
Release 4.3.0 - Manual tests - Demo environment #2856

Closed
9 tasks done
juliamagan opened this issue May 4, 2022 · 6 comments
juliamagan commented May 4, 2022

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

Test name: Demo environment
Category: Wazuh App
Deployment option: Demo environment
Main release issue: wazuh/wazuh#10954
Release candidate #: RC7

Test tasks

  • (T1): No errors or warnings found in logs
  • (T2): The daemons are running with the correct user
  • (T3): The status of the Wazuh Indexer clusters is as expected.
  • (T4): No errors in the browser's developer console when browsing the App
  • (T5): Alerts are being generated for each of the modules configured for this purpose.
  • (T6): No warning symbols in Discover when expanding a document.

Conclusion 🔵

Amazon Linux, RHEL and CentOS logs are related to https://github.com/wazuh/wazuh-automation/issues/800.
Debian and Ubuntu logs are related to https://github.com/wazuh/wazuh-automation/issues/801.
Windows logs are related to https://github.com/wazuh/wazuh-automation/issues/802.
Managers' logs were fixed in https://github.com/wazuh/wazuh-automation/issues/803. However, more logs were found, and we have created https://github.com/wazuh/wazuh-automation/issues/813.
More error and warning logs were found in wazuh-indexer; we have created wazuh/wazuh-packages#1511.

Open issues

Auditors validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.
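The T1 check above is a plain `egrep -i "ERROR|WARNING"` over `/var/ossec/logs/ossec.log`; as an added example (not part of the original issue or of Wazuh itself), the following Python script parses the ossec.log line layout seen in this report into structured entries, counts them by daemon, level and message code, and also picks the same layout out of `journalctl` lines where the manager embeds it. The 🟡 / 🔴 mapping in `verdict` (only accepted warnings such as code 1958 versus any error or unexpected warning) is my reading of the marks used in this report, not a documented Wazuh convention, and the sample log below is constructed from lines of the kind shown here.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ossec.log line layout, as seen in the agent and manager output of this report:
#   YYYY/MM/DD HH:MM:SS <daemon>[:<submodule>]: <LEVEL>: [(<code>): ]<message>
# `search` (not `match`) lets the same pattern find an ossec-format message that
# systemd wrapped inside a journalctl line ("... env[1186]: 2022/05/04 ...").
LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+(?::[\w-]+)?): "
    r"(?P<level>[A-Z]+): "
    r"(?:\((?P<code>\d+)\): )?"
    r"(?P<msg>.*)$"
)

# Warning codes the test accepts without failing (1958: duplicated log file).
ACCEPTED_WARNINGS = {"1958"}


@dataclass(frozen=True)
class LogEntry:
    ts: str
    daemon: str
    level: str
    code: Optional[str]
    msg: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one ossec.log (or journal-wrapped ossec.log) line; None if it is not one."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    return LogEntry(m["ts"], m["daemon"], m["level"], m["code"], m["msg"])


def find_problems(lines: Iterable[str], levels=("ERROR", "WARNING", "CRITICAL")) -> List[LogEntry]:
    """Structured equivalent of egrep -i 'ERROR|WARNING': keep entries at the given levels."""
    return [e for e in (parse_line(l) for l in lines) if e is not None and e.level in levels]


def summarize(entries: Iterable[LogEntry]) -> Counter:
    """Count (daemon, level, code) triples, collapsing repeats such as an error logged every minute."""
    return Counter((e.daemon, e.level, e.code) for e in entries)


def verdict(entries: Iterable[LogEntry], accepted=ACCEPTED_WARNINGS) -> str:
    """'green' if nothing found, 'yellow' if only accepted warnings, otherwise 'red'."""
    entries = list(entries)
    if not entries:
        return "green"
    if all(e.level == "WARNING" and e.code in accepted for e in entries):
        return "yellow"
    return "red"


# Constructed sample: lines modelled on the RHEL, Debian and manager output in this report.
SAMPLE_LOG = """\
2022/05/04 08:01:13 wazuh-logcollector: WARNING: (1958): Log file '/var/log/messages' is duplicated.
2022/05/04 08:01:13 wazuh-logcollector: WARNING: (1958): Log file '/var/log/secure' is duplicated.
2022/05/04 08:01:13 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.
2022/05/04 08:01:14 wazuh-modulesd:oscap: ERROR: Internal error. Exiting...
2022/05/04 08:08:17 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
may 04 08:44:21 wazuh-manager-master-0 env[1186]: 2022/05/04 08:44:21 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
"""


def check_log(text: str):
    """Run the whole T1 check over log text; returns (summary counter, verdict)."""
    problems = find_problems(text.splitlines())
    return summarize(problems), verdict(problems)


if __name__ == "__main__":
    summary, result = check_log(SAMPLE_LOG)
    for (daemon, level, code), n in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {level:<8} {daemon:<24} code={code}")
    print("verdict:", result)
```

Run it against a real file with `check_log(open("/var/ossec/logs/ossec.log").read())`; the summary makes a 1103 error repeated every minute show up as one line with a count instead of hundreds of grep hits.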


juliamagan commented May 4, 2022

Task 1: No errors or warnings found in logs

Agents

Amazon Linux 🟡
  • journalctl -xe -u wazuh-agent.service:
may 03 17:08:54 ip-10-0-1-127.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun shutting down.
may 03 17:08:54 ip-10-0-1-127.us-west-1.compute.internal env[15183]: Killing wazuh-modulesd...
may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal env[15183]: Killing wazuh-logcollector...
may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal env[15183]: Killing wazuh-syscheckd...
may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal env[15183]: Killing wazuh-agentd...
may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal env[15183]: Killing wazuh-execd...
may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal env[15183]: Wazuh v4.3.0 Stopped
may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Starting Wazuh v4.3.0...
may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Started wazuh-execd...
may 03 17:08:56 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Started wazuh-agentd...
may 03 17:08:57 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Started wazuh-syscheckd...
may 03 17:08:58 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Started wazuh-logcollector...
may 03 17:08:59 ip-10-0-1-127.us-west-1.compute.internal crontab[15411]: (root) LIST (root)
may 03 17:08:59 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Started wazuh-modulesd...
may 03 17:09:01 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Completed.
may 03 17:09:01 ip-10-0-1-127.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@ip-10-0-1-127 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/05/04 08:02:29 wazuh-logcollector: WARNING: (1958): Log file '/var/log/messages' is duplicated.
2022/05/04 08:02:29 wazuh-logcollector: WARNING: (1958): Log file '/var/log/secure' is duplicated.
2022/05/04 08:02:29 wazuh-logcollector: WARNING: (1958): Log file '/var/log/maillog' is duplicated.
  • systemctl status wazuh-agent -l:
[root@ip-10-0-1-127 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-05-03 17:09:01 UTC; 14h ago
  Process: 15183 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 15248 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─15275 /var/ossec/bin/wazuh-execd
           ├─15284 /var/ossec/bin/wazuh-agentd
           ├─15299 /var/ossec/bin/wazuh-syscheckd
           ├─15312 /var/ossec/bin/wazuh-logcollector
           └─15335 /var/ossec/bin/wazuh-modulesd

may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Starting Wazuh v4.3.0...
may 03 17:08:55 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Started wazuh-execd...
may 03 17:08:56 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Started wazuh-agentd...
may 03 17:08:57 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Started wazuh-syscheckd...
may 03 17:08:58 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Started wazuh-logcollector...
may 03 17:08:59 ip-10-0-1-127.us-west-1.compute.internal crontab[15411]: (root) LIST (root)
may 03 17:08:59 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Started wazuh-modulesd...
may 03 17:09:01 ip-10-0-1-127.us-west-1.compute.internal env[15248]: Completed.
may 03 17:09:01 ip-10-0-1-127.us-west-1.compute.internal systemd[1]: Started Wazuh agent.

  • /var/ossec/bin/wazuh-control status:
[root@ip-10-0-1-127 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
RHEL 🔴
  • journalctl -xe -u wazuh-agent.service:
may 03 17:32:11 ip-10-0-1-217.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun shutting down.
may 03 17:32:11 ip-10-0-1-217.us-west-1.compute.internal env[30609]: Killing wazuh-modulesd...
may 03 17:32:11 ip-10-0-1-217.us-west-1.compute.internal env[30609]: Killing wazuh-logcollector...
may 03 17:32:11 ip-10-0-1-217.us-west-1.compute.internal env[30609]: Killing wazuh-syscheckd...
may 03 17:32:11 ip-10-0-1-217.us-west-1.compute.internal env[30609]: Killing wazuh-agentd...
may 03 17:32:11 ip-10-0-1-217.us-west-1.compute.internal env[30609]: Killing wazuh-execd...
may 03 17:32:12 ip-10-0-1-217.us-west-1.compute.internal env[30609]: Wazuh v4.3.0 Stopped
may 03 17:32:12 ip-10-0-1-217.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished shutting down.
may 03 17:32:12 ip-10-0-1-217.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
may 03 17:32:12 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Starting Wazuh v4.3.0...
may 03 17:32:13 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Started wazuh-execd...
may 03 17:32:14 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Started wazuh-agentd...
may 03 17:32:15 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Started wazuh-syscheckd...
may 03 17:32:16 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Started wazuh-logcollector...
may 03 17:32:16 ip-10-0-1-217.us-west-1.compute.internal osqueryd[30806]: osqueryd started [version=4.3.0]
may 03 17:32:17 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Started wazuh-modulesd...
may 03 17:32:19 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Completed.
may 03 17:32:19 ip-10-0-1-217.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@ip-10-0-1-217 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/05/04 08:01:13 wazuh-logcollector: WARNING: (1958): Log file '/var/log/messages' is duplicated.
2022/05/04 08:01:13 wazuh-logcollector: WARNING: (1958): Log file '/var/log/secure' is duplicated.
2022/05/04 08:01:13 wazuh-logcollector: WARNING: (1958): Log file '/var/log/maillog' is duplicated.
2022/05/04 08:01:13 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.
2022/05/04 08:01:14 wazuh-modulesd:oscap: ERROR: Internal error. Exiting...
  • systemctl status wazuh-agent -l:
[root@ip-10-0-1-217 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-05-03 17:32:19 UTC; 14h ago
  Process: 30609 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 30696 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 53
   Memory: 183.9M
   CGroup: /system.slice/wazuh-agent.service
           ├─30723 /var/ossec/bin/wazuh-execd
           ├─30735 /var/ossec/bin/wazuh-agentd
           ├─30750 /var/ossec/bin/wazuh-syscheckd
           ├─30763 /var/ossec/bin/wazuh-logcollector
           ├─30787 /var/ossec/bin/wazuh-modulesd
           ├─30803 python3 wodles/docker/DockerListener
           ├─30806 /usr/bin/osqueryd --config_path=/etc/osquery/osquery.conf
           └─30814 /usr/bin/osqueryd                                        

may 03 17:32:12 ip-10-0-1-217.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
may 03 17:32:12 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Starting Wazuh v4.3.0...
may 03 17:32:13 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Started wazuh-execd...
may 03 17:32:14 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Started wazuh-agentd...
may 03 17:32:15 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Started wazuh-syscheckd...
may 03 17:32:16 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Started wazuh-logcollector...
may 03 17:32:16 ip-10-0-1-217.us-west-1.compute.internal osqueryd[30806]: osqueryd started [version=4.3.0]
may 03 17:32:17 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Started wazuh-modulesd...
may 03 17:32:19 ip-10-0-1-217.us-west-1.compute.internal env[30696]: Completed.
may 03 17:32:19 ip-10-0-1-217.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
[root@ip-10-0-1-217 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Ubuntu 🔴
  • journalctl -xe -u wazuh-agent.service:
May 04 07:52:24 ip-10-0-1-187 systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has begun shutting down.
May 04 07:52:24 ip-10-0-1-187 env[6520]: Killing wazuh-modulesd...
May 04 07:52:24 ip-10-0-1-187 env[6520]: Killing wazuh-logcollector...
May 04 07:52:24 ip-10-0-1-187 env[6520]: Killing wazuh-syscheckd...
May 04 07:52:24 ip-10-0-1-187 env[6520]: Killing wazuh-agentd...
May 04 07:52:24 ip-10-0-1-187 env[6520]: Killing wazuh-execd...
May 04 07:52:24 ip-10-0-1-187 env[6520]: Wazuh v4.3.0 Stopped
May 04 07:52:24 ip-10-0-1-187 systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has finished shutting down.
May 04 07:52:24 ip-10-0-1-187 systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has begun starting up.
May 04 07:52:24 ip-10-0-1-187 env[6575]: Starting Wazuh v4.3.0...
May 04 07:52:25 ip-10-0-1-187 env[6575]: Started wazuh-execd...
May 04 07:52:26 ip-10-0-1-187 env[6575]: Started wazuh-agentd...
May 04 07:52:27 ip-10-0-1-187 env[6575]: Started wazuh-syscheckd...
May 04 07:52:28 ip-10-0-1-187 env[6575]: Started wazuh-logcollector...
May 04 07:52:29 ip-10-0-1-187 env[6575]: Started wazuh-modulesd...
May 04 07:52:31 ip-10-0-1-187 env[6575]: Completed.
May 04 07:52:31 ip-10-0-1-187 systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is RESULT.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
root@ip-10-0-1-187:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/05/04 07:52:27 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
2022/05/04 07:52:27 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
2022/05/04 07:52:27 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/maillog' due to [(2)-(No such file or directory)].
  • systemctl status wazuh-agent -l:
root@ip-10-0-1-187:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-05-04 07:52:31 UTC; 7min ago
  Process: 6520 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 6575 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 31 (limit: 1125)
   CGroup: /system.slice/wazuh-agent.service
           ├─6625 /var/ossec/bin/wazuh-execd
           ├─6636 /var/ossec/bin/wazuh-agentd
           ├─6651 /var/ossec/bin/wazuh-syscheckd
           ├─6664 /var/ossec/bin/wazuh-logcollector
           └─6681 /var/ossec/bin/wazuh-modulesd

May 04 07:52:24 ip-10-0-1-187 systemd[1]: Starting Wazuh agent...
May 04 07:52:24 ip-10-0-1-187 env[6575]: Starting Wazuh v4.3.0...
May 04 07:52:25 ip-10-0-1-187 env[6575]: Started wazuh-execd...
May 04 07:52:26 ip-10-0-1-187 env[6575]: Started wazuh-agentd...
May 04 07:52:27 ip-10-0-1-187 env[6575]: Started wazuh-syscheckd...
May 04 07:52:28 ip-10-0-1-187 env[6575]: Started wazuh-logcollector...
May 04 07:52:29 ip-10-0-1-187 env[6575]: Started wazuh-modulesd...
May 04 07:52:31 ip-10-0-1-187 env[6575]: Completed.
May 04 07:52:31 ip-10-0-1-187 systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
root@ip-10-0-1-187:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Centos 🟡
  • journalctl -xe -u wazuh-agent.service:
may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun shutting down.
may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal env[18322]: Killing wazuh-modulesd...
may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal env[18322]: Killing wazuh-logcollector...
may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal env[18322]: Killing wazuh-syscheckd...
may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal env[18322]: Killing wazuh-agentd...
may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal env[18322]: Killing wazuh-execd...
may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal env[18322]: Wazuh v4.3.0 Stopped
may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished shutting down.
may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
may 04 08:05:18 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Starting Wazuh v4.3.0...
may 04 08:05:19 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Started wazuh-execd...
may 04 08:05:20 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Started wazuh-agentd...
may 04 08:05:21 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Started wazuh-syscheckd...
may 04 08:05:22 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Started wazuh-logcollector...
may 04 08:05:23 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Started wazuh-modulesd...
may 04 08:05:25 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Completed.
may 04 08:05:25 ip-10-0-1-106.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@ip-10-0-1-106 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/05/04 08:05:21 wazuh-logcollector: WARNING: (1958): Log file '/var/log/messages' is duplicated.
2022/05/04 08:05:21 wazuh-logcollector: WARNING: (1958): Log file '/var/log/secure' is duplicated.
2022/05/04 08:05:21 wazuh-logcollector: WARNING: (1958): Log file '/var/log/maillog' is duplicated.
  • systemctl status wazuh-agent -l:
[root@ip-10-0-1-106 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-05-04 08:05:25 UTC; 1min 20s ago
  Process: 18322 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 18387 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─18414 /var/ossec/bin/wazuh-execd
           ├─18426 /var/ossec/bin/wazuh-agentd
           ├─18441 /var/ossec/bin/wazuh-syscheckd
           ├─18456 /var/ossec/bin/wazuh-logcollector
           └─18476 /var/ossec/bin/wazuh-modulesd

may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
may 04 08:05:17 ip-10-0-1-106.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
may 04 08:05:18 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Starting Wazuh v4.3.0...
may 04 08:05:19 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Started wazuh-execd...
may 04 08:05:20 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Started wazuh-agentd...
may 04 08:05:21 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Started wazuh-syscheckd...
may 04 08:05:22 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Started wazuh-logcollector...
may 04 08:05:23 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Started wazuh-modulesd...
may 04 08:05:25 ip-10-0-1-106.us-west-1.compute.internal env[18387]: Completed.
may 04 08:05:25 ip-10-0-1-106.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
[root@ip-10-0-1-106 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Debian 🔴
  • journalctl -xe -u wazuh-agent.service:
may 04 08:08:14 ip-10-0-1-185 systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit wazuh-agent.service has begun shutting down.
may 04 08:08:14 ip-10-0-1-185 env[9536]: Killing wazuh-modulesd...
may 04 08:08:14 ip-10-0-1-185 env[9536]: Killing wazuh-logcollector...
may 04 08:08:14 ip-10-0-1-185 env[9536]: Killing wazuh-syscheckd...
may 04 08:08:14 ip-10-0-1-185 env[9536]: Killing wazuh-agentd...
may 04 08:08:14 ip-10-0-1-185 env[9536]: Killing wazuh-execd...
may 04 08:08:14 ip-10-0-1-185 env[9536]: Wazuh v4.3.0 Stopped
may 04 08:08:14 ip-10-0-1-185 systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit wazuh-agent.service has finished shutting down.
may 04 08:08:14 ip-10-0-1-185 systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit wazuh-agent.service has begun starting up.
may 04 08:08:14 ip-10-0-1-185 env[9591]: Starting Wazuh v4.3.0...
may 04 08:08:15 ip-10-0-1-185 env[9591]: Started wazuh-execd...
may 04 08:08:16 ip-10-0-1-185 env[9591]: Started wazuh-agentd...
may 04 08:08:17 ip-10-0-1-185 env[9591]: Started wazuh-syscheckd...
may 04 08:08:18 ip-10-0-1-185 env[9591]: Started wazuh-logcollector...
may 04 08:08:19 ip-10-0-1-185 env[9591]: Started wazuh-modulesd...
may 04 08:08:21 ip-10-0-1-185 env[9591]: Completed.
may 04 08:08:21 ip-10-0-1-185 systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
root@ip-10-0-1-185:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/05/04 08:08:17 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
2022/05/04 08:08:17 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/maillog' due to [(2)-(No such file or directory)].
  • systemctl status wazuh-agent -l:
root@ip-10-0-1-185:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-05-04 08:08:21 UTC; 1min 27s ago
  Process: 9536 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 9591 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 31 (limit: 4915)
   CGroup: /system.slice/wazuh-agent.service
           ├─9615 /var/ossec/bin/wazuh-execd
           ├─9626 /var/ossec/bin/wazuh-agentd
           ├─9640 /var/ossec/bin/wazuh-syscheckd
           ├─9657 /var/ossec/bin/wazuh-logcollector
           └─9696 /var/ossec/bin/wazuh-modulesd

may 04 08:08:14 ip-10-0-1-185 systemd[1]: Stopped Wazuh agent.
may 04 08:08:14 ip-10-0-1-185 systemd[1]: Starting Wazuh agent...
may 04 08:08:14 ip-10-0-1-185 env[9591]: Starting Wazuh v4.3.0...
may 04 08:08:15 ip-10-0-1-185 env[9591]: Started wazuh-execd...
may 04 08:08:16 ip-10-0-1-185 env[9591]: Started wazuh-agentd...
may 04 08:08:17 ip-10-0-1-185 env[9591]: Started wazuh-syscheckd...
may 04 08:08:18 ip-10-0-1-185 env[9591]: Started wazuh-logcollector...
may 04 08:08:19 ip-10-0-1-185 env[9591]: Started wazuh-modulesd...
may 04 08:08:21 ip-10-0-1-185 env[9591]: Completed.
may 04 08:08:21 ip-10-0-1-185 systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
root@ip-10-0-1-185:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Windows 🔴
  • EventViewer:
Log Name:      System
Source:        Service Control Manager
Date:          5/3/2022 5:32:23 PM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      EC2AMAZ-L45ASS8
Description:
The Wazuh service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2022-05-03T17:32:23.545426300Z" />
    <EventRecordID>84474</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="2956" />
    <Channel>System</Channel>
    <Computer>EC2AMAZ-L45ASS8</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Wazuh</Data>
    <Data Name="param2">running</Data>
    <Binary>570061007A00750068005300760063002F0034000000</Binary>
  </EventData>
</Event>

Log Name:      System
Source:        Service Control Manager
Date:          5/3/2022 5:32:23 PM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      EC2AMAZ-L45ASS8
Description:
The Wazuh service entered the stopped state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2022-05-03T17:32:23.000406400Z" />
    <EventRecordID>84473</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="2956" />
    <Channel>System</Channel>
    <Computer>EC2AMAZ-L45ASS8</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Wazuh</Data>
    <Data Name="param2">stopped</Data>
    <Binary>570061007A00750068005300760063002F0031000000</Binary>
  </EventData>
</Event>
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
2022/05/04 00:00:38 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220504.log' due to [(2)-(The system cannot find the file specified.)].
2022/05/04 00:01:43 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220504.log' due to [(2)-(The system cannot find the file specified.)].
2022/05/04 00:02:48 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220504.log' due to [(2)-(The system cannot find the file specified.)].
2022/05/04 00:03:52 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220504.log' due to [(2)-(The system cannot find the file specified.)].
2022/05/04 00:04:57 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220504.log' due to [(2)-(The system cannot find the file specified.)].
2022/05/04 00:06:02 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220504.log' due to [(2)-(The system cannot find the file specified.)].
2022/05/04 00:07:07 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220504.log' due to [(2)-(The system cannot find the file specified.)].
2022/05/04 00:08:12 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220504.log' due to [(2)-(The system cannot find the file specified.)].
  • Agent is running:

(screenshot: windows_running)

Managers

Master env 1 🔴
  • journalctl -xe -u wazuh-manager.service:
may 04 08:44:16 wazuh-manager-master-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun shutting down.
may 04 08:44:16 wazuh-manager-master-0 env[1040]: Killing wazuh-clusterd...
may 04 08:44:17 wazuh-manager-master-0 env[1040]: Killing wazuh-modulesd...
may 04 08:44:17 wazuh-manager-master-0 env[1040]: Killing wazuh-monitord...
may 04 08:44:17 wazuh-manager-master-0 env[1040]: Killing wazuh-logcollector...
may 04 08:44:17 wazuh-manager-master-0 env[1040]: Killing wazuh-remoted...
may 04 08:44:17 wazuh-manager-master-0 env[1040]: Killing wazuh-syscheckd...
may 04 08:44:17 wazuh-manager-master-0 env[1040]: Killing wazuh-analysisd...
may 04 08:44:17 wazuh-manager-master-0 env[1040]: wazuh-maild not running...
may 04 08:44:17 wazuh-manager-master-0 env[1040]: Killing wazuh-execd...
may 04 08:44:17 wazuh-manager-master-0 env[1040]: Killing wazuh-db...
may 04 08:44:18 wazuh-manager-master-0 env[1040]: Killing wazuh-authd...
may 04 08:44:19 wazuh-manager-master-0 env[1040]: wazuh-agentlessd not running...
may 04 08:44:19 wazuh-manager-master-0 env[1040]: Killing wazuh-integratord...
may 04 08:44:19 wazuh-manager-master-0 env[1040]: wazuh-dbd not running...
may 04 08:44:19 wazuh-manager-master-0 env[1040]: wazuh-csyslogd not running...
may 04 08:44:19 wazuh-manager-master-0 env[1040]: Killing wazuh-apid...
may 04 08:44:19 wazuh-manager-master-0 env[1040]: Wazuh v4.3.0 Stopped
may 04 08:44:19 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
may 04 08:44:21 wazuh-manager-master-0 env[1186]: 2022/05/04 08:44:21 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
may 04 08:44:21 wazuh-manager-master-0 env[1186]: Starting Wazuh v4.3.0...
may 04 08:44:24 wazuh-manager-master-0 env[1186]: Started wazuh-apid...
may 04 08:44:24 wazuh-manager-master-0 env[1186]: Started wazuh-csyslogd...
may 04 08:44:24 wazuh-manager-master-0 env[1186]: Started wazuh-dbd...
may 04 08:44:24 wazuh-manager-master-0 env[1186]: Started wazuh-integratord...
may 04 08:44:24 wazuh-manager-master-0 env[1186]: Started wazuh-agentlessd...
may 04 08:44:25 wazuh-manager-master-0 env[1186]: Started wazuh-authd...
may 04 08:44:26 wazuh-manager-master-0 env[1186]: Started wazuh-db...
may 04 08:44:27 wazuh-manager-master-0 env[1186]: Started wazuh-execd...
may 04 08:44:28 wazuh-manager-master-0 env[1186]: Started wazuh-analysisd...
may 04 08:44:29 wazuh-manager-master-0 env[1186]: Started wazuh-syscheckd...
may 04 08:44:31 wazuh-manager-master-0 env[1186]: Started wazuh-remoted...
may 04 08:44:32 wazuh-manager-master-0 env[1186]: Started wazuh-logcollector...
may 04 08:44:33 wazuh-manager-master-0 env[1186]: Started wazuh-monitord...
may 04 08:44:33 wazuh-manager-master-0 env[1186]: 2022/05/04 08:44:33 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
may 04 08:44:34 wazuh-manager-master-0 env[1186]: Started wazuh-modulesd...
may 04 08:44:35 wazuh-manager-master-0 env[1186]: Started wazuh-clusterd...
may 04 08:44:37 wazuh-manager-master-0 env[1186]: Completed.
may 04 08:44:37 wazuh-manager-master-0 crontab[1638]: (root) LIST (root)
may 04 08:44:37 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/05/04 05:33:03 wazuh-analysisd: ERROR: The new permissions could not be added to the JSON alert.
2022/05/04 08:02:04 wazuh-analysisd: WARNING: Mitre Technique ID 'T1492' not found in database.
2022/05/04 08:27:28 wazuh-analysisd: WARNING: Mitre Technique ID 'T1533.004' not found in database.
2022/05/04 08:44:21 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
[root@wazuh-manager-master-0 wazuh-user]#  
  • systemctl status wazuh-manager -l:
[root@wazuh-manager-master-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-05-04 08:44:37 UTC; 3min 42s ago
  Process: 1040 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 1186 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─1244 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1270 /var/ossec/bin/wazuh-integratord
           ├─1289 /var/ossec/bin/wazuh-authd
           ├─1306 /var/ossec/bin/wazuh-db
           ├─1318 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1321 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1336 /var/ossec/bin/wazuh-execd
           ├─1362 /var/ossec/bin/wazuh-analysisd
           ├─1374 /var/ossec/bin/wazuh-syscheckd
           ├─1394 /var/ossec/bin/wazuh-remoted
           ├─1427 /var/ossec/bin/wazuh-logcollector
           ├─1451 /var/ossec/bin/wazuh-monitord
           ├─1500 /var/ossec/bin/wazuh-modulesd
           ├─1607 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─1609 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─1612 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─2039 /bin/sh wodles/aws/aws-s3 --bucket wazuh-aws-wodle --access_key ############# --secret_key ################ --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow
           └─2046 /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws-s3.py --bucket wazuh-aws-wodle --access_key ################ --secret_key ##################### --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow

may 04 08:44:29 wazuh-manager-master-0 env[1186]: Started wazuh-syscheckd...
may 04 08:44:31 wazuh-manager-master-0 env[1186]: Started wazuh-remoted...
may 04 08:44:32 wazuh-manager-master-0 env[1186]: Started wazuh-logcollector...
may 04 08:44:33 wazuh-manager-master-0 env[1186]: Started wazuh-monitord...
may 04 08:44:33 wazuh-manager-master-0 env[1186]: 2022/05/04 08:44:33 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
may 04 08:44:34 wazuh-manager-master-0 env[1186]: Started wazuh-modulesd...
may 04 08:44:35 wazuh-manager-master-0 env[1186]: Started wazuh-clusterd...
may 04 08:44:37 wazuh-manager-master-0 env[1186]: Completed.
may 04 08:44:37 wazuh-manager-master-0 crontab[1638]: (root) LIST (root)
may 04 08:44:37 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
  • /var/ossec/bin/wazuh-control status:
[root@wazuh-manager-master-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
  • filebeat test output:
[root@wazuh-manager-master-0 wazuh-user]# filebeat test output
elasticsearch: https://10.0.2.209:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.209
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.85:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.85
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.125:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.125
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
Worker env 1 🟡
  • journalctl -xe -u wazuh-manager.service:
-- Unit wazuh-manager.service has begun shutting down.
may 04 08:50:07 wazuh-manager-worker-0 env[26161]: Killing wazuh-clusterd...
may 04 08:50:07 wazuh-manager-worker-0 env[26161]: Killing wazuh-modulesd...
may 04 08:50:07 wazuh-manager-worker-0 env[26161]: Killing wazuh-monitord...
may 04 08:50:07 wazuh-manager-worker-0 env[26161]: Killing wazuh-logcollector...
may 04 08:50:07 wazuh-manager-worker-0 env[26161]: Killing wazuh-remoted...
may 04 08:50:07 wazuh-manager-worker-0 env[26161]: Killing wazuh-syscheckd...
may 04 08:50:07 wazuh-manager-worker-0 env[26161]: Killing wazuh-analysisd...
may 04 08:50:07 wazuh-manager-worker-0 env[26161]: wazuh-maild not running...
may 04 08:50:07 wazuh-manager-worker-0 env[26161]: Killing wazuh-execd...
may 04 08:50:08 wazuh-manager-worker-0 env[26161]: Killing wazuh-db...
may 04 08:50:08 wazuh-manager-worker-0 env[26161]: wazuh-authd not running...
may 04 08:50:08 wazuh-manager-worker-0 env[26161]: wazuh-agentlessd not running...
may 04 08:50:08 wazuh-manager-worker-0 env[26161]: Killing wazuh-integratord...
may 04 08:50:08 wazuh-manager-worker-0 env[26161]: wazuh-dbd not running...
may 04 08:50:08 wazuh-manager-worker-0 env[26161]: wazuh-csyslogd not running...
may 04 08:50:08 wazuh-manager-worker-0 env[26161]: Killing wazuh-apid...
may 04 08:50:09 wazuh-manager-worker-0 env[26161]: Wazuh v4.3.0 Stopped
may 04 08:50:09 wazuh-manager-worker-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
may 04 08:50:09 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7616): List 'etc/lists/amazon/aws-eventnames' could not be loaded. Rule '80202' will be ignored.
may 04 08:50:09 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80203' will be ignored.
may 04 08:50:09 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80203' was not found. Invalid 'if_sid'. Rule '80250' will be ignored.
may 04 08:50:09 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80251' will be ignored.
may 04 08:50:09 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80251' was not found. Invalid 'if_matched_sid'. Rule '80252' will be ignored.
may 04 08:50:09 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80253' will be ignored.
may 04 08:50:09 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80253' was not found. Invalid 'if_sid'. Rule '80254' will be ignored.
may 04 08:50:09 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80254' was not found. Invalid 'if_matched_sid'. Rule '80255' will be ignored.
may 04 08:50:10 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:10 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
may 04 08:50:10 wazuh-manager-worker-0 env[26291]: Starting Wazuh v4.3.0...
may 04 08:50:13 wazuh-manager-worker-0 env[26291]: Started wazuh-apid...
may 04 08:50:13 wazuh-manager-worker-0 env[26291]: Started wazuh-csyslogd...
may 04 08:50:13 wazuh-manager-worker-0 env[26291]: Started wazuh-dbd...
may 04 08:50:13 wazuh-manager-worker-0 env[26291]: Started wazuh-integratord...
may 04 08:50:13 wazuh-manager-worker-0 env[26291]: Started wazuh-agentlessd...
may 04 08:50:14 wazuh-manager-worker-0 env[26291]: Started wazuh-db...
may 04 08:50:15 wazuh-manager-worker-0 env[26291]: Started wazuh-execd...
may 04 08:50:16 wazuh-manager-worker-0 env[26291]: Started wazuh-analysisd...
may 04 08:50:17 wazuh-manager-worker-0 env[26291]: Started wazuh-syscheckd...
may 04 08:50:18 wazuh-manager-worker-0 env[26291]: Started wazuh-remoted...
may 04 08:50:19 wazuh-manager-worker-0 env[26291]: Started wazuh-logcollector...
may 04 08:50:21 wazuh-manager-worker-0 env[26291]: Started wazuh-monitord...
may 04 08:50:21 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:21 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
may 04 08:50:22 wazuh-manager-worker-0 crontab[26655]: (root) LIST (root)
may 04 08:50:22 wazuh-manager-worker-0 env[26291]: Started wazuh-modulesd...
may 04 08:50:22 wazuh-manager-worker-0 env[26291]: Started wazuh-clusterd...
may 04 08:50:24 wazuh-manager-worker-0 env[26291]: Completed.
may 04 08:50:24 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@wazuh-manager-worker-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/05/04 08:49:57 wazuh-modulesd:vulnerability-detector: WARNING: (5515): Agent '004' software could not be requested.
2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7616): List 'etc/lists/amazon/aws-eventnames' could not be loaded. Rule '80202' will be ignored.
2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80203' will be ignored.
2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80203' was not found. Invalid 'if_sid'. Rule '80250' will be ignored.
2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80251' will be ignored.
2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80251' was not found. Invalid 'if_matched_sid'. Rule '80252' will be ignored.
2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80253' will be ignored.
2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80253' was not found. Invalid 'if_sid'. Rule '80254' will be ignored.
2022/05/04 08:50:09 wazuh-analysisd: WARNING: (7606): Signature ID '80254' was not found. Invalid 'if_matched_sid'. Rule '80255' will be ignored.
2022/05/04 08:50:10 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
2022/05/04 08:50:11 wazuh-testrule: WARNING: (7616): List 'etc/lists/amazon/aws-eventnames' could not be loaded. Rule '80202' will be ignored.
2022/05/04 08:50:11 wazuh-testrule: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80203' will be ignored.
2022/05/04 08:50:11 wazuh-testrule: WARNING: (7606): Signature ID '80203' was not found. Invalid 'if_sid'. Rule '80250' will be ignored.
2022/05/04 08:50:11 wazuh-testrule: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80251' will be ignored.
2022/05/04 08:50:11 wazuh-testrule: WARNING: (7606): Signature ID '80251' was not found. Invalid 'if_matched_sid'. Rule '80252' will be ignored.
2022/05/04 08:50:11 wazuh-testrule: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80253' will be ignored.
2022/05/04 08:50:11 wazuh-testrule: WARNING: (7606): Signature ID '80253' was not found. Invalid 'if_sid'. Rule '80254' will be ignored.
2022/05/04 08:50:11 wazuh-testrule: WARNING: (7606): Signature ID '80254' was not found. Invalid 'if_matched_sid'. Rule '80255' will be ignored.
2022/05/04 08:50:15 wazuh-analysisd: WARNING: (7616): List 'etc/lists/amazon/aws-eventnames' could not be loaded. Rule '80202' will be ignored.
2022/05/04 08:50:15 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80203' will be ignored.
2022/05/04 08:50:15 wazuh-analysisd: WARNING: (7606): Signature ID '80203' was not found. Invalid 'if_sid'. Rule '80250' will be ignored.
2022/05/04 08:50:15 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80251' will be ignored.
2022/05/04 08:50:15 wazuh-analysisd: WARNING: (7606): Signature ID '80251' was not found. Invalid 'if_matched_sid'. Rule '80252' will be ignored.
2022/05/04 08:50:15 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80253' will be ignored.
2022/05/04 08:50:15 wazuh-analysisd: WARNING: (7606): Signature ID '80253' was not found. Invalid 'if_sid'. Rule '80254' will be ignored.
2022/05/04 08:50:15 wazuh-analysisd: WARNING: (7606): Signature ID '80254' was not found. Invalid 'if_matched_sid'. Rule '80255' will be ignored.
2022/05/04 08:50:21 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
[root@wazuh-manager-worker-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
2022/05/04 08:44:26 ERROR: [Local Server] [Main] Could not connect to master. Trying again in 10 seconds.  

This error is expected because we restarted the master node before.

  • systemctl status wazuh-manager -l:
[root@wazuh-manager-worker-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-05-04 08:50:24 UTC; 3min 34s ago
  Process: 26161 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 26291 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─26349 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─26372 /var/ossec/bin/wazuh-integratord
           ├─26392 /var/ossec/bin/wazuh-db
           ├─26416 /var/ossec/bin/wazuh-execd
           ├─26418 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─26421 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─26437 /var/ossec/bin/wazuh-analysisd
           ├─26448 /var/ossec/bin/wazuh-syscheckd
           ├─26470 /var/ossec/bin/wazuh-remoted
           ├─26502 /var/ossec/bin/wazuh-logcollector
           ├─26527 /var/ossec/bin/wazuh-monitord
           ├─26573 /var/ossec/bin/wazuh-modulesd
           ├─26705 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─26915 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

may 04 08:50:17 wazuh-manager-worker-0 env[26291]: Started wazuh-syscheckd...
may 04 08:50:18 wazuh-manager-worker-0 env[26291]: Started wazuh-remoted...
may 04 08:50:19 wazuh-manager-worker-0 env[26291]: Started wazuh-logcollector...
may 04 08:50:21 wazuh-manager-worker-0 env[26291]: Started wazuh-monitord...
may 04 08:50:21 wazuh-manager-worker-0 env[26291]: 2022/05/04 08:50:21 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
may 04 08:50:22 wazuh-manager-worker-0 crontab[26655]: (root) LIST (root)
may 04 08:50:22 wazuh-manager-worker-0 env[26291]: Started wazuh-modulesd...
may 04 08:50:22 wazuh-manager-worker-0 env[26291]: Started wazuh-clusterd...
may 04 08:50:24 wazuh-manager-worker-0 env[26291]: Completed.
may 04 08:50:24 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
  • /var/ossec/bin/wazuh-control status:
[root@wazuh-manager-worker-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd not running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
  • filebeat test output:
[root@wazuh-manager-worker-0 wazuh-user]# filebeat test output
elasticsearch: https://10.0.2.209:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.209
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.85:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.85
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.125:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.125
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
Master env 2 🟡
  • journalctl -xe -u wazuh-manager.service:
may 04 08:56:21 wazuh-manager-master-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun shutting down.
may 04 08:56:21 wazuh-manager-master-0 env[30029]: Killing wazuh-clusterd...
may 04 08:56:21 wazuh-manager-master-0 env[30029]: Killing wazuh-modulesd...
may 04 08:56:21 wazuh-manager-master-0 env[30029]: Killing wazuh-monitord...
may 04 08:56:21 wazuh-manager-master-0 env[30029]: Killing wazuh-logcollector...
may 04 08:56:21 wazuh-manager-master-0 env[30029]: Killing wazuh-remoted...
may 04 08:56:21 wazuh-manager-master-0 env[30029]: Killing wazuh-syscheckd...
may 04 08:56:22 wazuh-manager-master-0 env[30029]: Killing wazuh-analysisd...
may 04 08:56:22 wazuh-manager-master-0 env[30029]: wazuh-maild not running...
may 04 08:56:22 wazuh-manager-master-0 env[30029]: Killing wazuh-execd...
may 04 08:56:22 wazuh-manager-master-0 env[30029]: Killing wazuh-db...
may 04 08:56:23 wazuh-manager-master-0 env[30029]: Killing wazuh-authd...
may 04 08:56:23 wazuh-manager-master-0 env[30029]: wazuh-agentlessd not running...
may 04 08:56:23 wazuh-manager-master-0 env[30029]: Killing wazuh-integratord...
may 04 08:56:23 wazuh-manager-master-0 env[30029]: wazuh-dbd not running...
may 04 08:56:23 wazuh-manager-master-0 env[30029]: wazuh-csyslogd not running...
may 04 08:56:23 wazuh-manager-master-0 env[30029]: Killing wazuh-apid...
may 04 08:56:24 wazuh-manager-master-0 env[30029]: Wazuh v4.3.0 Stopped
may 04 08:56:24 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
may 04 08:56:26 wazuh-manager-master-0 env[30183]: 2022/05/04 08:56:26 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
may 04 08:56:27 wazuh-manager-master-0 env[30183]: Starting Wazuh v4.3.0...
may 04 08:56:30 wazuh-manager-master-0 env[30183]: Started wazuh-apid...
may 04 08:56:30 wazuh-manager-master-0 env[30183]: Started wazuh-csyslogd...
may 04 08:56:30 wazuh-manager-master-0 env[30183]: Started wazuh-dbd...
may 04 08:56:30 wazuh-manager-master-0 env[30183]: Started wazuh-integratord...
may 04 08:56:30 wazuh-manager-master-0 env[30183]: Started wazuh-agentlessd...
may 04 08:56:31 wazuh-manager-master-0 env[30183]: Started wazuh-authd...
may 04 08:56:32 wazuh-manager-master-0 env[30183]: Started wazuh-db...
may 04 08:56:33 wazuh-manager-master-0 env[30183]: Started wazuh-execd...
may 04 08:56:34 wazuh-manager-master-0 env[30183]: Started wazuh-analysisd...
may 04 08:56:35 wazuh-manager-master-0 env[30183]: Started wazuh-syscheckd...
may 04 08:56:37 wazuh-manager-master-0 env[30183]: Started wazuh-remoted...
may 04 08:56:38 wazuh-manager-master-0 env[30183]: Started wazuh-logcollector...
may 04 08:56:39 wazuh-manager-master-0 env[30183]: Started wazuh-monitord...
may 04 08:56:39 wazuh-manager-master-0 env[30183]: 2022/05/04 08:56:39 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
may 04 08:56:40 wazuh-manager-master-0 env[30183]: Started wazuh-modulesd...
may 04 08:56:41 wazuh-manager-master-0 env[30183]: Started wazuh-clusterd...
may 04 08:56:43 wazuh-manager-master-0 env[30183]: Completed.
may 04 08:56:43 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
may 04 08:56:44 wazuh-manager-master-0 crontab[30616]: (root) LIST (root)
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/05/04 08:56:26 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
2022/05/04 08:56:39 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
[root@wazuh-manager-master-0 wazuh-user]# 
  • systemctl status wazuh-manager -l:
[root@wazuh-manager-master-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-05-04 08:56:43 UTC; 1min 37s ago
  Process: 30029 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 30183 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─30239 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30265 /var/ossec/bin/wazuh-integratord
           ├─30284 /var/ossec/bin/wazuh-authd
           ├─30301 /var/ossec/bin/wazuh-db
           ├─30315 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30318 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30333 /var/ossec/bin/wazuh-execd
           ├─30348 /var/ossec/bin/wazuh-analysisd
           ├─30360 /var/ossec/bin/wazuh-syscheckd
           ├─30381 /var/ossec/bin/wazuh-remoted
           ├─30413 /var/ossec/bin/wazuh-logcollector
           ├─30432 /var/ossec/bin/wazuh-monitord
           ├─30480 /var/ossec/bin/wazuh-modulesd
           ├─30588 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─30596 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─30599 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─30895 /bin/sh wodles/aws/aws-s3 --bucket wazuh-aws-wodle --access_key ################## --secret_key ###################### --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow
           └─30902 /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws-s3.py --bucket wazuh-aws-wodle --access_key ############ --secret_key ############### --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow

may 04 08:56:35 wazuh-manager-master-0 env[30183]: Started wazuh-syscheckd...
may 04 08:56:37 wazuh-manager-master-0 env[30183]: Started wazuh-remoted...
may 04 08:56:38 wazuh-manager-master-0 env[30183]: Started wazuh-logcollector...
may 04 08:56:39 wazuh-manager-master-0 env[30183]: Started wazuh-monitord...
may 04 08:56:39 wazuh-manager-master-0 env[30183]: 2022/05/04 08:56:39 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
may 04 08:56:40 wazuh-manager-master-0 env[30183]: Started wazuh-modulesd...
may 04 08:56:41 wazuh-manager-master-0 env[30183]: Started wazuh-clusterd...
may 04 08:56:43 wazuh-manager-master-0 env[30183]: Completed.
may 04 08:56:43 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
may 04 08:56:44 wazuh-manager-master-0 crontab[30616]: (root) LIST (root)
  • /var/ossec/bin/wazuh-control status:
[root@wazuh-manager-master-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
  • filebeat test output:
[root@wazuh-manager-master-0 wazuh-user]# filebeat test output
elasticsearch: https://10.0.2.209:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.209
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.85:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.85
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.125:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.125
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Wazuh Indexer

Bootstrap 🔴
  • journalctl -xe -u wazuh-indexer.service:
may 04 08:17:50 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[19152]: Exception in thread "Attach Listener" Agent failed to start!
may 04 08:48:01 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[19152]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:17:53 ip-10-0-2-125.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
may 04 09:17:54 ip-10-0-2-125.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
may 04 09:18:09 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:18:10 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: WARNING: An illegal reflective access operation has occurred
may 04 09:18:10 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/o
may 04 09:18:10 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
may 04 09:18:10 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
may 04 09:18:10 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: WARNING: All illegal access operations will be denied in a future release
may 04 09:18:15 ip-10-0-2-125.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[2022-05-04T08:40:50,436][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 is not enabled or supported in server context
[2022-05-04T08:44:36,501][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f616c696173657320485454502f312e310d0a486f73743a2035322e35322e3134372e33373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-05-04T08:53:00,611][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f73746174732f696e646963657320485454502f312e310d0a486f73743a2035322e35322e3134372e33373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-05-04T08:57:18,206][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f737461747320485454502f312e310d0a486f73743a2035322e35322e3134372e33373a393230300d0a436f6e6e656374696f6e3a20636c6f73650d0a4163636570742d456e636f64696e673a20677a69700d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284d6163696e746f73683b20496e74656c204d6163204f5320582031305f31315f3529204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f35302e302e323636312e313032205361666172692f3533372e33360d0a0d0a
[2022-05-04T08:57:18,209][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f2a2f5f73657474696e677320485454502f312e310d0a486f73743a2035322e35322e3134372e33373a393230300d0a436f6e6e656374696f6e3a20636c6f73650d0a4163636570742d456e636f64696e673a20677a69700d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284d6163696e746f73683b20496e74656c204d6163204f5320582031305f31315f3529204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f35302e302e323636312e313032205361666172692f3533372e33360d0a0d0a
[2022-05-04T08:57:18,213][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f6e6f64657320485454502f312e310d0a486f73743a2035322e35322e3134372e33373a393230300d0a436f6e6e656374696f6e3a20636c6f73650d0a4163636570742d456e636f64696e673a20677a69700d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284d6163696e746f73683b20496e74656c204d6163204f5320582031305f31315f3529204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f35302e302e323636312e313032205361666172692f3533372e33360d0a0d0a
[2022-05-04T08:57:18,216][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a2035322e35322e3134372e33373a393230300d0a436f6e6e656374696f6e3a20636c6f73650d0a4163636570742d456e636f64696e673a20677a69700d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284d6163696e746f73683b20496e74656c204d6163204f5320582031305f31315f3529204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f35302e302e323636312e313032205361666172692f3533372e33360d0a0d0a
[2022-05-04T08:57:42,330][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f636c75737465722f6865616c74683f6c6576656c3d696e646963657320485454502f312e310d0a486f73743a2035322e35322e3134372e33373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-05-04T09:14:16,912][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f73746174757320485454502f312e310d0a486f73743a2035322e35322e3134372e33373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-05-04T09:17:59,309][INFO ][o.o.n.Node               ] [node-3] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3948m, -Xmx3948m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-5513364696324844172, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -XX:MaxDirectMemorySize=2069889024, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2022-05-04T09:18:09,281][ERROR][o.o.s.a.s.SinkProvider   ] [node-3] Default endpoint could not be created, auditlog will not work properly.
  • systemctl status wazuh-indexer -l:
[root@ip-10-0-2-125 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-05-04 09:18:15 UTC; 3min 34s ago
     Docs: https://documentation.wazuh.com
 Main PID: 16738 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─16738 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-5513364696324844172 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

may 04 09:17:54 ip-10-0-2-125.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
may 04 09:18:09 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:18:10 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: WARNING: An illegal reflective access operation has occurred
may 04 09:18:10 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
may 04 09:18:10 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
may 04 09:18:10 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
may 04 09:18:10 ip-10-0-2-125.us-west-1.compute.internal systemd-entrypoint[16738]: WARNING: All illegal access operations will be denied in a future release
may 04 09:18:15 ip-10-0-2-125.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
Master B 🔴
  • journalctl -xe -u wazuh-indexer.service:
may 04 08:47:42 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[18812]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:17:53 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[18812]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:23:44 ip-10-0-2-85.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
may 04 09:23:45 ip-10-0-2-85.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
may 04 09:24:00 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: WARNING: An illegal reflective access operation has occurred
may 04 09:24:00 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/op
may 04 09:24:00 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
may 04 09:24:00 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
may 04 09:24:00 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: WARNING: All illegal access operations will be denied in a future release
may 04 09:24:01 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:24:06 ip-10-0-2-85.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[2022-05-04T09:16:44,829][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454c500d0a
[2022-05-04T09:16:44,967][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 is not enabled or supported in server context
[2022-05-04T09:23:50,650][INFO ][o.o.n.Node               ] [node-2] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3948m, -Xmx3948m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-4567178945924237329, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -XX:MaxDirectMemorySize=2069889024, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2022-05-04T09:24:00,307][ERROR][o.o.s.a.s.SinkProvider   ] [node-2] Default endpoint could not be created, auditlog will not work properly.
  • systemctl status wazuh-indexer -l:
[root@ip-10-0-2-85 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-05-04 09:24:06 UTC; 1min 33s ago
     Docs: https://documentation.wazuh.com
 Main PID: 21286 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─21286 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-4567178945924237329 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

may 04 09:23:45 ip-10-0-2-85.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
may 04 09:24:00 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: WARNING: An illegal reflective access operation has occurred
may 04 09:24:00 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
may 04 09:24:00 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
may 04 09:24:00 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
may 04 09:24:00 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: WARNING: All illegal access operations will be denied in a future release
may 04 09:24:01 ip-10-0-2-85.us-west-1.compute.internal systemd-entrypoint[21286]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:24:06 ip-10-0-2-85.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
Master C 🔴
  • journalctl -xe -u wazuh-indexer.service:
may 04 08:48:38 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[19957]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:18:49 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[19957]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:26:28 ip-10-0-2-209.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
may 04 09:26:29 ip-10-0-2-209.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
may 04 09:26:43 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:26:44 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: WARNING: An illegal reflective access operation has occurred
may 04 09:26:44 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/o
may 04 09:26:44 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
may 04 09:26:44 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
may 04 09:26:44 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: WARNING: All illegal access operations will be denied in a future release
may 04 09:26:50 ip-10-0-2-209.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[2022-05-04T08:51:28,825][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 is not enabled or supported in server context
[2022-05-04T08:53:12,122][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f73746174732f696e646963657320485454502f312e310d0a486f73743a2035342e3137372e3231302e3137353a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-05-04T08:57:28,241][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a2035342e3137372e3231302e3137353a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e302028636f6d70617469626c653b2043656e737973496e73706563742f312e313b202b68747470733a2f2f61626f75742e63656e7379732e696f2f290d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-05-04T08:57:29,336][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-05-04T08:58:01,182][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f636c75737465722f6865616c74683f6c6576656c3d696e646963657320485454502f312e310d0a486f73743a2035342e3137372e3231302e3137353a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-05-04T09:14:21,347][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f73746174757320485454502f312e310d0a486f73743a2035342e3137372e3231302e3137353a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-05-04T09:26:33,991][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3948m, -Xmx3948m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-15123537735382070843, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -XX:MaxDirectMemorySize=2069889024, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2022-05-04T09:26:44,108][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
  • systemctl status wazuh-indexer -l:
[root@ip-10-0-2-209 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-05-04 09:26:50 UTC; 1min 27s ago
     Docs: https://documentation.wazuh.com
 Main PID: 23515 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─23515 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-15123537735382070843 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

may 04 09:26:29 ip-10-0-2-209.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
may 04 09:26:43 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:26:44 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: WARNING: An illegal reflective access operation has occurred
may 04 09:26:44 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
may 04 09:26:44 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
may 04 09:26:44 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
may 04 09:26:44 ip-10-0-2-209.us-west-1.compute.internal systemd-entrypoint[23515]: WARNING: All illegal access operations will be denied in a future release
may 04 09:26:50 ip-10-0-2-209.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.

Wazuh Dashboard

wazuh-indexer 🔴
  • journalctl -xe -u wazuh-indexer.service:
may 04 08:54:30 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[21307]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:24:41 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[21307]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:31:35 ip-10-0-0-107.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
may 04 09:31:36 ip-10-0-0-107.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
may 04 09:31:52 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:31:53 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: WARNING: An illegal reflective access operation has occurred
may 04 09:31:53 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/o
may 04 09:31:53 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
may 04 09:31:53 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
may 04 09:31:53 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: WARNING: All illegal access operations will be denied in a future release
may 04 09:31:58 ip-10-0-0-107.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[root@ip-10-0-0-107 wazuh-user]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
[2022-05-04T09:31:41,457][INFO ][o.o.n.Node               ] [node-7] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms2560m, -Xmx2560m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-14437330058389193133, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -XX:MaxDirectMemorySize=1342177280, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2022-05-04T09:31:52,361][ERROR][o.o.s.a.s.SinkProvider   ] [node-7] Default endpoint could not be created, auditlog will not work properly.
  • systemctl status wazuh-indexer -l:
[root@ip-10-0-0-107 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-05-04 09:31:58 UTC; 1min 9s ago
     Docs: https://documentation.wazuh.com
 Main PID: 24466 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─24466 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-14437330058389193133 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

may 04 09:31:36 ip-10-0-0-107.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
may 04 09:31:52 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: Exception in thread "Attach Listener" Agent failed to start!
may 04 09:31:53 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: WARNING: An illegal reflective access operation has occurred
may 04 09:31:53 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
may 04 09:31:53 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
may 04 09:31:53 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
may 04 09:31:53 ip-10-0-0-107.us-west-1.compute.internal systemd-entrypoint[24466]: WARNING: All illegal access operations will be denied in a future release
may 04 09:31:58 ip-10-0-0-107.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
wazuh-dashboard 🔴
  • journalctl -xe -u wazuh-dashboard.service:
may 04 09:33:40 ip-10-0-0-107.us-west-1.compute.internal systemd[1]: Stopping wazuh-dashboard...
-- Subject: Unit wazuh-dashboard.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-dashboard.service has begun shutting down.
may 04 09:33:40 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[1753]: {"type":"log","@timestamp":"2022-05-04T09:33:40Z","tags":["info","plugins-system"],"pid":1753,"message":"Stopping all plugins
may 04 09:33:40 ip-10-0-0-107.us-west-1.compute.internal systemd[1]: Started wazuh-dashboard.
-- Subject: Unit wazuh-dashboard.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-dashboard.service has finished starting up.
-- 
-- The start-up result is done.
may 04 09:33:40 ip-10-0-0-107.us-west-1.compute.internal systemd[1]: Starting wazuh-dashboard...
-- Subject: Unit wazuh-dashboard.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-dashboard.service has begun starting up.
may 04 09:33:46 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:46Z","tags":["info","plugins-service"],"pid":26314,"message":"Plugin \"visTypeX
may 04 09:33:46 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:46Z","tags":["info","plugins-system"],"pid":26314,"message":"Setting up [45] pl
may 04 09:33:47 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:47Z","tags":["info","savedobjects-service"],"pid":26314,"message":"Waiting unti
may 04 09:33:47 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:47Z","tags":["info","savedobjects-service"],"pid":26314,"message":"Starting sav
may 04 09:33:47 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:47Z","tags":["info","savedobjects-service"],"pid":26314,"message":"Creating ind
may 04 09:33:48 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:48Z","tags":["info","savedobjects-service"],"pid":26314,"message":"Migrating .k
may 04 09:33:48 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:48Z","tags":["info","savedobjects-service"],"pid":26314,"message":"Pointing ali
may 04 09:33:48 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:48Z","tags":["info","savedobjects-service"],"pid":26314,"message":"Finished in 
may 04 09:33:48 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:48Z","tags":["info","plugins-system"],"pid":26314,"message":"Starting [45] plug
may 04 09:33:49 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:49Z","tags":["listening","info"],"pid":26314,"message":"Server running at https
may 04 09:33:50 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:50Z","tags":["info","http","server","OpenSearchDashboards"],"pid":26314,"messag
  • systemctl status wazuh-dashboard -l:
[root@ip-10-0-0-107 wazuh-user]# systemctl status wazuh-dashboard -l
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-05-04 09:33:40 UTC; 3min 38s ago
 Main PID: 26314 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─26314 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

may 04 09:34:12 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:34:12Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_template&method=GET","method":"post","headers":{"host":"10.0.0.107:5601","connection":"close","content-length":"0","accept":"text/plain, */*; q=0.01","osd-xsrf":"opensearchDashboards","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","osd-version":"1.2.0","sec-gpc":"1","origin":"https://demo-430-rc7-wazuh.com","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.0.0.107","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools"},"res":{"statusCode":200,"responseTime":39,"contentLength":9},"message":"POST /api/console/proxy?path=_template&method=GET 200 39ms - 9.0B"}
may 04 09:35:13 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:35:13Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_aliases&method=GET","method":"post","headers":{"host":"10.0.0.107:5601","connection":"close","content-length":"0","accept":"text/plain, */*; q=0.01","osd-xsrf":"opensearchDashboards","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","osd-version":"1.2.0","sec-gpc":"1","origin":"https://demo-430-rc7-wazuh.com","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.0.0.107","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools"},"res":{"statusCode":200,"responseTime":40,"contentLength":9},"message":"POST /api/console/proxy?path=_aliases&method=GET 200 40ms - 9.0B"}
may 04 09:35:13 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:35:13Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_mapping&method=GET","method":"post","headers":{"host":"10.0.0.107:5601","connection":"close","content-length":"0","accept":"text/plain, */*; q=0.01","osd-xsrf":"opensearchDashboards","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","osd-version":"1.2.0","sec-gpc":"1","origin":"https://demo-430-rc7-wazuh.com","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.0.0.107","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools"},"res":{"statusCode":200,"responseTime":79,"contentLength":9},"message":"POST /api/console/proxy?path=_mapping&method=GET 200 79ms - 9.0B"}
may 04 09:35:13 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:35:13Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_template&method=GET","method":"post","headers":{"host":"10.0.0.107:5601","connection":"close","content-length":"0","accept":"text/plain, */*; q=0.01","osd-xsrf":"opensearchDashboards","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","osd-version":"1.2.0","sec-gpc":"1","origin":"https://demo-430-rc7-wazuh.com","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.0.0.107","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools"},"res":{"statusCode":200,"responseTime":26,"contentLength":9},"message":"POST /api/console/proxy?path=_template&method=GET 200 26ms - 9.0B"}
may 04 09:36:14 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:36:14Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_mapping&method=GET","method":"post","headers":{"host":"10.0.0.107:5601","connection":"close","content-length":"0","accept":"text/plain, */*; q=0.01","osd-xsrf":"opensearchDashboards","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","osd-version":"1.2.0","sec-gpc":"1","origin":"https://demo-430-rc7-wazuh.com","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.0.0.107","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools"},"res":{"statusCode":200,"responseTime":66,"contentLength":9},"message":"POST /api/console/proxy?path=_mapping&method=GET 200 66ms - 9.0B"}
may 04 09:36:15 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:36:15Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_aliases&method=GET","method":"post","headers":{"host":"10.0.0.107:5601","connection":"close","content-length":"0","accept":"text/plain, */*; q=0.01","osd-xsrf":"opensearchDashboards","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","osd-version":"1.2.0","sec-gpc":"1","origin":"https://demo-430-rc7-wazuh.com","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.0.0.107","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools"},"res":{"statusCode":200,"responseTime":21,"contentLength":9},"message":"POST /api/console/proxy?path=_aliases&method=GET 200 21ms - 9.0B"}
may 04 09:36:15 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:36:15Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_template&method=GET","method":"post","headers":{"host":"10.0.0.107:5601","connection":"close","content-length":"0","accept":"text/plain, */*; q=0.01","osd-xsrf":"opensearchDashboards","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","osd-version":"1.2.0","sec-gpc":"1","origin":"https://demo-430-rc7-wazuh.com","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.0.0.107","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools"},"res":{"statusCode":200,"responseTime":27,"contentLength":9},"message":"POST /api/console/proxy?path=_template&method=GET 200 27ms - 9.0B"}
may 04 09:37:16 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:37:16Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_mapping&method=GET","method":"post","headers":{"host":"10.0.0.107:5601","connection":"close","content-length":"0","accept":"text/plain, */*; q=0.01","osd-xsrf":"opensearchDashboards","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","osd-version":"1.2.0","sec-gpc":"1","origin":"https://demo-430-rc7-wazuh.com","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.0.0.107","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools"},"res":{"statusCode":200,"responseTime":93,"contentLength":9},"message":"POST /api/console/proxy?path=_mapping&method=GET 200 93ms - 9.0B"}
may 04 09:37:17 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:37:17Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_aliases&method=GET","method":"post","headers":{"host":"10.0.0.107:5601","connection":"close","content-length":"0","accept":"text/plain, */*; q=0.01","osd-xsrf":"opensearchDashboards","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","osd-version":"1.2.0","sec-gpc":"1","origin":"https://demo-430-rc7-wazuh.com","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.0.0.107","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools"},"res":{"statusCode":200,"responseTime":20,"contentLength":9},"message":"POST /api/console/proxy?path=_aliases&method=GET 200 20ms - 9.0B"}
may 04 09:37:17 ip-10-0-0-107.us-west-1.compute.internal opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:37:17Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"req":{"url":"/api/console/proxy?path=_template&method=GET","method":"post","headers":{"host":"10.0.0.107:5601","connection":"close","content-length":"0","accept":"text/plain, */*; q=0.01","osd-xsrf":"opensearchDashboards","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","osd-version":"1.2.0","sec-gpc":"1","origin":"https://demo-430-rc7-wazuh.com","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.0.0.107","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36","referer":"https://demo-430-rc7-wazuh.com/app/dev_tools"},"res":{"statusCode":200,"responseTime":28,"contentLength":9},"message":"POST /api/console/proxy?path=_template&method=GET 200 28ms - 9.0B"}
  • /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log
{"date":"2022-05-03T16:48:31.065Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2022-05-03T16:48:31.065Z","level":"info","location":"initialize","message":"App revision: 4301-1"}
{"date":"2022-05-03T16:48:31.066Z","level":"info","location":"initialize","message":"Total RAM: 7897MB"}
{"date":"2022-05-03T16:48:32.479Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED 10.0.0.226:55000"}
{"date":"2022-05-03T16:48:54.789Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2022-05-03T16:48:54.790Z","level":"info","location":"initialize","message":"App revision: 4301-1"}
{"date":"2022-05-03T16:48:54.790Z","level":"info","location":"initialize","message":"Total RAM: 7897MB"}
{"date":"2022-05-03T16:48:55.348Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED 10.0.0.226:55000"}
{"date":"2022-05-03T17:03:24.459Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2022-05-03T17:03:24.459Z","level":"info","location":"initialize","message":"App revision: 4301-1"}
{"date":"2022-05-03T17:03:24.459Z","level":"info","location":"initialize","message":"Total RAM: 7897MB"}
{"date":"2022-05-03T17:05:23.921Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2022-05-03T17:05:23.921Z","level":"info","location":"initialize","message":"App revision: 4301-1"}
{"date":"2022-05-03T17:05:23.922Z","level":"info","location":"initialize","message":"Total RAM: 7897MB"}
{"date":"2022-05-03T17:10:01.102Z","level":"error","location":"cron-scheduler|SaveDocument","message":"resource_already_exists_exception"}
{"date":"2022-05-04T08:01:07.238Z","level":"error","location":"wazuh-api:makeRequest","data":{"title":"Bad Request","detail":"Error in wazuhdb request: Cannot execute SQL query","remediation":"Make sure the request is correct","dapi_errors":{"master":{"error":"Error in wazuhdb request: Cannot execute SQL query"}},"error":2003}}
{"date":"2022-05-04T08:01:12.512Z","level":"error","location":"wazuh-api:makeRequest","data":{"title":"Bad Request","detail":"Error in wazuhdb request: Cannot execute SQL query","remediation":"Make sure the request is correct","dapi_errors":{"master":{"error":"Error in wazuhdb request: Cannot execute SQL query"}},"error":2003}}
{"date":"2022-05-04T08:01:39.343Z","level":"error","location":"wazuh-api:makeRequest","data":{"title":"Bad Request","detail":"Error in wazuhdb request: Cannot execute SQL query","remediation":"Make sure the request is correct","dapi_errors":{"master":{"error":"Error in wazuhdb request: Cannot execute SQL query"}},"error":2003}}
{"date":"2022-05-04T09:33:49.058Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2022-05-04T09:33:49.058Z","level":"info","location":"initialize","message":"App revision: 4301-1"}
{"date":"2022-05-04T09:33:49.059Z","level":"info","location":"initialize","message":"Total RAM: 7897MB"}
{"date":"2022-05-04T10:05:22.699Z","level":"error","location":"wazuh-api:makeRequest","data":{"title":"Wazuh Internal Error","detail":"Timeout executing API request","dapi_errors":{"master":{"error":"Timeout executing API request","logfile":"WAZUH_HOME/logs/api.log"}},"error":3021}}

Status
🔴 Errors were found
🟡 Warnings were found
🟢 No errors or warnings were found
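As an added example (not part of this issue and not Wazuh's own tooling), the following Python script applies the status legend above to the three log shapes collected in this task: log4j lines from wazuh-indexer, opensearch-dashboards JSON records behind a journalctl prefix (journalctl cuts long records off, as several lines above show), and the JSON lines of wazuhapp.log. All sample lines are constructed from the output posted in this task; the free-text rules for systemd-entrypoint output (a `WARNING:` prefix, an `Exception in thread` message) are a heuristic of the example, not a Wazuh convention.

```python
"""Triage component logs into the red/yellow/green legend used in this report.

Added example, not code from the issue or the Wazuh project. Handles the three
log shapes in the report: wazuh-indexer log4j lines, opensearch-dashboards JSON
behind a journalctl prefix (journalctl may truncate the JSON) and wazuhapp.log
JSON. The free-text rules for systemd-entrypoint output are a heuristic here.
"""
import json
import re
from collections import Counter

# wazuh-indexer log4j line: [timestamp][LEVEL][logger] [node] message
LOG4J_RE = re.compile(r"^\[[^\]]+\]\[(?P<level>[A-Z]+)\s*\]")
# journalctl prefix: "may 04 09:33:40 <host> <unit>[<pid>]: <payload>"
JOURNAL_RE = re.compile(
    r"^[A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2} \S+ (?P<unit>[\w.-]+)\[\d+\]: (?P<payload>.*)$"
)
# Every level spelling seen in the report, mapped onto the legend's three buckets.
LEVELS = {"error": "error", "fatal": "error", "warn": "warning", "warning": "warning",
          "info": "info", "debug": "info", "trace": "info"}

def _normalise(name):
    return LEVELS.get(name.strip().lower())

def _json_level(text):
    """Severity of a JSON record; tolerates records truncated by journalctl."""
    try:
        rec = json.loads(text)
    except json.JSONDecodeError:
        m = re.search(r'"level":"(\w+)"', text)
        if m:
            return _normalise(m.group(1))
        m = re.search(r'"tags":\[([^\]]*)\]', text)
        tags = re.findall(r'"([^"]+)"', m.group(1)) if m else []
    else:
        if "level" in rec:
            return _normalise(rec["level"])
        tags = rec.get("tags", [])
    for tag in tags:
        level = _normalise(tag)
        if level:
            return level
    return "info"  # e.g. "response" records tagged only access:console

def level_of(line):
    """Return 'error', 'warning' or 'info' for a log line, or None if it carries no level."""
    line = line.rstrip("\n")
    m = JOURNAL_RE.match(line)
    if m:
        payload = m.group("payload")
        if payload.startswith("{"):
            return _json_level(payload)
        low = payload.lower()
        if low.startswith("warning:"):
            return "warning"
        if "exception in thread" in low:
            return "error"
        return "info"  # systemd's own "Starting ..." / "Started ..." lines
    m = LOG4J_RE.match(line)
    if m:
        return _normalise(m.group("level"))
    if line.startswith("{"):
        return _json_level(line)
    return None  # journalctl "-- Subject:" explanations, shell prompts, blank lines

def triage(lines):
    """Apply the legend: any error -> red, else any warning -> yellow, else green."""
    counts = Counter(level_of(line) for line in lines)
    status = "red" if counts["error"] else "yellow" if counts["warning"] else "green"
    return {"status": status, "errors": counts["error"],
            "warnings": counts["warning"], "info": counts["info"]}

# Constructed samples, shortened from the output posted in this task.
HOST = "ip-10-0-0-107.us-west-1.compute.internal"
INDEXER_LOG = [
    "[2022-05-04T09:31:41,457][INFO ][o.o.n.Node               ] [node-7] JVM arguments [-Xshare:auto, -Xms2560m, -Xmx2560m]",
    "[2022-05-04T09:31:52,361][ERROR][o.o.s.a.s.SinkProvider   ] [node-7] Default endpoint could not be created, auditlog will not work properly.",
]
INDEXER_JOURNAL = [
    "may 04 09:31:36 " + HOST + " systemd[1]: Starting Wazuh-indexer...",
    "may 04 09:31:53 " + HOST + " systemd-entrypoint[24466]: WARNING: An illegal reflective access operation has occurred",
    "may 04 09:31:53 " + HOST + " systemd-entrypoint[24466]: WARNING: All illegal access operations will be denied in a future release",
    "may 04 09:31:58 " + HOST + " systemd[1]: Started Wazuh-indexer.",
]
DASHBOARD_JOURNAL = [
    "may 04 09:33:46 " + HOST + ' opensearch-dashboards[26314]: {"type":"log","@timestamp":"2022-05-04T09:33:46Z","tags":["info","plugins-system"],"pid":26314,"message":"Setting up [45] pl',
    "may 04 09:34:12 " + HOST + ' opensearch-dashboards[26314]: {"type":"response","@timestamp":"2022-05-04T09:34:12Z","tags":["access:console"],"pid":26314,"method":"post","statusCode":200,"message":"POST /api/console/proxy?path=_template&method=GET 200 39ms - 9.0B"}',
]
WAZUHAPP_LOG = [
    '{"date":"2022-05-03T16:48:31.065Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}',
    '{"date":"2022-05-03T16:48:32.479Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED 10.0.0.226:55000"}',
]

if __name__ == "__main__":
    for name, lines in [("wazuh-indexer log", INDEXER_LOG), ("wazuh-indexer journal", INDEXER_JOURNAL),
                        ("wazuh-dashboard journal", DASHBOARD_JOURNAL), ("wazuhapp.log", WAZUHAPP_LOG)]:
        print(name, triage(lines))
```

Feeding the script a real file (`triage(open("/var/log/wazuh-indexer/wazuh-indexer.log"))`) gives the colour for that component plus the counts behind it, which is what the per-component headings in this task record by hand; journalctl commentary lines and shell prompts are ignored rather than miscounted.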

@juliamagan

juliamagan commented May 4, 2022

Task 2: The daemons are running with the correct user

Agents

Amazon Linux 🟢
root     17711  0.0  0.2  37708  2904 ?        Sl   08:02   0:00 /var/ossec/bin/wazuh-execd
wazuh    17723  0.0  0.5 263692  5312 ?        Sl   08:02   0:01 /var/ossec/bin/wazuh-agentd
root     17738  0.1  0.8 203680  8276 ?        SNl  08:02   0:09 /var/ossec/bin/wazuh-syscheckd
root     17752  0.0  0.4 480228  4752 ?        Sl   08:02   0:00 /var/ossec/bin/wazuh-logcollector
root     17774  0.0  1.5 740780 15256 ?        Sl   08:02   0:01 /var/ossec/bin/wazuh-modulesd
RHEL 🟢
root     17096  0.0  0.0  35528  1632 ?        Sl   08:01   0:00 /var/ossec/bin/wazuh-execd
wazuh    17108  0.0  0.0 261252  3092 ?        Sl   08:01   0:04 /var/ossec/bin/wazuh-agentd
root     17123  0.3  0.1 480540  7108 ?        SNl  08:01   0:24 /var/ossec/bin/wazuh-syscheckd
root     17136  0.0  0.0 477936  2628 ?        Sl   08:01   0:02 /var/ossec/bin/wazuh-logcollector
root     17160  0.0  0.9 1033464 35152 ?       Sl   08:01   0:04 /var/ossec/bin/wazuh-modulesd
Ubuntu 🟢
root      6625  0.0  0.3  42736  3216 ?        Sl   07:52   0:00 /var/ossec/bin/wazuh-execd
wazuh     6636  0.0  0.5 268672  5560 ?        Sl   07:52   0:02 /var/ossec/bin/wazuh-agentd
root      6651  0.1  0.8 273712  8224 ?        SNl  07:52   0:08 /var/ossec/bin/wazuh-syscheckd
root      6664  0.0  0.4 485128  4632 ?        Sl   07:52   0:00 /var/ossec/bin/wazuh-logcollector
root      6681  0.0  1.4 748320 14116 ?        Sl   07:52   0:01 /var/ossec/bin/wazuh-modulesd
Centos 🟢
root     18414  0.0  0.1  35436  1472 ?        Sl   08:05   0:00 /var/ossec/bin/wazuh-execd
wazuh    18426  0.0  0.3 326796  3156 ?        Sl   08:05   0:01 /var/ossec/bin/wazuh-agentd
root     18441  0.1  0.5 266688  5280 ?        SNl  08:05   0:09 /var/ossec/bin/wazuh-syscheckd
root     18456  0.0  0.2 477812  2320 ?        Sl   08:05   0:01 /var/ossec/bin/wazuh-logcollector
root     18476  0.0  2.6 738416 26016 ?        Sl   08:05   0:02 /var/ossec/bin/wazuh-modulesd
Debian 🟢
root      9615  0.0  0.2  41412  2664 ?        Sl   08:08   0:00 /var/ossec/bin/wazuh-execd
wazuh     9626  0.0  0.5 267436  5316 ?        Sl   08:08   0:02 /var/ossec/bin/wazuh-agentd
root      9640  0.0  0.7 272220  7404 ?        SNl  08:08   0:06 /var/ossec/bin/wazuh-syscheckd
root      9657  0.0  0.4 484060  4248 ?        Sl   08:08   0:00 /var/ossec/bin/wazuh-logcollector
root      9696  0.0  1.2 744888 12772 ?        Sl   08:08   0:01 /var/ossec/bin/wazuh-modules
Windows 🟢
wazuh-agent.exe                788 WazuhSvc

Managers

Master env 1 🟢
wazuh     1244  0.4  2.6 829808 105060 ?       Sl   08:44   0:23 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     1270  0.5  0.0  38440  3936 ?        Sl   08:44   0:27 /var/ossec/bin/wazuh-integratord
root      1289  0.2  0.1 259704  4872 ?        Sl   08:44   0:11 /var/ossec/bin/wazuh-authd
wazuh     1306  0.3  0.6 775168 26172 ?        Sl   08:44   0:15 /var/ossec/bin/wazuh-db
wazuh     1318  0.2  1.9 333360 77764 ?        S    08:44   0:13 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     1321  0.3  1.5 465596 61956 ?        S    08:44   0:18 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      1336  0.0  0.0  38480  3052 ?        Sl   08:44   0:00 /var/ossec/bin/wazuh-execd
wazuh     1362  9.5  2.4 1292644 98124 ?       Sl   08:44   7:50 /var/ossec/bin/wazuh-analysisd
root      1374  0.2  0.1 269792  7868 ?        SNl  08:44   0:12 /var/ossec/bin/wazuh-syscheckd
wazuh     1394  0.4  0.1 1186632 6336 ?        Sl   08:44   0:23 /var/ossec/bin/wazuh-remoted
root      1427  0.0  0.1 480880  4488 ?        Sl   08:44   0:00 /var/ossec/bin/wazuh-logcollector
wazuh     1451  0.0  0.0  38452  2948 ?        Sl   08:44   0:00 /var/ossec/bin/wazuh-monitord
root      1500  8.0  5.2 1335788 209048 ?      Sl   08:44   6:35 /var/ossec/bin/wazuh-modulesd
wazuh     1607  0.1  1.4 444416 56688 ?        Sl   08:44   0:06 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh     1609  0.0  1.0 279744 41776 ?        S    08:44   0:03 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh     1612  0.0  1.0 361672 42296 ?        S    08:44   0:03 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
Worker env 1 🟢
wazuh    26349  0.2  2.3 740916 94904 ?        Sl   08:50   0:11 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    26372  0.0  0.0  38432  3336 ?        Sl   08:50   0:00 /var/ossec/bin/wazuh-integratord
wazuh    26392  0.0  0.3 775160 11988 ?        Sl   08:50   0:03 /var/ossec/bin/wazuh-db
root     26416  0.0  0.0  38480  3128 ?        Sl   08:50   0:00 /var/ossec/bin/wazuh-execd
wazuh    26418  0.0  1.4 309352 57120 ?        S    08:50   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    26421  0.0  1.4 464008 59656 ?        S    08:50   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    26437  0.0  0.7 1292508 30728 ?       Sl   08:50   0:01 /var/ossec/bin/wazuh-analysisd
root     26448  0.2  0.2 204128  8488 ?        SNl  08:50   0:11 /var/ossec/bin/wazuh-syscheckd
wazuh    26470  0.1  0.1 522992  4596 ?        Sl   08:50   0:06 /var/ossec/bin/wazuh-remoted
root     26502  0.0  0.1 480872  4980 ?        Sl   08:50   0:00 /var/ossec/bin/wazuh-logcollector
wazuh    26527  0.0  0.0  38456  3188 ?        Sl   08:50   0:00 /var/ossec/bin/wazuh-monitord
root     26573  3.3  4.4 1074932 176756 ?      Sl   08:50   2:28 /var/ossec/bin/wazuh-modulesd
wazuh    26705  0.1  1.4 590524 59140 ?        Sl   08:50   0:04 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    26915  0.0  1.1 287436 45492 ?        S    08:50   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    27728  0.0  1.2 443060 51460 ?        S    08:55   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

Master env 2 🟢
wazuh    30239  0.3  2.4 820584 99696 ?        Sl   08:56   0:15 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    30265  0.5  0.0  38440  3308 ?        Sl   08:56   0:21 /var/ossec/bin/wazuh-integratord
root     30284  0.2  0.1 194172  5724 ?        Sl   08:56   0:08 /var/ossec/bin/wazuh-authd
wazuh    30301  0.0  0.3 709636 11976 ?        Sl   08:56   0:03 /var/ossec/bin/wazuh-db
wazuh    30315  0.0  1.5 317628 61956 ?        S    08:56   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    30318  0.2  1.5 465332 63216 ?        S    08:56   0:09 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     30333  0.0  0.0  38480  3192 ?        Sl   08:56   0:00 /var/ossec/bin/wazuh-execd
wazuh    30348  9.5  2.3 1292536 93816 ?       Sl   08:56   6:24 /var/ossec/bin/wazuh-analysisd
root     30360  0.3  0.2 269784  8276 ?        SNl  08:56   0:13 /var/ossec/bin/wazuh-syscheckd
wazuh    30381  0.1  0.1 1178432 6592 ?        Sl   08:56   0:06 /var/ossec/bin/wazuh-remoted
root     30413  0.0  0.1 480880  4996 ?        Sl   08:56   0:00 /var/ossec/bin/wazuh-logcollector
wazuh    30432  0.0  0.0  38452  3156 ?        Sl   08:56   0:00 /var/ossec/bin/wazuh-monitord
root     30480  5.1  5.3 1335788 212088 ?      Sl   08:56   3:26 /var/ossec/bin/wazuh-modulesd
wazuh    30588  0.0  1.1 427684 45568 ?        Sl   08:56   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    30596  0.0  1.0 279736 42864 ?        S    08:56   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    30599  0.0  1.0 361664 42448 ?        S    08:56   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

Wazuh Indexer

Bootstrap 🟢
wazuh-i+ 16738 22.2 56.6 7709944 4581176 ?     Ssl  09:17   9:50 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-5513364696324844172 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Master B 🟢
wazuh-i+ 21286 29.6 56.5 8024464 4572708 ?     Ssl  09:23   9:14 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-4567178945924237329 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Master C 🟢
wazuh-i+ 23515 34.0 56.7 8253716 4588592 ?     Ssl  09:26   9:20 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-15123537735382070843 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Wazuh Dashboard

wazuh-indexer 🟢
wazuh-i+ 24466 28.4 37.6 6410500 3041900 ?     Ssl  09:31   5:37 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-14437330058389193133 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-dashboard 🟢
wazuh-d+ 26314  1.5  2.0 1004420 162976 ?      Ssl  09:33   0:16 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

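The "daemons are running with the correct user" check above is done by eye on the `ps` listing. The following is an added example, not part of this issue or of the Wazuh project's code, that performs the same comparison on `ps aux`-style lines: the expected owner per daemon binary is an assumption (the service accounts created by the Wazuh 4.3 packages), and the sample listing is constructed, with one line deliberately running as root so the check has something to flag. It also handles the detail visible in the issue's output: `ps` abbreviates user names longer than 8 characters to their first 7 characters plus `+`, which is why `wazuh-indexer` shows as `wazuh-i+` and `wazuh-dashboard` as `wazuh-d+`.

```python
"""Verify that Wazuh daemons run as their intended service accounts (T2).

Added example; it is not part of this issue or of the Wazuh project's code.
It parses `ps aux`-style rows and compares the owning user of each known
daemon binary with the account it should run as, accepting the 7-chars-plus-'+'
abbreviation that `ps` prints for user names longer than 8 characters.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: service accounts created by the Wazuh 4.3 indexer, dashboard
# and manager packages. Adjust the map for a different deployment.
EXPECTED_USERS: Dict[str, str] = {
    "/usr/share/wazuh-indexer/jdk/bin/java": "wazuh-indexer",
    "/usr/share/wazuh-dashboard/bin/../node/bin/node": "wazuh-dashboard",
    "/var/ossec/bin/wazuh-analysisd": "wazuh",
}

# Constructed sample in `ps aux` layout. The analysisd row deliberately runs
# as root so the check reports a mismatch.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
wazuh-i+ 24466 28.4 37.6 6410500 3041900 ?     Ssl  09:31   5:37 /usr/share/wazuh-indexer/jdk/bin/java -Xms2560m -Xmx2560m org.opensearch.bootstrap.OpenSearch
wazuh-d+ 26314  1.5  2.0 1004420 162976 ?      Ssl  09:33   0:16 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings /usr/share/wazuh-dashboard/bin/../src/cli/dist
root      3101  0.1  0.5  220000  45000 ?      Sl   09:30   0:02 /var/ossec/bin/wazuh-analysisd
root         1  0.0  0.1  170000  11000 ?      Ss   09:00   0:01 /usr/lib/systemd/systemd
"""


@dataclass
class Finding:
    pid: int
    binary: str
    actual_user: str
    expected_user: str
    ok: bool


def parse_ps_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Split one `ps aux` row into (user, pid, command); None for header/malformed rows."""
    fields = line.split(None, 10)  # 11 columns; COMMAND keeps its internal spaces
    if len(fields) < 11 or not fields[1].isdigit():
        return None
    return fields[0], int(fields[1]), fields[10]


def user_matches(shown: str, expected: str) -> bool:
    """Exact match, or the ps abbreviation (first 7 chars + '+') of `expected`."""
    if shown == expected:
        return True
    if len(shown) == 8 and shown.endswith("+"):
        return len(expected) > 8 and expected.startswith(shown[:-1])
    return False


def check_daemon_users(ps_output: str) -> List[Finding]:
    """Return one Finding per known daemon present in the listing."""
    findings: List[Finding] = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        user, pid, cmd = parsed
        binary = cmd.split()[0]
        expected = EXPECTED_USERS.get(binary)
        if expected is None:
            continue  # not a daemon this check cares about
        findings.append(Finding(pid, binary, user, expected, user_matches(user, expected)))
    return findings


def mismatches(ps_output: str) -> List[Finding]:
    """Only the daemons running as the wrong account."""
    return [f for f in check_daemon_users(ps_output) if not f.ok]


if __name__ == "__main__":
    for f in check_daemon_users(SAMPLE_PS):
        status = "OK  " if f.ok else "FAIL"
        print(status, f.pid, f.binary, "runs as", f.actual_user, "expected", f.expected_user)
```

On a real host, feed `check_daemon_users` the output of `ps aux` and treat a non-empty `mismatches()` as a failed T2; the abbreviation handling matters because a naive string comparison against `wazuh-indexer` would fail on every correctly configured node.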
@juliamagan
Member Author

Task 3: The status of the Wazuh Indexer clusters is as expected. 🟢

[root@ip-10-0-2-85 wazuh-user]# curl -k -u USER:PASS https://10.0.2.85:9200/_cat/nodes?v
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.2.85            27          82   8    0.00    0.00     0.02 dimr      -      node-2
10.0.0.107           40          85   7    0.02    0.02     0.07 dimr      -      node-7
10.0.2.209            9          83   9    0.00    0.02     0.07 dimr      -      node-1
10.0.2.125           31          88   7    0.00    0.00     0.03 dimr      *      node-3

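"Status as expected" for the `_cat/nodes` output above means, in practice: all nodes joined, exactly one elected master, every node carrying the intended roles, and heap within bounds. The following added example (not part of this issue or of the Wazuh project's code) parses that table and applies those checks. The healthy sample reuses the shape of the output shown above; the degraded sample is constructed. The required role set `dim` and the 75% heap threshold are assumptions to adjust per deployment.

```python
"""Assess a wazuh-indexer cluster from `GET /_cat/nodes?v` output (T3).

Added example; not part of this issue or of the Wazuh project's code. It
parses the whitespace table the API prints and checks node count, master
election, node roles and heap usage. node.role letters as printed by
_cat/nodes: d=data, i=ingest, m=master-eligible, r=remote_cluster_client.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Node:
    ip: str
    heap_percent: int
    ram_percent: int
    roles: str
    is_master: bool
    name: str


# Same layout as the output shown in the issue.
HEALTHY = """\
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.2.85            27          82   8    0.00    0.00     0.02 dimr      -      node-2
10.0.0.107           40          85   7    0.02    0.02     0.07 dimr      -      node-7
10.0.2.209            9          83   9    0.00    0.02     0.07 dimr      -      node-1
10.0.2.125           31          88   7    0.00    0.00     0.03 dimr      *      node-3
"""

# Constructed degraded cluster: one node missing, one node without the data
# role, one node with high heap usage.
DEGRADED = """\
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.2.85            91          82   8    0.00    0.00     0.02 dimr      -      node-2
10.0.2.209            9          83   9    0.00    0.02     0.07 imr       -      node-1
10.0.2.125           31          88   7    0.00    0.00     0.03 dimr      *      node-3
"""


def parse_cat_nodes(text: str) -> List[Node]:
    """Parse the table; columns are located by header name, not by position."""
    rows = [r.split() for r in text.splitlines() if r.strip()]
    idx = {col: i for i, col in enumerate(rows[0])}
    nodes: List[Node] = []
    for f in rows[1:]:
        nodes.append(Node(
            ip=f[idx["ip"]],
            heap_percent=int(f[idx["heap.percent"]]),
            ram_percent=int(f[idx["ram.percent"]]),
            roles=f[idx["node.role"]],
            is_master=f[idx["master"]] == "*",
            name=f[idx["name"]],
        ))
    return nodes


def assess_cluster(nodes: List[Node], expected_count: int,
                   required_roles: str = "dim", heap_warn: int = 75) -> List[str]:
    """Return the list of problems found; an empty list means 'as expected'."""
    problems: List[str] = []
    if len(nodes) != expected_count:
        problems.append(f"expected {expected_count} nodes, {len(nodes)} joined")
    masters = [n.name for n in nodes if n.is_master]
    if len(masters) != 1:
        problems.append(f"expected exactly one elected master, got {masters}")
    for n in nodes:
        missing = set(required_roles) - set(n.roles)
        if missing:
            problems.append(f"{n.name} lacks role(s) {''.join(sorted(missing))}")
        if n.heap_percent >= heap_warn:
            problems.append(f"{n.name} heap at {n.heap_percent}% (>= {heap_warn}%)")
    return problems


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        problems = assess_cluster(parse_cat_nodes(sample), expected_count=4)
        print(label, "->", problems or "as expected")
```

Locating columns by header name rather than index keeps the parser working when `_cat/nodes` is called with a different `h=` column selection; the master check catches both a cluster still in election (no `*`) and a split view where two nodes each claim the role.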
@juliamagan juliamagan added this to the Release 4.3.0 RC 7 milestone May 4, 2022
@jmv74211 jmv74211 moved this to In progress in Release 4.3.0 May 4, 2022
@juliamagan
Member Author

juliamagan commented May 4, 2022

Task 4: No errors in the browser's developer console when browsing the App

No errors other than the ones found here have been found. However, there are errors that we couldn't reproduce:

@juliamagan
Member Author

Tasks 5 and 6 couldn't be tested because the environment changed. However, they have been tested in demo.wazuh.info and the results were the same as in #2819, except:

  • GitHub, Google Cloud, OpenSCAP and CIS-CAT events are not being generated in environment 1.

@alberpilot
Contributor

From the CICD team, errors analyzed belong to the deployment, not the product.

@jmv74211 jmv74211 closed this as completed May 5, 2022
Repository owner moved this from In progress to Done in Release 4.3.0 May 5, 2022