):

root@dw-vbrain-42-a:/var/ossec/logs# grep ossec-logcollector -r | grep INFO
ossec.log:2018/08/01 08:03:53 ossec-logcollector: INFO: Agent is now online. Process unlocked, continuing...
ossec.log:2018/08/01 09:34:35 ossec-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/ufw.log'.
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: Monitoring output of command(360): df -P
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tln | grep -v 127.0.0.1 | sort
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 20
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: Monitoring full output of command(360): ufw status numbered
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/nginx/access.log'.
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/nginx/error.log'.
ossec.log:2018/08/01 09:34:41 ossec-logcollector: INFO: Started (pid: 21140).
ossec.log:2018/08/01 09:34:53 ossec-logcollector: INFO: Agent is now online. Process unlocked, continuing...

Here is what I see in the Kibana App:
[Two screenshots of the agent configuration view in the Kibana app]

In the agent's ossec.conf, the profiles are:

<ossec_config>
  <client>
    <server>
      <address>server_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>dax_brain, ws_nginx</config-profile>
    <auto_restart>yes</auto_restart>
  </client>

The agent.conf on the manager:

<agent_config profile="ws_omnivox">
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <!-- Frequency that syscheck is executed (default every 20 hours) -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes" report_changes="yes">D:</directories>

    <!-- Files/directories to ignore -->
    <ignore>D:/O...ox/Ap...lle/Omnigarde</ignore>
    <ignore>D:/O...ox/Ap...lle/Email</ignore>
    <ignore>D:/O...ox/Ap...lle/Task</ignore>
    <ignore>D:/O...ox/Ap...lle/runipconfig.bat</ignore>
    <ignore>D:/O...ox/Ap...lle/runtasklist.bat</ignore>
    <ignore>D:/O...ox/DLL</ignore>
    <ignore>D:/O...ox/DLL/Er...rd.log</ignore>
    <ignore>D:/O...ox/DLL/O...rd.Log</ignore>
    <ignore>D:/O...ox/Temp</ignore>

    <!-- Files no diff -->
  </syscheck>

  <localfile>
    <log_format>iis</log_format>
    <location>F:\Log\W3SVC1\u_ex%y%m%d.log</location>
  </localfile>
</agent_config>

<agent_config profile="ws_nginx">
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <!-- Frequency that syscheck is executed (default every 20 hours) -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check (perform all possible verifications) -->

    <!-- Files/directories to ignore -->

    <!-- Files no diff -->
  </syscheck>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>
</agent_config>

<agent_config profile="ws_apache">
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <!-- Frequency that syscheck is executed (default every 20 hours) -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check (perform all possible verifications) -->

    <!-- Files/directories to ignore -->

    <!-- Files no diff -->
  </syscheck>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>
</agent_config>

<agent_config profile="node_elasticsearch">
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <!-- Frequency that syscheck is executed (default every 20 hours) -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check (perform all possible verifications) -->

    <!-- Files/directories to ignore -->
    <ignore>/var/lib/elasticsearch/nodes/0/indices/</ignore>

    <!-- Files no diff -->
  </syscheck>
</agent_config>
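As an added example (not code from the issue or from the Wazuh project), here is a small Python script that applies the agent.conf selection rule the reporter expected: a block without a profile attribute applies to every agent, and a block with a profile attribute applies only to agents listing that profile in their config-profile. It contrasts that with the first-block behaviour reported above, and it assumes profile matching is exact and single-valued, ignores the name and os attributes agent.conf also supports, and models agent.conf only (not the localfile entries in the agent's own ossec.conf).

```python
import xml.etree.ElementTree as ET
# Constructed agent.conf modelled on the one in the issue (elided D:/O...ox paths
# dropped). agent.conf has no single root element, so it is wrapped in a synthetic
# <root> before parsing; a block without a profile attribute shows the "all agents" case.
AGENT_CONF = """
<agent_config profile="ws_omnivox">
  <syscheck><directories check_all="yes">D:</directories></syscheck>
  <localfile><log_format>iis</log_format>
    <location>F:\\Log\\W3SVC1\\u_ex%y%m%d.log</location></localfile>
</agent_config>
<agent_config profile="ws_nginx">
  <localfile><log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location></localfile>
  <localfile><log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location></localfile>
</agent_config>
<agent_config profile="ws_apache">
  <localfile><log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location></localfile>
</agent_config>
<agent_config>
  <syscheck><directories check_all="yes">/etc</directories></syscheck>
</agent_config>
"""

def parse_agent_conf(text):
    """Return the <agent_config> blocks in file order."""
    return ET.fromstring("<root>" + text + "</root>").findall("agent_config")

def block_applies(block, agent_profiles):
    """No profile attribute: applies to every agent. Otherwise only when the
    block's profile is one of the agent's config-profile values (assumption:
    exact, case-sensitive match on a single name)."""
    wanted = block.get("profile")
    return wanted is None or wanted.strip() in agent_profiles

def effective_blocks(text, config_profile):
    """Blocks that apply to an agent whose ossec.conf declares
    <config-profile>config_profile</config-profile> (comma-separated)."""
    agent_profiles = {p.strip() for p in config_profile.split(",") if p.strip()}
    return [b for b in parse_agent_conf(text) if block_applies(b, agent_profiles)]

def effective_locations(text, config_profile):
    """Log files the agent would collect from agent.conf alone."""
    return [lf.findtext("location") for b in effective_blocks(text, config_profile)
            for lf in b.findall("localfile")]

def first_block_profile(text):
    """What the issue reports the app showing: the first block, profile unchecked."""
    return parse_agent_conf(text)[0].get("profile")
```

For the reporter's agent (config-profile "dax_brain, ws_nginx") the selection yields the ws_nginx block plus the unrestricted one, matching the nginx log files seen in ossec-logcollector's output above, while the first-block rule returns ws_omnivox.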
@havidarou (Member)

Hi @maxverro ,

you are right, the configuration shown in the Wazuh app is not always correct.

Right now it is very difficult for us to show the real configuration for the agent.

In a future release we'll be able to do it as Wazuh core will provide us with that information.

Best regards.

maxverro (Author) commented Aug 1, 2018

Thank you @havidarou,

I think it would be much better to display the ossec.conf, don't you think? Displaying info about a profile which is not even used by that agent really made me freak out at first.

@havidarou (Member)

You are probably right.

We are focusing now on other aspects while waiting for that future release, but we'll take it into consideration.

Regards.

@maxverro (Author)

Thank you. If this is already on the roadmap this issue can be closed.

@JuanjiJG (Contributor)

Hello @maxverro,

Yes, it is on our roadmap, but for now, we can't give you specific ETAs for this feature. You can track this feature's progress here: #373

I'll proceed to close this issue.

Regards,
Juanjo
