Check Wazuh-Manager compatibility with new version Red Hat Enterprise Linux 9.4 #23312

Closed
13 of 14 tasks
mjcr99 opened this issue May 6, 2024 · 3 comments

Comments


mjcr99 commented May 6, 2024

Description

Hello team, this issue is to check the full compatibility of Wazuh Manager on the new version of the Red Hat Enterprise Linux operating system, 9.4.

OSs checks issue: #23311

For this, it is necessary to perform the following tests to check that everything works as expected:

  • Wazuh-manager installation.
  • Enrollment and connectivity with an agent.
  • Centralized configuration works correctly.
  • FIM: Decoding and filtering of correct alerts from FIM.
  • SCA: Policy support.
  • Syscollector: Complete inventory.
  • Vulnerability Detector: Vulnerability support.
  • Active Response.
  • Logcollector: Decoding and filtering of correct alerts from Logcollector.
  • csyslogd module. Test forwarding alerts via syslog.
  • agentless functionality: at the moment it is not possible to test it; wait until the redesign: Agentless redesign #14406
  • maild functionality. Check email alerts.
  • clusterd functionality. Check a two-node cluster with master and worker, using nginx as load balancer to connect an agent.
  • integratord functionality. Check Virustotal integration alerts.

mjcr99 commented May 8, 2024

Testing

🟢 Wazuh-manager installation

Manager installed on the RHEL 9.4 machine by following this guide, using the Vagrant box nikomarinov/RHEL.
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Installation logs
[root@localhost vagrant]# curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
08/05/2024 12:24:49 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.4
08/05/2024 12:24:49 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/05/2024 12:25:00 INFO: --- Dependencies ---
08/05/2024 12:25:00 INFO: Installing lsof.
08/05/2024 12:25:15 ERROR: Your system does not meet the recommended minimum hardware requirements of 4Gb of RAM and 2 CPU cores. If you want to proceed with the installation use the -i option to ignore these requirements.
[root@localhost vagrant]# curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i
08/05/2024 12:25:21 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.4
08/05/2024 12:25:21 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/05/2024 12:25:32 WARNING: Hardware and system checks ignored.
08/05/2024 12:25:32 INFO: Wazuh web interface port will be 443.
08/05/2024 12:25:34 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 1515, 1514, 443.
08/05/2024 12:25:35 INFO: Wazuh repository added.
08/05/2024 12:25:35 INFO: --- Configuration files ---
08/05/2024 12:25:35 INFO: Generating configuration files.
08/05/2024 12:25:37 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
08/05/2024 12:25:37 INFO: --- Wazuh indexer ---
08/05/2024 12:25:37 INFO: Starting Wazuh indexer installation.
08/05/2024 12:27:19 INFO: Wazuh indexer installation finished.
08/05/2024 12:27:19 INFO: Wazuh indexer post-install configuration finished.
08/05/2024 12:27:19 INFO: Starting service wazuh-indexer.
08/05/2024 12:27:35 INFO: wazuh-indexer service started.
08/05/2024 12:27:35 INFO: Initializing Wazuh indexer cluster security settings.
08/05/2024 12:27:46 INFO: Wazuh indexer cluster initialized.
08/05/2024 12:27:46 INFO: --- Wazuh server ---
08/05/2024 12:27:46 INFO: Starting the Wazuh manager installation.
08/05/2024 12:28:43 INFO: Wazuh manager installation finished.
08/05/2024 12:28:43 INFO: Starting service wazuh-manager.
08/05/2024 12:29:02 INFO: wazuh-manager service started.
08/05/2024 12:29:02 INFO: Starting Filebeat installation.
08/05/2024 12:29:11 INFO: Filebeat installation finished.
08/05/2024 12:29:12 INFO: Filebeat post-install configuration finished.
08/05/2024 12:29:12 INFO: Starting service filebeat.
08/05/2024 12:29:12 INFO: filebeat service started.
08/05/2024 12:29:12 INFO: --- Wazuh dashboard ---
08/05/2024 12:29:12 INFO: Starting Wazuh dashboard installation.
08/05/2024 12:31:11 INFO: Wazuh dashboard installation finished.
08/05/2024 12:31:11 INFO: Wazuh dashboard post-install configuration finished.
08/05/2024 12:31:11 INFO: Starting service wazuh-dashboard.
08/05/2024 12:31:12 INFO: wazuh-dashboard service started.
08/05/2024 12:31:45 INFO: Initializing Wazuh dashboard web application.
08/05/2024 12:31:47 INFO: Wazuh dashboard web application initialized.
08/05/2024 12:31:47 INFO: --- Summary ---
08/05/2024 12:31:47 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: ---
08/05/2024 12:31:47 INFO: Installation finished.

🟢 Enrollment and connectivity with an agent

The firewall had to be disabled to get the agent to connect:
systemctl stop firewalld

Connection logs
2024/05/08 12:48:51 wazuh-authd: INFO: New connection from 192.168.56.106
2024/05/08 12:48:51 wazuh-authd: INFO: Received request for a new agent (agent3-ubu22) from: 192.168.56.106
2024/05/08 12:48:51 wazuh-authd: INFO: Agent key generated for 'agent3-ubu22' (requested by any)
2024/05/08 12:48:55 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2024/05/08 12:48:55 wazuh-remoted: INFO: (1410): Reading authentication keys file.

🟢 Centralized configuration works correctly

Edit /var/ossec/etc/shared/default/agent.conf

agent.conf
<agent_config>
  <syscheck>
    <directories realtime="yes">/test</directories>
  </syscheck>
</agent_config>
Log on the agent side after editing agent.conf on the manager
2024/05/08 09:51:35 wazuh-modulesd:syscollector: INFO: Module finished.
2024/05/08 09:51:35 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/05/08 09:51:35 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources.
2024/05/08 09:51:35 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/05/08 09:51:35 wazuh-agentd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/05/08 09:51:36 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2024/05/08 09:51:36 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/05/08 09:51:37 wazuh-execd: INFO: Started (pid: 5232).
2024/05/08 09:51:38 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/05/08 09:51:38 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2024/05/08 09:51:38 wazuh-agentd: INFO: Version detected -> Linux |agent3-ubu22 |5.15.0-25-generic |#25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 |x86_64 [Ubuntu|ubuntu: 22.04 (Jammy Jellyfish)] - Wazuh v4.7.4
2024/05/08 09:51:38 wazuh-agentd: INFO: Started (pid: 5243).
2024/05/08 09:51:38 wazuh-agentd: INFO: Using AES as encryption method.
2024/05/08 09:51:38 wazuh-agentd: INFO: Trying to connect to server ([192.168.56.208]:1514/tcp).
2024/05/08 09:51:38 wazuh-agentd: ERROR: (1216): Unable to connect to '[192.168.56.208]:1514/tcp': 'Connection refused'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: Started (pid: 5256).
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/test', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | realtime'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

🟢 FIM: Decoding and filtering of correct alerts from FIM

Alert from FIM

** Alert 1715162257.1218782: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 May 08 12:57:37 (agent3-ubu22) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/test/file1' modified
Mode: realtime
Changed attributes: mtime
Old modification time was: '1715162052', now it is '1715162256'

Attributes:
 - Size: 0
 - Permissions: rw-r--r--
 - Date: Wed May  8 12:57:36 2024
 - Inode: 2359298
 - User: root (0)
 - Group: root (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

🟢 SCA: Policy support

SCA is officially supported on RHEL 9. Default configuration was used.

Connection logs
2024/05/08 12:28:58 sca: INFO: Module started.
2024/05/08 12:28:58 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_rhel9_linux.yml'
2024/05/08 12:28:58 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2024/05/08 12:28:58 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/05/08 12:28:58 sca: INFO: Starting Security Configuration Assessment scan.
2024/05/08 12:28:58 wazuh-modulesd:control: INFO: Starting control thread.
2024/05/08 12:28:58 wazuh-modulesd:download: INFO: Module started.
2024/05/08 12:28:58 wazuh-modulesd:database: INFO: Module started.
2024/05/08 12:28:58 wazuh-modulesd:syscollector: INFO: Module started.
2024/05/08 12:28:58 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/05/08 12:28:59 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_rhel9_linux.yml'
2024/05/08 12:29:00 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/05/08 12:29:04 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/05/08 12:29:04 wazuh-syscheckd: INFO: FIM sync module started.
2024/05/08 12:29:10 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_rhel9_linux.yml'
2024/05/08 12:29:10 sca: INFO: Security Configuration Assessment scan finished. Duration: 12 seconds.

Dashboard SCA section (screenshot)

🟢 Syscollector

Default configuration.

Inventory from an Ubuntu 22 agent (screenshot)

🟢 Vulnerability detector

Configuration
<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
...
    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>
Vulnerability alert
** Alert 1715163468.7305875: - vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,
2024 May 08 13:17:48 (agent3-ubu22) any->vulnerability-detector
Rule: 23505 (level 10) -> 'CVE-2022-1621 affects vim-runtime'
{"vulnerability":{"package":{"name":"vim-runtime","source":"vim","version":"2:8.2.3995-1ubuntu2","architecture":"all","condition":"Package less than 2:8.2.3995-1ubuntu2.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":6.8,"exploitability_score":8.6,"impact_score":6.4},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9}},"cve":"CVE-2022-1621","title":"CVE-2022-1621 affects vim-runtime","rationale":"Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution","severity":"High","published":"2022-05-10","updated":"2023-11-07","cwe_reference":"CWE-122","status":"Active","type":"PACKAGE","references":["http://seclists.org/fulldisclosure/2022/Oct/28","http://seclists.org/fulldisclosure/2022/Oct/41","https://github.com/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b","https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb","https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html","https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/","https://security.gentoo.org/glsa/202208-32","https://security.gentoo.org/glsa/202305-16","https://support.apple.com/kb/HT213488","https://nvd.nist.gov/vuln/detail/CVE-2022-1621","https://ubuntu.com/security/notices/USN-5460-1","https://ubuntu.com/security/notices/USN-5613-1","https://www.cve.org/CVERecord?id=CVE-2022-1621"],"assigner":"security@huntr.dev"}}
vulnerability.package.name: vim-runtime
vulnerability.package.source: vim
vulnerability.package.version: 2:8.2.3995-1ubuntu2
vulnerability.package.architecture: all
vulnerability.package.condition: Package less than 2:8.2.3995-1ubuntu2.1
vulnerability.cvss.cvss2.vector.attack_vector: network
vulnerability.cvss.cvss2.vector.access_complexity: medium
vulnerability.cvss.cvss2.vector.authentication: none
vulnerability.cvss.cvss2.vector.confidentiality_impact: partial
vulnerability.cvss.cvss2.vector.integrity_impact: partial
vulnerability.cvss.cvss2.vector.availability: partial
vulnerability.cvss.cvss2.base_score: 6.800000
vulnerability.cvss.cvss2.exploitability_score: 8.600000
vulnerability.cvss.cvss2.impact_score: 6.400000
vulnerability.cvss.cvss3.vector.attack_vector: local
vulnerability.cvss.cvss3.vector.access_complexity: low
vulnerability.cvss.cvss3.vector.privileges_required: none
vulnerability.cvss.cvss3.vector.user_interaction: required
vulnerability.cvss.cvss3.vector.scope: unchanged
vulnerability.cvss.cvss3.vector.confidentiality_impact: high
vulnerability.cvss.cvss3.vector.integrity_impact: high
vulnerability.cvss.cvss3.vector.availability: high
vulnerability.cvss.cvss3.base_score: 7.800000
vulnerability.cvss.cvss3.exploitability_score: 1.800000
vulnerability.cvss.cvss3.impact_score: 5.900000
vulnerability.cve: CVE-2022-1621
vulnerability.title: CVE-2022-1621 affects vim-runtime
vulnerability.rationale: Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
vulnerability.severity: High
vulnerability.published: 2022-05-10
vulnerability.updated: 2023-11-07
vulnerability.cwe_reference: CWE-122
vulnerability.status: Active
vulnerability.type: PACKAGE
vulnerability.references: ["http://seclists.org/fulldisclosure/2022/Oct/28", "http://seclists.org/fulldisclosure/2022/Oct/41", "https://github.com/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b", "https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb", "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/", "https://security.gentoo.org/glsa/202208-32", "https://security.gentoo.org/glsa/202305-16", "https://support.apple.com/kb/HT213488", "https://nvd.nist.gov/vuln/detail/CVE-2022-1621", "https://ubuntu.com/security/notices/USN-5460-1", "https://ubuntu.com/security/notices/USN-5613-1", "https://www.cve.org/CVERecord?id=CVE-2022-1621"]
vulnerability.assigner: security@huntr.dev


** Alert 1715185003.679304: - vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,
2024 May 08 19:16:43 (localhost.localdomain) 127.0.0.1->vulnerability-detector
Rule: 23503 (level 5) -> 'CVE-2022-47010 affects binutils'
{"vulnerability":{"package":{"name":"binutils","version":"2.35.2-43.el9","architecture":"x86_64","condition":"Package unfixed"},"cvss":{"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":5.5,"exploitability_score":1.8,"impact_score":3.6}},"cve":"CVE-2022-47010","title":"CVE-2022-47010 affects binutils","rationale":"An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.","severity":"Low","published":"2023-08-22","updated":"2023-08-26","cwe_reference":"CWE-401","status":"Active","type":"PACKAGE","bugzilla_references":["https://bugzilla.redhat.com/show_bug.cgi?id=2233988"],"references":["https://sourceware.org/bugzilla/show_bug.cgi?id=29262","https://nvd.nist.gov/vuln/detail/CVE-2022-47010","https://access.redhat.com/security/cve/CVE-2022-47010"],"assigner":"cve@mitre.org"}}
vulnerability.package.name: binutils
vulnerability.package.version: 2.35.2-43.el9
vulnerability.package.architecture: x86_64
vulnerability.package.condition: Package unfixed
vulnerability.cvss.cvss3.vector.attack_vector: local
vulnerability.cvss.cvss3.vector.access_complexity: low
vulnerability.cvss.cvss3.vector.privileges_required: none
vulnerability.cvss.cvss3.vector.user_interaction: required
vulnerability.cvss.cvss3.vector.scope: unchanged
vulnerability.cvss.cvss3.vector.confidentiality_impact: none
vulnerability.cvss.cvss3.vector.integrity_impact: none
vulnerability.cvss.cvss3.vector.availability: high
vulnerability.cvss.cvss3.base_score: 5.500000
vulnerability.cvss.cvss3.exploitability_score: 1.800000
vulnerability.cvss.cvss3.impact_score: 3.600000
vulnerability.cve: CVE-2022-47010
vulnerability.title: CVE-2022-47010 affects binutils
vulnerability.rationale: An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
vulnerability.severity: Low
vulnerability.published: 2023-08-22
vulnerability.updated: 2023-08-26
vulnerability.cwe_reference: CWE-401
vulnerability.status: Active
vulnerability.type: PACKAGE
vulnerability.bugzilla_references: ["https://bugzilla.redhat.com/show_bug.cgi?id=2233988"]
vulnerability.references: ["https://sourceware.org/bugzilla/show_bug.cgi?id=29262", "https://nvd.nist.gov/vuln/detail/CVE-2022-47010", "https://access.redhat.com/security/cve/CVE-2022-47010"]
vulnerability.assigner: cve@mitre.org

🟢 Active response

Use case: Restarting the Wazuh agent with active response

Manager ossec.conf configuration:

  <active-response>
    <command>restart-wazuh</command>
    <location>local</location>
    <rules_id>550</rules_id>
  </active-response>

Force a FIM modify alert (id 550) to get the restart.sh script executed with active response:

Results
Manager's alerts
** Alert 1715166818.7689060: - restart,
2024 May 08 14:13:38 (agent3-ubu22) any->syscheck
Rule: 100009 (level 5) -> 'Changes made to the agent configuration file - /var/ossec/etc/ossec.conf'
File '/var/ossec/etc/ossec.conf' modified
Mode: realtime
Changed attributes: size,mtime,md5,sha1,sha256
Size changed from '5681' to '5682'
Old modification time was: '1715166684', now it is '1715166818'
Old md5sum was: '78a1bd39c2a113fb967c85371acab4a7'
New md5sum is : '2c280e1d64b0afb47049ec3798910c58'
Old sha1sum was: 'd118c0b6a5d478098065e77bde5b57da9dcb6b80'
New sha1sum is : '3d7eb2bc0fb7916653978643b87df308447bbc8b'
Old sha256sum was: 'bdcd8471121275592c217368c48ce512c05de86c062009585c27240c6dd31fd9'
New sha256sum is : '818f7fa2bc631064c2762547f864c4a5521e625d4ec48c7a2a4f0bee93ef9502'

Attributes:
 - Size: 5682
 - Permissions: rw-rw----
 - Date: Wed May  8 14:13:38 2024
 - Inode: 1574517
 - User: root (0)
 - Group: wazuh (113)
 - MD5: 2c280e1d64b0afb47049ec3798910c58
 - SHA1: 3d7eb2bc0fb7916653978643b87df308447bbc8b
 - SHA256: 818f7fa2bc631064c2762547f864c4a5521e625d4ec48c7a2a4f0bee93ef9502

** Alert 1715166848.7690161: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2024 May 08 14:14:08 (agent3-ubu22) any->wazuh-remoted
Rule: 506 (level 3) -> 'Wazuh agent stopped.'
ossec: Agent stopped: 'agent3-ubu22->any'.

** Alert 1715166851.7690498: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2024 May 08 14:14:11 (agent3-ubu22) any->wazuh-agent
Rule: 503 (level 3) -> 'Wazuh agent started.'
ossec: Agent started: 'agent3-ubu22->any'.
Active response log
root@agent3-ubu22:/home/vagrant# cat /var/ossec/logs/active-responses.log 

Wed May  8 11:10:41 UTC 2024 active-response/bin/restart.sh agent    
2024/05/08 11:13:38 active-response/bin/restart-wazuh: Starting
2024/05/08 11:13:38 active-response/bin/restart-wazuh: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2024-05-08T14:13:38.725+0300","rule":{"level":5,"description":"Changes made to the agent configuration file - /var/ossec/etc/ossec.conf","id":"100009","firedtimes":1,"mail":false,"groups":["restart"]},"agent":{"id":"001","name":"agent3-ubu22","ip":"192.168.56.106"},"manager":{"name":"localhost.localdomain"},"id":"1715166818.7689060","full_log":"File '/var/ossec/etc/ossec.conf' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '5681' to '5682'\nOld modification time was: '1715166684', now it is '1715166818'\nOld md5sum was: '78a1bd39c2a113fb967c85371acab4a7'\nNew md5sum is : '2c280e1d64b0afb47049ec3798910c58'\nOld sha1sum was: 'd118c0b6a5d478098065e77bde5b57da9dcb6b80'\nNew sha1sum is : '3d7eb2bc0fb7916653978643b87df308447bbc8b'\nOld sha256sum was: 'bdcd8471121275592c217368c48ce512c05de86c062009585c27240c6dd31fd9'\nNew sha256sum is : '818f7fa2bc631064c2762547f864c4a5521e625d4ec48c7a2a4f0bee93ef9502'\n","syscheck":{"path":"/var/ossec/etc/ossec.conf","mode":"realtime","size_before":"5681","size_after":"5682","perm_after":"rw-rw----","uid_after":"0","gid_after":"113","md5_before":"78a1bd39c2a113fb967c85371acab4a7","md5_after":"2c280e1d64b0afb47049ec3798910c58","sha1_before":"d118c0b6a5d478098065e77bde5b57da9dcb6b80","sha1_after":"3d7eb2bc0fb7916653978643b87df308447bbc8b","sha256_before":"bdcd8471121275592c217368c48ce512c05de86c062009585c27240c6dd31fd9","sha256_after":"818f7fa2bc631064c2762547f864c4a5521e625d4ec48c7a2a4f0bee93ef9502","uname_after":"root","gname_after":"wazuh","mtime_before":"2024-05-08T14:11:24","mtime_after":"2024-05-08T14:13:38","inode_after":1574517,"changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"},"program":"active-response/bin/restart-wazuh"}}

2024/05/08 11:14:17 active-response/bin/restart-wazuh: Ended

🟢 csyslogd module

Link to the docu guide: https://documentation.wazuh.com/current/user-manual/manager/manual-syslog-output.html
Link to syslog_output config: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syslog-output.html#reference-ossec-syslog-output

Configuration in the manager
<syslog_output>
  <server>192.168.56.52</server>
  <level>3</level>
  <format>json</format>
</syslog_output>
Manager log
2024/05/08 14:27:25 wazuh-csyslogd: INFO: Started (pid: 8695).
2024/05/08 14:27:25 wazuh-csyslogd: INFO: Forwarding alerts via syslog to: '192.168.56.106:514'.
Rsyslog server configuration and results. Done in an Ubuntu 22 VM.

Edit rsyslog file:
/etc/rsyslog.conf

Uncomment tcp config lines:

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

Disable firewall:
systemctl stop firewalld.service

Restart rsyslog:
systemctl restart rsyslog

Alert received in rsyslog server in /var/log/message:

Dec 14 12:22:12 rhel9 ossec: {"timestamp":"2023-12-14T12:22:12.714+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"centos8","ip":"192.168.56.52"},"manager":{"name":"rhel9"},"id":"1702556532.8056183","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 918/sshd\ntcp6 :::22 :::* 918/sshd\nudp 127.0.0.1:323 0.0.0.0:* 847/chronyd\nudp6 ::1:323 :::* 847/chronyd\ntcp 0.0.0.0:514 0.0.0.0:* 4590/rsyslogd\ntcp6 :::514 :::* 4590/rsyslogd","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 918/sshd\ntcp6 :::22 :::* 918/sshd\nudp 127.0.0.1:323 0.0.0.0:* 847/chronyd\nudp6 ::1:323 :::* 847/chronyd\ntcp 0.0.0.0:514 0.0.0.0:* 4713/rsyslogd\ntcp6 :::514 :::* 4713/rsyslogd\nudp 0.0.0.0:514 0.0.0.0:* 4713/rsyslogd\nudp6 :::514 :::* 4713/rsyslogd","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 918/sshd\ntcp6 :::22 :::* 918/sshd\nudp 127.0.0.1:323 0.0.0.0:* 847/chronyd\nudp6 ::1:323 :::* 847/chronyd\ntcp 0.0.0.0:514 0.0.0.0:* 4590/rsyslogd\ntcp6 :::514 :::* 4590/rsyslogd","location":"netstat listening ports"}

🟢 maild module

Postfix installation

Link to the docu guide:
https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html

  • Install postfix and deps:
    yum update && yum install postfix mailx cyrus-sasl cyrus-sasl-plain

  • Edit postfix configuration:
    /etc/postfix/main.cf

  • Add this block for CentOS systems:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes
compatibility_level = 2
  • If the postfix server is not on the same local host where the manager is, you have to edit these lines in the postfix config file too:
inet_interfaces = all
mynetworks = 192.168.56.24 #(IP address of the VM where wazuh-manager is installed)
  • Add to postfix the password related to your Gmail account.
    Note: The password must be an App Password. App Passwords can only be used with accounts that have 2-Step Verification turned on.
echo [smtp.gmail.com]:587 USERNAME@gmail.com:PASSWORD > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
chmod 400 /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
systemctl restart postfix
  • To check postfix logs:

journalctl -u postfix -f

Configuration in the manager
  • Edit the smtp_server field with the IP address of the VM where postfix is installed:
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>manuel.cano@wazuh.com</email_from>
    <email_to>manuel.cano@wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>

Restart the manager and generate a FIM modified event (rule id 550, set in the configuration).

Results
  • Logs in postfix:

journalctl -u postfix -f

[root@localhost vagrant]# journalctl -u postfix -f
May 08 14:53:54 localhost.localdomain postfix/smtp[16337]: ADBF0105D0F: to=<manuel.cano@wazuh.com>, relay=smtp.gmail.com[64.233.167.108]:587, delay=1.6, delays=0.06/0.08/0.74/0.73, dsn=2.0.0, status=sent (250 2.0.0 OK  1715169234 5b1f17b1804b1-41f88110ff8sm20657595e9.38 - gsmtp)
May 08 14:53:54 localhost.localdomain postfix/qmgr[11501]: ADBF0105D0F: removed
May 08 14:54:22 localhost.localdomain postfix/smtpd[16330]: connect from localhost[127.0.0.1]
May 08 14:54:22 localhost.localdomain postfix/smtpd[16330]: AC9161000DE: client=localhost[127.0.0.1]
May 08 14:54:22 localhost.localdomain postfix/cleanup[16336]: AC9161000DE: message-id=<20240508115422.AC9161000DE@localhost.localdomain>
May 08 14:54:22 localhost.localdomain postfix/smtpd[16330]: disconnect from localhost[127.0.0.1] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 08 14:54:22 localhost.localdomain postfix/qmgr[11501]: AC9161000DE: from=<manuel.cano@wazuh.com>, size=999, nrcpt=1 (queue active)
May 08 14:54:22 localhost.localdomain postfix/smtp[16337]: connect to smtp.gmail.com[2a00:1450:400c:c06::6d]:587: Network is unreachable
May 08 14:54:23 localhost.localdomain postfix/smtp[16337]: AC9161000DE: to=<manuel.cano@wazuh.com>, relay=smtp.gmail.com[64.233.167.108]:587, delay=1.3, delays=0.05/0/0.52/0.68, dsn=2.0.0, status=sent (250 2.0.0 OK  1715169263 q14-20020a05600c46ce00b004182b87aaacsm2056291wmo.14 - gsmtp)
May 08 14:54:23 localhost.localdomain postfix/qmgr[11501]: AC9161000DE: removed

🔴 -> 🟢 clusterd module

See #23312 (comment)

nginx installation

Link to the docu guide:
https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html

  • Install nginx:
    yum install yum-utils
    nano /etc/yum.repos.d/nginx.repo
    Add this block:
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

yum-config-manager --enable nginx-mainline
yum install nginx

  • Edit nginx configuration:
    nano /etc/nginx/nginx.conf
    Add this block, editing the IP addresses:
stream {
    upstream cluster {
        hash $remote_addr consistent;
        server <WAZUH-MASTER-IP>:1514;
        server <WAZUH-WORKER1-IP>:1514;
    }
    upstream master {
        server <WAZUH-MASTER-IP>:1515;
    }
    server {
        listen 1514;
        proxy_pass cluster;
    }
    server {
        listen 1515;
        proxy_pass master;
    }
}

With this configuration:

[root@localhost vagrant]# cat /etc/nginx/nginx.conf

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;

    include /etc/nginx/conf.d/*.conf;
}


stream {
    upstream cluster {
        hash $remote_addr consistent;
        server 192.168.56.208:1514;
        server 192.168.56.100:1514;
    }
    upstream master {
        server 192.168.56.208:1515;
    }
    server {
        listen 1514;
        proxy_pass cluster;
    }
    server {
        listen 1515;
        proxy_pass master;
    }
}

The following problem arises:

[root@localhost vagrant]# nginx -c /etc/nginx/nginx.conf
nginx: [emerg] bind() to 0.0.0.0:1514 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1515 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1514 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1515 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1514 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1515 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1514 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1515 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1514 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1515 failed (98: Address already in use)
nginx: [emerg] still could not bind()
[root@localhost vagrant]# systemctl status nginx
× nginx.service - nginx - high performance web server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Wed 2024-05-08 15:38:47 EEST; 1h 5min ago
       Docs: http://nginx.org/en/docs/
    Process: 17247 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
        CPU: 18ms

May 08 15:38:47 localhost.localdomain systemd[1]: Starting nginx - high performance web server...
May 08 15:38:47 localhost.localdomain nginx[17247]: nginx: [emerg] bind() to 0.0.0.0:1514 failed (13: Permission denied)
May 08 15:38:47 localhost.localdomain systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
May 08 15:38:47 localhost.localdomain systemd[1]: nginx.service: Failed with result 'exit-code'.
May 08 15:38:47 localhost.localdomain systemd[1]: Failed to start nginx - high performance web server.

Install another wazuh-manager to create the cluster
Results

🟢 integratord module

Virustotal integration

Link: https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#virustotal

  • Manager configuration:
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
** Alert 1715178187.11332461: mail  - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 May 08 17:23:07 (agent3-ubu22) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/test/file2' added
Mode: realtime

Attributes:
 - Size: 0
 - Permissions: rw-r--r--
 - Date: Wed May  8 17:23:07 2024
 - Inode: 2359300
 - User: root (0)
 - Group: root (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

** Alert 1715178189.11333149: mail  - virustotal,
2024 May 08 17:23:09 (agent3-ubu22) 192.168.56.106->virustotal
Rule: 87104 (level 3) -> 'VirusTotal: Alert - /test/file2 - No positives found'
{"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1715178187.11332461", "file": "/test/file2", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2024-05-08 14:17:22", "positives": 0, "total": 48, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1715177842"}, "integration": "virustotal"}
virustotal.found: 1
virustotal.malicious: 0
virustotal.source.alert_id: 1715178187.11332461
virustotal.source.file: /test/file2
virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
virustotal.scan_date: 2024-05-08 14:17:22
virustotal.positives: 0
virustotal.total: 48
virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1715177842
integration: virustotal
** Alert 1715178336.11334533: mail  - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 May 08 17:25:36 (agent3-ubu22) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/test/eicar.com.txt' added
Mode: realtime

Attributes:
 - Size: 68
 - Permissions: rw-r--r--
 - Date: Wed May  8 17:25:13 2024
 - Inode: 1444251
 - User: root (0)
 - Group: root (0)
 - MD5: 44d88612fea8a8f36de82e1278abb02f
 - SHA1: 3395856ce81f2b7382dee72602f798b642f14140
 - SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

** Alert 1715178339.11335230: mail  - virustotal,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
2024 May 08 17:25:39 (agent3-ubu22) 192.168.56.106->virustotal
Rule: 87105 (level 12) -> 'VirusTotal: Alert - /test/eicar.com.txt - 54 engines detected this file'
{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1715178336.11334533", "file": "/test/eicar.com.txt", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140"}, "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "scan_date": "2024-05-08 14:04:47", "positives": 54, "total": 58, "permalink": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1715177087"}, "integration": "virustotal"}
virustotal.found: 1
virustotal.malicious: 1
virustotal.source.alert_id: 1715178336.11334533
virustotal.source.file: /test/eicar.com.txt
virustotal.source.md5: 44d88612fea8a8f36de82e1278abb02f
virustotal.source.sha1: 3395856ce81f2b7382dee72602f798b642f14140
virustotal.sha1: 3395856ce81f2b7382dee72602f798b642f14140
virustotal.scan_date: 2024-05-08 14:04:47
virustotal.positives: 54
virustotal.total: 58
virustotal.permalink: https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1715177087
integration: virustotal
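The integratord output above pairs a FIM alert (rule 554) with a VirusTotal alert (rule 87104 or 87105) through `virustotal.source.alert_id`. The following is an added example, not a script from this issue, that correlates the two records from alerts.json-style lines, derives a verdict from `found`/`malicious`/`positives`, and checks that the hashes VirusTotal was asked about are the ones FIM reported; the sample records are constructed from the alerts quoted above.

```python
import json

# Constructed alerts.json-style records (added example, not output captured in this
# issue): the VirusTotal payloads are the two quoted above, FIM records are trimmed.
SAMPLE_ALERTS = [
    {"id": "1715178187.11332461", "rule": {"id": "554"},
     "syscheck": {"path": "/test/file2",
                  "md5_after": "d41d8cd98f00b204e9800998ecf8427e",
                  "sha1_after": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}},
    {"id": "1715178189.11333149", "rule": {"id": "87104"},
     "data": {"integration": "virustotal", "virustotal": {
         "found": 1, "malicious": 0, "positives": 0, "total": 48,
         "source": {"alert_id": "1715178187.11332461", "file": "/test/file2",
                    "md5": "d41d8cd98f00b204e9800998ecf8427e",
                    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}}}},
    {"id": "1715178336.11334533", "rule": {"id": "554"},
     "syscheck": {"path": "/test/eicar.com.txt",
                  "md5_after": "44d88612fea8a8f36de82e1278abb02f",
                  "sha1_after": "3395856ce81f2b7382dee72602f798b642f14140"}},
    {"id": "1715178339.11335230", "rule": {"id": "87105"},
     "data": {"integration": "virustotal", "virustotal": {
         "found": 1, "malicious": 1, "positives": 54, "total": 58,
         "source": {"alert_id": "1715178336.11334533", "file": "/test/eicar.com.txt",
                    "md5": "44d88612fea8a8f36de82e1278abb02f",
                    "sha1": "3395856ce81f2b7382dee72602f798b642f14140"}}}},
]
SAMPLE_LINES = [json.dumps(a) for a in SAMPLE_ALERTS]


def correlate_virustotal(lines):
    """Pair each VirusTotal alert with its source FIM alert and derive a verdict;
    hashes_match is False when the looked-up hashes are not the ones FIM saw."""
    alerts = [json.loads(line) for line in lines]
    by_id = {a["id"]: a for a in alerts}
    results = []
    for a in alerts:
        vt = a.get("data", {}).get("virustotal")
        if not vt:
            continue  # not an integratord alert
        src = vt["source"]
        fim = by_id.get(src["alert_id"], {}).get("syscheck", {})
        if not vt["found"]:
            verdict = "unknown"  # hash unknown to VirusTotal: no verdict either way
        elif vt["malicious"] or vt["positives"] > 0:
            verdict = "malicious"
        else:
            verdict = "clean"
        results.append({"file": src["file"], "verdict": verdict,
                        "positives": vt["positives"], "total": vt["total"],
                        "hashes_match": fim.get("md5_after") == src["md5"]
                        and fim.get("sha1_after") == src["sha1"]})
    return results
```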

@mjcr99
Member Author

mjcr99 commented May 9, 2024

🔴 -> 🟢 clusterd module

To avoid the nginx installation problem this test has been performed without using a Load Balancer, following this documentation.

Cluster configuration block in master node
<cluster>
    <name>wazuh</name>
    <node_name>master-node</node_name>
    <key>7f0fb8da5d78dd01671cf8713e6c5ed5</key>
    <node_type>master</node_type>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>192.168.56.208</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>
Cluster configuration block in worker node
<cluster>
    <name>wazuh</name>
    <node_name>worker01-node</node_name>
    <key>7f0fb8da5d78dd01671cf8713e6c5ed5</key>
    <node_type>worker</node_type>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>192.168.56.208</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>
Agent enrollment logs with worker node
2024/05/09 17:20:13 wazuh-agentd: INFO: Requesting a key from server: 192.168.56.100
2024/05/09 17:20:13 wazuh-agentd: INFO: No authentication password provided
2024/05/09 17:20:13 wazuh-agentd: INFO: Using agent name as: agent-rhel9.4
2024/05/09 17:20:13 wazuh-agentd: INFO: Waiting for server reply
2024/05/09 17:20:13 wazuh-agentd: INFO: Valid key received
2024/05/09 17:20:13 wazuh-agentd: INFO: Waiting 20 seconds before server connection
2024/05/09 17:20:33 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/05/09 17:20:33 wazuh-agentd: INFO: Closing connection to server ([192.168.56.100]:1514/tcp).
2024/05/09 17:20:33 wazuh-agentd: INFO: Trying to connect to server ([192.168.56.100]:1514/tcp).
2024/05/09 17:20:33 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.56.100]:1514/tcp).
2024/05/09 17:20:34 wazuh-syscheckd: INFO: Agent is now online. Process unlocked, continuing...
Cluster and listed agent visualization
[root@localhost vagrant]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent3-ubu22, IP: any, Disconnected
   ID: 002, Name: agent-rhel9.4, IP: any, Active

List of agentless devices:

[root@localhost vagrant]# /var/ossec/bin/cluster_control -l
NAME           TYPE    VERSION  ADDRESS         
master-node    master  4.7.4    192.168.56.208  
worker01-node  worker  4.7.4    192.168.56.100  
[root@localhost vagrant]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent3-ubu22, IP: any, Disconnected
   ID: 002, Name: agent-rhel9.4, IP: any, Active

List of agentless devices:

@MarcelKemp
Member

LGTM.
