Release 4.8.0 - RC 1 - Specific systems #23261
Analysis report - AIX 🟢
System info 🟢
# hostname
soaxp126
# uname -a
AIX soaxp126 1 6 00CADA644C00
Installation with variables 🟢
# curl -O -k https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.8.0-1.aix.ppc.rpm
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 14.3M 100 14.3M 0 0 10.4M 0 0:00:01 0:00:01 --:--:-- 10.4M
# WAZUH_MANAGER="X.X.X.X" rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm
wazuh-agent ##################################################
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
# grep address /var/ossec/etc/ossec.conf
<address>X.X.X.X</address>
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001
Wazuh agent_control. Agent information:
Agent ID: 001
Agent Name: soaxp126
IP address: any
Status: Active
Operating system: AIX |soaxp126 |1 |6 |00CADA644C00
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1714994997
Syscheck last started at: Mon May 6 11:29:28 2024
Syscheck last ended at: Mon May 6 11:29:35 2024
Installation without variables 🟢
# rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm
wazuh-agent ##################################################
# vi /var/ossec/etc/ossec.conf
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002
Wazuh agent_control. Agent information:
Agent ID: 002
Agent Name: soaxp126
IP address: any
Status: Active
Operating system: AIX |soaxp126 |1 |6 |00CADA644C00
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1714995383
Syscheck last started at: Mon May 6 11:35:04 2024
Syscheck last ended at: Mon May 6 11:35:11 2024
Generate alerts (TCP & UDP) 🟢
# grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/05/06 06:34:56 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 06:34:56 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 06:35:03 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 06:35:03 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 06:35:06 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/06 06:35:06 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 06:35:06 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
# grep udp /var/ossec/etc/ossec.conf
<protocol>udp</protocol>
# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/05/06 06:38:44 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/06 06:38:44 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
Removal 🟢
# rpm -e wazuh-agent
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty
Check users and groups 🟢
# cat /etc/passwd | grep wazuh
wazuh:*:211:1::/home/wazuh:/usr/bin/ksh
# cat /etc/group | grep wazuh
wazuh:!:209:wazuh
Errors and warnings 🟢
# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
0
Upgrade 🟢
# curl -O -k https://packages.wazuh.com/4.x/aix/wazuh-agent-4.7.4-1.aix.ppc.rpm
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13.5M 100 13.5M 0 0 10.4M 0 0:00:01 0:00:01 --:--:-- 10.4M
# WAZUH_MANAGER="X.X.X.X" rpm -ivh wazuh-agent-4.7.4-1.aix.ppc.rpm
wazuh-agent ##################################################
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003
Wazuh agent_control. Agent information:
Agent ID: 003
Agent Name: soaxp126
IP address: any
Status: Active
Operating system: AIX |soaxp126 |1 |6 |00CADA644C00
Client version: Wazuh v4.7.4
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1714995940
Syscheck last started at: Mon May 6 11:45:21 2024
Syscheck last ended at: Mon May 6 11:45:28 2024
# rpm -U wazuh-agent-4.8.0-1.aix.ppc.rpm
# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
2024/05/06 06:45:23 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
1
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003
Wazuh agent_control. Agent information:
Agent ID: 003
Agent Name: soaxp126
IP address: any
Status: Active
Operating system: AIX |soaxp126 |1 |6 |00CADA644C00
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1714996206
Syscheck last started at: Mon May 6 11:47:07 2024
Syscheck last ended at: Mon May 6 11:47:17 2024
Analysis report - Solaris 10 🟢
System info 🟢
# hostname
sossp109
# uname -a
SunOS sossp109 5.10 Generic_147147-26 sun4v sparc sun4v
Installation without variables 🟢
# /opt/csw/bin/curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/10/wazuh-agent_v4.8.0-sol10-sparc.pkg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 17.4M 0 7672 0 0 17243 0 0:17:43 --:--:-- 0:17:43 17240
100 17.4M 100 17.4M 0 0 7035k 0 0:00:02 0:00:02 --:--:-- 7036k
# pkgadd -d wazuh-agent_v4.8.0-sol10-sparc.pkg wazuh-agent
Processing package instance <wazuh-agent> from </wazuh-agent_v4.8.0-sol10-sparc.pkg>
Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.8.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <wazuh-agent> [y,n,?] y
Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>
## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.
Installation of <wazuh-agent> was successful.
bash-3.2# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004
Wazuh agent_control. Agent information:
Agent ID: 004
Agent Name: sossp109
IP address: any
Status: Active
Operating system: SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715009549
Syscheck last started at: Mon May 6 15:32:05 2024
Syscheck last ended at: Mon May 6 15:32:24 2024
Generate alerts (TCP & UDP) 🟢
bash-3.2# egrep "tcp" /var/ossec/logs/ossec.log
2024/05/06 10:32:02 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 10:32:02 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 10:32:04 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 10:32:04 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
{"timestamp":"2024-05-06T15:32:33.640+0000","rule":{"level":7,"description":"SCA summary: System audit for Unix based systems: Score less than 50% (45)","id":"19004","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"sossp109","ip":"192.168.253.109"},"manager":{"name":"wazuh-server"},"id":"1715009553.293206","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"19567","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"5","failed":"6","invalid":"12","total_checks":"23","score":"45","file":"sca_unix_audit.yml"}},"location":"sca"}
bash-3.2# grep udp /var/ossec/etc/ossec.conf
<protocol>udp</protocol>
bash-3.2# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# grep "udp" /var/ossec/logs/ossec.log
2024/05/06 10:34:56 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/06 10:34:56 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
Removal 🟢
bash-3.2# pkgrm wazuh-agent
The following package is currently installed:
wazuh-agent Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
(sparc) 4.8.0
Do you want to remove this package? [y,n,?,q] y
## Removing installed package instance <wazuh-agent>
This package contains scripts which will be executed with super-user
permission during the process of removing this package.
Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.
Removal of <wazuh-agent> was successful.
Check users and groups 🟢
bash-3.2# cat /etc/passwd | grep wazuh
wazuh:x:61561:57447::/var/ossec:/bin/false
bash-3.2# cat /etc/group | grep wazuh
wazuh::57447:
Errors and warnings 🟢
bash-3.2# grep "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
bash-3.2# grep "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log | wc -l
0
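The two log checks run in these reports ("Errors and warnings" and "Generate alerts (TCP & UDP)") can be scripted so that the same command gives a meaningful answer on every tested platform. The script below is an added example and is not part of the release report or of the Wazuh project; the function names, the `EGREP` variable and the sample log lines are constructed for this illustration. The one caveat it encodes: an alternation such as `ERROR|WARNING|CRITICAL` only works with an extended-regex grep (`grep -E` or `egrep`). On Solaris 10, `/usr/bin/grep` has no `-E` and treats `|` as a literal character, so a count of `0` from a plain `grep "ERROR|WARNING|CRITICAL"` does not by itself confirm a clean log; `egrep` or `/usr/xpg4/bin/grep -E` should be used there, as the AIX session's `grep -iE` already does.

```shell
#!/bin/sh
# Added example, not part of the Wazuh release report: the "Errors and
# warnings" and "Generate alerts (TCP & UDP)" checks, done with an
# extended-regex grep so the alternation is honoured on every platform.
# On Solaris 10 /usr/bin/grep has no -E and treats "|" literally, so run:
#   EGREP=egrep sh check_ossec_log.sh      (or EGREP="/usr/xpg4/bin/grep -E")
EGREP="${EGREP:-grep -E}"

# Constructed sample log for this example; the real file is
# /var/ossec/logs/ossec.log on the agent.
SAMPLE_LOG="${TMPDIR:-/tmp}/ossec.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024/05/06 06:34:56 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 06:34:56 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 06:45:23 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/05/06 06:46:00 wazuh-modulesd: WARNING: constructed warning line for this example.
2024/05/06 06:47:10 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
EOF

# Print the lines whose severity field is ERROR, WARNING or CRITICAL.
# Anchoring on ": <LEVEL>: " avoids matching those words inside message text.
problem_lines() {
    $EGREP ': (ERROR|WARNING|CRITICAL): ' "$1" || true
}

# Number of such lines. grep -c exits 1 when the count is 0, so the
# "|| true" keeps the function usable under "set -e" and inside $( ).
count_problem_lines() {
    $EGREP -c ': (ERROR|WARNING|CRITICAL): ' "$1" || true
}

# Protocol (tcp or udp) of the most recent successful manager connection,
# or "none" when the log has no "Connected to the server" line at all.
last_connection_protocol() {
    proto=$(grep 'Connected to the server' "$1" | tail -n 1 |
        sed -n 's/.*]:[0-9]*\/\([a-z]*\))\.$/\1/p')
    if [ -n "$proto" ]; then
        printf '%s\n' "$proto"
    else
        printf 'none\n'
    fi
}

printf 'problem lines: %s\n' "$(count_problem_lines "$SAMPLE_LOG")"
problem_lines "$SAMPLE_LOG"
printf 'last connection: %s\n' "$(last_connection_protocol "$SAMPLE_LOG")"
```

Pointing `SAMPLE_LOG` at `/var/ossec/logs/ossec.log` turns this into the post-install check used in the reports; on the sample above it reports two problem lines (the `ERROR` and the constructed `WARNING`) and `udp` as the last connection, which is what the "Generate alerts" step expects to see after switching `<protocol>` and restarting the agent.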
Upgrade 🟢
bash-3.2# /opt/csw/bin/curl -O https://packages.wazuh.com/4.x/solaris/sparc/10/wazuh-agent_v4.7.4-sol10-sparc.pkg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15.7M 100 15.7M 0 0 6298k 0 0:00:02 0:00:02 --:--:-- 6300k
bash-3.2# pkgadd -d wazuh-agent_v4.7.4-sol10-sparc.pkg wazuh-agent
Processing package instance <wazuh-agent> from </wazuh-agent_v4.7.4-sol10-sparc.pkg>
Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.7.4
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <wazuh-agent> [y,n,?] y
Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>
## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.
Installation of <wazuh-agent> was successful.
bash-3.2# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005
Wazuh agent_control. Agent information:
Agent ID: 005
Agent Name: sossp109
IP address: any
Status: Active
Operating system: SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
Client version: Wazuh v4.7.4
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715010296
Syscheck last started at: Mon May 6 15:44:51 2024
Syscheck last ended at: Mon May 6 15:44:57 2024
bash-3.2# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.4 Stopped
bash-3.2# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
bash-3.2# cp /var/ossec/etc/client.keys ~/client.keys.bk
bash-3.2# pkgrm wazuh-agent
The following package is currently installed:
wazuh-agent Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
(sparc) 4.7.4
Do you want to remove this package? [y,n,?,q] y
## Removing installed package instance <wazuh-agent>
This package contains scripts which will be executed with super-user
permission during the process of removing this package.
Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.7.4 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.
Removal of <wazuh-agent> was successful.
bash-3.2# rm -rf /var/ossec
bash-3.2# pkgadd -d wazuh-agent_v4.8.0-sol10-sparc.pkg wazuh-agent
Processing package instance <wazuh-agent> from </wazuh-agent_v4.8.0-sol10-sparc.pkg>
Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.8.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <wazuh-agent> [y,n,?] y
Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>
## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.
Installation of <wazuh-agent> was successful.
bash-3.2# mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf
bash-3.2# chown root:wazuh /var/ossec/etc/ossec.conf
bash-3.2# mv ~/client.keys.bk /var/ossec/etc/client.keys
bash-3.2# chown root:wazuh /var/ossec/etc/client.keys
bash-3.2# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005
Wazuh agent_control. Agent information:
Agent ID: 005
Agent Name: sossp109
IP address: any
Status: Active
Operating system: SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715011160
Syscheck last started at: Mon May 6 15:47:45 2024
Syscheck last ended at: Mon May 6 15:47:51 2024
Analysis report - Solaris 11 🟢
System info 🟢
root@sossp104:~# hostname
sossp104
root@sossp104:~# uname -a
SunOS sossp104 5.11 11.3 sun4v sparc sun4v
Installation without variables 🟢
root@sossp104:~# curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.8.0-sol11-sparc.p5p
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7030k 100 7030k 0 0 5790k 0 0:00:01 0:00:01 --:--:-- 5947k
root@sossp104:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent
Creating Plan (Evaluating mediators): /
Packages to install: 1
Services to change: 1
Create boot environment: No
Create backup boot environment: No
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 1/1 119/119 6.5/6.5 29.7M/s
PHASE ITEMS
Installing new actions 175/175
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 2/2
root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 006
Wazuh agent_control. Agent information:
Agent ID: 006
Agent Name: sossp104
IP address: any
Status: Active
Operating system: SunOS |sossp104 |5.11 |11.3 |sun4v
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715012336
Syscheck last started at: Mon May 6 16:12:48 2024
Syscheck last ended at: Mon May 6 16:14:58 2024
Generate alerts (TCP & UDP) 🟢
root@sossp104:~# grep "tcp" /var/ossec/logs/ossec.log
2024/05/06 11:12:38 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 11:12:38 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 11:12:47 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 11:12:47 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
{"timestamp":"2024-05-06T16:13:07.785+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"sossp104","ip":"192.168.253.104"},"manager":{"name":"wazuh-server"},"id":"1715011987.492883","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}
root@sossp104:~# grep udp /var/ossec/etc/ossec.conf
<protocol>udp</protocol>
root@sossp104:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~# grep "udp" /var/ossec/logs/ossec.log
2024/05/06 11:20:36 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/06 11:20:36 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
Removal 🟢
root@sossp104:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
root@sossp104:~# pkg uninstall wazuh-agent
Packages to remove: 1
Services to change: 1
Create boot environment: No
Create backup boot environment: No
PHASE ITEMS
Removing old actions 222/222
Updating package state database Done
Updating package cache 1/1
Updating image state Done
Creating fast lookup database Done
Updating package cache 2/2
The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:
ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20240506T112544Z
ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240506T112544Z
ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240506T112544Z
ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240506T112544Z
ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240506T112544Z
ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20240506T112544Z
ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240506T112544Z
ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240506T112544Z
ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240506T112544Z
ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20240506T112544Z
Check users and groups 🟢
root@sossp104:~# cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:
root@sossp104:~# cat /etc/group | grep wazuh
wazuh::13:
Errors and warnings 🟢
root@sossp104:~# grep "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
root@sossp104:~# grep "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log | wc -l
0
Upgrade 🟢
root@sossp104:~# curl -O https://packages.wazuh.com/4.x/solaris/sparc/11/wazuh-agent_v4.7.4-sol11-sparc.p5p
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6270k 100 6270k 0 0 5717k 0 0:00:01 0:00:01 --:--:-- 5887k
root@sossp104:~# pkg install -g wazuh-agent_v4.7.4-sol11-sparc.p5p wazuh-agent
Packages to install: 1
Services to change: 1
Create boot environment: No
Create backup boot environment: No
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 1/1 98/98 5.8/5.8 0B/s
PHASE ITEMS
Installing new actions 151/151
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 2/2
root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 007
Wazuh agent_control. Agent information:
Agent ID: 007
Agent Name: sossp104
IP address: any
Status: Active
Operating system: SunOS |sossp104 |5.11 |11.3 |sun4v
Client version: Wazuh v4.7.4
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715013660
Syscheck last started at: Mon May 6 16:40:42 2024
Syscheck last ended at: Mon May 6 16:40:48 2024
root@sossp104:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.4 Stopped
root@sossp104:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent
Packages to update: 1
Create boot environment: No
Create backup boot environment: Yes
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 1/1 57/57 5.7/5.7 44.9M/s
PHASE ITEMS
Installing new actions 24/24
Updating modified actions 38/38
Updating package state database Done
Updating package cache 1/1
Updating image state Done
Creating fast lookup database Done
Updating package cache 2/2
root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 007
Wazuh agent_control. Agent information:
Agent ID: 007
Agent Name: sossp104
IP address: any
Status: Active
Operating system: SunOS |sossp104 |5.11 |11.3 |sun4v
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715014109
Syscheck last started at: Mon May 6 16:47:30 2024
Syscheck last ended at: Mon May 6 16:47:37 2024
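A caveat on the "Errors and warnings" check in the Solaris 11 report above, with an added example that is not part of the test report or of the Wazuh project: `grep "ERROR|WARNING|CRITICAL"` is a basic regular expression, and in a BRE an unescaped `|` is a literal character on both Solaris and GNU grep. The pattern therefore only matches lines that contain the literal text `ERROR|WARNING|CRITICAL`, and it reports 0 even when the log is full of errors. The script below builds a small sample log in the ossec.log line format shown above (the sample lines are constructed for the example), and contrasts the BRE count with an ERE count anchored on the `: LEVEL: ` field; the `/tmp` path and the per-level breakdown are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the Wazuh test report): check an agent log for
# ERROR/WARNING/CRITICAL lines with a regex whose alternation actually works.

# Constructed sample log in the wazuh-agentd line format seen in the report.
SAMPLE_LOG=$(mktemp /tmp/ossec.log.XXXXXX)
cat > "$SAMPLE_LOG" <<'EOF'
2024/05/06 11:12:38 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 11:12:38 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 11:12:40 wazuh-modulesd:syscollector: WARNING: Constructed sample warning line.
2024/05/06 11:12:41 wazuh-agentd: ERROR: Constructed sample error line.
2024/05/06 11:12:42 wazuh-agentd: CRITICAL: Constructed sample critical line.
EOF

# Wrong: basic regex, "|" is a literal character, so this prints 0 for the
# sample log even though it contains one line of each severity.
# "|| true" keeps the count on stdout when grep exits 1 for "no matches".
count_problems_bre() {
    grep -c "ERROR|WARNING|CRITICAL" "$1" || true
}

# Right: extended regex alternation. Anchoring on ": LEVEL: " matches the
# severity field only, so an INFO message that merely mentions the word
# "error" is not counted.
count_problems_ere() {
    grep -Ec ': (ERROR|WARNING|CRITICAL): ' "$1" || true
}

# Per-level breakdown for a quick report, one "LEVEL=count" line each.
problems_by_level() {
    for lvl in ERROR WARNING CRITICAL; do
        n=$(grep -c ": $lvl: " "$1" || true)
        printf '%s=%s\n' "$lvl" "$n"
    done
}

# Stand-alone use: point it at the real agent log instead of the sample.
#   count_problems_ere /var/ossec/logs/ossec.log
#   problems_by_level  /var/ossec/logs/ossec.log
```

`count_problems_ere` is the check to use in place of the one in the report. On systems whose `/usr/bin/grep` does not accept `-E`, `egrep` or `/usr/xpg4/bin/grep -E` gives the same extended-regex behaviour.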
Analysis report - Debian Stretch PPC64EL 🟢
System info
Installation with variables 🟢
root@b15135db48bf:~# curl -O https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_ppc64el.deb
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6305k 100 6305k 0 0 14.3M 0 --:--:-- --:--:-- --:--:-- 14.3M
root@b15135db48bf:~# WAZUH_MANAGER="X.X.X.X" apt-get install ./wazuh-agent_4.8.0-1_ppc64el.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.8.0-1_ppc64el.deb'
The following additional packages will be installed:
bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Suggested packages:
bzip2-doc libdpkg-perl lsb python3-doc python3-tk python3-venv python3.5-venv python3.5-doc binutils
binfmt-support readline-doc
The following NEW packages will be installed:
bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
python3-minimal python3.5 python3.5-minimal readline-common wazuh-agent xz-utils
0 upgraded, 21 newly installed, 0 to remove and 3 not upgraded.
Need to get 6437 kB/12.9 MB of archives.
After this operation, 76.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 /root/wazuh-agent_4.8.0-1_ppc64el.deb wazuh-agent ppc64el 4.8.0-1 [6457 kB]
Get:2 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-minimal ppc64el 3.5.3-1+deb9u1 [574 kB]
Get:3 http://archive.debian.org/debian stretch/main ppc64el python3.5-minimal ppc64el 3.5.3-1+deb9u1 [1704 kB]
Get:4 http://archive.debian.org/debian stretch/main ppc64el python3-minimal ppc64el 3.5.3-1 [35.3 kB]
Get:5 http://archive.debian.org/debian stretch/main ppc64el mime-support all 3.60 [36.7 kB]
Get:6 http://archive.debian.org/debian stretch/main ppc64el libmpdec2 ppc64el 2.4.2-1 [81.9 kB]
Get:7 http://archive.debian.org/debian stretch/main ppc64el readline-common all 7.0-3 [70.4 kB]
Get:8 http://archive.debian.org/debian stretch/main ppc64el libreadline7 ppc64el 7.0-3 [139 kB]
Get:9 http://archive.debian.org/debian stretch/main ppc64el libsqlite3-0 ppc64el 3.16.2-5+deb9u1 [525 kB]
Get:10 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-stdlib ppc64el 3.5.3-1+deb9u1 [2179 kB]
Get:11 http://archive.debian.org/debian stretch/main ppc64el python3.5 ppc64el 3.5.3-1+deb9u1 [229 kB]
Get:12 http://archive.debian.org/debian stretch/main ppc64el libpython3-stdlib ppc64el 3.5.3-1 [18.6 kB]
Get:13 http://archive.debian.org/debian stretch/main ppc64el dh-python all 2.20170125 [86.8 kB]
Get:14 http://archive.debian.org/debian stretch/main ppc64el python3 ppc64el 3.5.3-1 [21.6 kB]
Get:15 http://archive.debian.org/debian stretch/main ppc64el bzip2 ppc64el 1.0.6-8.1 [46.3 kB]
Get:16 http://archive.debian.org/debian stretch/main ppc64el libmagic-mgc ppc64el 1:5.30-1+deb9u3 [222 kB]
Get:17 http://archive.debian.org/debian stretch/main ppc64el libmagic1 ppc64el 1:5.30-1+deb9u3 [108 kB]
Get:18 http://archive.debian.org/debian stretch/main ppc64el file ppc64el 1:5.30-1+deb9u3 [64.4 kB]
Get:19 http://archive.debian.org/debian stretch/main ppc64el xz-utils ppc64el 5.2.2-1.2+b1 [262 kB]
Get:20 http://archive.debian.org/debian stretch/main ppc64el distro-info-data all 0.36 [5810 B]
Get:21 http://archive.debian.org/debian stretch/main ppc64el lsb-release all 9.20161125 [27.1 kB]
Fetched 6437 kB in 10s (590 kB/s)
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TIME = "es_ES.UTF-8",
LC_MONETARY = "es_ES.UTF-8",
LC_ADDRESS = "es_ES.UTF-8",
LC_TELEPHONE = "es_ES.UTF-8",
LC_NAME = "es_ES.UTF-8",
LC_MEASUREMENT = "es_ES.UTF-8",
LC_IDENTIFICATION = "es_ES.UTF-8",
LC_NUMERIC = "es_ES.UTF-8",
LC_PAPER = "es_ES.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libpython3.5-minimal:ppc64el.
(Reading database ... 11722 files and directories currently installed.)
Preparing to unpack .../00-libpython3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5-minimal.
Preparing to unpack .../01-python3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5-minimal (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3-minimal.
Preparing to unpack .../02-python3-minimal_3.5.3-1_ppc64el.deb ...
Unpacking python3-minimal (3.5.3-1) ...
Selecting previously unselected package mime-support.
Preparing to unpack .../03-mime-support_3.60_all.deb ...
Unpacking mime-support (3.60) ...
Selecting previously unselected package libmpdec2:ppc64el.
Preparing to unpack .../04-libmpdec2_2.4.2-1_ppc64el.deb ...
Unpacking libmpdec2:ppc64el (2.4.2-1) ...
Selecting previously unselected package readline-common.
Preparing to unpack .../05-readline-common_7.0-3_all.deb ...
Unpacking readline-common (7.0-3) ...
Selecting previously unselected package libreadline7:ppc64el.
Preparing to unpack .../06-libreadline7_7.0-3_ppc64el.deb ...
Unpacking libreadline7:ppc64el (7.0-3) ...
Selecting previously unselected package libsqlite3-0:ppc64el.
Preparing to unpack .../07-libsqlite3-0_3.16.2-5+deb9u1_ppc64el.deb ...
Unpacking libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Selecting previously unselected package libpython3.5-stdlib:ppc64el.
Preparing to unpack .../08-libpython3.5-stdlib_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5.
Preparing to unpack .../09-python3.5_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5 (3.5.3-1+deb9u1) ...
Selecting previously unselected package libpython3-stdlib:ppc64el.
Preparing to unpack .../10-libpython3-stdlib_3.5.3-1_ppc64el.deb ...
Unpacking libpython3-stdlib:ppc64el (3.5.3-1) ...
Selecting previously unselected package dh-python.
Preparing to unpack .../11-dh-python_2.20170125_all.deb ...
Unpacking dh-python (2.20170125) ...
Setting up libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Setting up python3.5-minimal (3.5.3-1+deb9u1) ...
Setting up python3-minimal (3.5.3-1) ...
Selecting previously unselected package python3.
(Reading database ... 12694 files and directories currently installed.)
Preparing to unpack .../0-python3_3.5.3-1_ppc64el.deb ...
Unpacking python3 (3.5.3-1) ...
Selecting previously unselected package bzip2.
Preparing to unpack .../1-bzip2_1.0.6-8.1_ppc64el.deb ...
Unpacking bzip2 (1.0.6-8.1) ...
Selecting previously unselected package libmagic-mgc.
Preparing to unpack .../2-libmagic-mgc_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic-mgc (1:5.30-1+deb9u3) ...
Selecting previously unselected package libmagic1:ppc64el.
Preparing to unpack .../3-libmagic1_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Selecting previously unselected package file.
Preparing to unpack .../4-file_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking file (1:5.30-1+deb9u3) ...
Selecting previously unselected package xz-utils.
Preparing to unpack .../5-xz-utils_5.2.2-1.2+b1_ppc64el.deb ...
Unpacking xz-utils (5.2.2-1.2+b1) ...
Selecting previously unselected package distro-info-data.
Preparing to unpack .../6-distro-info-data_0.36_all.deb ...
Unpacking distro-info-data (0.36) ...
Selecting previously unselected package lsb-release.
Preparing to unpack .../7-lsb-release_9.20161125_all.deb ...
Unpacking lsb-release (9.20161125) ...
Selecting previously unselected package wazuh-agent.
Preparing to unpack .../8-wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up readline-common (7.0-3) ...
Setting up mime-support (3.60) ...
Setting up libreadline7:ppc64el (7.0-3) ...
Setting up distro-info-data (0.36) ...
Setting up libmagic-mgc (1:5.30-1+deb9u3) ...
Setting up bzip2 (1.0.6-8.1) ...
Setting up libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Setting up xz-utils (5.2.2-1.2+b1) ...
update-alternatives: using /usr/bin/xz to provide /usr/bin/lzma (lzma) in auto mode
Processing triggers for systemd (232-25+deb9u12) ...
Setting up libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Setting up libmpdec2:ppc64el (2.4.2-1) ...
Setting up libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Setting up file (1:5.30-1+deb9u3) ...
Setting up python3.5 (3.5.3-1+deb9u1) ...
Setting up libpython3-stdlib:ppc64el (3.5.3-1) ...
Setting up python3 (3.5.3-1) ...
running python rtupdate hooks for python3.5...
running python post-rtupdate hooks for python3.5...
Setting up lsb-release (9.20161125) ...
Setting up dh-python (2.20170125) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.8.0-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
root@b15135db48bf:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@b15135db48bf:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
root@b15135db48bf:~# grep address /var/ossec/etc/ossec.conf
<address>X.X.X.X</address>
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 008
Wazuh agent_control. Agent information:
Agent ID: 008
Agent Name: b15135db48bf
IP address: any
Status: Active
Operating system: Linux |b15135db48bf |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715068559
Syscheck last started at: Tue May 7 07:55:20 2024
Syscheck last ended at: Tue May 7 07:55:33 2024
Installation without variables 🟢
root@b15135db48bf:~# apt-get install ./wazuh-agent_4.8.0-1_ppc64el.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.8.0-1_ppc64el.deb'
The following NEW packages will be installed:
wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/6457 kB of archives.
After this operation, 40.4 MB of additional disk space will be used.
Get:1 /root/wazuh-agent_4.8.0-1_ppc64el.deb wazuh-agent ppc64el 4.8.0-1 [6457 kB]
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TIME = "es_ES.UTF-8",
LC_MONETARY = "es_ES.UTF-8",
LC_ADDRESS = "es_ES.UTF-8",
LC_TELEPHONE = "es_ES.UTF-8",
LC_NAME = "es_ES.UTF-8",
LC_MEASUREMENT = "es_ES.UTF-8",
LC_IDENTIFICATION = "es_ES.UTF-8",
LC_NUMERIC = "es_ES.UTF-8",
LC_PAPER = "es_ES.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 12838 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.8.0-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
root@b15135db48bf:~# vim /var/ossec/etc/ossec.conf
root@b15135db48bf:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@b15135db48bf:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 009
Wazuh agent_control. Agent information:
Agent ID: 009
Agent Name: b15135db48bf
IP address: any
Status: Active
Operating system: Linux |b15135db48bf |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715068952
Syscheck last started at: Tue May 7 08:02:33 2024
Syscheck last ended at: Tue May 7 08:02:35 2024
Generate alerts (TCP & UDP) 🟢
root@b15135db48bf:~# grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/05/07 08:02:26 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:26 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:32 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:32 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:45 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:45 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:45 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:50 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:50 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:50 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
{"timestamp":"2024-05-07T08:03:02.311+0000","rule":{"level":7,"description":"SCA summary: CIS Debian Linux 9 Benchmark v1.0.1: Score less than 50% (39)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"009","name":"b15135db48bf","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1715068982.1127469","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1203457508","policy":"CIS Debian Linux 9 Benchmark v1.0.1","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9.","policy_id":"cis_debian9","passed":"58","failed":"89","invalid":"28","total_checks":"175","score":"39","file":"cis_debian9.yml"}},"location":"sca"}
root@b15135db48bf:~# vim /var/ossec/etc/ossec.conf
root@b15135db48bf:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@b15135db48bf:~# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/05/07 08:04:10 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/07 08:04:10 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
{"timestamp":"2024-05-07T08:04:31.232+0000","rule":{"level":7,"description":"SCA summary: CIS Debian Linux 9 Benchmark v1.0.1: Score less than 50% (39)","id":"19004","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"009","name":"b15135db48bf","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1715069071.1177913","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1941082158","policy":"CIS Debian Linux 9 Benchmark v1.0.1","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9.","policy_id":"cis_debian9","passed":"58","failed":"89","invalid":"28","total_checks":"175","score":"39","file":"cis_debian9.yml"}},"location":"sca"}
Removal 🟢
root@b15135db48bf:~# apt-get remove wazuh-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
wazuh-agent
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 40.4 MB disk space will be freed.
Do you want to continue? [Y/n] y
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TIME = "es_ES.UTF-8",
LC_MONETARY = "es_ES.UTF-8",
LC_ADDRESS = "es_ES.UTF-8",
LC_TELEPHONE = "es_ES.UTF-8",
LC_NAME = "es_ES.UTF-8",
LC_MEASUREMENT = "es_ES.UTF-8",
LC_IDENTIFICATION = "es_ES.UTF-8",
LC_NUMERIC = "es_ES.UTF-8",
LC_PAPER = "es_ES.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
(Reading database ... 13245 files and directories currently installed.)
Removing wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
root@b15135db48bf:~# apt-get remove --purge wazuh-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
wazuh-agent*
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TIME = "es_ES.UTF-8",
LC_MONETARY = "es_ES.UTF-8",
LC_ADDRESS = "es_ES.UTF-8",
LC_TELEPHONE = "es_ES.UTF-8",
LC_NAME = "es_ES.UTF-8",
LC_MEASUREMENT = "es_ES.UTF-8",
LC_IDENTIFICATION = "es_ES.UTF-8",
LC_NUMERIC = "es_ES.UTF-8",
LC_PAPER = "es_ES.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
(Reading database ... 12852 files and directories currently installed.)
Purging configuration files for wazuh-agent (4.8.0-1) ...
Processing triggers for systemd (232-25+deb9u12) ...
Check users and groups 🟢
Errors and warnings 🟢
Upgrade 🟢
root@b15135db48bf:~# curl -O https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.4-1_ppc64el.deb
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5591k 100 5591k 0 0 12.8M 0 --:--:-- --:--:-- --:--:-- 12.9M
root@b15135db48bf:~# WAZUH_MANAGER="X.X.X.X" apt-get install ./wazuh-agent_4.7.4-1_ppc64el.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.7.4-1_ppc64el.deb'
The following NEW packages will be installed:
wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/5726 kB of archives.
After this operation, 37.1 MB of additional disk space will be used.
Get:1 /root/wazuh-agent_4.7.4-1_ppc64el.deb wazuh-agent ppc64el 4.7.4-1 [5726 kB]
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TIME = "es_ES.UTF-8",
LC_MONETARY = "es_ES.UTF-8",
LC_ADDRESS = "es_ES.UTF-8",
LC_TELEPHONE = "es_ES.UTF-8",
LC_NAME = "es_ES.UTF-8",
LC_MEASUREMENT = "es_ES.UTF-8",
LC_IDENTIFICATION = "es_ES.UTF-8",
LC_NUMERIC = "es_ES.UTF-8",
LC_PAPER = "es_ES.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 14648 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.7.4-1_ppc64el.deb ...
Unpacking wazuh-agent (4.7.4-1) ...
Setting up wazuh-agent (4.7.4-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.7.4-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
root@b15135db48bf:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@b15135db48bf:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 010
Wazuh agent_control. Agent information:
Agent ID: 010
Agent Name: b15135db48bf
IP address: any
Status: Active
Operating system: Linux |b15135db48bf |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
Client version: Wazuh v4.7.4
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715069439
Syscheck last started at: Tue May 7 08:10:39 2024
Syscheck last ended at: Tue May 7 08:10:41 2024
root@b15135db48bf:~# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
root@b15135db48bf:~# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
root@b15135db48bf:~# apt-get update
Ign:1 http://archive.debian.org/debian stretch InRelease
Hit:2 http://archive.debian.org/debian stretch Release
Get:4 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el Packages [8121 B]
Fetched 25.4 kB in 0s (39.4 kB/s)
Reading package lists... Done
root@b15135db48bf:~# apt-get install wazuh-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 6457 kB of archives.
After this operation, 3280 kB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el wazuh-agent ppc64el 4.8.0-1 [6457 kB]
Fetched 6457 kB in 0s (10.7 MB/s)
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TIME = "es_ES.UTF-8",
LC_MONETARY = "es_ES.UTF-8",
LC_ADDRESS = "es_ES.UTF-8",
LC_TELEPHONE = "es_ES.UTF-8",
LC_NAME = "es_ES.UTF-8",
LC_MEASUREMENT = "es_ES.UTF-8",
LC_IDENTIFICATION = "es_ES.UTF-8",
LC_NUMERIC = "es_ES.UTF-8",
LC_PAPER = "es_ES.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 15241 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) over (4.7.4-1) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
root@b15135db48bf:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@b15135db48bf:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 010
Wazuh agent_control. Agent information:
Agent ID: 010
Agent Name: b15135db48bf
IP address: any
Status: Active
Operating system: Linux |b15135db48bf |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715069901
Syscheck last started at: Tue May 7 08:17:32 2024
Syscheck last ended at: Tue May 7 08:17:33 2024
Analysis report - CentOS 7 PPC64EL 🟢
System info
Installation with variables 🟢
[root@5a4317d62f7b ~]# curl -O https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.8.0-1.ppc64le.rpm
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7994k 100 7994k 0 0 2469k 0 0:00:03 0:00:03 --:--:-- 2470k
[root@5a4317d62f7b ~]# WAZUH_MANAGER="X.X.X.X" yum install ./wazuh-agent-4.8.0-1.ppc64le.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.8.0-1.ppc64le.rpm: wazuh-agent-4.8.0-1.ppc64le
Marking ./wazuh-agent-4.8.0-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================
Package Arch Version Repository Size
========================================================================================================
Installing:
wazuh-agent ppc64le 4.8.0-1 /wazuh-agent-4.8.0-1.ppc64le 36 M
Transaction Summary
========================================================================================================
Install 1 Package
Total size: 36 M
Installed size: 36 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : wazuh-agent-4.8.0-1.ppc64le 1/1
Verifying : wazuh-agent-4.8.0-1.ppc64le 1/1
Installed:
wazuh-agent.ppc64le 0:4.8.0-1
Complete!
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
[root@5a4317d62f7b ~]# grep address /var/ossec/etc/ossec.conf
<address>X.X.X.X</address>
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 011
Wazuh agent_control. Agent information:
Agent ID: 011
Agent Name: 5a4317d62f7b
IP address: any
Status: Pending
Operating system: Linux |5a4317d62f7b |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715070318
Syscheck last started at: Tue May 7 08:24:55 2024
Syscheck last ended at: Tue May 7 08:25:21 2024
Installation without variables 🟢
[root@5a4317d62f7b ~]# yum install ./wazuh-agent-4.8.0-1.ppc64le.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.8.0-1.ppc64le.rpm: wazuh-agent-4.8.0-1.ppc64le
Marking ./wazuh-agent-4.8.0-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================
Package Arch Version Repository Size
========================================================================================================
Installing:
wazuh-agent ppc64le 4.8.0-1 /wazuh-agent-4.8.0-1.ppc64le 36 M
Transaction Summary
========================================================================================================
Install 1 Package
Total size: 36 M
Installed size: 36 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : wazuh-agent-4.8.0-1.ppc64le 1/1
Verifying : wazuh-agent-4.8.0-1.ppc64le 1/1
Installed:
wazuh-agent.ppc64le 0:4.8.0-1
Complete!
[root@5a4317d62f7b ~]# vim /var/ossec/etc/ossec.conf
-bash: vim: command not found
[root@5a4317d62f7b ~]# vi /var/ossec/etc/ossec.conf
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 012
Wazuh agent_control. Agent information:
Agent ID: 012
Agent Name: 5a4317d62f7b
IP address: any
Status: Active
Operating system: Linux |5a4317d62f7b |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715070829
Syscheck last started at: Tue May 7 08:33:49 2024
Syscheck last ended at: Tue May 7 08:33:51 2024
Generate alerts (TCP & UDP) 🟢
[root@5a4317d62f7b ~]# grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/05/07 08:33:42 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:33:42 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:33:48 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:33:48 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:34:05 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:34:05 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:34:05 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
{"timestamp":"2024-05-07T08:34:15.888+0000","rule":{"level":3,"description":"CIS CentOS Linux 7 Benchmark v3.0.0: Ensure shadow group is empty.","id":"19008","firedtimes":236,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","2.2.3"],"nist_800_53":["CM.1","CM.1"],"tsc":["CC7.1","CC7.2","CC5.2"],"cis":["6.2.18"],"cis_csc":["5.1"],"gpg_13":["4.3"],"gdpr_IV":["35.7.d"],"hipaa":["164.312.b"],"cis_level":["1"]},"agent":{"id":"012","name":"5a4317d62f7b","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1715070855.2738847","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1703781396","policy":"CIS CentOS Linux 7 Benchmark v3.0.0","check":{"id":"6195","title":"Ensure shadow group is empty.","description":"The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group","rationale":"Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily runa password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.","remediation":"Remove any legacy '+' entries from /etc/shadow if they exist.","compliance":{"cis":"6.2.18","cis_csc":"5.1","pci_dss":"2.2.3","nist_800_53":"CM.1","gpg_13":"4.3","gdpr_IV":"35.7.d","hipaa":"164.312.b","tsc":"CC5.2","cis_level":"1"},"command":["grep -E ^shadow:[^:]*:[^:]*:[^:]+ /etc/group"],"result":"passed"}}},"location":"sca"}
[root@5a4317d62f7b ~]# vi /var/ossec/etc/ossec.conf
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@5a4317d62f7b ~]# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/05/07 08:35:07 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/07 08:35:07 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
{"timestamp":"2024-05-07T08:35:24.559+0000","rule":{"level":3,"description":"CIS CentOS Linux 7 Benchmark v3.0.0: Ensure default group for the root account is GID 0.","id":"19008","firedtimes":238,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","8.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2","CC6.1"],"cis":["5.4.3"],"cis_csc":["5.1"],"cis_level":["1"]},"agent":{"id":"012","name":"5a4317d62f7b","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1715070924.2815184","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"716391465","policy":"CIS CentOS Linux 7 Benchmark v3.0.0","check":{"id":"6180","title":"Ensure default group for the root account is GID 0.","description":"The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user.","rationale":"Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users.","remediation":"Run the following command to set the root user default group to GID 0: usermod -g 0 root","compliance":{"cis":"5.4.3","cis_csc":"5.1","pci_dss":"8.2","tsc":"CC6.1","cis_level":"1"},"file":["/etc/passwd"],"result":"passed"}}},"location":"sca"}
Removal 🟢
[root@5a4317d62f7b ~]# yum remove wazuh-agent
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================
Package Arch Version Repository Size
========================================================================================================
Removing:
wazuh-agent ppc64le 4.8.0-1 @/wazuh-agent-4.8.0-1.ppc64le 36 M
Transaction Summary
========================================================================================================
Remove 1 Package
Installed size: 36 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : wazuh-agent-4.8.0-1.ppc64le 1/1
warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave
warning: /var/ossec/etc/client.keys saved as /var/ossec/etc/client.keys.rpmsave
Verifying : wazuh-agent-4.8.0-1.ppc64le 1/1
Removed:
wazuh-agent.ppc64le 0:4.8.0-1
Complete!
Check users and groups 🟢
Errors and warnings 🟢
Upgrade 🟢
[root@5a4317d62f7b ~]# curl -O https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.4-1.ppc64le.rpm
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7043k 100 7043k 0 0 9806k 0 --:--:-- --:--:-- --:--:-- 9809k
[root@5a4317d62f7b ~]# WAZUH_MANAGER="X.X.X.X" yum install ./wazuh-agent-4.7.4-1.ppc64le.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.7.4-1.ppc64le.rpm: wazuh-agent-4.7.4-1.ppc64le
Marking ./wazuh-agent-4.7.4-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.7.4-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================
Package Arch Version Repository Size
====================================================================================================
Installing:
wazuh-agent ppc64le 4.7.4-1 /wazuh-agent-4.7.4-1.ppc64le 32 M
Transaction Summary
====================================================================================================
Install 1 Package
Total size: 32 M
Installed size: 32 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : wazuh-agent-4.7.4-1.ppc64le 1/1
Verifying : wazuh-agent-4.7.4-1.ppc64le 1/1
Installed:
wazuh-agent.ppc64le 0:4.7.4-1
Complete!
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 013
Wazuh agent_control. Agent information:
Agent ID: 013
Agent Name: 5a4317d62f7b
IP address: any
Status: Active
Operating system: Linux |5a4317d62f7b |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
Client version: Wazuh v4.7.4
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715071164
Syscheck last started at: Tue May 7 08:39:24 2024
Syscheck last ended at: Tue May 7 08:39:26 2024
[root@5a4317d62f7b ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@5a4317d62f7b ~]# cat > /etc/yum.repos.d/wazuh.repo << EOF
> [wazuh]
> gpgcheck=1
> gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
> enabled=1
> name=EL-\$releasever - Wazuh
> baseurl=https://packages-dev.wazuh.com/pre-release/yum/
> protect=1
> EOF
[root@5a4317d62f7b ~]# yum clean all
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Cleaning repos: base extras updates wazuh
Cleaning up list of fastest mirrors
[root@5a4317d62f7b ~]# yum upgrade wazuh-agent
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
* base: mirrors.xtom.com
* extras: mirrors.xtom.com
* updates: mirrors.xtom.com
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
wazuh | 3.4 kB 00:00:00
(1/5): base/7/ppc64le/group_gz | 153 kB 00:00:00
(2/5): extras/7/ppc64le/primary_db | 233 kB 00:00:00
(3/5): base/7/ppc64le/primary_db | 4.8 MB 00:00:00
(4/5): updates/7/ppc64le/primary_db | 21 MB 00:00:00
(5/5): wazuh/primary_db | 462 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.7.4-1 will be updated
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================
Package Arch Version Repository Size
====================================================================================================
Updating:
wazuh-agent ppc64le 4.8.0-1 wazuh 7.8 M
Transaction Summary
====================================================================================================
Upgrade 1 Package
Total download size: 7.8 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-agent-4.8.0-1.ppc64le.rpm | 7.8 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : wazuh-agent-4.8.0-1.ppc64le 1/2
Cleanup : wazuh-agent-4.7.4-1.ppc64le 2/2
Verifying : wazuh-agent-4.8.0-1.ppc64le 1/2
Verifying : wazuh-agent-4.7.4-1.ppc64le 2/2
Updated:
wazuh-agent.ppc64le 0:4.8.0-1
Complete!
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 013
Wazuh agent_control. Agent information:
Agent ID: 013
Agent Name: 5a4317d62f7b
IP address: any
Status: Active
Operating system: Linux |5a4317d62f7b |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
Client version: Wazuh v4.8.0
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1715071323
Syscheck last started at: Tue May 7 08:41:24 2024
Syscheck last ended at: Tue May 7 08:41:26 2024
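A reconnect check over the wazuh-agentd connection lines that the "Generate alerts (TCP & UDP)" steps of the Debian and CentOS reports above grep out of ossec.log, as an added example that is not part of the Wazuh project or of either tester's report. It takes the Debian TCP/UDP lines copied from that report as sample input, summarises connects and closes per transport, reports which transport the agent last connected on, and flags close/reconnect churn. The 30-second window and the threshold of two fast reconnects are assumptions chosen for illustration, not Wazuh defaults.

```python
"""Connection-churn check over wazuh-agentd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the three agentd connection messages shown in the reports:
#   "Trying to connect to server ([host]:port/proto)."
#   "(4102): Connected to the server ([host]:port/proto)."
#   "Closing connection to server ([host]:port/proto)."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) wazuh-agentd: INFO: "
    r"(?:\(\d+\): )?"
    r"(?P<event>Trying to connect to server|Connected to the server|Closing connection to server) "
    r"\(\[(?P<host>[^\]]+)\]:(?P<port>\d+)/(?P<proto>tcp|udp)\)\.$"
)

# Sample input: the TCP and UDP lines copied from the Debian ppc64el report above.
SAMPLE_LOG = """\
2024/05/07 08:02:26 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:26 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:32 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:32 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:45 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:45 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:45 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:50 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:50 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:50 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:04:10 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/07 08:04:10 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
"""


def parse_events(text):
    """Return the connection events in a log, in file order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # alerts, other daemons, or free text: not a connection event
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "event": m["event"],
            "proto": m["proto"],
            "port": int(m["port"]),
        })
    return events


def connection_summary(events, churn_window=timedelta(seconds=30)):
    """Per transport: successful connects, closes, and connects that followed the
    previous successful connect within churn_window (an assumed window)."""
    summary = defaultdict(lambda: {"connected": 0, "closed": 0, "fast_reconnects": 0})
    last_connect = {}
    for ev in events:
        s = summary[ev["proto"]]
        if ev["event"] == "Connected to the server":
            s["connected"] += 1
            prev = last_connect.get(ev["proto"])
            if prev is not None and ev["ts"] - prev <= churn_window:
                s["fast_reconnects"] += 1
            last_connect[ev["proto"]] = ev["ts"]
        elif ev["event"] == "Closing connection to server":
            s["closed"] += 1
    return dict(summary)


def active_transport(events):
    """Transport of the most recent successful connect, or None if there was none."""
    for ev in reversed(events):
        if ev["event"] == "Connected to the server":
            return ev["proto"]
    return None


def flag_churn(summary, max_fast_reconnects=2):
    """Transports whose fast-reconnect count exceeds the (assumed) threshold."""
    return sorted(p for p, s in summary.items() if s["fast_reconnects"] > max_fast_reconnects)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    summ = connection_summary(evs)
    for proto, s in sorted(summ.items()):
        print(f"{proto}: {s}")
    print("last transport:", active_transport(evs))
    print("churn on:", flag_churn(summ) or "none")
```

On the sample, tcp shows four connects, two closes and three reconnects inside the 30-second window, while udp shows a single connect and is the last transport used, which matches the switch made by editing ossec.conf and restarting the agent. The churn figure is the thing to watch on a real host: repeated close/reconnect cycles on a healthy manager usually point at the enrollment or key exchange rather than at the network.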
Analysis Report - AMI 🟡
Logs 🟡
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
may 07 10:10:28 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T10:10:28Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
may 07 09:42:18 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T09:42:18Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
may 07 06:40:24 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T06:40:24Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 07 06:40:24 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T06:40:24Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 07 06:40:23 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T06:40:23Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 07 06:40:23 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T06:40:23Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 07 06:18:37 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T06:18:37Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 07 05:35:04 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T05:35:04Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 07 04:52:58 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T04:52:58Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 07 03:30:13 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T03:30:13Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 07 00:42:28 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:42:28Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 07 00:42:28 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:42:28Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 07 00:42:27 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:42:27Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 07 00:42:26 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:42:26Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 07 00:40:10 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:40:10Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 07 00:39:34 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:39:34Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_VERSION_TOO_LOW"},"message":"139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 23:31:01 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T23:31:01Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 21:42:06 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T21:42:06Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_VERSION_TOO_LOW"},"message":"139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 20:23:15 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T20:23:15Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 06 20:23:15 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T20:23:15Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 06 20:23:14 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T20:23:14Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 20:23:13 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T20:23:13Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 06 20:22:43 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T20:22:43Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 19:22:48 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T19:22:48Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 42\n","name":"Error","stack":"Error: 139832918595456:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 42\n","code":"ERR_SSL_SSLV3_ALERT_BAD_CERTIFICATE"},"message":"139832918595456:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 42\n"}
may 06 12:47:18 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T12:47:18Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 12:24:58 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T12:24:58Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 06 12:24:58 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T12:24:58Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 06 12:24:56 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T12:24:56Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 12:24:54 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T12:24:54Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 06 11:03:33 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T11:03:33Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 06 11:03:30 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T11:03:30Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 06 11:03:26 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T11:03:26Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 11:03:23 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T11:03:23Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 06 09:55:24 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T09:55:24Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 09:49:44 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T09:49:44Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","name":"Error","stack":"Error: 139832918595456:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","code":"ERR_SSL_WRONG_VERSION_NUMBER"},"message":"139832918595456:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}
may 06 09:27:34 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T09:27:34Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 09:19:27 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:27Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:24 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:24Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:22 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:22Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:19 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:19Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:17 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:17Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:15 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:15Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:12 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:12Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:19:09 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:09Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:19:07 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:07Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:19:04 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:04Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:19:02 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:02Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:59 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:59Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:57 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:57Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:54 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:54Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:52 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:52Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:49 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:49Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:47 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:47Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:44 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:44Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:42 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:42Z","tags":["error","savedobjects-service"],"pid":1811,"message":"Unable to retrieve version information from OpenSearch nodes."}
may 06 09:18:42 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:42Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
may 07 00:00:00 wazuh-server systemd-entrypoint[2327]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 07 00:00:00 wazuh-server systemd-entrypoint[2327]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 06 09:17:57 wazuh-server systemd-entrypoint[2327]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
may 06 09:17:57 wazuh-server systemd-entrypoint[2327]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 06 09:17:57 wazuh-server systemd-entrypoint[2327]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
may 06 09:17:57 wazuh-server systemd-entrypoint[2327]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 06 09:17:56 wazuh-server systemd-entrypoint[2327]: WARNING: System::setSecurityManager will be removed in a future release
may 06 09:17:56 wazuh-server systemd-entrypoint[2327]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
may 06 09:17:56 wazuh-server systemd-entrypoint[2327]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 06 09:17:56 wazuh-server systemd-entrypoint[2327]: WARNING: A terminally deprecated method in java.lang.System has been called
may 06 09:17:36 wazuh-server systemd-entrypoint[2327]: WARNING: System::setSecurityManager will be removed in a future release
may 06 09:17:36 wazuh-server systemd-entrypoint[2327]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
may 06 09:17:36 wazuh-server systemd-entrypoint[2327]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 06 09:17:36 wazuh-server systemd-entrypoint[2327]: WARNING: A terminally deprecated method in java.lang.System has been called
[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T09:19:13,876Z", "level": "ERROR", "component": "o.o.a.a.AlertIndices", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "info deleteOldIndices", "cluster.uuid": "m7MH9oKeSU-WRy0VYZjzFA", "node.id": "Iagsn0KOTky14LI39RsyMg" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T09:19:13,878Z", "level": "ERROR", "component": "o.o.a.a.AlertIndices", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "info deleteOldIndices", "cluster.uuid": "m7MH9oKeSU-WRy0VYZjzFA", "node.id": "Iagsn0KOTky14LI39RsyMg" }
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T09:19:13,876][ERROR][o.o.a.a.AlertIndices ] [node-1] info deleteOldIndices
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T09:19:13,878][ERROR][o.o.a.a.AlertIndices ] [node-1] info deleteOldIndices
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-02-27T12:11:57,227][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-02-27T12:12:17,852][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@4db6f045] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-02-27T12:12:17,852][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@4db6f045] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
2024/05/07 10:11:17 wazuh-remoted: WARNING: Unexpected message (hex): '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'
2024/05/07 10:11:17 wazuh-remoted: WARNING: Too big message size from socket [36].
Filebeat Test 🟢
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
Wazuh Indexer Cluster 🟢
[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200
{
"name" : "node-1",
"cluster_name" : "wazuh-cluster",
"cluster_uuid" : "m7MH9oKeSU-WRy0VYZjzFA",
"version" : {
"number" : "7.10.2",
"build_type" : "rpm",
"build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
"build_date" : "2023-09-20T23:54:29.889267151Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
127.0.0.1 61 97 1 0.01 0.03 0.04 dimr cluster_manager,data,ingest,remote_cluster_client * node-1
[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200/_cluster/health?pretty
{
"cluster_name" : "wazuh-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"discovered_master" : true,
"discovered_cluster_manager" : true,
"active_primary_shards" : 14,
"active_shards" : 14,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
Users 🟢
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin
Versions 🟢
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.8.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.8.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
"name": "opensearch-dashboards",
"description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
"keywords": [
"opensearch-dashboards",
"opensearch",
"logstash",
"analytics",
"visualizations",
"dashboards",
"dashboarding"
],
"version": "2.10.0",
"branch": "2.x",
"build": {
"number": 48009,
"sha": "c1120d93e2ee647977f917a1249258a622d4eb5b",
"distributable": true,
"release": true
},
"repository": {
"type": "git",
"url": "https://github.com/opensearch-project/opensearch-dashboards.git"
},
"engines": {
"node": ">=14.20.1 <19"
}
}
Processes 🟢
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
root 2091 1 0 may06 ? 00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root 2131 1 0 may06 ? 00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+ 2327 1 0 may06 ? 00:08:38 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3941m -Xmx3941m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-12830181436784623402 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2066743296 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-d+ 5530 1 0 may06 ? 00:02:36 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
root 19323 2691 0 may06 ? 00:00:00 sshd: wazuh-user [priv]
wazuh-u+ 19340 19323 0 may06 ? 00:00:00 sshd: wazuh-user@pts/0
wazuh-u+ 19341 19340 0 may06 pts/0 00:00:00 -bash
root 26845 2691 0 08:44 ? 00:00:00 sshd: wazuh-user [priv]
wazuh-u+ 26862 26845 0 08:44 ? 00:00:00 sshd: wazuh-user@pts/1
wazuh-u+ 26863 26862 0 08:44 pts/1 00:00:00 -bash
wazuh 27593 1 1 10:10 ? 00:00:14 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 27594 27593 0 10:10 ? 00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 27597 27593 0 10:10 ? 00:00:06 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 27600 27593 0 10:10 ? 00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root 27644 1 0 10:10 ? 00:00:02 /var/ossec/bin/wazuh-authd
wazuh 27661 1 0 10:10 ? 00:00:01 /var/ossec/bin/wazuh-db
root 27687 1 0 10:10 ? 00:00:00 /var/ossec/bin/wazuh-execd
wazuh 27702 1 0 10:10 ? 00:00:04 /var/ossec/bin/wazuh-analysisd
root 27715 1 1 10:10 ? 00:00:12 /var/ossec/bin/wazuh-syscheckd
wazuh 27763 1 0 10:10 ? 00:00:01 /var/ossec/bin/wazuh-remoted
root 27798 1 0 10:10 ? 00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh 27822 1 0 10:10 ? 00:00:00 /var/ossec/bin/wazuh-monitord
root 27843 1 0 10:10 ? 00:00:01 /var/ossec/bin/wazuh-modulesd
root 29568 19364 0 10:28 pts/0 00:00:00 grep --color=auto wazuh
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
SSH Root Access Denied 🟢
juliamagan@pop-os:~/Downloads$ ssh -i idr-1117.pem -p 2200 root@X.X.X.X
Please login as the user "wazuh-user" rather than the user "root".
Connection to X.X.X.X closed.
SSH wazuh-user Access Allowed 🟢
juliamagan@pop-os:~/Downloads$ ssh -i idr-1117.pem -p 2200 wazuh-user@X.X.X.X
Last login: Tue May 7 08:44:04 2024 from 33.red-81-38-118.dynamicip.rima-tde.net
[Wazuh ASCII-art login banner]
WAZUH Open Source Security Platform
https://wazuh.com
[wazuh-user@wazuh-server ~]$
Production Repositories 🟢
[root@wazuh-server wazuh-user]# cat /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
TCP and UDP
TCP, UDP and alerts have been tested before since this was the manager used for the previous agents.
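Added example, not part of this release report and not Wazuh's own tooling: a POSIX sh script that automates two of the manual checks above, the service-account shell check from the Users section and a triage of the `journalctl -u wazuh-dashboard` error lines, so the same questions can be asked of every test VM without eyeballing the output. All input is constructed inline (modeled on the report's /etc/passwd and journalctl output, with one deliberate deviation: the sample `wazuh-dashboard` account is given `/bin/bash` so the check has something to flag). The function names, the account list and the triage labels are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the release report and not Wazuh tooling:
# automates two manual checks from the report (service-account shells and a
# triage of `journalctl -u wazuh-dashboard` error lines). All input below is
# constructed inline so the script runs offline; on a real node point the
# functions at /etc/passwd and at a journalctl dump instead.

# Accounts the Wazuh server packages create (assumed list, taken from the
# report's /etc/passwd output). None of them may have an interactive shell.
WAZUH_SERVICE_USERS="wazuh wazuh-indexer wazuh-dashboard"

# check_service_shells PASSWD_FILE
# Prints "<user> OK <shell>", "<user> LOGIN-SHELL <shell>" or "<user> MISSING -"
# per service account; returns 1 if any account is missing or can log in.
check_service_shells() {
    passwd_file=$1
    rc=0
    for u in $WAZUH_SERVICE_USERS; do
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$passwd_file")
        case "$shell" in
            "")                echo "$u MISSING -"; rc=1 ;;
            */nologin|*/false) echo "$u OK $shell" ;;
            *)                 echo "$u LOGIN-SHELL $shell"; rc=1 ;;
        esac
    done
    return $rc
}

# triage_dashboard_log JOURNAL_FILE
# Labels each dashboard error line (labels are this example's own):
#   startup-race    indexer not listening yet on 127.0.0.1:9200; harmless if
#                   it stops once the indexer is up
#   tls-unknown-ca  a client rejected the dashboard certificate (TLS alert 48);
#                   expected with a self-signed certificate, otherwise find
#                   out which client sent it
#   index-exists    two writers raced to create the same statistics index
#   UNCLASSIFIED    anything else; needs a human look
# Prints "<label> <@timestamp>" per line; returns 1 if anything is UNCLASSIFIED.
triage_dashboard_log() {
    log_file=$1
    rc=0
    while IFS= read -r line; do
        ts=$(printf '%s\n' "$line" | sed -n 's/.*"@timestamp":"\([^"]*\)".*/\1/p')
        case "$line" in
            *"ECONNREFUSED 127.0.0.1:9200"*|*"Unable to retrieve version information"*)
                label=startup-race ;;
            *ERR_SSL_TLSV1_ALERT_UNKNOWN_CA*)    label=tls-unknown-ca ;;
            *resource_already_exists_exception*) label=index-exists ;;
            *)                                   label=UNCLASSIFIED; rc=1 ;;
        esac
        echo "$label ${ts:--}"
    done < "$log_file"
    return $rc
}

# write_samples DIR
# Writes the constructed inputs. The passwd sample deliberately gives
# wazuh-dashboard /bin/bash so the shell check has something to flag; the
# journal lines follow the shape of the report's journalctl output.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/bin/bash
EOF
    cat > "$1/dashboard.journal" <<'EOF'
may 07 11:24:43 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:43Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:46 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:46Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ResponseError]: Response Error"}
may 07 11:43:48 wazuh-server opensearch-dashboards[2032]: {"type":"error","@timestamp":"2024-05-07T11:43:48Z","tags":["connection","client","error"],"pid":2032,"error":{"code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"tlsv1 alert unknown ca"}
may 07 11:45:01 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:45:01Z","tags":["error","opensearch","data"],"pid":2032,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2024.19w] already exists"}
EOF
}

# Demo run on the constructed samples.
demo_dir=${TMPDIR:-/tmp}/wazuh-postinstall.$$
mkdir -p "$demo_dir"
write_samples "$demo_dir"
echo "== service account shells =="
check_service_shells "$demo_dir/passwd" || echo "FAIL: a Wazuh service account can log in interactively"
echo "== wazuh-dashboard error triage =="
triage_dashboard_log "$demo_dir/dashboard.journal" || echo "REVIEW: unclassified dashboard errors listed above"
rm -rf "$demo_dir"
```

On a real node run `check_service_shells /etc/passwd` and `journalctl -u wazuh-dashboard | grep -i error > /tmp/dash.log; triage_dashboard_log /tmp/dash.log`. The only line the triage refuses to label in the sample is the bare `[ResponseError]: Response Error`, which is exactly the one in the report that carries no reason and deserves a look at the indexer log for the same second.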
Analysis report - HP-UX 🔴
System info 🟢
bash-4.4# hostname
sovmh349
bash-4.4# uname -a
HP-UX sovmh349 B.11.31 U ia64 2082618356 unlimited-user license
Installation without variables 🔴
bash-4.4# /usr/local/bin/curl -O -k https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.8.0>
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 58.1M 100 58.1M 0 0 3305k 0 0:00:18 0:00:18 --:--:-- 3438k
bash-4.4# groupadd wazuh
bash-4.4# useradd -G wazuh wazuh
bash-4.4# tar -xvf wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1951956 bytes, 3813 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2095304 bytes, 4093 tape blocks
x /var/ossec/bin/wazuh-execd, 1814956 bytes, 3545 tape blocks
x /var/ossec/bin/manage_agents, 571064 bytes, 1116 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1745208 bytes, 3409 tape blocks
x /var/ossec/bin/wazuh-agentd, 1886936 bytes, 3686 tape blocks
x /var/ossec/bin/agent-auth, 572052 bytes, 1118 tape blocks
x /var/ossec/lib/libwazuhext.so, 15675204 bytes, 30616 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355660 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1315532 bytes, 2570 tape blocks
x /var/ossec/lib/librsync.so, 892088 bytes, 1743 tape blocks
x /var/ossec/lib/libsysinfo.so, 798672 bytes, 1560 tape blocks
x /var/ossec/lib/libfimdb.so, 1266648 bytes, 2474 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks
x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 41705 bytes, 82 tape blocks
x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks
x /var/ossec/wodles/aws/buckets_s3/config.py, 8844 bytes, 18 tape blocks
x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4353 bytes, 9 tape blocks
x /var/ossec/wodles/aws/buckets_s3/__init__.py, 462 bytes, 1 tape blocks
x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks
x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9254 bytes, 19 tape blocks
x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2718 bytes, 6 tape blocks
x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11310 bytes, 23 tape blocks
x /var/ossec/wodles/aws/buckets_s3/waf.py, 2897 bytes, 6 tape blocks
x /var/ossec/wodles/aws/services/aws_service.py, 6109 bytes, 12 tape blocks
x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24429 bytes, 48 tape blocks
x /var/ossec/wodles/aws/services/__init__.py, 166 bytes, 1 tape blocks
x /var/ossec/wodles/aws/services/inspector.py, 6909 bytes, 14 tape blocks
x /var/ossec/wodles/aws/subscribers/__init__.py, 201 bytes, 1 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6214 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 10502 bytes, 21 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1825 bytes, 4 tape blocks
x /var/ossec/wodles/aws/aws-s3, 9801 bytes, 20 tape blocks
x /var/ossec/wodles/aws/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/aws/aws_tools.py, 17232 bytes, 34 tape blocks
x /var/ossec/wodles/aws/wazuh_integration.py, 22966 bytes, 45 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 38690 bytes, 76 tape blocks
x /var/ossec/wodles/azure/orm.py, 10097 bytes, 20 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14430 bytes, 29 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4816 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
🔴
Analysis Report - OVA 🟡
Check System 🟢
[wazuh-user@wazuh-server ~]$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
[wazuh-user@wazuh-server ~]$ ps aux | grep wazuh
wazuh-d+ 2032 0.6 1.9 1019964 157016 ? Ssl 11:24 0:06 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
root 4445 0.0 0.0 98672 3692 ? Ss 11:24 0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
wazuh-i+ 4989 5.2 56.5 8276940 4608392 ? Ssl 11:24 0:53 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3981m -Xmx3981m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-10951774042572470084 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2087714816 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
root 5009 0.0 0.0 86424 3848 ? Ss 11:24 0:00 login -- wazuh-user
wazuh 6257 0.2 1.3 1003820 108944 ? Sl 11:24 0:02 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 6261 0.0 0.7 283288 61028 ? S 11:24 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 6264 0.0 0.8 369968 69324 ? S 11:24 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 6268 0.0 0.7 511656 58336 ? S 11:24 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root 6364 0.0 0.0 131592 5820 ? Sl 11:24 0:00 /var/ossec/bin/wazuh-authd
wazuh 6397 0.0 0.2 871960 18256 ? Sl 11:24 0:00 /var/ossec/bin/wazuh-db
root 7016 0.0 0.0 41320 3960 ? Sl 11:24 0:00 /var/ossec/bin/wazuh-execd
wazuh 7396 0.0 0.3 1442140 28552 ? Sl 11:24 0:00 /var/ossec/bin/wazuh-analysisd
root 8040 0.7 0.1 360280 13872 ? SNl 11:24 0:07 /var/ossec/bin/wazuh-syscheckd
wazuh 8059 0.0 0.1 627108 11064 ? Sl 11:24 0:00 /var/ossec/bin/wazuh-remoted
root 8656 0.0 0.0 483716 5144 ? Sl 11:24 0:00 /var/ossec/bin/wazuh-logcollector
wazuh 8762 0.0 0.0 41384 4232 ? Sl 11:24 0:00 /var/ossec/bin/wazuh-monitord
root 8899 9.3 2.6 1006664 217580 ? Sl 11:24 1:35 /var/ossec/bin/wazuh-modulesd
wazuh-u+ 14357 0.0 0.0 124864 3920 tty1 Ss+ 11:24 0:00 -bash
root 18927 0.0 0.1 150628 9076 ? Ss 11:25 0:00 sshd: wazuh-user [priv]
wazuh-u+ 18931 0.0 0.0 150628 4808 ? S 11:25 0:00 sshd: wazuh-user@pts/0
wazuh-u+ 18932 0.0 0.0 124864 4276 pts/0 Ss 11:25 0:00 -bash
wazuh-u+ 19004 0.0 0.0 162292 4348 pts/0 R+ 11:41 0:00 ps aux
wazuh-u+ 19005 0.0 0.0 119416 916 pts/0 S+ 11:41 0:00 grep --color=auto wazuh
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.8.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.8.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
"name": "opensearch-dashboards",
"description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
"keywords": [
"opensearch-dashboards",
"opensearch",
"logstash",
"analytics",
"visualizations",
"dashboards",
"dashboarding"
],
"version": "2.10.0",
"branch": "2.x",
"build": {
"number": 48009,
"sha": "c1120d93e2ee647977f917a1249258a622d4eb5b",
"distributable": true,
"release": true
},
"repository": {
"type": "git",
"url": "https://github.com/opensearch-project/opensearch-dashboards.git"
},
"engines": {
"node": ">=14.20.1 <19"
}
}
Users 🟢
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin
Logs 🟡
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
may 07 11:45:01 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:45:01Z","tags":["error","opensearch","data"],"pid":2032,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2024.19w/YGdFoFh5RFmYXMic2EAOkA] already exists"}
may 07 11:43:48 wazuh-server opensearch-dashboards[2032]: {"type":"error","@timestamp":"2024-05-07T11:43:48Z","tags":["connection","client","error"],"pid":2032,"level":"error","error":{"message":"140485350938496:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140485350938496:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140485350938496:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
may 07 11:24:46 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:46Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ResponseError]: Response Error"}
may 07 11:24:43 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:43Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:41 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:41Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:38 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:38Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:36 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:36Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:33 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:33Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:31 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:31Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 13:24:28 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:28Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 13:24:25 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:25Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 13:24:23 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:23Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 13:24:20 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:20Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 13:24:18 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:18Z","tags":["error","savedobjects-service"],"pid":2032,"message":"Unable to retrieve version information from OpenSearch nodes."}
may 07 13:24:18 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:18Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: WARNING: System::setSecurityManager will be removed in a future release
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: WARNING: A terminally deprecated method in java.lang.System has been called
may 07 11:24:33 wazuh-server systemd-entrypoint[4989]: WARNING: System::setSecurityManager will be removed in a future release
may 07 11:24:33 wazuh-server systemd-entrypoint[4989]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
may 07 11:24:33 wazuh-server systemd-entrypoint[4989]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 07 11:24:33 wazuh-server systemd-entrypoint[4989]: WARNING: A terminally deprecated method in java.lang.System has been called
[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:34,517Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-10951774042572470084, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:42,994Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,686Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "Ov7qbabSQdC4Ogs2SziHWA", "node.id": "I3vrV2VcRRac-JflBF5T_Q" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,711Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "Ov7qbabSQdC4Ogs2SziHWA", "node.id": "I3vrV2VcRRac-JflBF5T_Q" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,714Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "Ov7qbabSQdC4Ogs2SziHWA", "node.id": "I3vrV2VcRRac-JflBF5T_Q" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,716Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "Ov7qbabSQdC4Ogs2SziHWA", "node.id": "I3vrV2VcRRac-JflBF5T_Q" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,759Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "Ov7qbabSQdC4Ogs2SziHWA", "node.id": "I3vrV2VcRRac-JflBF5T_Q" }
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:34,517][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-10951774042572470084, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:42,994][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:46,686][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:46,711][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:46,714][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:46,716][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:46,759][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2024/05/07 11:24:32 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/05/07 11:24:34 indexer-connector: WARNING: Failed to sync agent '000' with the indexer.
Filebeat Test 🟢
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
Wazuh Indexer Cluster 🟢
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200
{
"name" : "node-1",
"cluster_name" : "wazuh-cluster",
"cluster_uuid" : "Ov7qbabSQdC4Ogs2SziHWA",
"version" : {
"number" : "7.10.2",
"build_type" : "rpm",
"build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
"build_date" : "2023-09-20T23:54:29.889267151Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
127.0.0.1 3 98 1 0.00 0.07 0.10 dimr cluster_manager,data,ingest,remote_cluster_client * node-1
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty
{
"cluster_name" : "wazuh-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"discovered_master" : true,
"discovered_cluster_manager" : true,
"active_primary_shards" : 11,
"active_shards" : 11,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
No Root SSH Access 🟢
juliamagan@pop-os:~$ ssh root@192.168.1.57
root@192.168.1.57's password:
Permission denied, please try again.
root@192.168.1.57's password:
Permission denied, please try again.
root@192.168.1.57's password:
root@192.168.1.57: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Installation - Agent 🟢
root@ubuntu-jammy:/home/vagrant# wget https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.57' WAZUH_AGENT_NAME='ubuntu_agent' dpkg -i ./wazuh-agent_4.8.0-1_amd64.deb
--2024-05-07 12:04:19-- https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 52.84.66.124, 52.84.66.126, 52.84.66.65, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|52.84.66.124|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10271520 (9.8M) [binary/octet-stream]
Saving to: ‘wazuh-agent_4.8.0-1_amd64.deb’
wazuh-agent_4.8.0-1_amd64 100%[=====================================>] 9.79M 25.7MB/s in 0.4s
2024-05-07 12:04:20 (25.7 MB/s) - ‘wazuh-agent_4.8.0-1_amd64.deb’ saved [10271520/10271520]
Selecting previously unselected package wazuh-agent.
(Reading database ... 64052 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_amd64.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up wazuh-agent (4.8.0-1) ...
root@ubuntu-jammy:/home/vagrant# sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service.
root@ubuntu-jammy:/home/vagrant# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@ubuntu-jammy:/home/vagrant# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
TCP, UDP and alerts 🟢
TCP
[root@wazuh-server wazuh-user]# egrep tcp /var/ossec/etc/ossec.conf
<protocol>tcp,udp</protocol>
root@ubuntu-jammy:/home/vagrant# egrep tcp /var/ossec/logs/ossec.log
2024/05/07 12:05:19 wazuh-agentd: INFO: Trying to connect to server ([192.168.1.57]:1514/tcp).
2024/05/07 12:05:19 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.57]:1514/tcp).
{"timestamp":"2024-05-07T12:05:42.350+0000","rule":{"level":7,"description":"SCA summary: CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.: Score less than 50% (42)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"ubuntu_agent","ip":"192.168.1.60"},"manager":{"name":"wazuh-server"},"id":"1715083542.667469","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1507681415","policy":"CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","passed":"76","failed":"104","invalid":"2","total_checks":"182","score":"42","file":"cis_ubuntu22-04.yml"}},"location":"sca"}
UDP
[root@wazuh-server wazuh-user]# egrep tcp /var/ossec/etc/ossec.conf
<protocol>tcp,udp</protocol>
root@ubuntu-jammy:/home/vagrant# egrep udp /var/ossec/logs/ossec.log
2024/05/07 12:10:41 wazuh-agentd: INFO: Trying to connect to server ([192.168.1.57]:1514/udp).
2024/05/07 12:10:41 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.57]:1514/udp).
{"timestamp":"2024-05-07T12:10:43.110+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"ubuntu_agent","ip":"192.168.1.60"},"manager":{"name":"wazuh-server"},"id":"1715083843.671952","full_log":"Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/diff"},"location":"rootcheck"}
GJ, but the errors and warnings of the OVA and AMI logs should be indicated by placing the yellow circle 🟡 at the conclusion of the issue.
LGTM
Packages tests metrics information
Build packages
Test packages
PPC64EL packages
OVA/AMI specific tests
Status legend:
⚫ - Pending/In progress
⚪ - Skipped
🔴 - Rejected
🟡 - Approved with known issues
🟢 - Approved
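As an added example (not part of the report or of Wazuh's own tooling), a small triage script that parses the three log formats grepped above (indexer JSON log, indexer plain log, ossec.log) and maps what it finds to this legend the way the review comment asks: any ERROR/WARNING line gives 🟡, none gives 🟢. The sample lines are constructed, modelled on the report's output.

```python
import json
import re
from collections import Counter

# Constructed sample lines modelled on the grep output in the report (not the report's own data).
SAMPLE_LINES = [
    '/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,686Z", '
    '"level": "ERROR", "component": "o.o.s.a.BackendRegistry", "message": "Not yet initialized (you may need to run securityadmin)"}',
    '/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:42,994][ERROR][o.o.s.a.s.SinkProvider ] [node-1] '
    'Default endpoint could not be created, auditlog will not work properly.',
    "2024/05/07 11:24:32 indexer-connector: WARNING: IndexerConnector initialization failed for index "
    "'wazuh-states-vulnerabilities', retrying until the connection is successful.",
    "2024/05/07 12:05:19 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.57]:1514/tcp).",
]

# Plain-text indexer log: [timestamp][LEVEL ][component ] [node] message
OPENSEARCH_TEXT = re.compile(r"^\[[^\]]+\]\[(?P<level>[A-Z]+)\s*\]\[(?P<component>[^\]]+?)\s*\]")
# ossec.log: YYYY/MM/DD HH:MM:SS component: LEVEL: message
OSSEC_TEXT = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} (?P<component>[^:]+): (?P<level>[A-Z]+):")

# Severities the report's own grep pattern looks for (error|critical|fatal|warning)
FLAGGED_LEVELS = {"ERROR", "CRITICAL", "FATAL", "WARNING", "WARN"}


def parse_line(line):
    """Return (level, component) for a line in any of the three formats, or None if unrecognised."""
    # grep over several files prefixes each line with its path; strip that prefix when present
    body = line.split(":", 1)[1] if line.startswith("/") else line
    if body.startswith("{"):
        rec = json.loads(body)
        return rec.get("level", "").upper(), rec.get("component", "?")
    for pattern in (OPENSEARCH_TEXT, OSSEC_TEXT):
        match = pattern.match(body)
        if match:
            return match.group("level").upper(), match.group("component").strip()
    return None


def summarize(lines):
    """Count lines per (level, component) so a reviewer sees which subsystem produced the noise."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed] += 1
    return counts


def status(counts):
    """Map the summary to the legend: flagged levels present -> approved with known issues."""
    return "🟡" if any(level in FLAGGED_LEVELS for level, _ in counts) else "🟢"
```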
Testing considerations
PPC64EL systems must be done inside a container.
For PPC64EL Debian, installing procps may be required if it is not present in the container.
Conclusion 🔴
New issues
Known issues
Too big message size from socket after receiving a Wazuh agent message #17596
Auditor's validation
In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.