
Release 4.4.0 - RC 2 - E2E UX tests - Demo environment #16418

Closed
9 tasks done
juliamagan opened this issue Mar 17, 2023 · 8 comments
juliamagan commented Mar 17, 2023

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

Test name: Demo environment
Category: Wazuh App
Deployment option: Demo environment
Previous testing issue: #16152
Main release issue: #16390
Main E2E UX test issue: #16420
Release candidate: RC 2

Test description

  • (T1) No errors or warnings found in logs
  • (T2) The daemons are running with the correct user
  • (T3) The status of the Wazuh Indexer clusters is as expected
  • (T4) No errors in the browser's developer console when browsing the App
  • (T5) Alerts are being generated for each of the modules configured for this purpose
  • (T6) No warning symbols in Discover when expanding a document
  • (T7) Alert generated

Test report procedure

All test results must have one of the following statuses:

🟢 All checks passed.
🔴 There is at least one failed result.
🟡 There is at least one expected failure or skipped test and no failures.

Conclusions

Detected issues and previously reported:

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🟡 | No errors or warnings found in logs | | |
| 🟢 | The daemons are running with the correct user | | |
| 🟢 | The status of the Wazuh Indexer clusters is as expected | | |
| 🟡 | No errors in the browser's developer console when browsing the App | | |
| 🟡 | Alerts are being generated for each of the modules configured for this purpose App | | |
| 🟢 | No warning symbols in Discover when expanding a document | | |
| 🟢 | Generate an alert and check it in the web UI | | |

Auditors' validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

@juliamagan juliamagan added team/qa subteam/qa-main release test/4.4.0 Issues related to testing for v4.4.0 labels Mar 17, 2023
@juliamagan juliamagan self-assigned this Mar 17, 2023
@juliamagan juliamagan moved this from Triage to Todo in Release 4.4.0 Mar 17, 2023

juliamagan commented Mar 17, 2023

Task 1: No errors or warnings found in logs

Agents

Amazon Linux 🟢
  • journalctl -xe -u wazuh-agent.service:
mar 17 14:56:12 X.X.X.X env[20000]: Wazuh v4.4.0 Stopped
mar 17 14:56:12 X.X.X.X systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished shutting down.
mar 17 14:56:12 X.X.X.X systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun starting up.
mar 17 14:56:12 X.X.X.X env[20065]: Starting Wazuh v4.4.0...
mar 17 14:56:13 X.X.X.X env[20065]: Started wazuh-execd...
mar 17 14:56:14 X.X.X.X env[20065]: Started wazuh-agentd...
mar 17 14:56:15 X.X.X.X env[20065]: Started wazuh-syscheckd...
mar 17 14:56:16 X.X.X.X env[20065]: Started wazuh-logcollector...
mar 17 14:56:17 X.X.X.X env[20065]: Started wazuh-modulesd...
mar 17 14:56:19 X.X.X.X env[20065]: Completed.
mar 17 14:56:19 X.X.X.X systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:

  • systemctl status wazuh-agent -l:
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2023-03-17 14:56:19 UTC; 43s ago
  Process: 20000 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 20065 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─20094 /var/ossec/bin/wazuh-execd
           ├─20106 /var/ossec/bin/wazuh-agentd
           ├─20121 /var/ossec/bin/wazuh-syscheckd
           ├─20135 /var/ossec/bin/wazuh-logcollector
           └─20157 /var/ossec/bin/wazuh-modulesd

mar 17 14:56:12 X.X.X.X systemd[1]: Starting Wazuh agent...
mar 17 14:56:12 X.X.X.X env[20065]: Starting Wazuh v4.4.0...
mar 17 14:56:13 X.X.X.X env[20065]: Started wazuh-execd...
mar 17 14:56:14 X.X.X.X env[20065]: Started wazuh-agentd...
mar 17 14:56:15 X.X.X.X env[20065]: Started wazuh-syscheckd...
mar 17 14:56:16 X.X.X.X env[20065]: Started wazuh-logcollector...
mar 17 14:56:17 X.X.X.X env[20065]: Started wazuh-modulesd...
mar 17 14:56:19 X.X.X.X env[20065]: Completed.
mar 17 14:56:19 X.X.X.X systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
RHEL 🟢
  • journalctl -xe -u wazuh-agent.service:
mar 17 14:58:49 X.X.X.X env[31609]: Wazuh v4.4.0 Stopped
mar 17 14:58:49 X.X.X.X systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished shutting down.
mar 17 14:58:49 X.X.X.X systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun starting up.
mar 17 14:58:49 X.X.X.X env[31696]: Starting Wazuh v4.4.0...
mar 17 14:58:50 X.X.X.X env[31696]: Started wazuh-execd...
mar 17 14:58:51 X.X.X.X env[31696]: Started wazuh-agentd...
mar 17 14:58:51 X.X.X.X env[31696]: Started wazuh-syscheckd...
mar 17 14:58:53 X.X.X.X env[31696]: Started wazuh-logcollector...
mar 17 14:58:53 X.X.X.X osqueryd[31800]: osqueryd started [version=4.4.0]
mar 17 14:58:54 X.X.X.X env[31696]: Started wazuh-modulesd...
mar 17 14:58:56 X.X.X.X env[31696]: Completed.
mar 17 14:58:56 X.X.X.X systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
  • systemctl status wazuh-agent -l:
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2023-03-17 14:58:56 UTC; 45s ago
  Process: 31609 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 31696 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 53
   Memory: 171.1M
   CGroup: /system.slice/wazuh-agent.service
           ├─31723 /var/ossec/bin/wazuh-execd
           ├─31735 /var/ossec/bin/wazuh-agentd
           ├─31750 /var/ossec/bin/wazuh-syscheckd
           ├─31759 /var/ossec/bin/wazuh-logcollector
           ├─31778 /var/ossec/bin/wazuh-modulesd
           ├─31793 python3 wodles/docker/DockerListener
           ├─31800 /usr/bin/osqueryd --config_path=/etc/osquery/osquery.conf
           └─31810 /usr/bin/osqueryd

mar 17 14:58:49 X.X.X.X systemd[1]: Starting Wazuh agent...
mar 17 14:58:49 X.X.X.X env[31696]: Starting Wazuh v4.4.0...
mar 17 14:58:50 X.X.X.X env[31696]: Started wazuh-execd...
mar 17 14:58:51 X.X.X.X env[31696]: Started wazuh-agentd...
mar 17 14:58:51 X.X.X.X env[31696]: Started wazuh-syscheckd...
mar 17 14:58:53 X.X.X.X env[31696]: Started wazuh-logcollector...
mar 17 14:58:53 X.X.X.X osqueryd[31800]: osqueryd started [version=4.4.0]
mar 17 14:58:54 X.X.X.X env[31696]: Started wazuh-modulesd...
mar 17 14:58:56 X.X.X.X env[31696]: Completed.
mar 17 14:58:56 X.X.X.X systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Ubuntu 🟢
  • journalctl -xe -u wazuh-agent.service:
Mar 17 15:02:15 X.X.X.X env[6949]: Wazuh v4.4.0 Stopped
Mar 17 15:02:15 X.X.X.X systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has finished shutting down.
Mar 17 15:02:15 X.X.X.X systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has begun starting up.
Mar 17 15:02:15 X.X.X.X env[7003]: Starting Wazuh v4.4.0...
Mar 17 15:02:16 X.X.X.X env[7003]: Started wazuh-execd...
Mar 17 15:02:17 X.X.X.X env[7003]: Started wazuh-agentd...
Mar 17 15:02:18 X.X.X.X env[7003]: Started wazuh-syscheckd...
Mar 17 15:02:19 X.X.X.X env[7003]: Started wazuh-logcollector...
Mar 17 15:02:20 X.X.X.X env[7003]: Started wazuh-modulesd...
Mar 17 15:02:22 X.X.X.X env[7003]: Completed.
Mar 17 15:02:22 X.X.X.X systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is RESULT.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
  • systemctl status wazuh-agent -l:
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2023-03-17 15:02:22 UTC; 30s ago
  Process: 6949 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 7003 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 31 (limit: 1125)
   CGroup: /system.slice/wazuh-agent.service
           ├─7052 /var/ossec/bin/wazuh-execd
           ├─7063 /var/ossec/bin/wazuh-agentd
           ├─7077 /var/ossec/bin/wazuh-syscheckd
           ├─7091 /var/ossec/bin/wazuh-logcollector
           └─7107 /var/ossec/bin/wazuh-modulesd

Mar 17 15:02:15 X.X.X.X systemd[1]: Starting Wazuh agent...
Mar 17 15:02:15 X.X.X.X env[7003]: Starting Wazuh v4.4.0...
Mar 17 15:02:16 X.X.X.X env[7003]: Started wazuh-execd...
Mar 17 15:02:17 X.X.X.X env[7003]: Started wazuh-agentd...
Mar 17 15:02:18 X.X.X.X env[7003]: Started wazuh-syscheckd...
Mar 17 15:02:19 X.X.X.X env[7003]: Started wazuh-logcollector...
Mar 17 15:02:20 X.X.X.X env[7003]: Started wazuh-modulesd...
Mar 17 15:02:22 X.X.X.X env[7003]: Completed.
Mar 17 15:02:22 X.X.X.X systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Centos 🟢
  • journalctl -xe -u wazuh-agent.service:
mar 17 15:06:27 X.X.X.X env[19606]: Wazuh v4.4.0 Stopped
mar 17 15:06:27 X.X.X.X systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished shutting down.
mar 17 15:06:27 X.X.X.X systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun starting up.
mar 17 15:06:28 X.X.X.X env[19671]: Starting Wazuh v4.4.0...
mar 17 15:06:29 X.X.X.X env[19671]: Started wazuh-execd...
mar 17 15:06:30 X.X.X.X env[19671]: Started wazuh-agentd...
mar 17 15:06:31 X.X.X.X env[19671]: Started wazuh-syscheckd...
mar 17 15:06:32 X.X.X.X env[19671]: Started wazuh-logcollector...
mar 17 15:06:33 X.X.X.X env[19671]: Started wazuh-modulesd...
mar 17 15:06:35 X.X.X.X env[19671]: Completed.
mar 17 15:06:35 X.X.X.X systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
  • systemctl status wazuh-agent -l:
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2023-03-17 15:06:35 UTC; 44s ago
  Process: 19606 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 19671 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─19698 /var/ossec/bin/wazuh-execd
           ├─19710 /var/ossec/bin/wazuh-agentd
           ├─19725 /var/ossec/bin/wazuh-syscheckd
           ├─19739 /var/ossec/bin/wazuh-logcollector
           └─19760 /var/ossec/bin/wazuh-modulesd

mar 17 15:06:27 X.X.X.X systemd[1]: Stopped Wazuh agent.
mar 17 15:06:27 X.X.X.X systemd[1]: Starting Wazuh agent...
mar 17 15:06:28 X.X.X.X env[19671]: Starting Wazuh v4.4.0...
mar 17 15:06:29 X.X.X.X env[19671]: Started wazuh-execd...
mar 17 15:06:30 X.X.X.X env[19671]: Started wazuh-agentd...
mar 17 15:06:31 X.X.X.X env[19671]: Started wazuh-syscheckd...
mar 17 15:06:32 X.X.X.X env[19671]: Started wazuh-logcollector...
mar 17 15:06:33 X.X.X.X env[19671]: Started wazuh-modulesd...
mar 17 15:06:35 X.X.X.X env[19671]: Completed.
mar 17 15:06:35 X.X.X.X systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Debian 🟢
  • journalctl -xe -u wazuh-agent.service:
Mar 17 15:08:59 X.X.X.X env[12605]: Wazuh v4.4.0 Stopped
Mar 17 15:08:59 X.X.X.X systemd[1]: wazuh-agent.service: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit wazuh-agent.service has successfully entered the 'dead' state.
Mar 17 15:08:59 X.X.X.X systemd[1]: Stopped Wazuh agent.
░░ Subject: A stop job for unit wazuh-agent.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit wazuh-agent.service has finished.
░░
░░ The job identifier is 4050 and the job result is done.
Mar 17 15:08:59 X.X.X.X systemd[1]: wazuh-agent.service: Consumed 1min 17.577s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit wazuh-agent.service completed and consumed the indicated resources.
Mar 17 15:08:59 X.X.X.X systemd[1]: Starting Wazuh agent...
░░ Subject: A start job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit wazuh-agent.service has begun execution.
░░
░░ The job identifier is 4050.
Mar 17 15:08:59 X.X.X.X env[12659]: Starting Wazuh v4.4.0...
Mar 17 15:09:00 X.X.X.X env[12659]: Started wazuh-execd...
Mar 17 15:09:01 X.X.X.X env[12659]: Started wazuh-agentd...
Mar 17 15:09:02 X.X.X.X env[12659]: Started wazuh-syscheckd...
Mar 17 15:09:03 X.X.X.X env[12659]: Started wazuh-logcollector...
Mar 17 15:09:04 X.X.X.X env[12659]: Started wazuh-modulesd...
Mar 17 15:09:06 X.X.X.X env[12659]: Completed.
Mar 17 15:09:06 X.X.X.X systemd[1]: Started Wazuh agent.
░░ Subject: A start job for unit wazuh-agent.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit wazuh-agent.service has finished successfully.
░░
░░ The job identifier is 4050.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
  • systemctl status wazuh-agent -l:
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2023-03-17 15:09:06 UTC; 36s ago
    Process: 12659 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 31 (limit: 1123)
     Memory: 18.6M
        CPU: 8.370s
     CGroup: /system.slice/wazuh-agent.service
             ├─12681 /var/ossec/bin/wazuh-execd
             ├─12692 /var/ossec/bin/wazuh-agentd
             ├─12706 /var/ossec/bin/wazuh-syscheckd
             ├─12722 /var/ossec/bin/wazuh-logcollector
             └─12739 /var/ossec/bin/wazuh-modulesd

Mar 17 15:08:59 X.X.X.X systemd[1]: Starting Wazuh agent...
Mar 17 15:08:59 X.X.X.X env[12659]: Starting Wazuh v4.4.0...
Mar 17 15:09:00 X.X.X.X env[12659]: Started wazuh-execd...
Mar 17 15:09:01 X.X.X.X env[12659]: Started wazuh-agentd...
Mar 17 15:09:02 X.X.X.X env[12659]: Started wazuh-syscheckd...
Mar 17 15:09:03 X.X.X.X env[12659]: Started wazuh-logcollector...
Mar 17 15:09:04 X.X.X.X env[12659]: Started wazuh-modulesd...
Mar 17 15:09:06 X.X.X.X env[12659]: Completed.
Mar 17 15:09:06 X.X.X.X systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Windows 🟢
  • EventViewer:
Log Name:      System
Source:        Service Control Manager
Date:          3/17/2023 3:18:44 PM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      EC2AMAZ-HRKNKNC
Description:
The Wazuh service entered the stopped state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2023-03-17T15:18:44.191223300Z" />
    <EventRecordID>109342</EventRecordID>
    <Correlation />
    <Execution ProcessID="596" ThreadID="2028" />
    <Channel>System</Channel>
    <Computer>EC2AMAZ-HRKNKNC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Wazuh</Data>
    <Data Name="param2">stopped</Data>
    <Binary>570061007A00750068005300760063002F0031000000</Binary>
  </EventData>
</Event>

Log Name:      System
Source:        Service Control Manager
Date:          3/17/2023 3:18:44 PM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      EC2AMAZ-HRKNKNC
Description:
The Wazuh service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2023-03-17T15:18:44.598104400Z" />
    <EventRecordID>109343</EventRecordID>
    <Correlation />
    <Execution ProcessID="596" ThreadID="2028" />
    <Channel>System</Channel>
    <Computer>EC2AMAZ-HRKNKNC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Wazuh</Data>
    <Data Name="param2">running</Data>
    <Binary>570061007A00750068005300760063002F0034000000</Binary>
  </EventData>
</Event>
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
  • Agent is running:

[screenshot: win-running]

Managers

Master env 1 🟡

Warnings found that date from before this test:

2023/03/17 02:34:36 wazuh-remoted: WARNING: Too big message size from socket [19].
2023/03/17 02:34:36 wazuh-remoted: WARNING: Too big message size from socket [19].
2023/03/17 03:41:16 wazuh-remoted: WARNING: Too big message size from socket [22].
2023/03/17 03:41:16 wazuh-remoted: WARNING: Too big message size from socket [22].

Known error fixed in 4.5.0:

2023/03/17 06:39:13 wazuh-analysisd: ERROR: The new permissions could not be added to the JSON alert.

Some warnings were found in aws-s3, but they should not be a problem:

2023/03/17 13:08:53 wazuh-modulesd:aws-s3: WARNING: Interval overtaken.

  • journalctl -xe -u wazuh-manager.service:
mar 17 15:29:13 wazuh-manager-master-0 env[6640]: Wazuh v4.4.0 Stopped
mar 17 15:29:13 wazuh-manager-master-0 systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished shutting down.
mar 17 15:29:13 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
mar 17 15:29:14 wazuh-manager-master-0 env[6798]: 2023/03/17 15:29:14 wazuh-modulesd: INFO: At module 'azure-logs': No request tag defined. Setting it randomly...
mar 17 15:29:15 wazuh-manager-master-0 env[6798]: Starting Wazuh v4.4.0...
mar 17 15:29:18 wazuh-manager-master-0 env[6798]: Started wazuh-apid...
mar 17 15:29:18 wazuh-manager-master-0 env[6798]: Started wazuh-csyslogd...
mar 17 15:29:18 wazuh-manager-master-0 env[6798]: Started wazuh-dbd...
mar 17 15:29:18 wazuh-manager-master-0 env[6798]: Started wazuh-integratord...
mar 17 15:29:18 wazuh-manager-master-0 env[6798]: Started wazuh-agentlessd...
mar 17 15:29:19 wazuh-manager-master-0 env[6798]: Started wazuh-authd...
mar 17 15:29:20 wazuh-manager-master-0 env[6798]: Started wazuh-db...
mar 17 15:29:21 wazuh-manager-master-0 env[6798]: Started wazuh-execd...
mar 17 15:29:22 wazuh-manager-master-0 env[6798]: Started wazuh-analysisd...
mar 17 15:29:23 wazuh-manager-master-0 env[6798]: Started wazuh-syscheckd...
mar 17 15:29:24 wazuh-manager-master-0 env[6798]: Started wazuh-remoted...
mar 17 15:29:25 wazuh-manager-master-0 env[6798]: Started wazuh-logcollector...
mar 17 15:29:26 wazuh-manager-master-0 env[6798]: Started wazuh-monitord...
mar 17 15:29:26 wazuh-manager-master-0 env[6798]: 2023/03/17 15:29:26 wazuh-modulesd: INFO: At module 'azure-logs': No request tag defined. Setting it randomly...
mar 17 15:29:27 wazuh-manager-master-0 env[6798]: Started wazuh-modulesd...
mar 17 15:29:28 wazuh-manager-master-0 env[6798]: Started wazuh-clusterd...
mar 17 15:29:30 wazuh-manager-master-0 crontab[7245]: (root) LIST (root)
mar 17 15:29:30 wazuh-manager-master-0 env[6798]: Completed.
mar 17 15:29:30 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
2023/03/17 02:34:36 wazuh-remoted: WARNING: Too big message size from socket [19].
2023/03/17 02:34:36 wazuh-remoted: WARNING: Too big message size from socket [19].
2023/03/17 03:41:16 wazuh-remoted: WARNING: Too big message size from socket [22].
2023/03/17 03:41:16 wazuh-remoted: WARNING: Too big message size from socket [22].
2023/03/17 06:39:13 wazuh-analysisd: ERROR: The new permissions could not be added to the JSON alert.
2023/03/17 13:08:53 wazuh-modulesd:aws-s3: WARNING: Interval overtaken.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
  • systemctl status wazuh-manager -l:
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2023-03-17 15:29:30 UTC; 1min 52s ago
  Process: 6640 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 6798 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─6858 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─6884 /var/ossec/bin/wazuh-integratord
           ├─6903 /var/ossec/bin/wazuh-authd
           ├─6920 /var/ossec/bin/wazuh-db
           ├─6933 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─6936 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─6951 /var/ossec/bin/wazuh-execd
           ├─6966 /var/ossec/bin/wazuh-analysisd
           ├─6978 /var/ossec/bin/wazuh-syscheckd
           ├─6999 /var/ossec/bin/wazuh-remoted
           ├─7032 /var/ossec/bin/wazuh-logcollector
           ├─7050 /var/ossec/bin/wazuh-monitord
           ├─7100 /var/ossec/bin/wazuh-modulesd
           ├─7218 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
           ├─7230 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
           ├─7233 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
           ├─7487 /bin/sh wodles/aws/aws-s3 --bucket wazuh-aws-wodle --aws_profile prod --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow
           └─7494 /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws-s3.py --bucket wazuh-aws-wodle --aws_profile prod --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow

mar 17 15:29:23 wazuh-manager-master-0 env[6798]: Started wazuh-syscheckd...
mar 17 15:29:24 wazuh-manager-master-0 env[6798]: Started wazuh-remoted...
mar 17 15:29:25 wazuh-manager-master-0 env[6798]: Started wazuh-logcollector...
mar 17 15:29:26 wazuh-manager-master-0 env[6798]: Started wazuh-monitord...
mar 17 15:29:26 wazuh-manager-master-0 env[6798]: 2023/03/17 15:29:26 wazuh-modulesd: INFO: At module 'azure-logs': No request tag defined. Setting it randomly...
mar 17 15:29:27 wazuh-manager-master-0 env[6798]: Started wazuh-modulesd...
mar 17 15:29:28 wazuh-manager-master-0 env[6798]: Started wazuh-clusterd...
mar 17 15:29:30 wazuh-manager-master-0 crontab[7245]: (root) LIST (root)
mar 17 15:29:30 wazuh-manager-master-0 env[6798]: Completed.
mar 17 15:29:30 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
  • /var/ossec/bin/wazuh-control status:
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
  • filebeat test output:
elasticsearch: https://10.0.2.6:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.6
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.52:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.52
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.181:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.181
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
Worker env 1 🟢
  • journalctl -xe -u wazuh-manager.service:
mar 17 15:34:54 wazuh-manager-worker-0 env[30011]: Wazuh v4.4.0 Stopped
mar 17 15:34:54 wazuh-manager-worker-0 systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished shutting down.
mar 17 15:34:54 wazuh-manager-worker-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
mar 17 15:34:56 wazuh-manager-worker-0 env[30146]: Starting Wazuh v4.4.0...
mar 17 15:34:59 wazuh-manager-worker-0 env[30146]: Started wazuh-apid...
mar 17 15:34:59 wazuh-manager-worker-0 env[30146]: Started wazuh-csyslogd...
mar 17 15:34:59 wazuh-manager-worker-0 env[30146]: Started wazuh-dbd...
mar 17 15:34:59 wazuh-manager-worker-0 env[30146]: Started wazuh-integratord...
mar 17 15:34:59 wazuh-manager-worker-0 env[30146]: Started wazuh-agentlessd...
mar 17 15:35:00 wazuh-manager-worker-0 env[30146]: Started wazuh-db...
mar 17 15:35:01 wazuh-manager-worker-0 env[30146]: Started wazuh-execd...
mar 17 15:35:02 wazuh-manager-worker-0 env[30146]: Started wazuh-analysisd...
mar 17 15:35:03 wazuh-manager-worker-0 env[30146]: Started wazuh-syscheckd...
mar 17 15:35:04 wazuh-manager-worker-0 env[30146]: Started wazuh-remoted...
mar 17 15:35:05 wazuh-manager-worker-0 env[30146]: Started wazuh-logcollector...
mar 17 15:35:06 wazuh-manager-worker-0 env[30146]: Started wazuh-monitord...
mar 17 15:35:08 wazuh-manager-worker-0 crontab[30517]: (root) LIST (root)
mar 17 15:35:08 wazuh-manager-worker-0 env[30146]: Started wazuh-modulesd...
mar 17 15:35:08 wazuh-manager-worker-0 env[30146]: Started wazuh-clusterd...
mar 17 15:35:10 wazuh-manager-worker-0 env[30146]: Completed.
mar 17 15:35:10 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
2023/03/17 15:29:19 ERROR: [Local Server] [Main] Could not connect to master. Trying again in 10 seconds.

This error is expected because we restarted the master node before.

  • systemctl status wazuh-manager -l:
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2023-03-17 15:35:10 UTC; 1min 5s ago
  Process: 30011 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 30146 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─30206 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30232 /var/ossec/bin/wazuh-integratord
           ├─30248 /var/ossec/bin/wazuh-db
           ├─30274 /var/ossec/bin/wazuh-execd
           ├─30289 /var/ossec/bin/wazuh-analysisd
           ├─30290 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30293 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30307 /var/ossec/bin/wazuh-syscheckd
           ├─30327 /var/ossec/bin/wazuh-remoted
           ├─30361 /var/ossec/bin/wazuh-logcollector
           ├─30380 /var/ossec/bin/wazuh-monitord
           ├─30431 /var/ossec/bin/wazuh-modulesd
           ├─30573 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
           └─30744 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py

mar 17 15:35:02 wazuh-manager-worker-0 env[30146]: Started wazuh-analysisd...
mar 17 15:35:03 wazuh-manager-worker-0 env[30146]: Started wazuh-syscheckd...
mar 17 15:35:04 wazuh-manager-worker-0 env[30146]: Started wazuh-remoted...
mar 17 15:35:05 wazuh-manager-worker-0 env[30146]: Started wazuh-logcollector...
mar 17 15:35:06 wazuh-manager-worker-0 env[30146]: Started wazuh-monitord...
mar 17 15:35:08 wazuh-manager-worker-0 crontab[30517]: (root) LIST (root)
mar 17 15:35:08 wazuh-manager-worker-0 env[30146]: Started wazuh-modulesd...
mar 17 15:35:08 wazuh-manager-worker-0 env[30146]: Started wazuh-clusterd...
mar 17 15:35:10 wazuh-manager-worker-0 env[30146]: Completed.
mar 17 15:35:10 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
  • /var/ossec/bin/wazuh-control status:
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd not running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
  • filebeat test output:
elasticsearch: https://10.0.2.6:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.6
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.52:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.52
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.181:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.181
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Master env 2 🟡

Some warnings were found in aws-s3, but they should not be a problem:

2023/03/17 13:08:41 wazuh-modulesd:aws-s3: WARNING: Interval overtaken.

  • journalctl -xe -u wazuh-manager.service:
mar 17 15:49:12 wazuh-manager-master-0 env[3174]: Wazuh v4.4.0 Stopped
mar 17 15:49:12 wazuh-manager-master-0 systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished shutting down.
mar 17 15:49:12 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
mar 17 15:49:14 wazuh-manager-master-0 env[3323]: 2023/03/17 15:49:14 wazuh-modulesd: INFO: At module 'azure-logs': No request tag defined. Setting it randomly...
mar 17 15:49:14 wazuh-manager-master-0 env[3323]: Starting Wazuh v4.4.0...
mar 17 15:49:17 wazuh-manager-master-0 env[3323]: Started wazuh-apid...
mar 17 15:49:17 wazuh-manager-master-0 env[3323]: Started wazuh-csyslogd...
mar 17 15:49:17 wazuh-manager-master-0 env[3323]: Started wazuh-dbd...
mar 17 15:49:17 wazuh-manager-master-0 env[3323]: Started wazuh-integratord...
mar 17 15:49:17 wazuh-manager-master-0 env[3323]: Started wazuh-agentlessd...
mar 17 15:49:18 wazuh-manager-master-0 env[3323]: Started wazuh-authd...
mar 17 15:49:19 wazuh-manager-master-0 env[3323]: Started wazuh-db...
mar 17 15:49:20 wazuh-manager-master-0 env[3323]: Started wazuh-execd...
mar 17 15:49:22 wazuh-manager-master-0 env[3323]: Started wazuh-analysisd...
mar 17 15:49:23 wazuh-manager-master-0 env[3323]: Started wazuh-syscheckd...
mar 17 15:49:24 wazuh-manager-master-0 env[3323]: Started wazuh-remoted...
mar 17 15:49:25 wazuh-manager-master-0 env[3323]: Started wazuh-logcollector...
mar 17 15:49:26 wazuh-manager-master-0 env[3323]: Started wazuh-monitord...
mar 17 15:49:26 wazuh-manager-master-0 env[3323]: 2023/03/17 15:49:26 wazuh-modulesd: INFO: At module 'azure-logs': No request tag defined. Setting it randomly...
mar 17 15:49:27 wazuh-manager-master-0 env[3323]: Started wazuh-modulesd...
mar 17 15:49:28 wazuh-manager-master-0 env[3323]: Started wazuh-clusterd...
mar 17 15:49:30 wazuh-manager-master-0 env[3323]: Completed.
mar 17 15:49:30 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
2023/03/17 13:08:41 wazuh-modulesd:aws-s3: WARNING: Interval overtaken.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
  • systemctl status wazuh-manager -l:
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2023-03-17 15:49:30 UTC; 1min 8s ago
  Process: 3174 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 3323 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─3384 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─3414 /var/ossec/bin/wazuh-integratord
           ├─3429 /var/ossec/bin/wazuh-authd
           ├─3446 /var/ossec/bin/wazuh-db
           ├─3459 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─3462 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─3477 /var/ossec/bin/wazuh-execd
           ├─3492 /var/ossec/bin/wazuh-analysisd
           ├─3504 /var/ossec/bin/wazuh-syscheckd
           ├─3524 /var/ossec/bin/wazuh-remoted
           ├─3557 /var/ossec/bin/wazuh-logcollector
           ├─3577 /var/ossec/bin/wazuh-monitord
           ├─3626 /var/ossec/bin/wazuh-modulesd
           ├─3744 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
           ├─3762 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
           ├─3765 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
           ├─4019 /bin/sh wodles/aws/aws-s3 --bucket wazuh-aws-wodle --aws_profile prod --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow
           └─4026 /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws-s3.py --bucket wazuh-aws-wodle --aws_profile prod --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow

mar 17 15:49:22 wazuh-manager-master-0 env[3323]: Started wazuh-analysisd...
mar 17 15:49:23 wazuh-manager-master-0 env[3323]: Started wazuh-syscheckd...
mar 17 15:49:24 wazuh-manager-master-0 env[3323]: Started wazuh-remoted...
mar 17 15:49:25 wazuh-manager-master-0 env[3323]: Started wazuh-logcollector...
mar 17 15:49:26 wazuh-manager-master-0 env[3323]: Started wazuh-monitord...
mar 17 15:49:26 wazuh-manager-master-0 env[3323]: 2023/03/17 15:49:26 wazuh-modulesd: INFO: At module 'azure-logs': No request tag defined. Setting it randomly...
mar 17 15:49:27 wazuh-manager-master-0 env[3323]: Started wazuh-modulesd...
mar 17 15:49:28 wazuh-manager-master-0 env[3323]: Started wazuh-clusterd...
mar 17 15:49:30 wazuh-manager-master-0 env[3323]: Completed.
mar 17 15:49:30 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
  • /var/ossec/bin/wazuh-control status:
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
  • filebeat test output:
elasticsearch: https://10.0.2.6:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.6
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.52:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.52
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.181:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.181
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Wazuh Indexer

Node-1 🟡

Known error found:

[2023-03-20T09:54:28,829][ERROR][o.o.s.a.s.SinkProvider   ] [node-3] Default endpoint could not be created, auditlog will not work properly.

Known warnings found:

mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: System::setSecurityManager will be removed in a future release

  • journalctl -xe -u wazuh-indexer.service:
mar 20 09:54:12 X.X.X.X systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
mar 20 09:54:12 X.X.X.X systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished shutting down.
mar 20 09:54:12 X.X.X.X systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
mar 20 09:54:15 X.X.X.X systemd-entrypoint[2795]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 09:54:15 X.X.X.X systemd-entrypoint[2795]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/op
mar 20 09:54:15 X.X.X.X systemd-entrypoint[2795]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
mar 20 09:54:15 X.X.X.X systemd-entrypoint[2795]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/open
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 09:54:35 X.X.X.X systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[2023-03-20T09:54:28,829][ERROR][o.o.s.a.s.SinkProvider   ] [node-3] Default endpoint could not be created, auditlog will not work properly.
  • systemctl status wazuh-indexer -l:
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2023-03-20 09:54:35 UTC; 53s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2795 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2795 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-3800559285174684303 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

mar 20 09:54:12 X.X.X.X systemd[1]: Starting Wazuh-indexer...
mar 20 09:54:15 X.X.X.X systemd-entrypoint[2795]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 09:54:15 X.X.X.X systemd-entrypoint[2795]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 09:54:15 X.X.X.X systemd-entrypoint[2795]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
mar 20 09:54:15 X.X.X.X systemd-entrypoint[2795]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 09:54:17 X.X.X.X systemd-entrypoint[2795]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 09:54:35 X.X.X.X systemd[1]: Started Wazuh-indexer.

Node-2 🟡

Known error found:

[2023-03-20T09:58:14,319][ERROR][o.o.s.a.s.SinkProvider   ] [node-2] Default endpoint could not be created, auditlog will not work properly.

Known warnings found:

mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: System::setSecurityManager will be removed in a future release

  • journalctl -xe -u wazuh-indexer.service:
mar 20 09:57:58 X.X.X.X systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
mar 20 09:57:58 X.X.X.X systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished shutting down.
mar 20 09:57:58 X.X.X.X systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
mar 20 09:58:01 X.X.X.X systemd-entrypoint[1805]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 09:58:01 X.X.X.X systemd-entrypoint[1805]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/ope
mar 20 09:58:01 X.X.X.X systemd-entrypoint[1805]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
mar 20 09:58:01 X.X.X.X systemd-entrypoint[1805]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opens
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 09:58:21 X.X.X.X systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[2023-03-20T09:58:14,319][ERROR][o.o.s.a.s.SinkProvider   ] [node-2] Default endpoint could not be created, auditlog will not work properly.
  • systemctl status wazuh-indexer -l:
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2023-03-20 09:58:21 UTC; 41s ago
     Docs: https://documentation.wazuh.com
 Main PID: 1805 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─1805 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-1244110647506288690 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

mar 20 09:57:58 X.X.X.X systemd[1]: Starting Wazuh-indexer...
mar 20 09:58:01 X.X.X.X systemd-entrypoint[1805]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 09:58:01 X.X.X.X systemd-entrypoint[1805]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 09:58:01 X.X.X.X systemd-entrypoint[1805]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
mar 20 09:58:01 X.X.X.X systemd-entrypoint[1805]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 09:58:03 X.X.X.X systemd-entrypoint[1805]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 09:58:21 X.X.X.X systemd[1]: Started Wazuh-indexer.

Node-3 🟡

Some known errors from before this test were found:

[2023-03-20T05:54:55,018][ERROR][o.o.a.a.AlertIndices     ] [node-1] info deleteOldIndices
[2023-03-20T05:54:55,018][ERROR][o.o.a.a.AlertIndices     ] [node-1] info deleteOldIndices
[2023-03-20T05:54:55,077][ERROR][o.o.s.i.DetectorIndexManagementService] [node-1] info deleteOldIndices
[2023-03-20T05:54:55,077][ERROR][o.o.s.i.DetectorIndexManagementService] [node-1] info deleteOldIndices

Known error found:

[2023-03-20T10:00:48,499][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.

Known warnings found:

mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: System::setSecurityManager will be removed in a future release

  • journalctl -xe -u wazuh-indexer.service:
mar 20 10:00:32 X.X.X.X systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
mar 20 10:00:32 X.X.X.X systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished shutting down.
mar 20 10:00:32 X.X.X.X systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
mar 20 10:00:35 X.X.X.X systemd-entrypoint[2914]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 10:00:35 X.X.X.X systemd-entrypoint[2914]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/open
mar 20 10:00:35 X.X.X.X systemd-entrypoint[2914]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
mar 20 10:00:35 X.X.X.X systemd-entrypoint[2914]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opense
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 10:00:55 X.X.X.X systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[2023-03-20T05:54:55,018][ERROR][o.o.a.a.AlertIndices     ] [node-1] info deleteOldIndices
[2023-03-20T05:54:55,018][ERROR][o.o.a.a.AlertIndices     ] [node-1] info deleteOldIndices
[2023-03-20T05:54:55,077][ERROR][o.o.s.i.DetectorIndexManagementService] [node-1] info deleteOldIndices
[2023-03-20T05:54:55,077][ERROR][o.o.s.i.DetectorIndexManagementService] [node-1] info deleteOldIndices
[2023-03-20T10:00:48,499][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
  • systemctl status wazuh-indexer -l:
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2023-03-20 10:00:55 UTC; 1min 11s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2914 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2914 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-6125364092210826457 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

mar 20 10:00:32 X.X.X.X systemd[1]: Starting Wazuh-indexer...
mar 20 10:00:35 X.X.X.X systemd-entrypoint[2914]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 10:00:35 X.X.X.X systemd-entrypoint[2914]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 10:00:35 X.X.X.X systemd-entrypoint[2914]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
mar 20 10:00:35 X.X.X.X systemd-entrypoint[2914]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 10:00:38 X.X.X.X systemd-entrypoint[2914]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 10:00:55 X.X.X.X systemd[1]: Started Wazuh-indexer.

Wazuh Dashboard

wazuh-indexer 🟡

Known error found:

[2023-03-20T10:06:54,603][ERROR][o.o.s.a.s.SinkProvider   ] [node-7] Default endpoint could not be created, auditlog will not work properly.

Known warnings found:

mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: System::setSecurityManager will be removed in a future release

  • journalctl -xe -u wazuh-indexer.service:
mar 20 10:06:38 X.X.X.X systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
mar 20 10:06:39 X.X.X.X systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished shutting down.
mar 20 10:06:39 X.X.X.X systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
mar 20 10:06:41 X.X.X.X systemd-entrypoint[2518]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 10:06:41 X.X.X.X systemd-entrypoint[2518]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/op
mar 20 10:06:41 X.X.X.X systemd-entrypoint[2518]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
mar 20 10:06:41 X.X.X.X systemd-entrypoint[2518]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/open
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 10:07:01 X.X.X.X systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[2023-03-20T10:06:54,603][ERROR][o.o.s.a.s.SinkProvider   ] [node-7] Default endpoint could not be created, auditlog will not work properly.
  • systemctl status wazuh-indexer -l:
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2023-03-20 10:07:01 UTC; 51s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2518 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2518 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-13387377462608418200 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

mar 20 10:06:39 X.X.X.X systemd[1]: Starting Wazuh-indexer...
mar 20 10:06:41 X.X.X.X systemd-entrypoint[2518]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 10:06:41 X.X.X.X systemd-entrypoint[2518]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 10:06:41 X.X.X.X systemd-entrypoint[2518]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
mar 20 10:06:41 X.X.X.X systemd-entrypoint[2518]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: A terminally deprecated method in java.lang.System has been called
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
mar 20 10:06:43 X.X.X.X systemd-entrypoint[2518]: WARNING: System::setSecurityManager will be removed in a future release
mar 20 10:07:01 X.X.X.X systemd[1]: Started Wazuh-indexer.
wazuh-dashboard 🟢
  • journalctl -xe -u wazuh-dashboard.service:
mar 20 10:09:46 X.X.X.X systemd[1]: Stopping wazuh-dashboard...
-- Subject: Unit wazuh-dashboard.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-dashboard.service has begun shutting down.
mar 20 10:09:46 X.X.X.X opensearch-dashboards[14629]: {"type":"log","@timestamp":"2023-03-20T10:09:46Z","tags":["info","plugins-system"],"pid":14629,"message":"Stopping all plugi
mar 20 10:09:46 X.X.X.X systemd[1]: Stopped wazuh-dashboard.
-- Subject: Unit wazuh-dashboard.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-dashboard.service has finished shutting down.
mar 20 10:09:46 X.X.X.X systemd[1]: Started wazuh-dashboard.
-- Subject: Unit wazuh-dashboard.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-dashboard.service has finished starting up.
-- 
-- The start-up result is done.
mar 20 10:09:52 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:52Z","tags":["info","plugins-service"],"pid":2786,"message":"Plugin \"dataSource
mar 20 10:09:52 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:52Z","tags":["info","plugins-service"],"pid":2786,"message":"Plugin \"dataSource
mar 20 10:09:52 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:52Z","tags":["info","plugins-service"],"pid":2786,"message":"Plugin \"visTypeXy\
mar 20 10:09:52 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:52Z","tags":["warning","config","deprecation"],"pid":2786,"message":"\"opensearc
mar 20 10:09:52 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:52Z","tags":["info","plugins-system"],"pid":2786,"message":"Setting up [45] plug
mar 20 10:09:53 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:53Z","tags":["info","savedobjects-service"],"pid":2786,"message":"Waiting until 
mar 20 10:09:53 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:53Z","tags":["info","savedobjects-service"],"pid":2786,"message":"Starting saved
  • systemctl status wazuh-dashboard -l:
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2023-03-20 10:09:46 UTC; 42s ago
 Main PID: 2786 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─2786 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

mar 20 10:09:52 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:52Z","tags":["info","plugins-system"],"pid":2786,"message":"Setting up [45] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,visBuilder,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,notificationsDashboards,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuh,bfetch]"}
mar 20 10:09:53 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:53Z","tags":["info","savedobjects-service"],"pid":2786,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
mar 20 10:09:53 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:53Z","tags":["info","savedobjects-service"],"pid":2786,"message":"Starting saved objects migrations"}
mar 20 10:09:53 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:53Z","tags":["info","savedobjects-service"],"pid":2786,"message":"Creating index .kibana_2."}
mar 20 10:09:54 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:54Z","tags":["info","savedobjects-service"],"pid":2786,"message":"Migrating .kibana_1 saved objects to .kibana_2"}
mar 20 10:09:54 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:54Z","tags":["info","savedobjects-service"],"pid":2786,"message":"Pointing alias .kibana to .kibana_2."}
mar 20 10:09:55 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:55Z","tags":["info","savedobjects-service"],"pid":2786,"message":"Finished in 1138ms."}
mar 20 10:09:55 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:55Z","tags":["info","plugins-system"],"pid":2786,"message":"Starting [45] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,visBuilder,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,notificationsDashboards,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuh,bfetch]"}
mar 20 10:09:55 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:55Z","tags":["listening","info"],"pid":2786,"message":"Server running at https://0.0.0.0:5601"}
mar 20 10:09:55 X.X.X.X opensearch-dashboards[2786]: {"type":"log","@timestamp":"2023-03-20T10:09:55Z","tags":["info","http","server","OpenSearchDashboards"],"pid":2786,"message":"http server running at https://0.0.0.0:5601"}
  • egrep -iE "err|warn" /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log

juliamagan commented Mar 17, 2023

Task 2: The daemons are running with the correct user

Agents

Amazon Linux 🟢
root     20094  0.0  0.3  38560  3380 ?        Sl   14:56   0:00 /var/ossec/bin/wazuh-execd
wazuh    20106  0.0  0.5 264552  5796 ?        Sl   14:56   0:00 /var/ossec/bin/wazuh-agentd
root     20121 10.2  0.8 204524  8220 ?        SNl  14:56   0:08 /var/ossec/bin/wazuh-syscheckd
root     20135  0.0  0.4 481012  4400 ?        Sl   14:56   0:00 /var/ossec/bin/wazuh-logcollector
root     20157  0.4  1.3 742908 13548 ?        Sl   14:56   0:00 /var/ossec/bin/wazuh-modulesd
RHEL 🟢
root     31723  0.0  0.0  36372  1888 ?        Sl   14:58   0:00 /var/ossec/bin/wazuh-execd
wazuh    31735  1.0  0.1 262176  5312 ?        Sl   14:58   0:00 /var/ossec/bin/wazuh-agentd
root     31750 33.8  0.1 481360  6940 ?        SNl  14:58   0:24 /var/ossec/bin/wazuh-syscheckd
root     31759  0.0  0.0 478780  3024 ?        Sl   14:58   0:00 /var/ossec/bin/wazuh-logcollector
root     31778  3.1  0.7 1027316 28064 ?       Sl   14:58   0:02 /var/ossec/bin/wazuh-modulesd
Ubuntu 🟢
root      7052  0.0  0.3  43572  3612 ?        Sl   15:02   0:00 /var/ossec/bin/wazuh-execd
wazuh     7063  0.2  0.5 269480  5836 ?        Sl   15:02   0:00 /var/ossec/bin/wazuh-agentd
root      7077  4.1  0.8 274640  8284 ?        SNl  15:02   0:08 /var/ossec/bin/wazuh-syscheckd
root      7091  0.0  0.4 485984  4580 ?        Sl   15:02   0:00 /var/ossec/bin/wazuh-logcollector
root      7107  0.2  1.4 750160 14016 ?        Sl   15:02   0:00 /var/ossec/bin/wazuh-modulesd
Centos 🟢
root     19698  0.0  0.1  36280  1740 ?        Sl   15:06   0:00 /var/ossec/bin/wazuh-execd
wazuh    19710  0.0  0.3 262096  3256 ?        Sl   15:06   0:00 /var/ossec/bin/wazuh-agentd
root     19725 10.8  0.5 201992  5316 ?        SNl  15:06   0:09 /var/ossec/bin/wazuh-syscheckd
root     19739  0.0  1.0 478656 10692 ?        Sl   15:06   0:00 /var/ossec/bin/wazuh-logcollector
root     19760  0.9  1.5 740460 15048 ?        Sl   15:06   0:00 /var/ossec/bin/wazuh-modulesd
Debian 🟢
root       12681  0.0  0.3  24436  3176 ?        Sl   15:08   0:00 /var/ossec/bin/wazuh-execd
wazuh      12692  0.4  0.7 246320  7736 ?        Sl   15:08   0:00 /var/ossec/bin/wazuh-agentd
root       12706  7.7  0.7 255484  7612 ?        SNl  15:09   0:05 /var/ossec/bin/wazuh-syscheckd
root       12722  0.0  0.4 466840  4212 ?        Sl   15:09   0:00 /var/ossec/bin/wazuh-logcollector
root       12739  0.4  1.4 728748 14500 ?        Sl   15:09   0:00 /var/ossec/bin/wazuh-modulesd
Windows 🟢
wazuh-agent.exe               1500 WazuhSvc

Managers

Master env 1 🟢
wazuh     6858  5.4  2.6 830404 105112 ?       Sl   15:29   0:13 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     6884  0.0  0.0  39352  3772 ?        Sl   15:29   0:00 /var/ossec/bin/wazuh-integratord
root      6903  0.2  0.1 195040  5200 ?        Sl   15:29   0:00 /var/ossec/bin/wazuh-authd
wazuh     6920  0.1  0.2 850632 11060 ?        Sl   15:29   0:00 /var/ossec/bin/wazuh-db
wazuh     6933  0.0  1.5 322248 60648 ?        S    15:29   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     6936  0.3  1.6 470780 64132 ?        S    15:29   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      6951  0.0  0.1  39396  3996 ?        Sl   15:29   0:00 /var/ossec/bin/wazuh-execd
wazuh     6966  0.7  0.8 1294452 32064 ?       Sl   15:29   0:01 /var/ossec/bin/wazuh-analysisd
root      6978  4.8  0.2 270556  8516 ?        SNl  15:29   0:11 /var/ossec/bin/wazuh-syscheckd
wazuh     6999  0.4  0.1 458320  4904 ?        Sl   15:29   0:01 /var/ossec/bin/wazuh-remoted
root      7032  0.0  0.1 481868  4836 ?        Sl   15:29   0:00 /var/ossec/bin/wazuh-logcollector
wazuh     7050  0.0  0.0  39372  3800 ?        Sl   15:29   0:00 /var/ossec/bin/wazuh-monitord
root      7100 23.0  0.8 531872 32516 ?        Sl   15:29   0:55 /var/ossec/bin/wazuh-modulesd
wazuh     7218  0.4  1.3 453948 53284 ?        Sl   15:29   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh     7230  0.0  1.1 289028 44932 ?        S    15:29   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh     7233  0.0  1.1 370956 45160 ?        S    15:29   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
root      7487  0.0  0.0 124104  3136 ?        SNs  15:29   0:00 /bin/sh wodles/aws/aws-s3 --bucket wazuh-aws-wodle --aws_profile prod --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow
root      7494  6.1  2.1 304700 87076 ?        SN   15:29   0:13 /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws-s3.py --bucket wazuh-aws-wodle --aws_profile prod --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow
Worker env 1 🟢
wazuh    30206  8.5  2.5 750744 99820 ?        Sl   15:34   0:13 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    30232  0.0  0.0  39344  3788 ?        Sl   15:34   0:00 /var/ossec/bin/wazuh-integratord
wazuh    30248  0.2  0.2 850612 11168 ?        Sl   15:34   0:00 /var/ossec/bin/wazuh-db
root     30274  0.0  0.0  39388  3820 ?        Sl   15:35   0:00 /var/ossec/bin/wazuh-execd
wazuh    30289  1.0  0.7 1294400 29984 ?       Sl   15:35   0:01 /var/ossec/bin/wazuh-analysisd
wazuh    30290  0.0  1.4 315324 58300 ?        S    15:35   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    30293  0.0  1.5 404444 60860 ?        S    15:35   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     30307  7.2  0.2 205000  8440 ?        SNl  15:35   0:11 /var/ossec/bin/wazuh-syscheckd
wazuh    30327  0.2  0.1 458308  4832 ?        Sl   15:35   0:00 /var/ossec/bin/wazuh-remoted
root     30361  0.0  0.1 416252  4748 ?        Sl   15:35   0:00 /var/ossec/bin/wazuh-logcollector
wazuh    30380  0.0  0.0  39360  3720 ?        Sl   15:35   0:00 /var/ossec/bin/wazuh-monitord
root     30431 35.7  0.8 490892 33748 ?        Sl   15:35   0:53 /var/ossec/bin/wazuh-modulesd
wazuh    30573  0.5  1.3 448352 53344 ?        Sl   15:35   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh    30744  0.0  1.1 295948 46188 ?        S    15:35   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
Master env 2 🟢
wazuh     3384 11.1  2.6 830400 105108 ?       Sl   15:49   0:12 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     3414  0.0  0.0  39356  3840 ?        Sl   15:49   0:00 /var/ossec/bin/wazuh-integratord
root      3429  0.2  0.1 195040  5300 ?        Sl   15:49   0:00 /var/ossec/bin/wazuh-authd
wazuh     3446  0.2  0.2 785096 10716 ?        Sl   15:49   0:00 /var/ossec/bin/wazuh-db
wazuh     3459  0.0  1.5 322248 60380 ?        S    15:49   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     3462  0.4  1.6 470800 64024 ?        S    15:49   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      3477  0.0  0.0  39400  3896 ?        Sl   15:49   0:00 /var/ossec/bin/wazuh-execd
wazuh     3492  1.5  0.7 1294448 31356 ?       Sl   15:49   0:01 /var/ossec/bin/wazuh-analysisd
root      3504 10.2  0.2 270564  8436 ?        SNl  15:49   0:11 /var/ossec/bin/wazuh-syscheckd
wazuh     3524  0.1  0.1 720468  7132 ?        Sl   15:49   0:00 /var/ossec/bin/wazuh-remoted
root      3557  0.0  0.1 481864  4904 ?        Sl   15:49   0:00 /var/ossec/bin/wazuh-logcollector
wazuh     3577  0.0  0.0  39376  3728 ?        Sl   15:49   0:00 /var/ossec/bin/wazuh-monitord
root      3626 66.8  0.8 531872 34276 ?        Sl   15:49   1:10 /var/ossec/bin/wazuh-modulesd
wazuh     3744  0.5  1.2 436448 48336 ?        Sl   15:49   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh     3762  0.0  1.1 288984 44868 ?        S    15:49   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh     3765  0.0  1.1 370912 44716 ?        S    15:49   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
root      4019  0.0  0.0 124104  3244 ?        SNs  15:49   0:00 /bin/sh wodles/aws/aws-s3 --bucket wazuh-aws-wodle --aws_profile prod --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow
root      4026  7.5  2.1 304700 87032 ?        RN   15:49   0:07 /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws-s3.py --bucket wazuh-aws-wodle --aws_profile prod --trail_prefix vpc --only_logs_after 2020-MAY-01 --type vpcflow

Wazuh Indexer

Node-1 🟢
wazuh-i+  2795 39.6 55.6 7331760 4500100 ?     Ssl  09:54   1:01 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-3800559285174684303 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Node-2 🟢
wazuh-i+  1805 69.2 55.5 7274116 4492108 ?     Ssl  09:57   0:56 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-1244110647506288690 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Node-3 🟢
wazuh-i+  2914 21.1 55.4 7204948 4486576 ?     Ssl  10:00   1:01 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-6125364092210826457 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Wazuh Dashboard

wazuh-indexer 🟢
wazuh-i+  2518 41.7 37.2 5825444 3008236 ?     Ssl  10:06   0:53 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-13387377462608418200 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-dashboard 🟢
wazuh-d+ 14629  0.1  2.3 1051956 191836 ?      Ssl  mar16   9:23 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

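The listings above are checked by eye. The following script is an added example (not Wazuh's code and not part of this issue) that automates the same check: it parses `ps aux` style lines, looks up each Wazuh daemon in an expected-owner map and reports any daemon running as the wrong user or missing altogether. The expected-owner map is an assumption derived from the listings in this report (the network-facing daemons such as agentd, remoted, analysisd and the API as `wazuh`, the privileged ones such as execd, syscheckd and modulesd as `root`); the sample input is the Amazon Linux agent listing plus one constructed line with agentd running as root to exercise the failure path.

```python
"""Verify that each Wazuh daemon runs under the expected Unix user.

Added example; not part of the Wazuh project. EXPECTED_USER is an
assumption taken from the process listings in this report and must be
adjusted to the installation being verified.
"""
import re
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

# Expected owner per daemon (assumption modelled on the listings above).
EXPECTED_USER: Dict[str, str] = {
    "wazuh-agentd": "wazuh",
    "wazuh-analysisd": "wazuh",
    "wazuh-db": "wazuh",
    "wazuh-remoted": "wazuh",
    "wazuh-monitord": "wazuh",
    "wazuh-integratord": "wazuh",
    "wazuh-apid.py": "wazuh",
    "wazuh_clusterd.py": "wazuh",
    "wazuh-execd": "root",
    "wazuh-authd": "root",
    "wazuh-syscheckd": "root",
    "wazuh-logcollector": "root",
    "wazuh-modulesd": "root",
}

# Daemons every agent must have; managers add analysisd, remoted, db, ...
AGENT_DAEMONS: Set[str] = {
    "wazuh-execd", "wazuh-agentd", "wazuh-syscheckd",
    "wazuh-logcollector", "wazuh-modulesd",
}

# ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
_PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(?:\S+\s+){8}(.*)$")


def parse_ps(lines: Iterable[str]) -> Iterator[Tuple[str, int, str]]:
    """Yield (user, pid, command) for every line that looks like ps output."""
    for line in lines:
        m = _PS_LINE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def daemon_name(command: str) -> Optional[str]:
    """Return the tracked daemon a command belongs to, or None.

    Native daemons are matched on their binary under /var/ossec/bin,
    Python daemons on the script name passed to the interpreter.
    """
    for name in EXPECTED_USER:
        if f"/{name}" in command or command.endswith(name):
            return name
    return None


def check_users(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split tracked daemons into (ok, violations) as 'daemon pid=N user=U'."""
    ok: List[str] = []
    bad: List[str] = []
    for user, pid, cmd in parse_ps(lines):
        name = daemon_name(cmd)
        if name is None:
            continue  # untracked child, e.g. the aws-s3 wodle process
        entry = f"{name} pid={pid} user={user}"
        (ok if user == EXPECTED_USER[name] else bad).append(entry)
    return ok, bad


def missing_daemons(lines: Iterable[str], required: Set[str]) -> List[str]:
    """Return the required daemons that do not appear in the listing."""
    seen = {daemon_name(cmd) for _, _, cmd in parse_ps(lines)}
    return sorted(required - seen)


# Constructed sample: the Amazon Linux agent listing from this report plus
# one deliberately wrong line (a second agentd owned by root).
SAMPLE_PS = """\
root     20094  0.0  0.3  38560  3380 ?        Sl   14:56   0:00 /var/ossec/bin/wazuh-execd
wazuh    20106  0.0  0.5 264552  5796 ?        Sl   14:56   0:00 /var/ossec/bin/wazuh-agentd
root     20121 10.2  0.8 204524  8220 ?        SNl  14:56   0:08 /var/ossec/bin/wazuh-syscheckd
root     20135  0.0  0.4 481012  4400 ?        Sl   14:56   0:00 /var/ossec/bin/wazuh-logcollector
root     20157  0.4  1.3 742908 13548 ?        Sl   14:56   0:00 /var/ossec/bin/wazuh-modulesd
root     20999  0.0  0.5 264552  5796 ?        Sl   14:57   0:00 /var/ossec/bin/wazuh-agentd
""".splitlines()


if __name__ == "__main__":
    good, violations = check_users(SAMPLE_PS)
    for line in good:
        print("OK  ", line)
    for line in violations:
        print("FAIL", line)
    for name in missing_daemons(SAMPLE_PS, AGENT_DAEMONS):
        print("MISSING", name)
```

On a live host feed it `ps aux | grep /var/ossec` and pass the manager daemon set instead of AGENT_DAEMONS when checking a master or worker.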
juliamagan moved this from Todo to In Progress in Release 4.4.0 Mar 17, 2023
@juliamagan

Task 3: The status of the Wazuh Indexer clusters is as expected. 🟢

curl -k -u USER:PASS https://10.0.0.120:9200/_cat/nodes?v
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
10.0.0.120           11          84   5    0.18    0.18     0.10 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-7
10.0.2.6             10          85   3    0.05    0.05     0.04 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-1
10.0.2.181           12          80   3    0.04    0.07     0.06 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-3
10.0.2.52            10          85   3    0.17    0.12     0.06 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-2

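The `_cat/nodes?v` table above is read by hand. As an added example (not Wazuh's or OpenSearch's code and not part of this issue), the script below parses that table by its header row and asserts the properties this task is after: every expected node is present, exactly one node is the elected cluster manager (the `*` in the `cluster_manager` column), every node advertises the `cluster_manager` and `data` roles, and no node's heap is near exhaustion. The expected node names, required roles and the 85 % heap limit are assumptions for illustration; the sample input is the output shown above.

```python
"""Sanity checks over `_cat/nodes?v` output from a Wazuh indexer cluster.

Added example; not part of the Wazuh or OpenSearch projects. Expected
node names, required roles and the heap threshold are assumptions.
"""
from typing import Dict, Iterable, List, Optional, Tuple


def parse_cat_nodes(text: str) -> List[Dict[str, str]]:
    """Turn the header-plus-rows table into one dict per node keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows: List[Dict[str, str]] = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            raise ValueError(f"column count mismatch in row: {line!r}")
        rows.append(dict(zip(header, cols)))
    return rows


def elected_manager(rows: Iterable[Dict[str, str]]) -> Optional[str]:
    """Name of the node marked '*' in cluster_manager, or None if there is not exactly one."""
    managers = [r["name"] for r in rows if r["cluster_manager"] == "*"]
    return managers[0] if len(managers) == 1 else None


def check_cluster(
    rows: List[Dict[str, str]],
    expected_names: Iterable[str],
    required_roles: Tuple[str, ...] = ("cluster_manager", "data"),
    heap_limit: int = 85,
) -> List[str]:
    """Return a list of problems; an empty list means the cluster looks as expected."""
    problems: List[str] = []
    present = {r["name"] for r in rows}
    for name in sorted(set(expected_names) - present):
        problems.append(f"missing node {name}")
    managers = [r["name"] for r in rows if r["cluster_manager"] == "*"]
    if len(managers) != 1:
        problems.append(f"expected exactly one elected cluster manager, got {managers}")
    for r in rows:
        roles = set(r["node.roles"].split(","))
        lacking = set(required_roles) - roles
        if lacking:
            problems.append(f"{r['name']} lacks roles {sorted(lacking)}")
        if int(r["heap.percent"]) >= heap_limit:
            problems.append(f"{r['name']} heap at {r['heap.percent']}%")
    return problems


# Sample input: the _cat/nodes output shown in this task (four nodes, node-2 elected).
SAMPLE_CAT_NODES = """\
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
10.0.0.120           11          84   5    0.18    0.18     0.10 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-7
10.0.2.6             10          85   3    0.05    0.05     0.04 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-1
10.0.2.181           12          80   3    0.04    0.07     0.06 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-3
10.0.2.52            10          85   3    0.17    0.12     0.06 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-2
"""

EXPECTED_NODES = ["node-1", "node-2", "node-3", "node-7"]  # assumption for this demo


if __name__ == "__main__":
    nodes = parse_cat_nodes(SAMPLE_CAT_NODES)
    print("elected cluster manager:", elected_manager(nodes))
    for problem in check_cluster(nodes, EXPECTED_NODES) or ["no problems found"]:
        print(problem)
```

One caveat on the command itself: `curl -k` disables TLS certificate verification, which is acceptable against a throwaway demo with self-signed certificates but not how the check should be run elsewhere; pass the cluster's root CA with `--cacert` instead so the credentials in `-u USER:PASS` are not sent to an unverified endpoint.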
@juliamagan

Task 4: No errors in the browser's developer console when browsing the App 🟡

Some errors or warnings have been found that have been reported previously:

juliamagan commented Mar 20, 2023

Task 5: Alerts are being generated for each of the modules configured for this purpose 🟡

These are the modules configured in environment 1:

(screenshot: env1)

In addition, Osquery is configured, and we can see events in these modules too.

These are the modules configured in environment 2:

(screenshot: env2)

We can see events generated in all of them except System Auditing and Policy monitoring, but they are enabled by default in the app and disabled in the configuration. In addition, we can't see events for Docker Listener or Virustotal. Docker listener isn't configured in this environment, but Virustotal is:

(screenshot: virustotal-2)

@juliamagan

Task 6: No warning symbols in Discover when expanding a document. 🟢

After performing several tests both in Discover and in different modules, we have not been able to find any warning.

@juliamagan

Task 7: Generate an alert and check it in the web UI 🟢

Invalid SSH connection to Amazon Linux agent:

juliamagan@pop-os:~$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Generated alerts:

(screenshot: invalid)

Alert info
{
  "_index": "wazuh-alerts-4.x-env-2-2023.03.20",
  "_id": "f2a-_oYB394EQRsXb9R6",
  "_version": 1,
  "_score": null,
  "_source": {
    "predecoder": {
      "hostname": "ip-10-0-1-63",
      "program_name": "sshd",
      "timestamp": "Mar 20 11:18:48"
    },
    "cluster": {
      "node": "master",
      "name": "wazuh2"
    },
    "agent": {
      "ip": "10.0.1.63",
      "name": "Amazon",
      "id": "001"
    },
    "data": {
      "srcuser": "invalid-user",
      "srcip": "81.40.74.147",
      "srcport": "50198"
    },
    "manager": {
      "name": "wazuh-manager-master-0"
    },
    "rule": {
      "mail": false,
      "level": 5,
      "hipaa": [
        "164.312.b"
      ],
      "pci_dss": [
        "10.2.4",
        "10.2.5",
        "10.6.1"
      ],
      "tsc": [
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "sshd: Attempt to login using a non-existent user",
      "groups": [
        "syslog",
        "sshd",
        "authentication_failed",
        "invalid_login"
      ],
      "nist_800_53": [
        "AU.14",
        "AC.7",
        "AU.6"
      ],
      "gdpr": [
        "IV_35.7.d",
        "IV_32.2"
      ],
      "firedtimes": 1,
      "mitre": {
        "technique": [
          "Password Guessing",
          "SSH",
          "Valid Accounts"
        ],
        "id": [
          "T1110.001",
          "T1021.004",
          "T1078"
        ],
        "tactic": [
          "Credential Access",
          "Lateral Movement",
          "Defense Evasion",
          "Persistence",
          "Privilege Escalation",
          "Initial Access"
        ]
      },
      "id": "5710",
      "gpg13": [
        "7.1"
      ]
    },
    "decoder": {
      "parent": "sshd",
      "name": "sshd"
    },
    "full_log": "Mar 20 11:18:48 ip-10-0-1-63 sshd[15375]: Invalid user invalid-user from 81.40.74.147 port 50198",
    "input": {
      "type": "log"
    },
    "location": "/var/log/secure",
    "id": "1679311129.22860973",
    "GeoLocation": {
      "city_name": "Cordova",
      "country_name": "Spain",
      "region_name": "Cordoba",
      "location": {
        "lon": -4.7727,
        "lat": 37.8916
      }
    },
    "timestamp": "2023-03-20T11:18:49.305+0000"
  },
  "fields": {
    "timestamp": [
      "2023-03-20T11:18:49.305Z"
    ]
  },
  "highlight": {
    "cluster.name": [
      "@opensearch-dashboards-highlighted-field@wazuh2@/opensearch-dashboards-highlighted-field@"
    ],
    "agent.id": [
      "@opensearch-dashboards-highlighted-field@001@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1679311129305
  ]
}

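The alert above is Wazuh's decoding of the `full_log` line `Invalid user invalid-user from 81.40.74.147 port 50198`. The following is an added example, not Wazuh's decoder or ruleset, that reproduces the same mapping for that one message form so the path from syslog line to the alert's `predecoder`, `data` and `rule` fields can be followed and unit-tested: the regexes are assumptions modelled on the alert shown here, rule 5710 is taken from it, and any other sshd message (for instance the `Failed password` lines the three rejected attempts also produce) is returned as no match rather than given an invented rule. The sample lines are the page's own `full_log` plus two constructed ones, one with an empty username, which sshd does log and which a stricter pattern would silently drop.

```python
"""Decode sshd 'Invalid user' syslog lines the way the alert above shows them.

Added example; not Wazuh's decoder or rules. Regexes are assumptions
modelled on the alert in this task; rule 5710 and its description are
taken from that alert. Other sshd messages decode to None.
"""
import re
from typing import Dict, Iterable, List, Optional

# "Mar 20 11:18:48 ip-10-0-1-63 sshd[15375]: <message>"
SYSLOG = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# \S* rather than \S+ so that "Invalid user  from ..." (empty name) still decodes.
INVALID_USER = re.compile(
    r"^Invalid user (?P<srcuser>\S*) from (?P<srcip>\S+) port (?P<srcport>\d+)$"
)

RULE_5710 = {
    "id": "5710",
    "level": 5,
    "description": "sshd: Attempt to login using a non-existent user",
    "groups": ["syslog", "sshd", "authentication_failed", "invalid_login"],
}


def decode(line: str) -> Optional[Dict[str, object]]:
    """Return the predecoder/data/rule subset of the alert for an sshd line, or None."""
    m = SYSLOG.match(line)
    if not m or m.group("program") != "sshd":
        return None
    msg = INVALID_USER.match(m.group("msg"))
    if not msg:
        return None  # other sshd events are out of scope for this example
    return {
        "predecoder": {
            "hostname": m.group("hostname"),
            "program_name": "sshd",
            "timestamp": m.group("timestamp"),
        },
        "data": msg.groupdict(),
        "rule": dict(RULE_5710),
        "full_log": line,
    }


def decode_all(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Decode every line that matches, dropping the rest."""
    return [d for d in (decode(ln) for ln in lines) if d is not None]


# Sample input: the page's full_log, then two constructed lines.
PAGE_LINE = "Mar 20 11:18:48 ip-10-0-1-63 sshd[15375]: Invalid user invalid-user from 81.40.74.147 port 50198"
FAILED_PASSWORD_LINE = (  # constructed; not an 'Invalid user' event, so no match
    "Mar 20 11:18:50 ip-10-0-1-63 sshd[15375]: Failed password for invalid user "
    "invalid-user from 81.40.74.147 port 50198 ssh2"
)
EMPTY_USER_LINE = (  # constructed; sshd logs a blank name as two spaces
    "Mar 20 11:20:01 ip-10-0-1-63 sshd[15380]: Invalid user  from 81.40.74.147 port 50201"
)
SAMPLE_LINES = [PAGE_LINE, FAILED_PASSWORD_LINE, EMPTY_USER_LINE]


if __name__ == "__main__":
    for alert in decode_all(SAMPLE_LINES):
        print(alert["rule"]["id"], alert["data"])
```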
@juliamagan juliamagan moved this from In Progress to In Review in Release 4.4.0 Mar 20, 2023
@jmv74211

Closing conclusion 👍🏼

No stopper has been found. Some small known issues have continued to be detected (see conclusion of #16418 (comment)) that have been fixed in later versions, or that are not really entirely up to us.

As an aspect to mention, in environment 2 we found no System Auditing and Policy monitoring, Docker Listener and Virustotal events (no test use cases will have been released by the CICD team in that environment).

github-project-automation bot moved this from In Review to Done in Release 4.4.0 Mar 22, 2023