Review changes in the Wazuh indexer upgrade #2460

Closed
rauldpm opened this issue Sep 18, 2023 · 3 comments
@rauldpm
Member

rauldpm commented Sep 18, 2023

Description

It is necessary to review the upgrade of the Wazuh indexer 4.6.0 (2.8.0) package; changes have been detected in the following files:

```
Installing new version of config file /etc/wazuh-indexer/opensearch-notifications-core/notifications-core.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/log4j2.xml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/rca.conf ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/rca_cluster_manager.conf ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/rca_idle_cluster_manager.conf ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/config.yml
```

It is necessary to justify the change to these files and take the necessary actions to maintain the file if the change is not desired.

@rauldpm
Member Author

rauldpm commented Sep 18, 2023

Update report - Wazuh indexer upgrade 4.5.2 -> 4.6.0

Changes upgrading from 4.5.2 to 4.6.0:

For each file, the 4.5.2 code is shown first and the 4.6.0 changes below it.

**/etc/wazuh-indexer/opensearch-notifications-core/notifications-core.yml**

4.5.2 code:

```yaml
size_limit: 10000
minimum_header_length: 100
```

4.6.0 changes:

```yaml
size_limit: 10000000
minimum_header_length: 160
```

**/etc/wazuh-indexer/opensearch-performance-analyzer/log4j2.xml**

4.5.2 code:

```xml
<RollingFile name="PerformanceAnalyzerLog"
             fileName="/tmp/PerformanceAnalyzer.log"
             filePattern="/tmp/PerformanceAnalyzer.log.%d{yyyy-MM-dd}-%i.gz"
             immediateFlush="true" append="true">

<Delete basePath="/tmp">

<RollingFile name="StatsLog"
             fileName="/tmp/performance_analyzer_agent_stats.log"
             filePattern="/tmp/performance_analyzer_agent_stats.log.%d{yyyy-MM-dd}-%i.gz"
             immediateFlush="true" append="true">

<Delete basePath="/tmp">
```

4.6.0 changes:

```xml
<RollingFile name="PerformanceAnalyzerLog"
             fileName="${sys:opensearch.path.home:-/tmp}/logs/PerformanceAnalyzer.log"
             filePattern="${sys:opensearch.path.home:-/tmp}/logs/PerformanceAnalyzer.log.%d{yyyy-MM-dd}-%i.gz"
             immediateFlush="true" append="true">

<Delete basePath="${sys:opensearch.path.home:-/tmp}/logs">

<RollingFile name="StatsLog"
             fileName="${sys:opensearch.path.home:-/tmp}/logs/performance_analyzer_agent_stats.log"
             filePattern="${sys:opensearch.path.home:-/tmp}/logs/performance_analyzer_agent_stats.log.%d{yyyy-MM-dd}-%i.gz"
             immediateFlush="true" append="true">

<Delete basePath="${sys:opensearch.path.home:-/tmp}/logs/">
```

**/etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy**

4.5.2 code:

```
grant {
    permission java.lang.management.ManagementPermission "control";
    permission java.net.SocketPermission "localhost:9600","connect,resolve";
};
```

4.6.0 changes:

```
grant {
    permission java.lang.management.ManagementPermission "control";
    permission java.net.SocketPermission "localhost:9600","connect,resolve";
    permission java.lang.RuntimePermission "getClassLoader";
};
```

**/etc/wazuh-indexer/opensearch-performance-analyzer/rca.conf**

4.5.2 code:

```json
    "hot-shard-rca": {
      "cpu-utilization" : 0.01,
      "io-total-throughput-in-bytes" : 250000.0,
      "io-total-syscallrate-per-second" : 0.1
    },

  "muted-rcas": [
    "HotShardRca",
    "HotShardClusterRca"
  ],
```

4.6.0 changes:

```json
    "hot-shard-rca": {
      "cpu-utilization" : 0.015,
      "heap-alloc-rate-in-bytes" : 1400000.0,
      "top-k-consumers" : 50
    },

  "muted-rcas": [
  ],
```

**/etc/wazuh-indexer/opensearch-performance-analyzer/rca_cluster_manager.conf**

4.5.2 code:

```json
    "hot-shard-rca": {
      "cpu-utilization" : 0.01,
      "io-total-throughput-in-bytes" : 250000.0,
      "io-total-syscallrate-per-second" : 0.1
    },

    "hot-shard-cluster-rca": {
      "cpu-utilization-cluster-percentage" : 0.3,
      "io-total-throughput-cluster-percentage" : 0.3,
      "io-total-syscallrate-cluster-percentage" : 0.3
    },

  "muted-rcas": [
    "HotShardRca",
    "HotShardClusterRca"
  ],
```

4.6.0 changes:

```json
    "hot-shard-rca": {
      "cpu-utilization" : 0.015,
      "heap-alloc-rate-in-bytes" : 1400000.0,
      "top-k-consumers" : 50
    },

    "hot-shard-cluster-rca": {
      "cpu-utilization-cluster-percentage" : 0.3,
      "heap-alloc-rate-cluster-percentage" : 0.3
    },

  "muted-rcas": [
  ],
```

**/etc/wazuh-indexer/opensearch-performance-analyzer/rca_idle_cluster_manager.conf**

4.5.2 code:

```json
    "hot-shard-rca": {
      "cpu-utilization" : 0.01,
      "io-total-throughput-in-bytes" : 250000.0,
      "io-total-syscallrate-per-second" : 0.1
    },

    "hot-shard-cluster-rca": {
      "cpu-utilization-cluster-percentage" : 0.3,
      "io-total-throughput-cluster-percentage" : 0.3,
      "io-total-syscallrate-cluster-percentage" : 0.3
    },

  "muted-rcas": [
    "HotShardRca",
    "HotShardClusterRca"
  ],
```

4.6.0 changes:

```json
    "hot-shard-rca": {
      "cpu-utilization" : 0.015,
      "heap-alloc-rate-in-bytes" : 1400000.0,
      "top-k-consumers" : 50
    },

    "hot-shard-cluster-rca": {
      "cpu-utilization-cluster-percentage" : 0.3,
      "heap-alloc-rate-cluster-percentage" : 0.3
    },

  "muted-rcas": [
  ],
```

**/etc/wazuh-indexer/opensearch-security/config.yml**

4.5.2 code:

```yaml
#multitenancy_enabled: true
#server_username: kibanaserver

jwt_url_parameter: null
roles_key: null
```

4.6.0 changes:

```yaml
#multitenancy_enabled: true
#private_tenant_enabled: true
#default_tenant: ""
#server_username: kibanaserver

jwt_url_parameter: null
jwt_clock_skew_tolerance_seconds: 30
roles_key: null
```

The report lists the following three lines for this file as one run, without separating the 4.5.2 and 4.6.0 sides:

```yaml
#max_blocked_clients: 100000
#max_tracked_clients: 100000
#max_blocked_clients: 100000
```

- In the case of RPM, the update of these files is expected since:
  - If the file marked as config is not modified on disk, the update will install the new version of the file
  - If the file marked as config is modified on disk, the update will keep the same file, and the new version will create a `.rpmnew` file with the most updated file
  - https://rpm-packaging-guide.github.io/
- It is necessary to determine if we really want not to introduce these changes

- After a meeting with @havidarou and @fcaffieri it was concluded that we do not have real control over these files, so we must maintain the new modifications for the correct functioning of the package. The use of an old configuration with a new one could lead to incorrect operation of the package, and it is the user's responsibility to analyze and modify said files if they have been modified.

- The DEBIAN package is being tested
  - The same changes have been detected
- No action is required on the packages
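
An added example for the RPM behaviour described in the report above (not part of this issue or of the Wazuh packages): a POSIX shell script that locates the `.rpmnew` copies an upgrade leaves next to a config file that was modified on disk (and dpkg's equivalent `.dpkg-dist`), diffs each against the live file, and counts them, so an operator can review exactly what the new package expects before merging it by hand. The function names, the temporary directory layout and the sample tree are constructed for this example; the sample file contents are taken from the `notifications-core.yml` entries in the report.

```shell
#!/bin/sh
# Added example (not from the issue or the Wazuh packages).
# RPM writes <file>.rpmnew when a config file was modified on disk and the
# package ships a newer version; dpkg writes <file>.dpkg-dist in the same case.
# These helpers list and diff such pending copies under a config directory.

# find_pending_configs DIR
# Prints one line per pending copy: "<live file><TAB><pending copy>"
find_pending_configs() {
    dir="$1"
    find "$dir" -type f \( -name '*.rpmnew' -o -name '*.dpkg-dist' \) | sort |
    while read -r pending; do
        live="${pending%.rpmnew}"
        live="${live%.dpkg-dist}"
        printf '%s\t%s\n' "$live" "$pending"
    done
}

# show_config_diffs DIR
# For every pending copy, prints a unified diff of live file -> pending copy.
show_config_diffs() {
    find_pending_configs "$1" | while IFS="$(printf '\t')" read -r live pending; do
        echo "== $live (pending: $pending)"
        if [ -f "$live" ]; then
            # diff exits 1 when files differ; that is the expected case here
            diff -u "$live" "$pending" || true
        else
            echo "(no live file; the pending copy would be installed as-is)"
        fi
    done
}

# count_pending_configs DIR
# Number of pending copies; non-zero means an upgrade left changes unreviewed.
count_pending_configs() {
    find_pending_configs "$1" | wc -l | tr -d ' '
}

# make_sample_tree ROOT
# Constructed sample tree: one file with a pending .rpmnew (values from the
# report in this issue) and one file without, which must not be reported.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/opensearch-notifications-core" "$root/opensearch-security"
    printf 'size_limit: 10000\nminimum_header_length: 100\n' \
        > "$root/opensearch-notifications-core/notifications-core.yml"
    printf 'size_limit: 10000000\nminimum_header_length: 160\n' \
        > "$root/opensearch-notifications-core/notifications-core.yml.rpmnew"
    printf 'jwt_url_parameter: null\nroles_key: null\n' \
        > "$root/opensearch-security/config.yml"
}

# Run with --demo to exercise the helpers on the constructed tree; on a real
# host you would call show_config_diffs /etc/wazuh-indexer instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    show_config_diffs "$tmp"
    echo "pending config copies: $(count_pending_configs "$tmp")"
    rm -rf "$tmp"
fi
```

The diff is deliberately run from the live file to the pending copy, so `+` lines are what the new package wants and `-` lines are what the local file currently holds; a post-upgrade hook can fail on a non-zero `count_pending_configs` result to make sure the review in this issue is repeated on every host.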

@Deblintrake09
Contributor

LGTM! 🚀

@fcaffieri
Member

LGTM
