Release 4.8.0 - Alpha 2 - Specific systems #21394
Analysis Report - AMI 🟡
Logs 🟡
# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
Jan 12 10:01:26 wazuh-server opensearch-dashboards[5413]: {"type":"log","@timestamp":"2024-01-12T10:01:26Z","tags":["error","plugins","securityDashboards"],"pid":5413,"message":"Failed authentication: Error: Authentication Exception"}
Jan 12 10:00:54 wazuh-server opensearch-dashboards[5413]: {"type":"log","@timestamp":"2024-01-12T10:00:54Z","tags":["error","plugins","securityDashboards"],"pid":5413,"message":"Failed authentication: Error: Authentication Exception"}
Jan 12 10:00:46 wazuh-server opensearch-dashboards[5413]: {"type":"log","@timestamp":"2024-01-12T10:00:46Z","tags":["error","plugins","securityDashboards"],"pid":5413,"message":"Failed authentication: Error: Authentication Exception"}
Jan 12 09:59:42 wazuh-server opensearch-dashboards[5413]: {"type":"error","@timestamp":"2024-01-12T09:59:42Z","tags":["connection","client","error"],"pid":5413,"level":"error","error":{"message":"140511668950912:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140511668950912:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140511668950912:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
Jan 12 09:55:40 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:40Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:38 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:38Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:35 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:35Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:33 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:33Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:30 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:30Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:28 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:28Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:25 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:25Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 12 09:55:23 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:23Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 12 09:55:20 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:20Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 12 09:55:18 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:18Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 12 09:55:15 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:15Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 12 09:55:13 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:13Z","tags":["error","savedobjects-service"],"pid":2586,"message":"Unable to retrieve version information from OpenSearch nodes."}
Jan 12 09:55:13 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:13Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: WARNING: System::setSecurityManager will be removed in a future release
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 12 09:54:09 wazuh-server systemd-entrypoint[3100]: WARNING: System::setSecurityManager will be removed in a future release
Jan 12 09:54:09 wazuh-server systemd-entrypoint[3100]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 12 09:54:09 wazuh-server systemd-entrypoint[3100]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Jan 12 09:54:09 wazuh-server systemd-entrypoint[3100]: WARNING: A terminally deprecated method in java.lang.System has been called
# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:54:24,546Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1964m, -Xmx1964m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6518941897775988647, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=1029701632, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:20,231Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:27,621Z", "level": "ERROR", "component": "o.o.i.i.ManagedIndexCoordinator", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:27,760Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,305Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,306Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,306Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,306Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,306Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,307Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,307Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,307Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,307Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,307Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,412Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,430Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,434Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,447Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:30,841Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:30,844Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:30,846Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:30,849Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:33,343Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:33,345Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:33,348Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:33,350Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:35,845Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:35,848Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:35,852Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:35,864Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:38,346Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:38,349Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:38,351Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:38,356Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:40,849Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:40,852Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:40,854Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:40,856Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA" }
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:54:24,546][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1964m, -Xmx1964m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6518941897775988647, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=1029701632, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:20,231][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:27,621][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-1] Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:27,760][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,305][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,306][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,306][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,306][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,306][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,307][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,307][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,307][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,307][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,307][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,412][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,430][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,434][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,447][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:30,841][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:30,844][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:30,846][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:30,849][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:33,343][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:33,345][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:33,348][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:33,350][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:35,845][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:35,848][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:35,852][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:35,864][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:38,346][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:38,349][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:38,351][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:38,356][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:40,849][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:40,852][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:40,854][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:40,856][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
Filebeat Test 🟢
# filebeat test output
elasticsearch: https://localhost:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
Wazuh Indexer Cluster 🟢
# curl -k -u admin:pass https://127.0.0.1:9200
{
"name" : "node-1",
"cluster_name" : "wazuh-cluster",
"cluster_uuid" : "6nknf0IHRt2xJ3JhBbuuBw",
"version" : {
"number" : "7.10.2",
"build_type" : "rpm",
"build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
"build_date" : "2023-09-20T23:54:29.889267151Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
# curl -k -u admin:pass https://127.0.0.1:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
127.0.0.1 17 97 5 0.03 0.15 0.31 dimr cluster_manager,data,ingest,remote_cluster_client * node-1
# curl -k -u admin:pass https://127.0.0.1:9200/_cluster/health?pretty
{
"cluster_name" : "wazuh-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"discovered_master" : true,
"discovered_cluster_manager" : true,
"active_primary_shards" : 16,
"active_shards" : 16,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
Users 🟢
# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
# grep -R "wazuh" /etc/passwd
wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin
Versions 🟢
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="server"
# cat /usr/share/wazuh-indexer/VERSION
4.8.0
# cat /usr/share/wazuh-dashboard/VERSION
4.8.0
# cat /usr/share/wazuh-dashboard/package.json
{
"name": "opensearch-dashboards",
"description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
"keywords": [
"opensearch-dashboards",
"opensearch",
"logstash",
"analytics",
"visualizations",
"dashboards",
"dashboarding"
],
"version": "2.10.0",
"branch": "2.x",
"build": {
"number": 48002,
"sha": "c1120d93e2ee647977f917a1249258a622d4eb5b",
"distributable": true,
"release": true
},
"repository": {
"type": "git",
"url": "https://github.com/opensearch-project/opensearch-dashboards.git"
},
"engines": {
"node": ">=14.20.1 <19"
}
}
Processes 🟢
# ps -ef | grep wazuh
root 2864 1 0 09:53 ? 00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root 2904 1 0 09:53 ? 00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+ 3100 1 5 09:53 ? 00:01:06 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms1964m -Xmx1964m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-6518941897775988647 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=1029701632 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh 3495 1 0 09:54 ? 00:00:08 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 3496 3495 0 09:54 ? 00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 3499 3495 0 09:54 ? 00:00:03 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 3502 3495 0 09:54 ? 00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root 3545 1 0 09:54 ? 00:00:00 /var/ossec/bin/wazuh-authd
wazuh 3562 1 0 09:54 ? 00:00:01 /var/ossec/bin/wazuh-db
root 3588 1 0 09:54 ? 00:00:00 /var/ossec/bin/wazuh-execd
wazuh 3604 1 0 09:54 ? 00:00:01 /var/ossec/bin/wazuh-analysisd
root 3617 1 0 09:54 ? 00:00:10 /var/ossec/bin/wazuh-syscheckd
wazuh 3635 1 0 09:54 ? 00:00:01 /var/ossec/bin/wazuh-remoted
root 3674 1 0 09:54 ? 00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh 3727 1 0 09:54 ? 00:00:00 /var/ossec/bin/wazuh-monitord
root 3749 1 0 09:54 ? 00:00:01 /var/ossec/bin/wazuh-modulesd
wazuh-d+ 5413 1 1 09:55 ? 00:00:11 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
root 5559 3140 0 09:55 ? 00:00:00 sshd: wazuh-user [priv]
wazuh-u+ 5661 5559 0 09:55 ? 00:00:00 sshd: wazuh-user@pts/0
wazuh-u+ 5672 5661 0 09:55 pts/0 00:00:00 -bash
root 6353 6241 0 10:14 pts/0 00:00:00 grep --color=auto wazuh
# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
SSH Root Access Denied 🟢
$ ssh -i "Ephemeral.pem" root@MANAGER_IP
Please login as the user "wazuh-user" rather than the user "root".
SSH wazuh-user Access Allowed 🟢
$ ssh -i "Ephemeral.pem" wazuh-user@MANAGER_IP
wwwwww. wwwwwww. wwwwwww.
wwwwwww. wwwwwww. wwwwwww.
wwwwww. wwwwwwwww. wwwwwww.
wwwwwww. wwwwwwwww. wwwwwww.
wwwwww. wwwwwwwwwww. wwwwwww.
wwwwwww. wwwwwwwwwww. wwwwwww.
wwwwww. wwwwww.wwwwww. wwwwwww.
wwwwwww. wwwww. wwwwww. wwwwwww.
wwwwww. wwwwww. wwwwww. wwwwwww.
wwwwwww. wwwww. wwwwww. wwwwwww.
wwwwww. wwwwww. wwwwww.wwwwwww.
wwwwwww.wwwww. wwwwww.wwwwwww.
wwwwwwwwwwww. wwwwwwwwwwww.
wwwwwwwwwww. wwwwwwwwwwww. oooooo
wwwwwwwwww. wwwwwwwwww. oooooooo
wwwwwwwww. wwwwwwwwww. oooooooooo
wwwwwwww. wwwwwwww. oooooooooo
wwwwwww. wwwwwwww. oooooooo
wwwwww. wwwwww. oooooo
WAZUH Open Source Security Platform
https://wazuh.com
Production Repositories 🟢
[wazuh-user@wazuh-server ~]$ cat /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
Indexer - journalctl
WUI
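The "Production Repositories" check above is done by eye. The following added example (written for this page, not code from Wazuh or from the report's author) turns it into a repeatable check: it parses a yum repo definition and confirms that the repo is enabled, that `gpgcheck` is on, that both the GPG key and the base URL are fetched over HTTPS, and that the base URL points at the production host's `4.x` branch rather than a pre-release location. The production host name is an assumption taken from the repo file shown above; the second repo file is a constructed counter-example.

```python
import configparser
from urllib.parse import urlparse

# Repository file as shown in the AMI report above.
PRODUCTION_REPO = """[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
"""

# Constructed counter-example (not from the page): a pre-release repository
# that also has package signature verification switched off.
PRERELEASE_REPO = """[wazuh]
gpgcheck=0
gpgkey=http://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh pre-release
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
"""

# Assumed production package host, taken from the repo file in the report.
PRODUCTION_HOST = "packages.wazuh.com"


def check_repo(text, section="wazuh"):
    """Return a dict of boolean findings for one yum repository definition.

    'ok' is True only when every individual check passes.
    """
    # interpolation=None keeps the literal ${releasever} yum variable intact.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section(section):
        return {"section_present": False, "ok": False}

    repo = parser[section]
    baseurl = urlparse(repo.get("baseurl", ""))
    gpgkey = urlparse(repo.get("gpgkey", ""))
    findings = {
        "section_present": True,
        "repo_enabled": repo.get("enabled") == "1",
        "gpgcheck_enabled": repo.get("gpgcheck") == "1",
        "gpgkey_over_https": gpgkey.scheme == "https",
        "baseurl_over_https": baseurl.scheme == "https",
        "production_host": baseurl.hostname == PRODUCTION_HOST,
        "release_branch_4x": "/4.x/" in baseurl.path,
    }
    findings["ok"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for label, text in (("production", PRODUCTION_REPO), ("pre-release", PRERELEASE_REPO)):
        result = check_repo(text)
        failed = sorted(k for k, v in result.items() if v is False and k != "ok")
        print(f"{label}: ok={result['ok']} failed={failed}")
```

On a real host, read `/etc/yum.repos.d/wazuh.repo` and pass its contents to `check_repo`; a non-empty `failed` list names exactly which property of the repo definition deviates from the expected production setting.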
Analysis report - OVA
OVA - Check system 🟢
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
[wazuh-user@wazuh-server ~]$ sudo su
OVA - Check Wazuh agent connection 🟢
{"timestamp":"2024-01-15T15:43:29.317+0000","rule":{"level":9,"description":"SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v2.0.0: Score less than 30% (27)","id":"19005","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"Caprica","ip":"192.168.1.134"},"manager":{"name":"wazuh-server"},"id":"1705333409.2108934","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1279491199","policy":"CIS Microsoft Windows 11 Enterprise Benchmark v2.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11. Please note that the rules provide accurate results for Windows 11 Operating Systems with the System language set to English. The SCA policy will work with other languages but the results will be less accurate due to some of the rules that depend on the System language.","policy_id":"cis_win11_enterprise_22H2","passed":"128","failed":"331","invalid":"12","total_checks":"471","score":"27","file":"cis_win11_enterprise.yml"}},"location":"sca"}
{"timestamp":"2024-01-15T15:43:29.317+0000","rule":{"level":9,"description":"SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v2.0.0: Score less than 30% (27)","id":"19005","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"Caprica","ip":"192.168.1.134"},"manager":{"name":"wazuh-server"},"id":"1705333409.2108934","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1279491199","policy":"CIS Microsoft Windows 11 Enterprise Benchmark v2.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11. Please note that the rules provide accurate results for Windows 11 Operating Systems with the System language set to English. The SCA policy will work with other languages but the results will be less accurate due to some of the rules that depend on the System language.","policy_id":"cis_win11_enterprise_22H2","passed":"128","failed":"331","invalid":"12","total_checks":"471","score":"27","file":"cis_win11_enterprise.yml"}},"location":"sca"}
Wazuh processes 🟢
Versions 🟢
Users 🟢
OVA - WUI 🟢
Dark mode
OVA - Logs 🟡
OVA - Filebeat Tests 🟢
OVA - Wazuh Indexer Cluster 🟢
OVA - No root ssh access 🟢
Analysis Report - Solaris 11 SPARC
System Info 🟢
xbmk@sossp104:~$ hostname
sossp104
xbmk@sossp104:~$ uname -a
SunOS sossp104 5.11 11.3 sun4v sparc sun4v
Installation 🟢
Installation
xbmk@sossp104:~$ curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.8.0-sol11-sparc.p5p
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--: 0 6320k 0 29683 0 0 49676 0 0:02:10 --:--:-- 0:02:100 6320k 100 6320k 0 0 5478k 0 0:00:01 0:00:01 --:--:-- 5787k
root@sossp104:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent
Packages to install: 1
Services to change: 1
Create boot environment: No
Create backup boot environment: No
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 1/1 119/119 5.8/5.8 28.3M/s
PHASE ITEMS
Installing new actions 175/175
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 2/2
root@sossp104:~#
Change Agent IP
root@sossp104:~# vi /var/ossec/etc/ossec.conf
root@sossp104:~# cat /var/ossec/etc/ossec.conf | grep address
<address>xx.xxx.xx.xxx</address>
Start Agent
root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~#
Agent Info
root@sossp104:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@sossp104:~#
Check Agent in Manager
root@ip-xxx-xx-xx-xxx:/home/ubuntu# /var/ossec/bin/agent_control -i 010
Wazuh agent_control. Agent information:
Agent ID: 010
Agent Name: sossp104
IP address: any
Status: Active
Operating system: SunOS |sossp104 |5.11 |11.3 |sun4v
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1705344677
Syscheck last started at: Mon Jan 15 18:45:17 2024
Syscheck last ended at: Mon Jan 15 18:45:38 2024
root@ip-xxx-xx-xx-xxx:/home/ubuntu#
No Errors Present in the Agent
root@sossp104:~# /usr/xpg4/bin/grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0
No Errors Present in the Manager
root@ip-xxx-xx-xx-xxx:/home/ubuntu# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0
Check Users and Groups 🟢
root@sossp104:~# cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:
root@sossp104:~# cat /etc/group | grep wazuh
wazuh::13:
root@sossp104:~#
Generate Alerts 🟢
TCP 🟢
Agent is Connected Through TCP
root@sossp104:~# grep -i "tcp" /var/ossec/logs/ossec.log
2024/01/15 12:45:09 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/tcp).
2024/01/15 12:45:09 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/tcp).
2024/01/15 12:45:16 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/tcp).
2024/01/15 12:45:16 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/tcp).
Alerts are correctly generated for the agent - Expected logs
root@ip-xxx-xx-xx-xxx:/home/ubuntu# grep sossp104 /var/ossec/logs/alerts/alerts.json
{"timestamp":"2024-01-15T18:45:30.559+0000","rule":{"level":3,"description":"New wazuh agent connected.","id":"501","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344330.98131","full_log":"ossec: Agent started: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-agent"}
{"timestamp":"2024-01-15T18:45:34.739+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-172-31-43-159"},"id":"1705344334.98402","full_log":"ossec: Agent stopped: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-remoted"}
{"timestamp":"2024-01-15T18:45:37.108+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344337.98729","full_log":"ossec: Agent started: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-agent"}
{"timestamp":"2024-01-15T18:45:44.954+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344344.99054","full_log":"Trojaned version of file '/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/bin/kill"},"location":"rootcheck"}
{"timestamp":"2024-01-15T18:45:44.981+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344344.99453","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}
{"timestamp":"2024-01-15T18:45:47.750+0000","rule":{"level":7,"description":"CVE-2011-0064 affects pango","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344347.99860","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2011-0064","cvss":{"cvss2":{"base_score":"6.800000","vector":{"access_complexity":"MEDIUM","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"PARTIAL","integrity_impact":"PARTIAL"}}},"enumeration":"CVE","package":{"architecture":"sparc","condition":"Package equal to 1.28.3","name":"pango","source":" ","version":"1.28.3"},"published":"2011-03-07T21:00:01Z","rationale":"The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.","reference":"http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2ed2cd307e7a991346faee164e70d9, https://bugzilla.redhat.com/show_bug.cgi?id=678563, https://build.opensuse.org/request/show/63070, http://secunia.com/advisories/43559, http://secunia.com/advisories/43572, http://secunia.com/advisories/43578, http://www.vupen.com/english/advisories/2011/0543, http://www.vupen.com/english/advisories/2011/0555, http://www.vupen.com/english/advisories/2011/0558, http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056065.html, http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html, http://secunia.com/advisories/43800, http://securitytracker.com/id?1025145, http://www.debian.org/security/2011/dsa-2178, http://www.mandriva.com/security/advisories?name=MDVSA-2011:040, http://www.redhat.com/support/errata/RHSA-2011-0309.html, http://www.securityfocus.com/bid/46632, http://www.ubuntu.com/usn/USN-1082-1, http://www.vupen.com/english/advisories/2011/0584, http://www.vupen.com/english/advisories/2011/0683, https://bugzilla.mozilla.org/show_bug.cgi?id=606997, https://bugzilla.novell.com/show_bug.cgi?id=672502, https://exchange.xforce.ibmcloud.com/vulnerabilities/65770","severity":"Medium","status":"Active","title":"CVE-2011-0064 affects pango","type":"Packages","updated":"2021-07-14T15:41:29Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-01-15T18:45:47.760+0000","rule":{"level":10,"description":"CVE-2011-0020 affects pango","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344347.104757","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"redhat","cve":"CVE-2011-0020","cvss":{"cvss2":{"base_score":"7.600000","vector":{"access_complexity":"HIGH","authentication":"NONE","availability":"COMPLETE","confidentiality_impact":"COMPLETE","integrity_impact":"COMPLETE"}}},"cwe_reference":"CWE-119","enumeration":"CVE","package":{"architecture":"sparc","condition":"Package less than or equal to 1.28.3","name":"pango","source":" ","version":"1.28.3"},"published":"2011-01-24T18:00:03Z","rationale":"Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.","reference":"http://openwall.com/lists/oss-security/2011/01/18/6, http://openwall.com/lists/oss-security/2011/01/20/2, https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616, https://bugzilla.redhat.com/show_bug.cgi?id=671122, http://www.vupen.com/english/advisories/2011/0186, http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html, http://osvdb.org/70596, http://secunia.com/advisories/42934, http://secunia.com/advisories/43100, http://www.redhat.com/support/errata/RHSA-2011-0180.html, http://www.securityfocus.com/bid/45842, http://www.securitytracker.com/id?1024994, http://www.vupen.com/english/advisories/2011/0238, https://bugzilla.gnome.org/show_bug.cgi?id=639882, https://exchange.xforce.ibmcloud.com/vulnerabilities/64832","severity":"High","status":"Active","title":"CVE-2011-0020 affects pango","type":"Packages","updated":"2023-02-13T03:22:38Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-01-15T18:45:48.315+0000","rule":{"level":3,"description":"CIS Benchmark for Oracle Solaris 11 v1.1.0: Disable Local-only Graphical Login Environment","id":"19008","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["2.1"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344348.108826","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"27726","policy":"CIS Benchmark for Oracle Solaris 11 v1.1.0","check":{"id":"8000","title":"Disable Local-only Graphical Login Environment","description":"The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode.","rationale":"This service should be disabled if it is not required.","remediation":"To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default","compliance":{"cis":"2.1"},"command":["svcs -xv svc:/application/graphical-login/gdm:default"],"result":"passed"}}},"location":"sca"}
No Errors in Agent Logs
root@sossp104:~# grep -i "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0
root@sossp104:~#
UDP 🟢
Agent is Connected Through UDP
root@sossp104:~# sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf
root@sossp104:~# grep udp /var/ossec/etc/ossec.conf
<protocol>udp</protocol>
root@sossp104:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~# grep "udp" /var/ossec/logs/ossec.log
2024/01/15 13:11:59 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/udp).
2024/01/15 13:11:59 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/udp).
Alerts are Correctly Generated for the Agent
root@ip-xxx-xx-xx-xxx:/home/ubuntu# grep sossp104 /var/ossec/logs/alerts/alerts.json
{"timestamp":"2024-01-15T18:45:30.559+0000","rule":{"level":3,"description":"New wazuh agent connected.","id":"501","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-172-31-43-159"},"id":"1705344330.98131","full_log":"ossec: Agent started: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-agent"}
{"timestamp":"2024-01-15T18:45:34.739+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344334.98402","full_log":"ossec: Agent stopped: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-remoted"}
{"timestamp":"2024-01-15T18:45:37.108+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-172-31-43-159"},"id":"1705344337.98729","full_log":"ossec: Agent started: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-agent"}
{"timestamp":"2024-01-15T18:45:44.954+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344344.99054","full_log":"Trojaned version of file '/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/bin/kill"},"location":"rootcheck"}
{"timestamp":"2024-01-15T18:45:44.981+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344344.99453","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}
{"timestamp":"2024-01-15T18:45:47.750+0000","rule":{"level":7,"description":"CVE-2011-0064 affects pango","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344347.99860","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2011-0064","cvss":{"cvss2":{"base_score":"6.800000","vector":{"access_complexity":"MEDIUM","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"PARTIAL","integrity_impact":"PARTIAL"}}},"enumeration":"CVE","package":{"architecture":"sparc","condition":"Package equal to 1.28.3","name":"pango","source":" ","version":"1.28.3"},"published":"2011-03-07T21:00:01Z","rationale":"The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.","reference":"http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2ed2cd307e7a991346faee164e70d9, https://bugzilla.redhat.com/show_bug.cgi?id=678563, https://build.opensuse.org/request/show/63070, http://secunia.com/advisories/43559, http://secunia.com/advisories/43572, http://secunia.com/advisories/43578, http://www.vupen.com/english/advisories/2011/0543, http://www.vupen.com/english/advisories/2011/0555, http://www.vupen.com/english/advisories/2011/0558, http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056065.html, http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html, http://secunia.com/advisories/43800, http://securitytracker.com/id?1025145, http://www.debian.org/security/2011/dsa-2178, http://www.mandriva.com/security/advisories?name=MDVSA-2011:040, http://www.redhat.com/support/errata/RHSA-2011-0309.html, http://www.securityfocus.com/bid/46632, http://www.ubuntu.com/usn/USN-1082-1, http://www.vupen.com/english/advisories/2011/0584, http://www.vupen.com/english/advisories/2011/0683, https://bugzilla.mozilla.org/show_bug.cgi?id=606997, https://bugzilla.novell.com/show_bug.cgi?id=672502, https://exchange.xforce.ibmcloud.com/vulnerabilities/65770","severity":"Medium","status":"Active","title":"CVE-2011-0064 affects pango","type":"Packages","updated":"2021-07-14T15:41:29Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-01-15T18:45:47.760+0000","rule":{"level":10,"description":"CVE-2011-0020 affects pango","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"010","name":sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344347.104757","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"redhat","cve":"CVE-2011-0020","cvss":{"cvss2":{"base_score":"7.600000","vector":{"access_complexity":"HIGH","authentication":"NONE","availability":"COMPLETE","confidentiality_impact":"COMPLETE","integrity_impact":"COMPLETE"}}},"cwe_reference":"CWE-119","enumeration":"CVE","package":{"architecture":"sparc","condition":"Package less than or equal to 1.28.3","name":"pango","source":" ","version":"1.28.3"},"published":"2011-01-24T18:00:03Z","rationale":"Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.","reference":"http://openwall.com/lists/oss-security/2011/01/18/6, http://openwall.com/lists/oss-security/2011/01/20/2, https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616, https://bugzilla.redhat.com/show_bug.cgi?id=671122, http://www.vupen.com/english/advisories/2011/0186, http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html, http://osvdb.org/70596, http://secunia.com/advisories/42934, http://secunia.com/advisories/43100, http://www.redhat.com/support/errata/RHSA-2011-0180.html, http://www.securityfocus.com/bid/45842, http://www.securitytracker.com/id?1024994, http://www.vupen.com/english/advisories/2011/0238, https://bugzilla.gnome.org/show_bug.cgi?id=639882, 
https://exchange.xforce.ibmcloud.com/vulnerabilities/64832","severity":"High","status":"Active","title":"CVE-2011-0020 affects pango","type":"Packages","updated":"2023-02-13T03:22:38Z"}},"location":"vulnerability-detector"}
No Errors in Agent Logs
root@sossp104:~# grep -i "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0
Removal 🟢
root@sossp104:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
root@sossp104:~# pkg uninstall wazuh-agent
Packages to remove: 1
Services to change: 1
Create boot environment: No
Create backup boot environment: No
PHASE ITEMS
Removing old actions 222/222
Updating package state database Done
Updating package cache 1/1
Updating image state Done
Creating fast lookup database Done
Updating package cache 2/2
The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:
ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20240115T132031Z
ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240115T132031Z
ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240115T132031Z
ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240115T132031Z
ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240115T132031Z
ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20240115T132031Z
ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240115T132031Z
ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240115T132031Z
ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240115T132031Z
ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20240115T132031Z
root@sossp104:~# groupdel wazuh
root@sossp104:~#
Upgrade from 4.7.2 to 4.8.0 🟢
Install wazuh 4.7.2 on agent
root@sossp104:~# curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.7.2-sol11-sparc.p5p
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6270k 100 6270k 0 0 5805k 0 0:00:01 0:00:01 --:--:-- 5977k
root@sossp104:~# pkg install -g wazuh-agent_v4.7.2-sol11-sparc.p5p wazuh-agent
Packages to install: 1
Services to change: 1
Create boot environment: No
Create backup boot environment: No
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 1/1 98/98 5.8/5.8 32.9M/s
PHASE ITEMS
Installing new actions 151/151
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 2/2
Change IP
root@sossp104:~# vi /var/ossec/etc/ossec.conf
root@sossp104:~# cat /var/ossec/etc/ossec.conf | grep address
<address>xx.xxx.xx.xxx</address>
root@sossp104:~#
Start Agent
root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
Check Wazuh Manager
root@ip-xxx-xx-xx-xxx:/home/ubuntu# /var/ossec/bin/agent_control -i 011
Wazuh agent_control. Agent information:
Agent ID: 011
Agent Name: sossp104
IP address: any
Status: Active
Operating system: SunOS |sossp104 |5.11 |11.3 |sun4v
Client version: Wazuh v4.7.2
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1705405240
Syscheck last started at: Tue Jan 16 11:37:32 2024
Syscheck last ended at: Tue Jan 16 11:37:39 2024
root@ip-xxx-xx-xx-xxx:/home/ubuntu#
Upgrade to Wazuh 4.8.0
root@sossp104:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent
Packages to update: 1
Create boot environment: No
Create backup boot environment: Yes
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 1/1 57/57 5.0/5.0 41.1M/s
PHASE ITEMS
Installing new actions 24/24
Updating modified actions 38/38
Updating package state database Done
Updating package cache 1/1
Updating image state Done
Creating fast lookup database Done
Updating package cache 2/2
Check and restart
Status
root@sossp104:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@sossp104:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
Check Manager
root@ip-xxx-xx-xx-xxx:/home/ubuntu# /var/ossec/bin/agent_control -i 011
Wazuh agent_control. Agent information:
Agent ID: 011
Agent Name: sossp104
IP address: any
Status: Active
Operating system: SunOS |sossp104 |5.11 |11.3 |sun4v
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1705405620
Syscheck last started at: Tue Jan 16 11:46:32 2024
Syscheck last ended at: Tue Jan 16 11:46:39 2024
root@ip-xxx-xx-xx-xxx:/home/ubuntu#
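The per-platform reports above repeat the same three manual checks: count ERROR/WARNING lines in the agent's ossec.log, read the protocol set in ossec.conf, and confirm from the agentd log that the agent actually connected over that protocol. The shell script below automates them. It is an added example, not a script from the test report or from Wazuh; the sample ossec.log and ossec.conf it writes are constructed for this example, modelled on the log lines shown in the reports. One point it makes explicit: grep alternation (`ERROR|CRITICAL|FATAL|WARNING`) is only honoured with `-E`. Without `-E` (the form used in one of the agent-log checks above) an unescaped `|` is a literal character, so the count is 0 whatever the log contains, and a zero from that form is not evidence of a clean log.

```shell
#!/bin/sh
# Added example (not from the release test report or from Wazuh): helpers
# that automate the manual post-install checks the testers ran by hand.
# The ossec.log / ossec.conf samples created by make_samples() are
# constructed for this example, not real captures.

# Count ERROR/CRITICAL/FATAL/WARNING lines in an ossec.log. The '|'
# alternation needs -E (ERE). grep -c exits 1 when the count is 0, so the
# trailing '|| :' keeps the function's exit status at 0 for a clean log.
count_log_errors() {
    grep -Eic 'ERROR|CRITICAL|FATAL|WARNING' "$1" || :
}

# The same pattern WITHOUT -E: in a basic regular expression an unescaped
# '|' is literal, so this matches nothing and always prints 0 (false negative).
count_log_errors_bre() {
    grep -ic 'ERROR|CRITICAL|FATAL|WARNING' "$1" || :
}

# Protocol configured for the manager connection: <protocol>tcp</protocol>.
configured_protocol() {
    sed -n 's/.*<protocol>\([a-z]*\)<\/protocol>.*/\1/p' "$1" | head -n 1
}

# Protocol of the most recent successful connection, taken from the agentd
# line "(4102): Connected to the server ([ip]:1514/tcp)."
connected_protocol() {
    sed -n 's/.*Connected to the server (.*:[0-9]*\/\([a-z]*\)).*/\1/p' "$1" | tail -n 1
}

# Print "ok <proto>" (exit 0) when the log agrees with the configuration,
# otherwise "mismatch conf=<x> log=<y>" (exit 1). $1 = ossec.conf, $2 = ossec.log
verify_protocol() {
    conf=$(configured_protocol "$1")
    log=$(connected_protocol "$2")
    if [ -n "$conf" ] && [ "$conf" = "$log" ]; then
        printf 'ok %s\n' "$conf"
        return 0
    fi
    printf 'mismatch conf=%s log=%s\n' "$conf" "$log"
    return 1
}

# Write the constructed sample files and print the directory holding them.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ossec.log" <<'EOF'
2024/01/15 12:38:36 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
2024/01/15 12:38:36 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
2024/01/15 12:46:32 wazuh-agentd: ERROR: (1216): Unable to connect to '[OBFUSCATED_MANAGER_IP]:1514/tcp': 'Connection refused'.
2024/01/15 12:46:33 wazuh-syscheckd: WARNING: Process locked due to agent is offline. Waiting for connection...
EOF
    cat > "$dir/ossec.conf" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>OBFUSCATED_MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run against the constructed samples.
samples=$(make_samples)
printf 'errors/warnings (grep -E):     %s\n' "$(count_log_errors "$samples/ossec.log")"
printf 'errors/warnings (grep, no -E): %s\n' "$(count_log_errors_bre "$samples/ossec.log")"
verify_protocol "$samples/ossec.conf" "$samples/ossec.log"
rm -rf "$samples"
```

On a real agent, point the functions at /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log. `connected_protocol` reads the last connection line, so after the tcp-to-udp switch and restart shown in the reports it returns udp, which is exactly what the manual `grep udp` check was confirming.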
Analysis report - PPC64EL 🔴
Resources: https://github.com/wazuh/internal-devel-requests/issues/695 🟢
CentOS 7 🟢
System info
Fresh install 🟢
Removal 🟢
Upgrade from 4.7.2 🟢
Debian Stretch 🔴
System info
Fresh install 🟢
Removal 🔴
Upgrade from 4.7.2 🟢
Analysis report - AIX 🟢
System info 🟢
bash-4.4$ hostname
soaxp089
bash-4.4$ uname -a
AIX soaxp089 1 6 00CADA644C00
Installation 🟢
Installation
curl -O -k https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.8.0-1.aix.ppc.rpm
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13.4M 100 13.4M 0 0 9699k 0 0:00:01 0:00:01 --:--:-- 9706k
bash-4.4# WAZUH_MANAGER="OBFUSCATED_MANAGER_IP" rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm
wazuh-agent ##################################################
bash-4.4# rpm -qi wazuh-agent
Name : wazuh-agent Relocations: (not relocateable)
Version : 4.8.0 Vendor: Wazuh, Inc <info@wazuh.com>
Release : 1 Build Date: Wed Jan 10 14:59:42 2024
Install date: Mon Jan 15 12:33:27 2024 Build Host: soaxp089
Group : System Environment/Daemons Source RPM: wazuh-agent-4.8.0-1.src.rpm
Size : 64928716 License: GPL
Packager : Wazuh, Inc <info@wazuh.com>
URL : https://www.wazuh.com/
Summary : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="agent"
Manager IP
Start Agent
[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 001
Wazuh agent_control. Agent information:
Agent ID: 001
Agent Name: soaxp089
IP address: any
Status: Active
Operating system: AIX |soaxp089 |1 |6 |00CADA644C00
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1705345063
Syscheck last started at: Mon Jan 15 18:38:47 2024
Syscheck last ended at: Mon Jan 15 18:38:54 2024
Errors Present in the Agent (expected)
bash-4.4# grep -E "ERROR|WARNING" /var/ossec/logs/ossec.log
2024/01/15 12:38:39 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/01/15 12:46:32 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/01/15 12:46:32 wazuh-agentd: ERROR: (1216): Unable to connect to '[OBFUSCATED_MANAGER_IP]:1514/tcp': 'Connection refused'.
2024/01/15 12:46:33 wazuh-syscheckd: WARNING: Process locked due to agent is offline. Waiting for connection...
Generate alerts 🟢
TCP 🟢
Agent info
bash-4.4# grep protocol /var/ossec/etc/ossec.conf
<protocol>tcp</protocol>
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4# grep tcp /var/ossec/logs/ossec.log
2024/01/15 12:38:36 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
2024/01/15 12:38:36 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
Manager alerts
{"timestamp":"2024-01-15T18:56:56.027+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"soaxp089","ip":"192.168.253.89"},"manager":{"name":"wazuh-server"},"id":"1705345016.78532","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"15439","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"}
UDP 🟢
Agent info
bash-4.4# grep protocol /var/ossec/etc/ossec.conf
<protocol>udp</protocol>
bash-4.4# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4# grep udp /var/ossec/logs/ossec.log
2024/01/15 12:52:36 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/udp).
2024/01/15 12:52:36 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/udp).
Manager alerts
Removal 🟡
bash-4.4# rpm -e wazuh-agent
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty
Known issues:
Upgrade 🟢
Installation of 4.7.2 agent
bash-4.4# curl -O -k https://packages.wazuh.com/4.x/aix/wazuh-agent-4.7.2-1.aix.ppc.rpm
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13.5M 100 13.5M 0 0 10.7M 0 0:00:01 0:00:01 --:--:-- 10.7M
bash-4.4# rpm -qi wazuh-agent
Name : wazuh-agent Relocations: (not relocateable)
Version : 4.7.2 Vendor: Wazuh, Inc <info@wazuh.com>
Release : 1 Build Date: Fri Jan 5 13:48:22 2024
Install date: Mon Jan 15 13:02:28 2024 Build Host: soaxp132
Group : System Environment/Daemons Source RPM: wazuh-agent-4.7.2-1.src.rpm
Size : 65073461 License: GPL
Packager : Wazuh, Inc <info@wazuh.com>
URL : https://www.wazuh.com/
Summary : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40711"
WAZUH_TYPE="agent"
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
Manager perspective of 4.7.2
[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 002
Wazuh agent_control. Agent information:
Agent ID: 002
Agent Name: soaxp089
IP address: any
Status: Active
Operating system: AIX |soaxp089 |1 |6 |00CADA644C00
Client version: Wazuh v4.7.2
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1705348851
Syscheck last started at: Mon Jan 15 19:31:09 2024
Syscheck last ended at: Mon Jan 15 19:31:16 2024
Agent upgrade to 4.8.0
# rpm -U wazuh-agent-4.8.0-1.aix.ppc.rpm
bash-4.4# rpm -qi wazuh-agent
Name : wazuh-agent Relocations: (not relocateable)
Version : 4.8.0 Vendor: Wazuh, Inc <info@wazuh.com>
Release : 1 Build Date: Wed Jan 10 14:59:42 2024
Install date: Mon Jan 15 13:44:57 2024 Build Host: soaxp089
Group : System Environment/Daemons Source RPM: wazuh-agent-4.8.0-1.src.rpm
Size : 64928716 License: GPL
Packager : Wazuh, Inc <info@wazuh.com>
URL : https://www.wazuh.com/
Summary : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
Manager perspective of 4.8.0 after upgrade
[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 002
Wazuh agent_control. Agent information:
Agent ID: 002
Agent Name: soaxp089
IP address: any
Status: Active
Operating system: AIX |soaxp089 |1 |6 |00CADA644C00
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1705349016
Syscheck last started at: Mon Jan 15 19:45:00 2024
Syscheck last ended at: Mon Jan 15 19:45:10 2024
Check users and groups 🟢
Errors and warnings 🟢
Errors expected due to duplicate enrollment during testing. Fixed after using the force auth feature.
Analysis report - Solaris 10 SPARC 🟢
System info
Fresh install 🟢
Removal 🟢
Upgrade from 4.7.2 🟢
Analysis Report - HP-UX 🟢
Access Bash (Root) 🟢
su
/usr/local/bin/bash
export PATH=$PATH:/usr/local/bin/
bash-4.4#
System Info 🟢
bash-4.4$ uname -a
HP-UX sovmh336 B.11.31 U ia64 0936332656 unlimited-user license
Installation 🟢
Installation
bash-4.4# curl -sOk https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar
bash-4.4# groupadd wazuh
bash-4.4# useradd -G wazuh wazuh
# tar -xvf wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1951776 bytes, 3813 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2095296 bytes, 4093 tape blocks
x /var/ossec/bin/wazuh-execd, 1814768 bytes, 3545 tape blocks
x /var/ossec/bin/manage_agents, 570928 bytes, 1116 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1745024 bytes, 3409 tape blocks
x /var/ossec/bin/wazuh-agentd, 1886768 bytes, 3686 tape blocks
x /var/ossec/bin/agent-auth, 571900 bytes, 1117 tape blocks
x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355672 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1315532 bytes, 2570 tape blocks
x /var/ossec/lib/librsync.so, 892076 bytes, 1743 tape blocks
x /var/ossec/lib/libsysinfo.so, 798880 bytes, 1561 tape blocks
x /var/ossec/lib/libfimdb.so, 1266648 bytes, 2474 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks
x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 41658 bytes, 82 tape blocks
x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks
x /var/ossec/wodles/aws/buckets_s3/config.py, 8844 bytes, 18 tape blocks
x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4353 bytes, 9 tape blocks
x /var/ossec/wodles/aws/buckets_s3/__init__.py, 462 bytes, 1 tape blocks
x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks
x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9151 bytes, 18 tape blocks
x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2718 bytes, 6 tape blocks
x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11310 bytes, 23 tape blocks
x /var/ossec/wodles/aws/buckets_s3/waf.py, 2897 bytes, 6 tape blocks
x /var/ossec/wodles/aws/services/aws_service.py, 5955 bytes, 12 tape blocks
x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24429 bytes, 48 tape blocks
x /var/ossec/wodles/aws/services/__init__.py, 166 bytes, 1 tape blocks
x /var/ossec/wodles/aws/services/inspector.py, 6373 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/__init__.py, 201 bytes, 1 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6214 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 10502 bytes, 21 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1825 bytes, 4 tape blocks
x /var/ossec/wodles/aws/aws-s3, 9407 bytes, 19 tape blocks
x /var/ossec/wodles/aws/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/aws/aws_tools.py, 17232 bytes, 34 tape blocks
x /var/ossec/wodles/aws/wazuh_integration.py, 22966 bytes, 45 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 38690 bytes, 76 tape blocks
x /var/ossec/wodles/azure/orm.py, 10097 bytes, 20 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14293 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4816 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
Change Agent IP
bash-4.4# sed "s/MANAGER_IP/OBFUSCATED_MANAGER_IP/g" /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf
Start Agent
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
Agent Info
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="agent"
Check Agent in Manager
[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 004
Wazuh agent_control. Agent information:
Agent ID: 004
Agent Name: sovmh336
IP address: any
Status: Active
Operating system: HP-UX |sovmh336 |B.11.31 |U |ia64
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1705351463
Syscheck last started at: Mon Jan 15 19:39:35 2024
Syscheck last ended at: Mon Jan 15 19:40:32 2024
No Errors Present in the Agent
bash-4.4# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0
No Errors Present in the Manager
[root@wazuh-server wazuh-user]# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0
Generate Alerts 🟢
TCP 🟢
Agent is Connected Through TCP
# grep -i "tcp" /var/ossec/logs/ossec.log
2024/01/15 13:39:29 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
2024/01/15 13:39:29 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
2024/01/15 13:39:34 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
2024/01/15 13:39:34 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
Alerts are correctly generated for the agent - Expected logs
{"timestamp":"2024-01-15T20:44:14.643+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":12,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"sovmh336","ip":"192.168.253.36"},"manager":{"name":"wazuh-server"},"id":"1705351454.11312989","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}
UDP 🟢
Agent is Connected Through UDP
bash-4.4# sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf
bash-4.4# grep udp /var/ossec/etc/ossec.conf
<protocol>udp</protocol>
# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# grep -i "udp" /var/ossec/logs/ossec.log
2024/01/15 13:43:12 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/udp).
2024/01/15 13:43:12 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/udp).
#
Alerts are Correctly Generated for the Agent
{"timestamp":"2024-01-15T20:47:03.723+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":14,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"sovmh336","ip":"192.168.253.36"},"manager":{"name":"wazuh-server"},"id":"1705351623.11342192","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}
No Errors in Agent Logs
# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0
Removal 🟢
# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
# groupdel wazuh
# userdel wazuh
# rm -rf /var/ossec
# cat /etc/passwd | grep wazuh
# cat /etc/passwd | grep wazuh
Upgrade 4.7.2 -> 4.8.0 🟢
Manager
Upgrade
Check agent in wazuh server [root@wazuh-server ~]# /var/ossec/bin/agent_control -i 004
Wazuh agent_control. Agent information:
Agent ID: 004
Agent Name: sovmh336
IP address: any
Status: Active
Operating system: HP-UX |sovmh336 |B.11.31 |U |ia64
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1705351463
Syscheck last started at: Mon Jan 15 20:01:04 2024
Syscheck last ended at: Mon Jan 15 20:03:18 2024
Check Users and Groups 🟢
# cat /etc/passwd | grep wazuh
wazuh:*:108:20::/home/wazuh:/sbin/sh
# cat /etc/group | grep wazuh
wazuh::105:wazuh
LGTM!
LGTM
Packages tests metrics information
Build packages
Test packages
PPC64EL packages
OVA/AMI specific tests
Status legend:
⚫ - Pending/In progress
⚪ - Skipped
🔴 - Rejected
🟡 - Ready to review
🟢 - Approved
Testing considerations
Testing of PPC64EL systems must be done inside a container.
On PPC64EL Debian, installing procps may be required if it is not present in the container.
Conclusion 🔴
New Issues
wazuh-states-vulnerabilities index missing on Wazuh 4.8.0-alpha2 AIO Installations (AMI - OVA - AIO) #21413
Known Issues
Auditor's validation
In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.