
Error related to puppet module for wazuh agent agent.pp #23321

Closed
Rolly-M opened this issue May 7, 2024 · 1 comment · Fixed by wazuh/wazuh-puppet#1000
Labels: level/task, type/enhancement (New feature or request)

Comments

Rolly-M (Member) commented May 7, 2024

Wazuh version: 4.8.0 - RC1
Component: Wazuh component
Install type: Agent
Install method: Puppet
Platform: Amazon linux 2023

I am working on the E2E UX tests - Deployment with Puppet for Release 4.8.0 - RC 1 and encountering an error. When running the puppet agent to install the wazuh agent, I get the error below.

Notice: Catalog compiled by puppet-master.ec2.internal
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Unknown variable: 'wazuh::params_agent::ossec_service_provider'. (file: /etc/puppetlabs/code/environments/production/modules/wazuh/manifests/agent.pp, line: 581, column: 24) on node wazuh-agent.ec2.internal
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run


vcerenu (Member) commented May 9, 2024

Description

The error was related to the service provider configuration that we made for all Linux operating systems. The Amazon Linux family of operating systems did not have any assigned service provider, which is stored in the ossec_service_provider variable.

A service provider compatible with all Amazon Linux operating systems was assigned, which is systemd.

Tests

Amazon Linux 2023

[root@ip-172-31-10-86 ~]# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from ip-172-31-13-33:8140 (172.31.13.33)
Notice: Catalog compiled by ip-172-31-13-33.ec2.internal
Info: Caching catalog for ip-172-31-10-86.ec2.internal
Info: Applying configuration version '1715263210'
Notice: /Stage[main]/Wazuh::Agent/Package[wazuh-agent]/ensure: created (corrective)
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: 
--- /var/ossec/etc/ossec.conf	2024-05-09 14:00:15.090885068 +0000
+++ /tmp/puppet-file20240509-10445-fgha4p	2024-05-09 14:00:42.061070237 +0000
@@ -1,23 +1,22 @@
-<!--
-  Wazuh - Agent - Default configuration for amzn 1
-  More info at: https://documentation.wazuh.com
-  Mailing list: https://groups.google.com/forum/#!forum/wazuh
--->
-
 <ossec_config>
   <client>
-    <server>
-      <address>MANAGER_IP</address>
-      <port>1514</port>
-      <protocol>tcp</protocol>
-    </server>
-    <config-profile>amzn, amzn1</config-profile>
+  <server>
+    <address>172.31.13.33</address>
+    <protocol>tcp</protocol>
+    <port>1514</port>
+    <max_retries>5</max_retries>
+    <retry_interval>5</retry_interval>
+  </server>
     <notify_time>10</notify_time>
     <time-reconnect>60</time-reconnect>
-    <auto_restart>yes</auto_restart>
     <crypto_method>aes</crypto_method>
+    <auto_restart>yes</auto_restart>
   </client>
 
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
   <client_buffer>
     <!-- Agent buffer options -->
     <disabled>no</disabled>
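Review bot: the rewritten `<client>` block removes `<config-profile>amzn, amzn1</config-profile>` and adds nothing in its place, so any centralized `agent.conf` section on the manager that is scoped with `profile="amzn"` stops matching this agent; a `config_profile` parameter (name assumed) rendered into the template would keep that behaviour under module control instead of dropping it silently. Replacing the `MANAGER_IP` placeholder with the manager address and adding `<max_retries>`/`<retry_interval>` is the intended effect and looks right. Note also that the packaged default on this AL2023 host identifies itself as "amzn 1", so the packaged profile was already mismatched on this platform.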
@@ -25,8 +24,9 @@
     <events_per_second>500</events_per_second>
   </client_buffer>
 
-  <!-- Policy monitoring -->
-  <rootcheck>
+
+
+<rootcheck>
     <disabled>no</disabled>
     <check_files>yes</check_files>
     <check_trojans>yes</check_trojans>
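Review bot: style only: the generated `<rootcheck>` opens at column 0 behind two added blank lines while its child elements keep the four-space indent of the packaged file, and the `<!-- Policy monitoring -->` comment is lost; emitting consistent indentation from the template would keep future diffs against the packaged defaults readable. No behavioural change in this hunk.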
@@ -35,155 +35,142 @@
     <check_pids>yes</check_pids>
     <check_ports>yes</check_ports>
     <check_if>yes</check_if>
-
-    <!-- Frequency that rootcheck is executed - every 12 hours -->
-    <frequency>43200</frequency>
-
-    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
-
+    <frequency>36000</frequency>
+    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
     <skip_nfs>yes</skip_nfs>
-  </rootcheck>
+</rootcheck>
 
-  <wodle name="cis-cat">
+<wodle name="open-scap">
     <disabled>yes</disabled>
     <timeout>1800</timeout>
     <interval>1d</interval>
     <scan-on-start>yes</scan-on-start>
 
+</wodle>
+<wodle name="cis-cat">    
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
     <java_path>wodles/java</java_path>
     <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
+</wodle>
 
-  <!-- Osquery integration -->
-  <wodle name="osquery">
+
+<wodle name="osquery">
     <disabled>yes</disabled>
     <run_daemon>yes</run_daemon>
+    <bin_path>/usr/bin/osqueryd</bin_path>
     <log_path>/var/log/osquery/osqueryd.results.log</log_path>
     <config_path>/etc/osquery/osquery.conf</config_path>
     <add_labels>yes</add_labels>
-  </wodle>
+</wodle>
 
-  <!-- System inventory -->
-  <wodle name="syscollector">
-    <disabled>no</disabled>
-    <interval>1h</interval>
-    <scan_on_start>yes</scan_on_start>
-    <hardware>yes</hardware>
-    <os>yes</os>
-    <network>yes</network>
-    <packages>yes</packages>
-    <ports all="no">yes</ports>
-    <processes>yes</processes>
-
-    <!-- Database synchronization settings -->
-    <synchronization>
-      <max_eps>10</max_eps>
-    </synchronization>
-  </wodle>
+  
+<wodle name="syscollector">
+  <disabled>no</disabled>
+  <interval>1h</interval>
+  <scan_on_start>yes</scan_on_start>
+  <hardware>yes</hardware>
+  <os>yes</os>
+  <network>yes</network>
+  <packages>yes</packages>
+  <ports all="no">yes</ports>
+  <processes>yes</processes>
+</wodle>
 
-  <sca>
+ 
+<sca>
     <enabled>yes</enabled>
     <scan_on_start>yes</scan_on_start>
     <interval>12h</interval>
     <skip_nfs>yes</skip_nfs>
+  
   </sca>
+    
+  
+<syscheck>
+  <disabled>no</disabled>
+  <frequency>43200</frequency>
+  <scan_on_start>yes</scan_on_start>
+  <process_priority>10</process_priority>
+  <synchronization>
+    <enabled>yes</enabled>
+    <interval>5m</interval>
+    <max_interval>1h</max_interval>
+    <max_eps>10</max_eps>
+  </synchronization>
+
+  <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
+  <directories check_all="yes" >/bin,/sbin,/boot</directories>
+  <ignore>/etc/mtab</ignore>
+  <ignore>/etc/hosts.deny</ignore>
+  <ignore>/etc/mail/statistics</ignore>
+  <ignore>/etc/random-seed</ignore>
+  <ignore>/etc/random.seed</ignore>
+  <ignore>/etc/adjtime</ignore>
+  <ignore>/etc/httpd/logs</ignore>
+  <ignore>/etc/utmpx</ignore>
+  <ignore>/etc/wtmpx</ignore>
+  <ignore>/etc/cups/certs</ignore>
+  <ignore>/etc/dumpdates</ignore>
+  <ignore>/etc/svc/volatile</ignore>
+  <ignore>/sys/kernel/security</ignore>
+  <ignore>/sys/kernel/debug</ignore>
+  <ignore>/dev/core</ignore>
+  <ignore type="sregex">^/proc</ignore>
+  <ignore type="sregex">.log$|.swp$</ignore>
+  <nodiff>/etc/ssl/private.key</nodiff>
+  <skip_nfs>yes</skip_nfs>
+</syscheck>
 
-  <!-- File integrity monitoring -->
-  <syscheck>
-    <disabled>no</disabled>
-
-    <!-- Frequency that syscheck is executed default every 12 hours -->
-    <frequency>43200</frequency>
-
-    <scan_on_start>yes</scan_on_start>
 
-    <!-- Directories to check  (perform all possible verifications) -->
-    <directories>/etc,/usr/bin,/usr/sbin</directories>
-    <directories>/bin,/sbin,/boot</directories>
-
-    <!-- Files/directories to ignore -->
-    <ignore>/etc/mtab</ignore>
-    <ignore>/etc/hosts.deny</ignore>
-    <ignore>/etc/mail/statistics</ignore>
-    <ignore>/etc/random-seed</ignore>
-    <ignore>/etc/random.seed</ignore>
-    <ignore>/etc/adjtime</ignore>
-    <ignore>/etc/httpd/logs</ignore>
-    <ignore>/etc/utmpx</ignore>
-    <ignore>/etc/wtmpx</ignore>
-    <ignore>/etc/cups/certs</ignore>
-    <ignore>/etc/dumpdates</ignore>
-    <ignore>/etc/svc/volatile</ignore>
 
-    <!-- File types to ignore -->
-    <ignore type="sregex">.log$|.swp$</ignore>
 
-    <!-- Check the file, but never compute the diff -->
-    <nodiff>/etc/ssl/private.key</nodiff>
 
-    <skip_nfs>yes</skip_nfs>
-    <skip_dev>yes</skip_dev>
-    <skip_proc>yes</skip_proc>
-    <skip_sys>yes</skip_sys>
-
-    <!-- Nice value for Syscheck process -->
-    <process_priority>10</process_priority>
-
-    <!-- Maximum output throughput -->
-    <max_eps>50</max_eps>
-
-    <!-- Database synchronization settings -->
-    <synchronization>
-      <enabled>yes</enabled>
-      <interval>5m</interval>
-      <max_eps>10</max_eps>
-    </synchronization>
-  </syscheck>
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/messages</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/secure</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/maillog</location>
+  </localfile>
 
-  <!-- Log analysis -->
   <localfile>
     <log_format>command</log_format>
     <command>df -P</command>
     <frequency>360</frequency>
   </localfile>
-
   <localfile>
     <log_format>full_command</log_format>
     <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
     <alias>netstat listening ports</alias>
     <frequency>360</frequency>
   </localfile>
-
   <localfile>
     <log_format>full_command</log_format>
     <command>last -n 20</command>
     <frequency>360</frequency>
   </localfile>
 
-  <!-- Active response -->
+
   <active-response>
     <disabled>no</disabled>
-    <ca_store>etc/wpk_root.pem</ca_store>
+    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
     <ca_verification>yes</ca_verification>
   </active-response>
-
-  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
-  <logging>
-    <log_format>plain</log_format>
-  </logging>
-
-</ossec_config>
-
-<ossec_config>
-  <localfile>
-    <log_format>audit</log_format>
-    <location>/var/log/audit/audit.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/ossec/logs/active-responses.log</location>
-  </localfile>
-
-</ossec_config>
+</ossec_config>
\ No newline at end of file
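Review bot: the new `<syscheck>` block drops `<skip_dev>`, `<skip_proc>`, `<skip_sys>` and the top-level `<max_eps>50</max_eps>`, covering only the /proc case with `<ignore type="sregex">^/proc</ignore>` plus a few explicit /sys and /dev paths; with `<directories>` limited to /etc, /usr/bin, /usr/sbin, /bin, /sbin and /boot this has no immediate effect, but the skip options are cheap insurance if someone later widens the monitored set, so they should be kept or exposed as template parameters. Two further silent changes worth stating in the PR description: rootcheck `<frequency>` moves from 43200 to 36000, and `<max_eps>` disappears from the syscollector `<synchronization>` block. The absolute paths for `<rootkit_files>`, `<rootkit_trojans>` and `<ca_store>` are an improvement over the relative ones. The three added syslog collectors for /var/log/messages, /var/log/secure and /var/log/maillog should be verified against what actually exists on an AL2023 host so the agent is not configured to read files that are not there.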

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum a9728eb489b7c14f075d1aca5dba3d8c918536e51203d3fbea50a5b491327ad9
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: 

Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{sha256}a9728eb489b7c14f075d1aca5dba3d8c918536e51203d3fbea50a5b491327ad9' to '{sha256}6a0cffbae9632a2c9f4901d421829afe31a774b913084bafd4534925c14e55b2' (corrective)
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/mode: mode changed '0660' to '0640' (corrective)
Info: Concat[agent_ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]/returns: executed successfully (corrective)
Info: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running' (corrective)
Info: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Unscheduling refresh on Service[wazuh-agent]
Notice: Applied catalog in 38.12 seconds
[root@ip-172-31-10-86 ~]# 

Amazon Linux 2

[root@ip-172-31-6-176 ~]# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from ip-172-31-13-33:8140 (172.31.13.33)
Notice: Catalog compiled by ip-172-31-13-33.ec2.internal
Info: Caching catalog for ip-172-31-6-176.ec2.internal
Info: Applying configuration version '1715263218'
Notice: /Stage[main]/Wazuh::Agent/Package[wazuh-agent]/ensure: created (corrective)
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: 
--- /var/ossec/etc/ossec.conf	2024-05-09 14:00:24.383478808 +0000
+++ /tmp/puppet-file20240509-3105-1nb946g	2024-05-09 14:00:24.895492838 +0000
@@ -1,23 +1,22 @@
-<!--
-  Wazuh - Agent - Default configuration for amzn 2
-  More info at: https://documentation.wazuh.com
-  Mailing list: https://groups.google.com/forum/#!forum/wazuh
--->
-
 <ossec_config>
   <client>
-    <server>
-      <address>MANAGER_IP</address>
-      <port>1514</port>
-      <protocol>tcp</protocol>
-    </server>
-    <config-profile>amzn, amzn2</config-profile>
+  <server>
+    <address>172.31.13.33</address>
+    <protocol>tcp</protocol>
+    <port>1514</port>
+    <max_retries>5</max_retries>
+    <retry_interval>5</retry_interval>
+  </server>
     <notify_time>10</notify_time>
     <time-reconnect>60</time-reconnect>
-    <auto_restart>yes</auto_restart>
     <crypto_method>aes</crypto_method>
+    <auto_restart>yes</auto_restart>
   </client>
 
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
   <client_buffer>
     <!-- Agent buffer options -->
     <disabled>no</disabled>
@@ -25,8 +24,9 @@
     <events_per_second>500</events_per_second>
   </client_buffer>
 
-  <!-- Policy monitoring -->
-  <rootcheck>
+
+
+<rootcheck>
     <disabled>no</disabled>
     <check_files>yes</check_files>
     <check_trojans>yes</check_trojans>
@@ -35,170 +35,142 @@
     <check_pids>yes</check_pids>
     <check_ports>yes</check_ports>
     <check_if>yes</check_if>
-
-    <!-- Frequency that rootcheck is executed - every 12 hours -->
-    <frequency>43200</frequency>
-
-    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
-
+    <frequency>36000</frequency>
+    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
     <skip_nfs>yes</skip_nfs>
-  </rootcheck>
+</rootcheck>
 
-  <wodle name="cis-cat">
+<wodle name="open-scap">
     <disabled>yes</disabled>
     <timeout>1800</timeout>
     <interval>1d</interval>
     <scan-on-start>yes</scan-on-start>
 
+</wodle>
+<wodle name="cis-cat">    
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
     <java_path>wodles/java</java_path>
     <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
+</wodle>
+
 
-  <!-- Osquery integration -->
-  <wodle name="osquery">
+<wodle name="osquery">
     <disabled>yes</disabled>
     <run_daemon>yes</run_daemon>
+    <bin_path>/usr/bin/osqueryd</bin_path>
     <log_path>/var/log/osquery/osqueryd.results.log</log_path>
     <config_path>/etc/osquery/osquery.conf</config_path>
     <add_labels>yes</add_labels>
-  </wodle>
+</wodle>
 
-  <!-- System inventory -->
-  <wodle name="syscollector">
-    <disabled>no</disabled>
-    <interval>1h</interval>
-    <scan_on_start>yes</scan_on_start>
-    <hardware>yes</hardware>
-    <os>yes</os>
-    <network>yes</network>
-    <packages>yes</packages>
-    <ports all="no">yes</ports>
-    <processes>yes</processes>
-
-    <!-- Database synchronization settings -->
-    <synchronization>
-      <max_eps>10</max_eps>
-    </synchronization>
-  </wodle>
+  
+<wodle name="syscollector">
+  <disabled>no</disabled>
+  <interval>1h</interval>
+  <scan_on_start>yes</scan_on_start>
+  <hardware>yes</hardware>
+  <os>yes</os>
+  <network>yes</network>
+  <packages>yes</packages>
+  <ports all="no">yes</ports>
+  <processes>yes</processes>
+</wodle>
 
-  <sca>
+ 
+<sca>
     <enabled>yes</enabled>
     <scan_on_start>yes</scan_on_start>
     <interval>12h</interval>
     <skip_nfs>yes</skip_nfs>
+  
   </sca>
+    
+  
+<syscheck>
+  <disabled>no</disabled>
+  <frequency>43200</frequency>
+  <scan_on_start>yes</scan_on_start>
+  <process_priority>10</process_priority>
+  <synchronization>
+    <enabled>yes</enabled>
+    <interval>5m</interval>
+    <max_interval>1h</max_interval>
+    <max_eps>10</max_eps>
+  </synchronization>
+
+  <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
+  <directories check_all="yes" >/bin,/sbin,/boot</directories>
+  <ignore>/etc/mtab</ignore>
+  <ignore>/etc/hosts.deny</ignore>
+  <ignore>/etc/mail/statistics</ignore>
+  <ignore>/etc/random-seed</ignore>
+  <ignore>/etc/random.seed</ignore>
+  <ignore>/etc/adjtime</ignore>
+  <ignore>/etc/httpd/logs</ignore>
+  <ignore>/etc/utmpx</ignore>
+  <ignore>/etc/wtmpx</ignore>
+  <ignore>/etc/cups/certs</ignore>
+  <ignore>/etc/dumpdates</ignore>
+  <ignore>/etc/svc/volatile</ignore>
+  <ignore>/sys/kernel/security</ignore>
+  <ignore>/sys/kernel/debug</ignore>
+  <ignore>/dev/core</ignore>
+  <ignore type="sregex">^/proc</ignore>
+  <ignore type="sregex">.log$|.swp$</ignore>
+  <nodiff>/etc/ssl/private.key</nodiff>
+  <skip_nfs>yes</skip_nfs>
+</syscheck>
 
-  <!-- File integrity monitoring -->
-  <syscheck>
-    <disabled>no</disabled>
-
-    <!-- Frequency that syscheck is executed default every 12 hours -->
-    <frequency>43200</frequency>
 
-    <scan_on_start>yes</scan_on_start>
 
-    <!-- Directories to check  (perform all possible verifications) -->
-    <directories>/etc,/usr/bin,/usr/sbin</directories>
-    <directories>/bin,/sbin,/boot</directories>
-
-    <!-- Files/directories to ignore -->
-    <ignore>/etc/mtab</ignore>
-    <ignore>/etc/hosts.deny</ignore>
-    <ignore>/etc/mail/statistics</ignore>
-    <ignore>/etc/random-seed</ignore>
-    <ignore>/etc/random.seed</ignore>
-    <ignore>/etc/adjtime</ignore>
-    <ignore>/etc/httpd/logs</ignore>
-    <ignore>/etc/utmpx</ignore>
-    <ignore>/etc/wtmpx</ignore>
-    <ignore>/etc/cups/certs</ignore>
-    <ignore>/etc/dumpdates</ignore>
-    <ignore>/etc/svc/volatile</ignore>
 
-    <!-- File types to ignore -->
-    <ignore type="sregex">.log$|.swp$</ignore>
 
-    <!-- Check the file, but never compute the diff -->
-    <nodiff>/etc/ssl/private.key</nodiff>
-
-    <skip_nfs>yes</skip_nfs>
-    <skip_dev>yes</skip_dev>
-    <skip_proc>yes</skip_proc>
-    <skip_sys>yes</skip_sys>
-
-    <!-- Nice value for Syscheck process -->
-    <process_priority>10</process_priority>
-
-    <!-- Maximum output throughput -->
-    <max_eps>50</max_eps>
-
-    <!-- Database synchronization settings -->
-    <synchronization>
-      <enabled>yes</enabled>
-      <interval>5m</interval>
-      <max_eps>10</max_eps>
-    </synchronization>
-  </syscheck>
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/messages</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/secure</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/maillog</location>
+  </localfile>
 
-  <!-- Log analysis -->
   <localfile>
     <log_format>command</log_format>
     <command>df -P</command>
     <frequency>360</frequency>
   </localfile>
-
   <localfile>
     <log_format>full_command</log_format>
     <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
     <alias>netstat listening ports</alias>
     <frequency>360</frequency>
   </localfile>
-
   <localfile>
     <log_format>full_command</log_format>
     <command>last -n 20</command>
     <frequency>360</frequency>
   </localfile>
 
-  <!-- Active response -->
+
   <active-response>
     <disabled>no</disabled>
-    <ca_store>etc/wpk_root.pem</ca_store>
+    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
     <ca_verification>yes</ca_verification>
   </active-response>
-
-  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
-  <logging>
-    <log_format>plain</log_format>
-  </logging>
-
-</ossec_config>
-
-<ossec_config>
-  <localfile>
-    <log_format>audit</log_format>
-    <location>/var/log/audit/audit.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/ossec/logs/active-responses.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/messages</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/secure</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/maillog</location>
-  </localfile>
-
-</ossec_config>
+</ossec_config>
\ No newline at end of file
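Review bot: on this Amazon Linux 2 host the packaged file already carried collectors for /var/log/messages, /var/log/secure and /var/log/maillog in its second `<ossec_config>` block, so the hunk consolidates them into the single block rather than adding coverage; the behavioural changes are the same as on AL2023: `<skip_dev>`, `<skip_proc>`, `<skip_sys>` and the top-level `<max_eps>` leave `<syscheck>`, rootcheck `<frequency>` changes from 43200 to 36000, and the syscollector `<synchronization>` block is gone. Since both platforms end at the same content hash `6a0cffbae9632a2c9f4901d421829afe31a774b913084bafd4534925c14e55b2`, the module now renders one platform-independent ossec.conf, which is fine as long as these defaults are documented as the module's rather than the package's.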

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum 472c229cd666a5036bc50c818c7428000176220fcde65ff75978a281cf52d29f
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: 

Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{sha256}472c229cd666a5036bc50c818c7428000176220fcde65ff75978a281cf52d29f' to '{sha256}6a0cffbae9632a2c9f4901d421829afe31a774b913084bafd4534925c14e55b2' (corrective)
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/mode: mode changed '0660' to '0640' (corrective)
Info: Concat[agent_ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]/returns: executed successfully (corrective)
Info: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running' (corrective)
Info: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Unscheduling refresh on Service[wazuh-agent]
Notice: Applied catalog in 13.33 seconds
[root@ip-172-31-6-176 ~]# 
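
The failure reported above is a variable that is assigned in some branches of an OS lookup and in none for the Amazon family, so `agent.pp` hits "Unknown variable" at catalog compile time. The Puppet snippet below is an added illustration of how such a lookup can be written so that every path either assigns the variable or fails with a message naming the OS; it is not code from wazuh-puppet or from the linked fix. The class name `wazuh::params_agent` and the variable `$ossec_service_provider` come from the error message in this issue, `$facts['kernel']` and `$facts['os']['name']` are standard Facter facts, and the list of OS names and the fail-by-default behaviour are assumptions for the example.

```puppet
# Added example, not wazuh-puppet's own params_agent.pp.  The class name and
# variable name come from the error message in this issue; the fact paths are
# standard Facter facts.  Assumption: the module selects the service provider
# by operating system, so the example does the same.
class wazuh::params_agent {
  # Map the operating system to the provider Puppet should use for
  # Service['wazuh-agent'].  Every branch assigns the variable, so a reference
  # such as $wazuh::params_agent::ossec_service_provider in agent.pp can never
  # resolve to an undefined variable again.
  case $facts['kernel'] {
    'Linux': {
      case $facts['os']['name'] {
        # Amazon Linux 2 and Amazon Linux 2023 are both systemd based; this is
        # the mapping that was missing when the issue was reported.
        'Amazon': {
          $ossec_service_provider = 'systemd'
        }
        # Other distributions the example assumes are systemd based.
        'RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux',
        'Debian', 'Ubuntu', 'SLES': {
          $ossec_service_provider = 'systemd'
        }
        default: {
          # Stop at compile time with a message that names the OS instead of
          # leaving the variable unset.  The catalog fails either way, but the
          # error now says exactly which mapping is missing.
          fail("wazuh::params_agent: no service provider mapped for OS '${facts['os']['name']}'")
        }
      }
    }
    default: {
      fail("wazuh::params_agent: unsupported kernel '${facts['kernel']}'")
    }
  }
}
```

To see what the case statement will match on a given agent before the catalog is compiled, run `facter os.name kernel` on that host; the lookup happens on the Puppet server, which is why an unmapped OS surfaces as an "Error 500 on SERVER" rather than as an agent-side failure.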

teddytpc1 linked a pull request May 9, 2024 that will close this issue
Status: Done
4 participants