Wazuh Windows agent remote upgrade error version v4.3.8 #15089

Closed
khangcnttspkt opened this issue Oct 7, 2022 · 5 comments

@khangcnttspkt

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.3.8 | Wazuh component | Agent | Packages | Windows |

Hi everybody,
I installed wazuh-agent version 4.3.4 on Windows with the path "C:\Program Files (x86)\wazuh-agent".

After the remote upgrade to v4.3.8, the agent auto-installs to the default path "C:\Program Files (x86)\ossec-agent".

And then all data in queue is empty => the wazuh-agent service on the client fails to start.

with logs

2022/10/07 13:39:59 wazuh-agent: ERROR: Couldn't create SQLite database 'queue/fim/db/fim.db': unable to open database file (14)
2022/10/07 13:39:59 wazuh-agent: CRITICAL: (6698): Creating Data Structure: sqlite3 db. Exiting.
2022/10/07 13:39:59 wazuh-agent: INFO: Received exit signal. Starting exit process.
2022/10/07 13:39:59 wazuh-agent: INFO: Set pending exit signal.
2022/10/07 13:39:59 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2022/10/07 13:39:59 wazuh-agent: INFO: Exit completed successfully.
2022/10/07 13:39:59 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.
2022/10/07 13:39:59 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...

Before version v4.3.8, I did remote upgrades with no error.

@pereyra-m
Member

Hello @khangcnttspkt !

It seems that something happened during the upgrade, and that folder is now empty when it shouldn't be.
Didn't the manager report any error during the remote upgrade? Can you share the full ossec.log file of the agent containing the logs of the day of the upgrade?

As a workaround, you could try to create again the required folders, to allow the agent to create the databases and properly run:

  • queue/syscollector/db
  • queue/fim/db
  • queue/logcollector
  • queue/diff

Regards.
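
The workaround above as a script, added here as an example; it is not part of the original comment or of the Wazuh project's tooling. It assumes the two install paths mentioned in this issue and that `ossec.log` sits in the agent's install folder, and it takes the service name as a parameter because the page does not state it.

```powershell
#Requires -RunAsAdministrator
# Added example: recreate the queue folders listed in the workaround and
# report which ones were missing. Run with -WhatIf to only report.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: the two install paths mentioned in this issue.
    [string[]]$CandidateRoots = @(
        'C:\Program Files (x86)\ossec-agent',
        'C:\Program Files (x86)\wazuh-agent'
    ),
    # Assumption: not stated on the page; pass the agent's service name to restart it.
    [string]$ServiceName
)

# Folders named in the workaround, relative to the agent install folder.
$RequiredDirs = @(
    'queue\syscollector\db',
    'queue\fim\db',
    'queue\logcollector',
    'queue\diff'
)

function Get-FailedDbDirs {
    # Reads ossec.log for "Couldn't create SQLite database '<path>'" errors and
    # returns the parent folder of each database the agent could not create.
    param([string]$Root)
    $log = Join-Path $Root 'ossec.log'
    if (-not (Test-Path -LiteralPath $log -PathType Leaf)) { return @() }
    Select-String -LiteralPath $log -Pattern "Couldn't create SQLite database '([^']+)'" |
        ForEach-Object {
            $dbPath = $_.Matches[0].Groups[1].Value -replace '/', '\'
            Split-Path -Parent $dbPath
        } |
        Sort-Object -Unique
}

$existingRoots = @($CandidateRoots |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container })

if ($existingRoots.Count -eq 0) {
    Write-Warning 'No agent install folder found among the candidate paths.'
    return
}
if ($existingRoots.Count -gt 1) {
    # Matches the symptom in this issue: the upgrade wrote to a second folder.
    Write-Warning ("More than one install folder exists: " + ($existingRoots -join '; '))
}

$report = foreach ($root in $existingRoots) {
    # Union of the documented folders and any folder implied by log errors.
    $wanted = @($RequiredDirs) + @(Get-FailedDbDirs -Root $root) | Sort-Object -Unique
    foreach ($rel in $wanted) {
        $full = Join-Path $root $rel
        $existed = Test-Path -LiteralPath $full -PathType Container
        if (-not $existed -and $PSCmdlet.ShouldProcess($full, 'Create directory')) {
            New-Item -ItemType Directory -Path $full -Force | Out-Null
        }
        [pscustomobject]@{
            Root          = $root
            Directory     = $rel
            ExistedBefore = $existed
            ExistsNow     = Test-Path -LiteralPath $full -PathType Container
        }
    }
}

$report | Format-Table -AutoSize

# Restart only when a service name was supplied and something was actually created.
$created = @($report | Where-Object { -not $_.ExistedBefore -and $_.ExistsNow })
if ($ServiceName -and $created.Count -gt 0) {
    Restart-Service -Name $ServiceName
    Get-Service -Name $ServiceName | Select-Object Name, Status
}
```

A warning about more than one install folder is worth keeping with the report, since it shows which path the upgraded agent is actually running from.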

@khangcnttspkt
Author

> Hello @khangcnttspkt !
>
> It seems that something happened during the upgrade, and that folder is now empty when it shouldn't be. Didn't the manager report any error during the remote upgrade? Can you share the full ossec.log file of the agent containing the logs of the day of the upgrade?
>
> As a workaround, you could try to create again the required folders, to allow the agent to create the databases and properly run:
>
>   • queue/syscollector/db
>   • queue/fim/db
>   • queue/logcollector
>   • queue/diff
>
> Regards.

Hi @pereyra-m ,

Here are my logs:

2022/10/05 00:00:10 wazuh-agent: INFO: Starting new log after rotation. 2022/10/05 00:24:04 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 00:24:04 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 01:00:11 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock. 2022/10/05 01:00:11 wazuh-agent: INFO: Closing connection to server (192.168.105.118:1514/tcp). 2022/10/05 01:00:11 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/05 01:00:12 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection... 2022/10/05 01:00:12 wazuh-agent: ERROR: (1216): Unable to connect to '192.168.105.118:1514/tcp': 'No connection could be made because the target machine actively refused it.'. 2022/10/05 01:00:22 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/05 01:00:23 wazuh-agent: ERROR: (1216): Unable to connect to '192.168.105.118:1514/tcp': 'No connection could be made because the target machine actively refused it.'. 2022/10/05 01:00:33 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/05 01:00:33 wazuh-agent: INFO: (4102): Connected to the server (192.168.105.118:1514/tcp). 2022/10/05 01:00:33 wazuh-agent: INFO: Server responded. Releasing lock. 2022/10/05 01:00:37 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing... 2022/10/05 01:24:05 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 01:24:06 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 02:24:07 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 02:24:07 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 03:23:51 sca: INFO: Starting Security Configuration Assessment scan. 
2022/10/05 03:23:51 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml' 2022/10/05 03:23:54 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml' 2022/10/05 03:23:54 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml' 2022/10/05 03:23:57 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml' 2022/10/05 03:23:57 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds. 2022/10/05 03:23:58 rootcheck: INFO: Starting rootcheck scan. 2022/10/05 03:23:58 rootcheck: ERROR: No winmalware file: './shared/win_malware_rcl.txt' 2022/10/05 03:23:58 rootcheck: ERROR: No winapps file: './shared/win_applications_rcl.txt' 2022/10/05 03:24:03 rootcheck: INFO: Ending rootcheck scan. 2022/10/05 03:24:08 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 03:24:09 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 03:24:39 wazuh-agent: INFO: (6008): File integrity monitoring scan started. 2022/10/05 03:25:35 wazuh-agent: INFO: (6009): File integrity monitoring scan ended. 2022/10/05 04:24:10 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 04:24:10 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 05:24:11 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 05:24:11 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 06:24:12 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 06:24:13 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 07:24:14 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 07:24:14 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 08:24:15 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 08:24:16 wazuh-modulesd:syscollector: INFO: Evaluation finished. 
2022/10/05 09:24:17 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 09:24:17 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 10:24:18 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 10:24:18 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 11:24:19 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 11:24:20 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 12:24:21 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 12:24:21 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 13:24:22 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 13:24:23 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 14:24:24 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 14:24:24 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 15:23:51 sca: INFO: Starting Security Configuration Assessment scan. 2022/10/05 15:23:51 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml' 2022/10/05 15:23:54 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml' 2022/10/05 15:23:54 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml' 2022/10/05 15:23:57 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml' 2022/10/05 15:23:57 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds. 2022/10/05 15:24:04 rootcheck: INFO: Starting rootcheck scan. 2022/10/05 15:24:04 rootcheck: ERROR: No winmalware file: './shared/win_malware_rcl.txt' 2022/10/05 15:24:04 rootcheck: ERROR: No winapps file: './shared/win_applications_rcl.txt' 2022/10/05 15:24:09 rootcheck: INFO: Ending rootcheck scan. 2022/10/05 15:24:25 wazuh-modulesd:syscollector: INFO: Starting evaluation. 
2022/10/05 15:24:25 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 15:25:36 wazuh-agent: INFO: (6008): File integrity monitoring scan started. 2022/10/05 15:26:30 wazuh-agent: INFO: (6009): File integrity monitoring scan ended. 2022/10/05 16:24:27 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 16:24:27 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 17:24:28 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 17:24:28 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 18:24:29 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 18:24:30 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 19:24:31 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 19:24:31 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 19:43:33 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock. 2022/10/05 19:43:33 wazuh-agent: INFO: Closing connection to server (192.168.105.118:1514/tcp). 2022/10/05 19:43:33 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/05 19:43:33 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection... 2022/10/05 19:43:34 wazuh-agent: ERROR: (1216): Unable to connect to '192.168.105.118:1514/tcp': 'No connection could be made because the target machine actively refused it.'. 2022/10/05 19:43:44 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/05 19:44:05 wazuh-agent: ERROR: (1216): Unable to connect to '192.168.105.118:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'. 2022/10/05 19:44:15 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 
2022/10/05 19:44:36 wazuh-agent: ERROR: (1216): Unable to connect to '192.168.105.118:1514/tcp': 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'. 2022/10/05 19:44:46 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/05 19:44:51 wazuh-agent: ERROR: (1216): Unable to connect to '192.168.105.118:1514/tcp': 'No connection could be made because the target machine actively refused it.'. 2022/10/05 19:45:01 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/05 19:45:02 wazuh-agent: ERROR: (1216): Unable to connect to '192.168.105.118:1514/tcp': 'No connection could be made because the target machine actively refused it.'. 2022/10/05 19:45:02 wazuh-agent: INFO: Requesting a key from server: 192.168.105.118 2022/10/05 19:45:02 wazuh-agent: INFO: No authentication password provided 2022/10/05 19:45:02 wazuh-agent: INFO: Using agent name as: FPTMON99E_107.200 2022/10/05 19:45:02 wazuh-agent: INFO: Waiting for server reply 2022/10/05 19:45:02 wazuh-agent: ERROR: Duplicate agent name: FPTMON99E_107.200 (from manager) 2022/10/05 19:45:02 wazuh-agent: ERROR: Unable to add agent (from manager) 2022/10/05 19:45:06 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection... 2022/10/05 19:45:12 wazuh-agent: WARNING: (4101): Waiting for server reply (not started). Tried: '192.168.105.118'. 2022/10/05 19:45:12 wazuh-agent: WARNING: Unable to connect to any server. 2022/10/05 19:45:12 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/05 19:45:12 wazuh-agent: INFO: (4102): Connected to the server (192.168.105.118:1514/tcp). 2022/10/05 19:45:12 wazuh-agent: INFO: Server responded. Releasing lock. 2022/10/05 19:45:14 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing... 
2022/10/05 19:45:16 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing... 2022/10/05 20:24:32 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/05 20:24:32 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/05 21:24:34 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/06 10:30:15 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60 2022/10/06 10:30:15 wazuh-agent: INFO: (1410): Reading authentication keys file. 2022/10/06 10:30:15 wazuh-agent: INFO: Started (pid: 10420). 2022/10/06 10:30:15 wazuh-agent: INFO: Server IP Address: 192.168.105.118 2022/10/06 10:30:15 wazuh-agent: INFO: Using AES as encryption method. 2022/10/06 10:30:15 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/06 10:30:15 wazuh-agent: INFO: (4102): Connected to the server (192.168.105.118:1514/tcp). 2022/10/06 10:30:15 rootcheck: INFO: Started (pid: 10420). 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | 
hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 
2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: WPK verification with CA is disabled. 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started. 2022/10/06 10:30:15 sca: INFO: Module started. 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2019 Standard [Ver: 10.0.17763] - Wazuh v4.3.4). 
2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 sca: INFO: Loaded policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'. 2022/10/06 10:30:15 sca: INFO: Loaded policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'. 2022/10/06 10:30:15 sca: INFO: Starting Security Configuration Assessment scan. 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (1951): Analyzing event log: 'System'. 
2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'. 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | 
permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' 2022/10/06 10:30:15 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'. 2022/10/06 10:30:15 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/06 10:30:15 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/06 10:30:15 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/06 10:30:15 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/06 10:30:15 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/06 10:30:15 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 
2022/10/06 10:30:15 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/06 10:30:15 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/06 10:30:15 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini' 2022/10/06 10:30:15 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets' 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users' 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs' 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP' 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn' 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut' 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap' 
2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo' 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache' 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx' 2022/10/06 10:30:15 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final' 2022/10/06 10:30:15 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$' 2022/10/06 10:30:15 wazuh-agent: INFO: Started (pid: 10420). 2022/10/06 10:30:15 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml' 2022/10/06 10:30:15 wazuh-modulesd:osquery: INFO: Module disabled. Exiting... 2022/10/06 10:30:15 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting... 2022/10/06 10:30:15 wazuh-modulesd:syscollector: INFO: Module started. 2022/10/06 10:30:15 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/06 10:30:15 wazuh-agent: INFO: Started (pid: 10420). 2022/10/06 10:30:16 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/06 10:30:16 wazuh-agent: INFO: (6000): Starting daemon... 2022/10/06 10:30:16 rootcheck: INFO: Starting rootcheck scan. 2022/10/06 10:30:16 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds 2022/10/06 10:30:16 wazuh-agent: INFO: (6008): File integrity monitoring scan started. 
2022/10/06 10:30:16 rootcheck: ERROR: No winmalware file: './shared/win_malware_rcl.txt' 2022/10/06 10:30:16 rootcheck: ERROR: No winapps file: './shared/win_applications_rcl.txt' 2022/10/06 10:30:18 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml' 2022/10/06 10:30:18 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml' 2022/10/06 10:30:21 rootcheck: INFO: Ending rootcheck scan. 2022/10/06 10:30:21 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml' 2022/10/06 10:30:21 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds. 2022/10/06 10:31:02 wazuh-agent: INFO: (6009): File integrity monitoring scan ended. 2022/10/06 10:31:02 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started. 2022/10/06 11:30:17 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/06 11:30:17 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/06 12:30:18 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/06 12:30:19 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/06 13:30:20 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/06 13:30:20 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/06 14:30:21 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/06 14:30:21 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/06 15:30:22 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2022/10/06 15:30:23 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/06 15:45:01 wazuh-agent: INFO: WPK verification with CA is disabled. 2022/10/06 15:45:01 wazuh-modulesd:agent-upgrade: INFO: (8154): Module Agent Upgrade finished. 2022/10/06 15:45:01 wazuh-agent: INFO: Agent is restarting due to shared configuration changes. 2022/10/06 15:45:01 wazuh-agent: INFO: Received exit signal. 
Starting exit process. 2022/10/06 15:45:01 wazuh-agent: INFO: Set pending exit signal. 2022/10/06 15:45:01 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2022/10/06 15:45:01 wazuh-modulesd:syscollector: INFO: Module finished. 2022/10/06 15:45:01 wazuh-agent: INFO: Exit completed successfully. 2022/10/06 15:45:01 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. 2022/10/06 15:45:02 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60 2022/10/06 15:45:02 wazuh-agent: INFO: (1410): Reading authentication keys file. 2022/10/06 15:45:02 wazuh-agent: INFO: Started (pid: 10828). 2022/10/06 15:45:02 wazuh-agent: INFO: Server IP Address: 192.168.105.118 2022/10/06 15:45:02 wazuh-agent: INFO: Using AES as encryption method. 2022/10/06 15:45:02 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/06 15:45:02 wazuh-agent: INFO: (4102): Connected to the server (192.168.105.118:1514/tcp). 2022/10/06 15:45:02 rootcheck: INFO: Started (pid: 10828). 
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: WPK verification with CA is disabled.
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 sca: INFO: Module started.
2022/10/06 15:45:02 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2019 Standard [Ver: 10.0.17763] - Wazuh v4.3.4).
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 sca: INFO: Loaded policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/10/06 15:45:02 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 sca: INFO: Loaded policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml'
2022/10/06 15:45:02 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 sca: INFO: Starting Security Configuration Assessment scan.
2022/10/06 15:45:02 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-modulesd:syscollector: INFO: Module started.
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: Started (pid: 10828).
2022/10/06 15:45:02 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/10/06 15:45:02 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:45:02 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2022/10/06 15:45:02 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2022/10/06 15:45:02 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2022/10/06 15:45:02 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2022/10/06 15:45:02 wazuh-agent: INFO: Started (pid: 10828).
2022/10/06 15:45:02 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml'
2022/10/06 15:45:02 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/10/06 15:45:02 rootcheck: INFO: Starting rootcheck scan.
2022/10/06 15:45:02 wazuh-agent: INFO: (6000): Starting daemon...
2022/10/06 15:45:02 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2022/10/06 15:45:02 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2022/10/06 15:45:02 rootcheck: ERROR: No winmalware file: './shared/win_malware_rcl.txt'
2022/10/06 15:45:02 rootcheck: ERROR: No winapps file: './shared/win_applications_rcl.txt'
2022/10/06 15:45:05 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml'
2022/10/06 15:45:05 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml'
2022/10/06 15:45:08 rootcheck: INFO: Ending rootcheck scan.
2022/10/06 15:45:08 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml'
2022/10/06 15:45:08 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds.
2022/10/06 15:45:50 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2022/10/06 15:45:50 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.
2022/10/06 15:48:50 wazuh-agent: WARNING: No root CA defined to verify file 'incoming\wazuh_agent_v4.3.8_windows.wpk'.
2022/10/06 15:49:03 wazuh-agent: INFO: Received exit signal. Starting exit process.
2022/10/06 15:49:03 wazuh-agent: INFO: Set pending exit signal.
2022/10/06 15:49:03 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2022/10/06 15:49:03 wazuh-modulesd:syscollector: INFO: Module finished.
2022/10/06 15:49:03 wazuh-agent: INFO: Exit completed successfully.
2022/10/06 15:49:03 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.
2022/10/06 15:49:11 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2022/10/06 15:49:11 wazuh-agent: INFO: (1410): Reading authentication keys file.
2022/10/06 15:49:11 wazuh-agent: INFO: Started (pid: 12120).
2022/10/06 15:49:11 wazuh-agent: INFO: Server IP Address: 192.168.105.118
2022/10/06 15:49:11 wazuh-agent: INFO: Using AES as encryption method.
2022/10/06 15:49:11 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp).
2022/10/06 15:49:11 wazuh-agent: INFO: (4102): Connected to the server (192.168.105.118:1514/tcp).
2022/10/06 15:49:11 rootcheck: INFO: Started (pid: 12120).
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: WPK verification with CA is disabled.
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 sca: INFO: Module started.
2022/10/06 15:49:11 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2019 Standard [Ver: 10.0.17763] - Wazuh v4.3.8).
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 sca: INFO: Loaded policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 sca: INFO: Loaded policy 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\sca_win_audit.yml'
2022/10/06 15:49:11 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 sca: INFO: Starting Security Configuration Assessment scan.
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:11 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2022/10/06 15:49:11 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2022/10/06 15:49:11 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2022/10/06 15:49:11 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2022/10/06 15:49:11 wazuh-agent: INFO: Started (pid: 12120).
2022/10/06 15:49:11 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\wazuh-agent\ruleset\sca\cis_win2019.yml'
2022/10/06 15:49:11 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/10/06 15:49:11 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/10/06 15:49:11 wazuh-agent: INFO: Received exit signal. Starting exit process.
2022/10/06 15:49:11 wazuh-agent: INFO: Set pending exit signal.
2022/10/06 15:49:11 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2022/10/06 15:49:11 wazuh-agent: INFO: Started (pid: 12120).
2022/10/06 15:49:11 wazuh-modulesd:syscollector: INFO: Module started.
2022/10/06 15:49:11 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/10/06 15:49:11 wazuh-agent: INFO: (6000): Starting daemon...
2022/10/06 15:49:11 rootcheck: INFO: Starting rootcheck scan.
2022/10/06 15:49:11 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2022/10/06 15:49:11 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2022/10/06 15:49:11 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/10/06 15:49:11 wazuh-modulesd:syscollector: INFO: Module finished.
2022/10/06 15:49:11 wazuh-agent: INFO: Exit completed successfully.
2022/10/06 15:49:11 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.
2022/10/06 15:49:49 wazuh-agent: INFO: Found (WazuhSvc) service is not running.
2022/10/06 15:49:49 wazuh-agent: INFO: Successfully removed (WazuhSvc) from the service database.
2022/10/06 15:49:49 wazuh-agent: INFO: Successfully added to the service database.
2022/10/06 15:49:49 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2022/10/06 15:49:50 wazuh-agent: INFO: (1410): Reading authentication keys file.
2022/10/06 15:49:50 wazuh-agent: INFO: Started (pid: 2596).
2022/10/06 15:49:50 wazuh-agent: INFO: Server IP Address: 192.168.105.118
2022/10/06 15:49:50 wazuh-agent: INFO: Using AES as encryption method.
2022/10/06 15:49:50 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp).
2022/10/06 15:49:50 wazuh-agent: INFO: (4102): Connected to the server (192.168.105.118:1514/tcp).
2022/10/06 15:49:50 rootcheck: INFO: Started (pid: 2596).
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 sca: INFO: Could not open the default SCA ruleset folder 'ruleset\sca\': No such file or directory
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: WPK verification with CA is disabled.
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/10/06 15:49:50 sca: INFO: Module started.
2022/10/06 15:49:50 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2019 Standard [Ver: 10.0.17763] - Wazuh v4.3.4).
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 sca: INFO: No policies defined. Exiting.
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: ERROR: (1103): Could not open file 'active-response\active-responses.log' due to [(2)-(The system cannot find the file specified.)].
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: WPK verification with CA is disabled.
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-modulesd:agent-upgrade: INFO: (8154): Module Agent Upgrade finished.
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/06 15:49:50 wazuh-agent: INFO: Agent is restarting due to shared configuration changes.
2022/10/06 15:49:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:50 wazuh-agent: ERROR: At WCOM restart: Cannot execute restart process
2022/10/06 15:49:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2022/10/06 15:49:50 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2022/10/06 15:49:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2022/10/06 15:49:50 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2022/10/06 15:49:50 wazuh-agent: INFO: Started (pid: 2596).
2022/10/06 15:49:50 wazuh-agent: ERROR: Couldn't create SQLite database 'queue/fim/db/fim.db': unable to open database file (14)
2022/10/06 15:49:50 wazuh-agent: CRITICAL: (6698): Creating Data Structure: sqlite3 db. Exiting.
2022/10/06 15:49:50 wazuh-agent: INFO: Received exit signal. Starting exit process.
2022/10/06 15:49:50 wazuh-agent: INFO: Set pending exit signal.
2022/10/06 15:49:50 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2022/10/06 15:49:50 wazuh-agent: INFO: Exit completed successfully.
2022/10/06 15:49:50 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.
2022/10/06 15:49:50 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/10/07 13:39:58 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2022/10/07 13:39:58 wazuh-agent: INFO: (1410): Reading authentication keys file.
2022/10/07 13:39:58 wazuh-agent: INFO: Started (pid: 16180).
2022/10/07 13:39:58 wazuh-agent: INFO: Server IP Address: 192.168.105.118
2022/10/07 13:39:59 wazuh-agent: INFO: Using AES as encryption method.
2022/10/07 13:39:59 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp).
2022/10/07 13:39:59 wazuh-agent: INFO: (4102): Connected to the server (192.168.105.118:1514/tcp).
2022/10/07 13:39:59 rootcheck: INFO: Started (pid: 16180).
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 sca: INFO: Could not open the default SCA ruleset folder 'ruleset\sca\': No such file or directory
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: WPK verification with CA is disabled.
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/10/07 13:39:59 sca: INFO: Module started.
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2019 Standard [Ver: 10.0.17763] - Wazuh v4.3.4).
2022/10/07 13:39:59 sca: INFO: No policies defined. Exiting.
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: ERROR: (1103): Could not open file 'active-response\active-responses.log' due to [(2)-(The system cannot find the file specified.)].
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/07 13:39:59 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2022/10/07 13:39:59 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2022/10/07 13:39:59 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2022/10/07 13:39:59 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2022/10/07 13:39:59 wazuh-agent: INFO: Started (pid: 16180).
2022/10/07 13:39:59 wazuh-agent: ERROR: Couldn't create SQLite database 'queue/fim/db/fim.db': unable to open database file (14)
2022/10/07 13:39:59 wazuh-agent: CRITICAL: (6698): Creating Data Structure: sqlite3 db. Exiting.
2022/10/07 13:39:59 wazuh-agent: INFO: Received exit signal. Starting exit process.
2022/10/07 13:39:59 wazuh-agent: INFO: Set pending exit signal.
2022/10/07 13:39:59 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2022/10/07 13:39:59 wazuh-agent: INFO: Exit completed successfully.
2022/10/07 13:39:59 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.
2022/10/07 13:39:59 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/10/16 04:06:27 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2022/10/16 04:06:27 wazuh-agent: INFO: (1410): Reading authentication keys file.
2022/10/16 04:06:27 wazuh-agent: INFO: Started (pid: 3204).
2022/10/16 04:06:28 wazuh-agent: INFO: Server IP Address: 192.168.105.118
2022/10/16 04:06:28 rootcheck: INFO: Started (pid: 3204).
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/10/16 04:06:28 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2022/10/16 04:06:28 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/16 04:06:28 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/16 04:06:28 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/16 04:06:28 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/16 04:06:28 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/16 04:06:28 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/16 04:06:28 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/16 04:06:28 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 
2022/10/16 04:06:28 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'. 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini' 2022/10/16 04:06:28 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 
'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx' 2022/10/16 04:06:28 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final' 2022/10/16 04:06:28 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$' 2022/10/16 04:06:28 wazuh-agent: INFO: Started (pid: 3204). 2022/10/16 04:06:28 wazuh-agent: INFO: Using AES as encryption method. 2022/10/16 04:06:28 wazuh-agent: INFO: Trying to connect to server (192.168.105.118:1514/tcp). 2022/10/16 04:06:28 wazuh-agent: INFO: (4102): Connected to the server (192.168.105.118:1514/tcp). 2022/10/16 04:06:29 wazuh-agent: ERROR: Couldn't create SQLite database 'queue/fim/db/fim.db': unable to open database file (14) 2022/10/16 04:06:29 wazuh-agent: CRITICAL: (6698): Creating Data Structure: sqlite3 db. Exiting. 2022/10/16 04:06:29 wazuh-agent: INFO: Received exit signal. Starting exit process. 2022/10/16 04:06:29 wazuh-agent: INFO: Set pending exit signal. 2022/10/16 04:06:29 wazuh-agent: INFO: Exit completed successfully. 2022/10/16 04:06:29 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.

After that, the Windows service is recreated with the default path "C:\Program Files (x86)\ossec-agent". How can I remote upgrade my wazuh-agent with the custom path "C:\Program Files (x86)\wazuh-agent" like in the previous version?

@pereyra-m
Member

Hello again @khangcnttspkt .

I was making some tests, but when I install the Windows agent in a custom location and perform a remote upgrade, the process is successful.
Also, the logs you provided don't seem to show details about the failed upgrade process.

Was the agent able to start after creating the corresponding folders?
Regards.

@khangcnttspkt
Author

> Hello again @khangcnttspkt .
>
> I was making some tests, but when I install the Windows agent in a custom location and perform a remote upgrade, the process is successful. Also, the logs you provided don't seem to show details about the failed upgrade process.
>
> Was the agent able to start after creating the corresponding folders? Regards.

Hi @pereyra-m ,

Here is my upgrade.log file:

2022-10-06 16:36:36Z - Current version: v4.3.4.
2022-10-06 16:36:36Z - Generating backup.
2022-10-06 16:36:36Z - Backing up Wazuh home files.
2022-10-06 16:36:38Z - Searching Wazuh-Agent cached MSI through the registry.
2022-10-06 16:36:38Z - Backing up Wazuh-Agent cached MSI: "C:\Windows\Installer\831b1ac7.msi".
2022-10-06 16:36:39Z - Trying to stop Wazuh service again. Remaining attempts: 5.
2022-10-06 16:36:41Z - Starting upgrade processs.
2022-10-06 16:36:42Z - Waiting for the Wazuh-Agent installation to end.
2022-10-06 16:36:44Z - Waiting for the Wazuh-Agent installation to end.
2022-10-06 16:36:46Z - Restarting Wazuh-Agent service.
2022-10-06 16:36:46Z - Installation finished.
2022-10-06 16:36:56Z - Process ID: .
2022-10-06 16:37:16Z - Reading status file: .
2022-10-06 16:37:16Z - Upgrade failed: Restoring former installation.
2022-10-06 16:37:17Z - Performing the Wazuh-Agent uninstall using: "MsiExec.exe /X{046060DF-E7E4-4395-B6D7-50F0FA90756E} /quiet".
2022-10-06 16:37:25Z - Excecuting former Wazuh-Agent MSI: ".\backup\831b1ac7.msi".
2022-10-06 16:37:27Z - Waiting for the installation to end.
2022-10-06 16:37:30Z - Restoring former Wazuh-Agent home files.
2022-10-06 16:37:31Z - Current version: v4.3.4.
2022-10-06 16:37:31Z - Installing Wazuh service.
2022-10-06 16:37:31Z - Starting Wazuh-Agent service.

After creating these folders in "C:\Program Files (x86)\wazuh-agent":
queue/syscollector/db
queue/fim/db
queue/logcollector
queue/diff

The remote upgrade succeeds, but it installs in "C:\Program Files (x86)\ossec-agent" and the Windows service is replaced with the "C:\Program Files (x86)\ossec-agent" path.

If I uninstall wazuh-agent and do a fresh install of version v4.3.4 with a custom path, the remote upgrade succeeds without error.

But with the wazuh-agent that was already installed, the remote upgrade failed. I tried to remote upgrade many Windows servers in my system but got the same error.
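
For triaging the same failure across many agents, the following added example (not part of the thread and not Wazuh project code) parses the upgrade.log format posted above and reports a rollback, the fields logged without a value, and the time between "Installation finished." and the failure. The names `parse_upgrade_log` and `triage` are hypothetical, and the sample is an excerpt of the log in this comment.

```python
import re
from datetime import datetime

# Entries look like "2022-10-06 16:36:36Z - message". The lookahead lets the
# parser accept logs pasted one entry per line or run together on one line.
ENTRY = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z - (.*?)"
    r"(?=\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z - |\s*\Z)",
    re.DOTALL,
)

# Excerpt of the upgrade.log posted in this thread (some entries omitted).
SAMPLE = """\
2022-10-06 16:36:36Z - Current version: v4.3.4.
2022-10-06 16:36:41Z - Starting upgrade processs.
2022-10-06 16:36:46Z - Installation finished.
2022-10-06 16:36:56Z - Process ID: .
2022-10-06 16:37:16Z - Reading status file: .
2022-10-06 16:37:16Z - Upgrade failed: Restoring former installation.
2022-10-06 16:37:31Z - Current version: v4.3.4.
2022-10-06 16:37:31Z - Starting Wazuh-Agent service.
"""

def parse_upgrade_log(text):
    """Return [(datetime, message), ...] in log order."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), msg.strip())
            for ts, msg in ENTRY.findall(text)]

def triage(entries):
    """Summarise one upgrade attempt from parsed entries."""
    report = {"versions": [], "empty_fields": [],
              "rolled_back": False, "seconds_to_failure": None}
    finished = None
    for when, msg in entries:
        key, _, value = msg.rstrip(".").partition(": ")
        if key == "Current version":
            report["versions"].append(value)
        elif key in ("Process ID", "Reading status file") and not value.strip():
            # The updater logged the label but no value after the colon.
            report["empty_fields"].append(key)
        elif msg == "Installation finished.":
            finished = when
        elif key == "Upgrade failed":
            report["rolled_back"] = True
            if finished is not None:
                report["seconds_to_failure"] = int((when - finished).total_seconds())
    return report

if __name__ == "__main__":
    print(triage(parse_upgrade_log(SAMPLE)))
```

A report whose `versions` list starts and ends on the same version with `rolled_back` set means the agent is back on the old release.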

@pereyra-m
Member

Hello again @khangcnttspkt !

I'm still making tests about your issue. When I install the agent in a custom location it is always upgraded successfully without changing the path.
On the other side, I think I don't understand this comment. Are you unable to reproduce the issue?

> If I uninstall wazuh-agent and fresh install again with version v4.3.4 with custom path, I can success remote upgrade without error.

But about the errors you have in the rest of the servers, did you update the CA in the agents? See issue #14715 for more details.
Basically, the certificate that is distributed with the agents has expired, so you need to update it manually if you want to upgrade Wazuh to version 4.3.8 or newer.

Regards.
