
Release 4.9.1 - RC 1 - Specific systems #25845

Closed · 1 task done
wazuhci opened this issue Sep 20, 2024 · 7 comments


wazuhci commented Sep 20, 2024

Packages tests metrics information

Main release stage issue #25833
Main packages metrics issue #25839
Version 4.9.1
Release stage RC 1
Tag https://github.com/wazuh/wazuh/tree/v4.9.1-rc1

Build packages

| System | Status | Build |
|---|---|---|
| AIX | 🟢 | https://ci.wazuh.info/job/Packages_builder_special/1090/ |
| HPUX | 🔴 | https://ci.wazuh.info/job/Packages_builder_special/1096/ |
| S10 SPARC | 🟢 | https://ci.wazuh.info/job/Packages_builder_special/1092/ |
| S11 SPARC | 🟢 | https://ci.wazuh.info/job/Packages_builder_special/1093/ |
| OVA | 🟢 | https://ci.wazuh.info/job/Packages_Builder_OVA/ |
| AMI | 🟢 | https://ci.wazuh.info/job/Packages_Builder_AMI/ |

Test packages

| System | Build | Install | Deployment install | Upgrade | Remove | TCP | UDP | Errors found | Warnings found | Alerts found | Check users |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AIX | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| HP-UX | 🟢 | 🟢 | --- | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| S10 SPARC | 🟢 | 🟢 | --- | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| S11 SPARC | 🟢 | 🟢 | --- | 🟢 | 🟡 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| OVA | 🟢 | 🟢 | --- | --- | --- | 🟢 | 🟢 | 🔴 | 🟡 | 🟢 | 🟢 |
| AMI | 🟢 | 🟢 | --- | --- | --- | 🟢 | 🟢 | 🔴 | 🟡 | 🟢 | 🟢 |

OVA/AMI specific tests

| System | Filebeat test | Cluster green/yellow | Production repositories | UI Access | No SSH root access | SSH user access | Wazuh dashboard/APP version | Dashboard/Indexer VERSION file |
|---|---|---|---|---|---|---|---|---|
| OVA | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| AMI | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |

Status legend:

⚫ - Not started/In progress
⚪ - Skipped
🔴 - Found new errors/bugs/failures
🟡 - Found known errors/bugs/failures
🟢 - All tests passed


Conclusion 🔴

The tests were successful. Logs were found in the indexer that had not been seen in previous stages or previous versions, in both OVA and AMI; they were reported and will await analysis. The rest of the errors are known.

Known issues:

New issues:

A bug has also been found when closing the package creation pipeline on HP-UX and it has been reported:

--

Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.


@pro-akim (Member)

Solaris SPARC 11.3 🟡

System Info 🟢
root@sossp103:~# hostname
sossp103
root@sossp103:~# uname -a
SunOS sossp103 5.11 11.3 sun4v sparc sun4v
Installation without Variables 🟢
  • Wazuh agent
root@sossp103:~# curl -sO https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.9.1-sol11-sparc.p5p
root@sossp103:~# ls -ltr
total 14420
-rw-r--r--   1 ugsfi    root         166 sep 23 04:52 local.cshrc
-rw-r--r--   1 ugsfi    root         131 sep 23 04:52 local.profile
-rw-r--r--   1 ugsfi    root         170 sep 23 04:52 local.login
-rw-r--r--   1 root     root     7260160 sep 23 07:34 wazuh-agent_v4.9.1-sol11-sparc.p5p

root@sossp103:~# pkg install -g wazuh-agent_v4.9.1-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1       126/126      6.5/6.5 29.4M/s

PHASE                                          ITEMS
Installing new actions                       184/184
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

root@sossp103:~# nano /var/ossec/etc/ossec.conf 
root@sossp103:~# grep address /var/ossec/etc/ossec.conf
      <address>xx.xx.xx.xx</address>


root@sossp103:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp103:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="agent"

root@sossp103:~# ps -ef | grep wazuh
    root 21618 21435   0 07:37:09 pts/1       0:00 grep wazuh
   wazuh 21542     1   0 07:36:51 ?           0:00 /var/ossec/bin/wazuh-agentd
    root 21532     1   0 07:36:50 ?           0:00 /var/ossec/bin/wazuh-execd
    root 21553     1   0 07:36:52 ?           0:00 /var/ossec/bin/wazuh-syscheckd
    root 21560     1   0 07:36:52 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root 21570     1   0 07:36:53 ?           0:01 /var/ossec/bin/wazuh-modulesd
  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 004, Name: sossp103, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sossp103
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp103 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.9.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727095051

   Syscheck last started at:  Mon Sep 23 12:37:18 2024 (Scan in progress)
   Syscheck last ended at:    Unknown

Generate Alerts (TCP & UDP) 🟢
  • Wazuh Agent (TCP)
root@sossp103:~# grep "tcp" /var/ossec/logs/ossec.log
2024/09/23 07:37:10 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xx.xx]:1514/tcp).
2024/09/23 07:37:10 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xx.xx]:1514/tcp).
2024/09/23 07:37:17 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xx.xx]:1514/tcp).
2024/09/23 07:37:17 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xx.xx]:1514/tcp).
  • Wazuh Server (TCP)
{"timestamp":"2024-09-23T12:37:42.835+0000","rule":{"level":3,"description":"CIS Benchmark for Oracle Solaris 11 v1.1.0: Ensure root PATH Integrity","id":"19008","firedtimes":16,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["9.6"]},"agent":{"id":"004","name":"sossp103","ip":"192.168.253.103"},"manager":{"name":"wazuh-server"},"id":"1727095062.483245","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"31292","policy":"CIS Benchmark for Oracle Solaris 11 v1.1.0","check":{"id":"8049","title":"Ensure root PATH Integrity","description":"The root user can execute any command on the system and could be tricked into executing programs if the PATH is not set correctly.","rationale":"Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program.","remediation":"Correct or justify any items discovered in the Audit step.","compliance":{"cis":"9.6"},"file":["/etc/profile","/root/.profile","/root/.bashrc"],"result":"passed"}}},"location":"sca"}
{"timestamp":"2024-09-23T12:37:49.846+0000","rule":{"level":7,"description":"SCA summary: CIS Benchmark for Oracle Solaris 11 v1.1.0: Score less than 50% (31)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"sossp103","ip":"192.168.253.103"},"manager":{"name":"wazuh-server"},"id":"1727095069.485301","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"31292","policy":"CIS Benchmark for Oracle Solaris 11 v1.1.0","description":"This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against  Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates.","policy_id":"cis_solaris11","passed":"16","failed":"35","invalid":"0","total_checks":"51","score":"31","file":"cis_solaris11.yml"}},"location":"sca"}
  • Wazuh Agent (UDP)
root@sossp103:~# grep "udp" /var/ossec/etc/ossec.conf 
      <protocol>udp</protocol>


root@sossp103:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@sossp103:~# grep "udp" /var/ossec/logs/ossec.log
2024/09/23 07:38:30 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xx.xx]:1514/udp).
2024/09/23 07:38:30 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xx.xx]:1514/udp).
2024/09/23 07:39:14 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xx.xx]:1514/udp).
2024/09/23 07:39:14 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xx.xx]:1514/udp).
  • Wazuh Server (UDP)
{"timestamp":"2024-09-23T12:39:37.237+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":79,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"sossp103","ip":"192.168.253.103"},"manager":{"name":"wazuh-server"},"id":"1727095177.489473","full_log":"Trojaned version of file '/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/bin/kill"},"location":"rootcheck"}
{"timestamp":"2024-09-23T12:39:37.243+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":80,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"sossp103","ip":"192.168.253.103"},"manager":{"name":"wazuh-server"},"id":"1727095177.489873","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}

Removal 🟡
root@sossp103:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.1 Stopped
root@sossp103:~# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         233/233
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  var/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20240902T103413Z
  var/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240902T103413Z
  var/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240902T103413Z
  var/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240902T103413Z
  var/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240902T103413Z
  var/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20240902T103413Z
  var/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240902T103413Z
  var/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240902T103413Z
  var/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240902T103413Z
  var/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20240902T103413Z

root@sossp103:~# grep wazuh /etc/group 
wazuh::13:
root@sossp103:~# grep wazuh /etc/passwd | wc -l
       0
root@sossp103:~# groupdel wazuh
root@sossp103:~# groupdel ossec
UX: groupdel: ERROR: ossec does not exist.

The wazuh group is not removed; reported in: wazuh/wazuh-packages#3053

Upgrade 🟢
  • Install previous version:
root@sossp103:~# curl -sO https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.9.0-sol11-sparc.p5p
root@sossp103:~# ls -ltr
total 28789
-rw-r--r--   1 ugsfi    root         166 sep 23 04:52 local.cshrc
-rw-r--r--   1 ugsfi    root         131 sep 23 04:52 local.profile
-rw-r--r--   1 ugsfi    root         170 sep 23 04:52 local.login
-rw-r--r--   1 root     root     7260160 sep 23 07:34 wazuh-agent_v4.9.1-sol11-sparc.p5p
-rw-r--r--   1 root     root     7260160 sep 23 07:42 wazuh-agent_v4.9.0-sol11-sparc.p5p

root@sossp103:~# pkg install -g wazuh-agent_v4.9.0-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1       126/126      6.5/6.5 28.9M/s

PHASE                                          ITEMS
Installing new actions                       184/184
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2
root@sossp103:~# nano /var/ossec/etc/ossec.conf
root@sossp103:~# grep address /var/ossec/etc/ossec.conf
      <address>xx.xx.xx.xx</address>


root@sossp103:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@sossp103:~# ps -ef | grep wazuh
    root 23955     1   0 07:44:18 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root 23965     1   0 07:44:19 ?           0:01 /var/ossec/bin/wazuh-modulesd
    root 23924     1   0 07:44:14 ?           0:00 /var/ossec/bin/wazuh-execd
    root 23945     1   0 07:44:17 ?           0:00 /var/ossec/bin/wazuh-syscheckd
   wazuh 23934     1   0 07:44:15 ?           0:00 /var/ossec/bin/wazuh-agentd
    root 24008 21435   0 07:44:24 pts/1       0:00 grep wazuh

root@sossp103:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40907"
WAZUH_TYPE="agent"


[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 005, Name: sossp103, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
   Agent ID:   005
   Agent Name: sossp103
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp103 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.9.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727095504

   Syscheck last started at:  Mon Sep 23 12:44:42 2024
   Syscheck last ended at:    Mon Sep 23 12:44:49 2024

  • Upgrade
root@sossp103:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.0 Stopped

root@sossp103:~# pkg install -g wazuh-agent_v4.9.1-sol11-sparc.p5p wazuh-agent
            Packages to update:   1
       Create boot environment:  No
Create backup boot environment: Yes

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         19/19      5.6/5.6 78.0M/s

PHASE                                          ITEMS
Updating modified actions                      21/21
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 


root@sossp103:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@sossp103:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="agent"

root@sossp103:~# ps -ef | grep wazuh
   wazuh 25255     1   0 07:46:37 ?           0:00 /var/ossec/bin/wazuh-agentd
    root 25283     1   0 07:46:40 ?           0:01 /var/ossec/bin/wazuh-modulesd
    root 25245     1   0 07:46:36 ?           0:00 /var/ossec/bin/wazuh-execd
    root 25386 21435   0 07:46:57 pts/1       0:00 grep wazuh
    root 25273     1   0 07:46:38 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root 25266     1  20 07:46:38 ?           0:17 /var/ossec/bin/wazuh-syscheckd


root@sossp103:~# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
root@sossp103:~# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log | wc -l
       0
root@sossp103:~# 
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 005, Name: sossp103, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
   Agent ID:   005
   Agent Name: sossp103
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp103 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.9.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727095660

   Syscheck last started at:  Mon Sep 23 12:46:38 2024
   Syscheck last ended at:    Mon Sep 23 12:46:45 2024


Check Users and Groups 🟢
root@sossp103:~# cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:

root@sossp103:~# cat /etc/group | grep wazuh
wazuh::13:

Known issues
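The checks repeated by hand in the transcript above (version from `wazuh-control info`, no ERROR/WARNING/CRITICAL lines in ossec.log, the `(4102): Connected to the server` line showing the protocol that was configured, the wazuh account surviving the package operations) can be scripted. The POSIX sh below is an added example written for this page, not code from the Wazuh project or from the tester; every function takes a file path so it runs against constructed sample files (written by `write_samples`, labelled as constructed in the code) or against the real files under `/var/ossec`. One detail it handles deliberately: a basic-regex `grep "ERROR|WARNING|CRITICAL"` treats the pipes literally and always counts 0, so the count only carries meaning with `grep -E`.

```shell
#!/bin/sh
# Added example for this page (not Wazuh project code): agent-side checks from
# the RC test procedure, written as functions over file paths so they can be
# run against /var/ossec on a real agent or against the constructed samples.

# Count ERROR/WARNING/CRITICAL lines in ossec.log. -E is mandatory: in basic
# regex the pattern "ERROR|WARNING|CRITICAL" is a literal string containing
# pipes, matches nothing, and reports 0 even on a broken agent.
log_problems() {
    grep -cE 'ERROR|WARNING|CRITICAL' "$1" 2>/dev/null || true
}

# Protocol (tcp or udp) of the most recent successful connection, taken from
# the "(4102): Connected to the server ([ip]:port/proto)" line of wazuh-agentd.
# Prints nothing when the agent never connected.
last_connect_proto() {
    grep '(4102): Connected to the server' "$1" | tail -n 1 |
        sed -n 's/.*\/\([a-z]*\)).*/\1/p'
}

# WAZUH_VERSION from a saved copy of "wazuh-control info" output.
info_version() {
    sed -n 's/^WAZUH_VERSION="\(.*\)"$/\1/p' "$1"
}

# True when the <protocol> in ossec.conf ($1) equals the protocol agentd
# actually connected with according to ossec.log ($2).
protocol_matches() {
    conf_proto=$(sed -n 's/.*<protocol>\([a-z]*\)<\/protocol>.*/\1/p' "$1" | head -n 1)
    log_proto=$(last_connect_proto "$2")
    [ -n "$conf_proto" ] && [ "$conf_proto" = "$log_proto" ]
}

# True when account $2 exists in a passwd- or group-style file $1 (field 1).
entry_present() {
    grep -q "^$2:" "$1"
}

# Constructed sample files, modelled on the transcript output in this thread.
write_samples() {
    mkdir -p "$1"
    cat > "$1/ossec.log" <<'EOF'
2024/09/23 07:37:10 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xx.xx]:1514/tcp).
2024/09/23 07:37:10 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xx.xx]:1514/tcp).
2024/09/23 07:38:12 wazuh-modulesd: WARNING: constructed sample warning line
2024/09/23 07:38:30 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xx.xx]:1514/udp).
2024/09/23 07:38:30 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xx.xx]:1514/udp).
EOF
    cat > "$1/ossec.conf" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>xx.xx.xx.xx</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>
EOF
    printf 'WAZUH_VERSION="v4.9.1"\nWAZUH_REVISION="40910"\nWAZUH_TYPE="agent"\n' > "$1/info.txt"
    printf 'root:x:0:0:Super-User:/:/usr/bin/bash\nwazuh:x:7:13:& User:/:\n' > "$1/passwd"
}

# Demo run on the constructed samples.
SAMPLE_DIR="${TMPDIR:-/tmp}/wazuh-rc-check.$$"
write_samples "$SAMPLE_DIR"
echo "version:  $(info_version "$SAMPLE_DIR/info.txt")"
echo "problems: $(log_problems "$SAMPLE_DIR/ossec.log")"
echo "protocol: $(last_connect_proto "$SAMPLE_DIR/ossec.log")"
protocol_matches "$SAMPLE_DIR/ossec.conf" "$SAMPLE_DIR/ossec.log" &&
    echo "ossec.conf and ossec.log agree on the protocol"
entry_present "$SAMPLE_DIR/passwd" wazuh && echo "wazuh account present"
rm -rf "$SAMPLE_DIR"
```

On a real agent the same functions take the live files: save `/var/ossec/bin/wazuh-control info` to a file and pass it to `info_version`, pass `/var/ossec/logs/ossec.log` to `log_problems` and `last_connect_proto`, `/var/ossec/etc/ossec.conf` plus the log to `protocol_matches`, and `/etc/passwd` or `/etc/group` to `entry_present` after the uninstall step to confirm what the package left behind.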

@pro-akim (Member) commented Sep 23, 2024

AIX 🟡

System info 🟢
# hostname
soaxp136
# uname -a
AIX soaxp136 1 6 00CADA644C00
Installation with variables 🟢
  • Wazuh agent
# WAZUH_MANAGER="172.31.36.80" rpm -ivh wazuh-agent-4.9.1-1.aix.ppc.rpm
wazuh-agent                 ##################################################

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="agent"


# grep address /var/ossec/etc/ossec.conf
      <address>X.X.X.X</address>
      
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# grep "ERROR" /var/ossec/logs/ossec.log  | wc -l
       0
 
  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: soaxp136, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: soaxp136
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp136 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.9.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727092930

   Syscheck last started at:  Mon Sep 23 12:00:41 2024
   Syscheck last ended at:    Mon Sep 23 12:00:49 2024


Removal 🟡

Known Issue: wazuh/wazuh-packages#607

# rpm -e wazuh-agent   
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty


# rm -rf /var/ossec

# ps -ef | grep wazuh | wc -l
       0
Installation without variables 🟢
  • Wazuh agent
# rpm -ivh wazuh-agent-4.9.1-1.aix.ppc.rpm 
wazuh-agent                 ##################################################

# grep address /var/ossec/etc/ossec.conf
      <address>MANAGER_IP</address>

# sed 's/MANAGER_IP/xx.xx.xx.xx/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp

# mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf

# grep address /var/ossec/etc/ossec.conf
      <address>xx.xx.xx.xx</address>


# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="agent"
# 


# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# ps -ef | grep wazuh
    root  8126634        1   0 07:06:36      -  0:00 /var/ossec/bin/wazuh-execd
    root 11141214        1   1 07:06:37      -  0:00 /var/ossec/bin/wazuh-modulesd
    root 11206758        1   0 07:06:37      -  0:00 /var/ossec/bin/wazuh-logcollector
   wazuh 11272294        1   1 07:06:36      -  0:00 /var/ossec/bin/wazuh-agentd
    root 11534462        1   0 07:06:37      -  0:00 /var/ossec/bin/wazuh-syscheckd

  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp136, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: soaxp136
   IP address: any
   Status:     Disconnected

   Operating system:    AIX |soaxp136 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.9.1
   Configuration hash:  (null)
   Shared file hash:    x
   Last keep alive:     1727093243

   Syscheck last started at:  Mon Sep 23 12:07:24 2024 (Scan in progress)
   Syscheck last ended at:    Unknown

Generate alerts (TCP & UDP) 🟢
  • TCP: Wazuh Agent
# grep "tcp" /var/ossec/logs/ossec.log 
2024/09/23 07:07:23 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xx.xx]:1514/tcp).
2024/09/23 07:07:23 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xx.xx]:1514/tcp).
2024/09/23 07:07:32 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xx.xx]:1514/tcp).
2024/09/23 07:07:32 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xx.xx]:1514/tcp).

  • TCP: Wazuh Server
{"timestamp":"2024-09-23T12:07:46.429+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"soaxp136","ip":"192.168.253.136"},"manager":{"name":"wazuh-server"},"id":"1727093266.186848","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"30086","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"}
{"timestamp":"2024-09-23T12:07:55.683+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"soaxp136","ip":"192.168.253.136"},"manager":{"name":"wazuh-server"},"id":"1727093275.187942","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"30086","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"}

  • UDP: Wazuh Agent
# sed 's/<protocol>tcp<\/protocol>/<protocol>udp<\/protocol>/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp
# 
# mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf
# grep protocol /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>


# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/09/23 07:10:08 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xx.xx]:1514/udp).
2024/09/23 07:10:08 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xx.xx]:1514/udp).

  • UDP: Wazuh Server
{"timestamp":"2024-09-23T12:10:14.038+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":41,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"soaxp136","ip":"192.168.253.136"},"manager":{"name":"wazuh-server"},"id":"1727093414.220167","full_log":"File '/tmp/.com_ibm_tools_attach/_master' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_master"},"location":"rootcheck"}
{"timestamp":"2024-09-23T12:10:14.040+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":42,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"soaxp136","ip":"192.168.253.136"},"manager":{"name":"wazuh-server"},"id":"1727093414.220572","full_log":"File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_notifier"},"location":"rootcheck"}
Check users and groups 🟢
# cat /etc/passwd | grep wazuh
wazuh:*:209:1::/home/wazuh:/usr/bin/ksh
# cat /etc/group | grep wazuh
wazuh:!:208:wazuh

Errors and warnings 🟢
# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
       0
Upgrade 🟢
  • Install previous version:
# WAZUH_MANAGER="xx.xx.xx.xx" rpm -ivh wazuh-agent-4.9.0-1.aix.ppc.rpm 
wazuh-agent                 ##################################################

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40907"
WAZUH_TYPE="agent"


# ps -ef | grep wazuh
    root  4980782        1   0 07:15:23      -  0:00 /var/ossec/bin/wazuh-modulesd
    root  7798884        1  42 07:15:23      -  0:10 /var/ossec/bin/wazuh-syscheckd
   wazuh 10748014        1   1 07:15:22      -  0:00 /var/ossec/bin/wazuh-agentd
    root 10813478        1   0 07:15:22      -  0:00 /var/ossec/bin/wazuh-execd
    root 12517522        1   0 07:15:23      -  0:00 /var/ossec/bin/wazuh-logcollector
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: soaxp136
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp136 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.9.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727093742

   Syscheck last started at:  Mon Sep 23 12:15:23 2024
   Syscheck last ended at:    Mon Sep 23 12:15:30 2024

  • Upgrade:
# rpm -U wazuh-agent-4.9.1-1.aix.ppc.rpm

# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="agent"


# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
       0
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: soaxp136
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp136 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.9.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727093839

   Syscheck last started at:  Mon Sep 23 12:16:10 2024
   Syscheck last ended at:    Mon Sep 23 12:16:21 2024

Known issues
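On the manager side, both the Solaris and the AIX transcripts paste raw alerts.json lines after each protocol switch as evidence that alerts arrive. The POSIX sh and awk below is an added example, not code from the Wazuh project or from this issue: it counts the alerts an agent has produced since a given UTC timestamp (for instance the moment it was restarted on UDP, so the earlier TCP alerts do not count as proof) and tallies alerts per rule id so a noisy rule such as the rootcheck 510 hits above stands out. The sample alert lines written by `write_alert_samples` are constructed from the shape quoted in this thread; the function names, the helper, and the assumed 5 h offset between agent local time and the manager's UTC alerts are this example's own.

```shell
#!/bin/sh
# Added example for this page (not Wazuh project code): manager-side checks
# over /var/ossec/logs/alerts/alerts.json. Alerts are one JSON object per
# line, so awk with regex extraction is enough; no JSON parser is needed.

# Number of alerts from agent id $2 with timestamp >= $3. Wazuh timestamps are
# ISO 8601 in UTC ("2024-09-23T12:39:37.237+0000"), so plain string
# comparison orders them. Pass the agent's restart time as $3 to judge
# "alerts found" on traffic from the newly configured protocol only.
alerts_since() {
    awk -v id="$2" -v since="$3" '
        match($0, /"timestamp":"[^"]*"/) {
            ts = substr($0, RSTART + 13, RLENGTH - 14)
            if (!match($0, /"agent":[{]"id":"[^"]*"/)) next
            aid = substr($0, RSTART + 15, RLENGTH - 16)
            if (aid == id && ts >= since) n++
        }
        END { print n + 0 }' "$1"
}

# Alerts per rule id for agent $2, most frequent first ("count rule_id").
# The rule object holds exactly one "id" key before its closing brace, which
# is what the [^}]* bound relies on.
rule_counts() {
    awk -v id="$2" '
        match($0, /"agent":[{]"id":"[^"]*"/) {
            if (substr($0, RSTART + 15, RLENGTH - 16) != id) next
            if (!match($0, /"rule":[{][^}]*"id":"[^"]*"/)) next
            r = substr($0, RSTART, RLENGTH)
            if (match(r, /"id":"[^"]*"$/)) c[substr(r, RSTART + 6, RLENGTH - 7)]++
        }
        END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Constructed sample alerts.json, modelled on the lines quoted in this thread
# (trimmed to the fields the checks use).
write_alert_samples() {
    mkdir -p "$1"
    cat > "$1/alerts.json" <<'EOF'
{"timestamp":"2024-09-23T12:37:42.835+0000","rule":{"level":3,"description":"CIS Benchmark for Oracle Solaris 11 v1.1.0: Ensure root PATH Integrity","id":"19008","firedtimes":16,"groups":["sca"]},"agent":{"id":"004","name":"sossp103","ip":"192.168.253.103"},"manager":{"name":"wazuh-server"},"location":"sca"}
{"timestamp":"2024-09-23T12:39:37.237+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":79,"groups":["ossec","rootcheck"]},"agent":{"id":"004","name":"sossp103","ip":"192.168.253.103"},"manager":{"name":"wazuh-server"},"location":"rootcheck"}
{"timestamp":"2024-09-23T12:39:37.243+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":80,"groups":["ossec","rootcheck"]},"agent":{"id":"004","name":"sossp103","ip":"192.168.253.103"},"manager":{"name":"wazuh-server"},"location":"rootcheck"}
{"timestamp":"2024-09-23T12:10:14.038+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":41,"groups":["ossec","rootcheck"]},"agent":{"id":"002","name":"soaxp136","ip":"192.168.253.136"},"manager":{"name":"wazuh-server"},"location":"rootcheck"}
EOF
}

# Demo run. 12:38:30 UTC is assumed to be the Solaris agent's restart on UDP
# (07:38:30 in the agent's local time, 5 h behind the manager's alerts).
SAMPLE_DIR="${TMPDIR:-/tmp}/wazuh-alert-check.$$"
write_alert_samples "$SAMPLE_DIR"
echo "agent 004 alerts since UDP restart: $(alerts_since "$SAMPLE_DIR/alerts.json" 004 2024-09-23T12:38:30)"
echo "agent 004 alerts per rule:"
rule_counts "$SAMPLE_DIR/alerts.json" 004
rm -rf "$SAMPLE_DIR"
```

Against a live manager, pass `/var/ossec/logs/alerts/alerts.json` as the first argument; a zero from `alerts_since` after the protocol change, with the agent still shown Active by `agent_control -i`, means keepalives arrive but no event data does, which is exactly the condition the TCP and UDP columns of the test table are meant to catch.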

@pro-akim (Member) commented Sep 23, 2024

Solaris SPARC 10 🟢

System Info 🟢
# hostname
sossp109
# uname -a
SunOS sossp109 5.10 Generic_147147-26 sun4v sparc sun4v
Installation without Variables 🟢
  • Wazuh agent
# pkgadd -d wazuh-agent_v4.9.1-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </export/home/owciel/wazuh-agent_v4.9.1-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.9.1
Wazuh, Inc <[email protected]>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/azure_services/__init__.py
/var/ossec/wodles/azure/azure_services/analytics.py
/var/ossec/wodles/azure/azure_services/graph.py
/var/ossec/wodles/azure/azure_services/storage.py
/var/ossec/wodles/azure/azure_utils.py
/var/ossec/wodles/azure/db/__init__.py
/var/ossec/wodles/azure/db/orm.py
/var/ossec/wodles/azure/db/utils.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.
# sed 's|<address>MANAGER_IP</address>|<address>xx.xxx.xx.xx</address>|' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp && mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf
# cat /var/ossec/etc/ossec.conf | grep address
      <address>xx.xxx.xx.xx</address>



# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="agent"
# ps -ef | grep wazuh
    root   878     1   0 14:45:46 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root   871     1   0 14:45:46 ?           0:00 /var/ossec/bin/wazuh-syscheckd
   wazuh   859     1   0 14:45:45 ?           0:00 /var/ossec/bin/wazuh-agentd
    root   920   738   0 14:46:01 pts/1       0:00 grep wazuh
    root   885     1   0 14:45:46 ?           0:02 /var/ossec/bin/wazuh-modulesd
    root   852     1   0 14:45:45 ?           0:00 /var/ossec/bin/wazuh-execd


  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 006, Name: sossp177, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 006

Wazuh agent_control. Agent information:
   Agent ID:   006
   Agent Name: sossp177
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp177 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.9.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727099213

   Syscheck last started at:  Mon Sep 23 19:46:09 2024 (Scan in progress)
   Syscheck last ended at:    Unknown

Generate Alerts (TCP & UDP) 🟢
  • Wazuh Agent (TCP)
# grep "tcp" /var/ossec/logs/ossec.log 
2024/09/23 14:46:05 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xx]:1514/tcp).
2024/09/23 14:46:05 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xx]:1514/tcp).
2024/09/23 14:46:07 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xx]:1514/tcp).
2024/09/23 14:46:08 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xx]:1514/tcp).

  • Wazuh Server (TCP)
{"timestamp":"2024-09-23T13:47:02.474+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"sossp177","ip":"192.168.253.177"},"manager":{"name":"wazuh-server"},"id":"1727099222.688508","full_log":"File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.X11-pipe/X0"},"location":"rootcheck"}
{"timestamp":"2024-09-23T13:47:06.095+0000","rule":{"level":7,"description":"SCA summary: System audit for Unix based systems: Score less than 50% (45)","id":"19004","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"sossp177","ip":"192.168.253.177"},"manager":{"name":"wazuh-server"},"id":"1727099226.688879","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"31123","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"5","failed":"6","invalid":"12","total_checks":"23","score":"45","file":"sca_unix_audit.yml"}},"location":"sca"}

  • Wazuh Agent (UDP)
# sed 's|<protocol>tcp</protocol>|<protocol>udp</protocol>|' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp && mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf
# cat /var/ossec/etc/ossec.conf |grep protocol
      <protocol>udp</protocol>
# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# ps -ef | grep wazuh
   wazuh  1725     1   0 14:47:17 ?           0:00 /var/ossec/bin/wazuh-agentd
    root  1715     1   0 14:47:16 ?           0:00 /var/ossec/bin/wazuh-execd
    root  1781   738   0 14:47:23 pts/1       0:00 grep wazuh
    root  1737     1   7 14:47:18 ?           0:07 /var/ossec/bin/wazuh-syscheckd
    root  1751     1   1 14:47:18 ?           0:02 /var/ossec/bin/wazuh-modulesd
    root  1744     1   0 14:47:18 ?           0:00 /var/ossec/bin/wazuh-logcollector
# grep "udp" /var/ossec/logs/ossec.log
2024/09/23 14:47:16 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xx]:1514/udp).
2024/09/23 14:47:16 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xx]:1514/udp).
  • Wazuh Server (UDP)
{"timestamp":"2024-09-23T13:47:51.781+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"006","name":"sossp177","ip":"192.168.253.177"},"manager":{"name":"wazuh-server"},"id":"1727099271.690336","full_log":"ossec: Agent started: 'sossp177->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp177->any"},"location":"wazuh-agent"}
{"timestamp":"2024-09-23T13:47:58.850+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"sossp177","ip":"192.168.253.177"},"manager":{"name":"wazuh-server"},"id":"1727099278.690662","full_log":"File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.X11-pipe/X0"},"location":"rootcheck"}

Removal 🟢
# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.9.1

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.1 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/db/utils.py
/var/ossec/wodles/azure/db/orm.py
/var/ossec/wodles/azure/db/__init__.py
/var/ossec/wodles/azure/db
/var/ossec/wodles/azure/azure_utils.py
/var/ossec/wodles/azure/azure_services/storage.py
/var/ossec/wodles/azure/azure_services/graph.py
/var/ossec/wodles/azure/azure_services/analytics.py
/var/ossec/wodles/azure/azure_services/__init__.py
/var/ossec/wodles/azure/azure_services
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.
# ps -ef | grep wazuh
    root  2267   738   0 14:48:41 pts/1       0:00 grep wazuh


# ls /var/ossec/
etc    queue

# rm -rf /var/ossec/
# ls /var/ossec/  
/var/ossec/: No such file or directory
Upgrade 🟢
  • Install previous version:
# pkgadd -d wazuh-agent_v4.9.0-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </export/home/owciel/wazuh-agent_v4.9.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.9.0
Wazuh, Inc <[email protected]>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/azure_services/__init__.py
/var/ossec/wodles/azure/azure_services/analytics.py
/var/ossec/wodles/azure/azure_services/graph.py
/var/ossec/wodles/azure/azure_services/storage.py
/var/ossec/wodles/azure/azure_utils.py
/var/ossec/wodles/azure/db/__init__.py
/var/ossec/wodles/azure/db/orm.py
/var/ossec/wodles/azure/db/utils.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.
# sed 's|<address>MANAGER_IP</address>|<address>xx.xx.xx.xx</address>|' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp && mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf
# grep addres /var/ossec/etc/ossec.conf
      <address>xx.xxx.xx.xx</address>

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40907"
WAZUH_TYPE="agent"
# ps -ef | grep wazuh
    root  3899     1   9 14:51:03 ?           0:10 /var/ossec/bin/wazuh-syscheckd
    root  3908     1   0 14:51:03 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root  3917     1   0 14:51:04 ?           0:02 /var/ossec/bin/wazuh-modulesd
    root  3875     1   0 14:51:02 ?           0:00 /var/ossec/bin/wazuh-execd
    root  3991   738   0 14:51:11 pts/1       0:00 grep wazuh
   wazuh  3882     1   0 14:51:02 ?           0:00 /var/ossec/bin/wazuh-agentd

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 007

Wazuh agent_control. Agent information:
   Agent ID:   007
   Agent Name: sossp177
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp177 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.9.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727099516

   Syscheck last started at:  Mon Sep 23 19:51:02 2024
   Syscheck last ended at:    Mon Sep 23 19:51:09 2024
  • Upgrade
# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Process wazuh-modulesd couldn't be terminated. It will be killed.
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.0 Stopped


# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.9.0

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.9.0 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/db/utils.py
/var/ossec/wodles/azure/db/orm.py
/var/ossec/wodles/azure/db/__init__.py
/var/ossec/wodles/azure/db
/var/ossec/wodles/azure/azure_utils.py
/var/ossec/wodles/azure/azure_services/storage.py
/var/ossec/wodles/azure/azure_services/graph.py
/var/ossec/wodles/azure/azure_services/analytics.py
/var/ossec/wodles/azure/azure_services/__init__.py
/var/ossec/wodles/azure/azure_services
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.
 

# rm -rf /var/ossec
# pkgadd -d wazuh-agent_v4.9.1-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </export/home/jxshxu/wazuh-agent_v4.9.1-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.9.1
Wazuh, Inc <[email protected]>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/azure_services/__init__.py
/var/ossec/wodles/azure/azure_services/analytics.py
/var/ossec/wodles/azure/azure_services/graph.py
/var/ossec/wodles/azure/azure_services/storage.py
/var/ossec/wodles/azure/azure_utils.py
/var/ossec/wodles/azure/db/__init__.py
/var/ossec/wodles/azure/db/orm.py
/var/ossec/wodles/azure/db/utils.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

# sed 's|<address>MANAGER_IP</address>|<address>xx.xx.xx.xx</address>|' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp && mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="agent"



# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
# ps -ef | grep wazuh
    root  4419     1   0 14:52:59 ?           0:00 /var/ossec/bin/wazuh-syscheckd
    root  4426     1   0 14:52:59 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root  4490   738   0 14:53:19 pts/1       0:00 grep wazuh
    root  4433     1   0 14:52:59 ?           0:01 /var/ossec/bin/wazuh-modulesd
   wazuh  4407     1   0 14:52:58 ?           0:00 /var/ossec/bin/wazuh-agentd
    root  4397     1   0 14:52:57 ?           0:00 /var/ossec/bin/wazuh-execd



# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log | wc -l
       0
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 008

Wazuh agent_control. Agent information:
   Agent ID:   008
   Agent Name: sossp177
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp177 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.9.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727099710

   Syscheck last started at:  Mon Sep 23 19:54:27 2024 (Scan in progress)
   Syscheck last ended at:    Unknown

Check Users and Groups 🟢
# cat /etc/passwd | grep wazuh
wazuh:x:46203:57447::/var/ossec:/bin/false
# cat /etc/group | grep wazuh
wazuh::57447:
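An added example, not part of the report or of Wazuh's own tooling, for the ERROR/WARNING/CRITICAL log check above: plain grep treats `|` literally, so `grep "ERROR|WARNING|CRITICAL"` reports 0 even when the log holds errors, and a case-insensitive `err|warn|crit` also counts INFO lines that merely mention the word. The script matches on the severity field of the ossec.log line format and separates known, expected messages (the duplicate agent name case that the HP-UX report treats as expected) from new ones; the known-message list and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the release report): a severity-field log check
# for the "Errors and warnings" step. Basic grep treats "|" literally, so
# grep "ERROR|WARNING|CRITICAL" matches nothing and prints 0 regardless of
# the log content; matching on " LEVEL: " with -E is exact and portable.

LEVELS='ERROR|WARNING|CRITICAL'
# Messages treated as known/expected by this check (assumption for the
# example: adjust to what your own release stage accepts).
KNOWN='Duplicate agent name|Unable to add agent|Waiting for server reply|Unable to connect to any server'

# Constructed sample of ossec.log lines modelled on the transcript format;
# it is not a capture from a real host.
SAMPLE_LOG="${TMPDIR:-/tmp}/ossec_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
2024/09/23 13:42:21 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xxx.xx]:1514/tcp).
2024/09/23 13:45:27 wazuh-agentd: ERROR: Duplicate agent name: sovmh346 (from manager)
2024/09/23 13:45:27 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/09/23 13:45:37 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: 'xx.xx.xxx.xx'. Ensure that the manager version is 'v4.9.1' or higher.
2024/09/23 13:45:37 wazuh-agentd: WARNING: Unable to connect to any server.
2024/09/23 13:50:01 wazuh-modulesd: INFO: Module scan finished with no errors.
2024/09/23 13:50:02 wazuh-syscheckd: CRITICAL: (constructed) unable to open FIM database.
EOF

# Every line whose severity field is ERROR, WARNING or CRITICAL.
flagged_lines() {
    grep -E " ($LEVELS): " "$1" || true
}

# Number of lines with one severity, e.g. severity_count FILE WARNING.
# grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
severity_count() {
    grep -c -E " $2: " "$1" || true
}

# Flagged lines that match the known/expected list.
known_lines() {
    flagged_lines "$1" | grep -E "$KNOWN" || true
}

# Flagged lines matching nothing in the known list: these need analysis.
new_lines() {
    flagged_lines "$1" | grep -E -v "$KNOWN" || true
}

new_issue_count() {
    new_lines "$1" | grep -c . || true
}

# Summary in the style of the report. Exit 0 (green) only when nothing
# new was found, 1 (red) otherwise; known messages alone stay green.
check_log() {
    file=$1
    printf 'ERROR: %s  WARNING: %s  CRITICAL: %s\n' \
        "$(severity_count "$file" ERROR)" \
        "$(severity_count "$file" WARNING)" \
        "$(severity_count "$file" CRITICAL)"
    printf 'known/expected: %s\n' "$(known_lines "$file" | grep -c . || true)"
    n=$(new_issue_count "$file")
    printf 'new (needs analysis): %s\n' "$n"
    new_lines "$file"
    [ "$n" -eq 0 ]
}

check_log "$SAMPLE_LOG" || echo "result: RED (new messages found)"
```

Run it against a real agent with `check_log /var/ossec/logs/ossec.log`; the exit status gives the green/red result for scripting.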

@pro-akim (Member) commented Sep 23, 2024

Analysis report - HP-UX 🟢

System info 🟢
# hostname
sovmh346
# uname -a
HP-UX sovmh346 B.11.31 U ia64 4040410032 unlimited-user license
Installation without variables 🟢
  • Wazuh agent
$ /usr/local/bin/curl https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.9.1-1-hpux-11v3-ia64.tar.gz                                <
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16.4M  100 16.4M    0     0  2811k      0  0:00:06  0:00:06 --:--:-- 2876k



# groupadd wazuh   
# useradd -G wazuh wazuh

# /usr/local/bin/gzip -d wazuh-agent-4.9.1-1-hpux-11v3-ia64.tar.gz   
# tar -xvf wazuh-agent-4.9.1-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1954704 bytes, 3818 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2162880 bytes, 4225 tape blocks
x /var/ossec/bin/wazuh-execd, 1882148 bytes, 3677 tape blocks
x /var/ossec/bin/manage_agents, 571088 bytes, 1116 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1812408 bytes, 3540 tape blocks
x /var/ossec/bin/wazuh-agentd, 1954196 bytes, 3817 tape blocks
x /var/ossec/bin/agent-auth, 572136 bytes, 1118 tape blocks
x /var/ossec/lib/libwazuhext.so, 15675204 bytes, 30616 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355668 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1315532 bytes, 2570 tape blocks
x /var/ossec/lib/librsync.so, 892104 bytes, 1743 tape blocks
x /var/ossec/lib/libsysinfo.so, 864892 bytes, 1690 tape blocks
x /var/ossec/lib/libfimdb.so, 1267328 bytes, 2476 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 177 bytes, 1 tape blocks
x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks
x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 42403 bytes, 83 tape blocks
x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks
x /var/ossec/wodles/aws/buckets_s3/config.py, 10519 bytes, 21 tape blocks
x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4356 bytes, 9 tape blocks
x /var/ossec/wodles/aws/buckets_s3/__init__.py, 640 bytes, 2 tape blocks
x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks
x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9261 bytes, 19 tape blocks
x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2841 bytes, 6 tape blocks
x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11323 bytes, 23 tape blocks
x /var/ossec/wodles/aws/buckets_s3/waf.py, 3012 bytes, 6 tape blocks
x /var/ossec/wodles/aws/services/aws_service.py, 6222 bytes, 13 tape blocks
x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24992 bytes, 49 tape blocks
x /var/ossec/wodles/aws/services/__init__.py, 344 bytes, 1 tape blocks
x /var/ossec/wodles/aws/services/inspector.py, 6953 bytes, 14 tape blocks
x /var/ossec/wodles/aws/subscribers/__init__.py, 380 bytes, 1 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6217 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 14729 bytes, 29 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1825 bytes, 4 tape blocks
x /var/ossec/wodles/aws/aws-s3, 9833 bytes, 20 tape blocks
x /var/ossec/wodles/aws/__init__.py, 177 bytes, 1 tape blocks
x /var/ossec/wodles/aws/aws_tools.py, 17341 bytes, 34 tape blocks
x /var/ossec/wodles/aws/wazuh_integration.py, 23023 bytes, 45 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4741 bytes, 10 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure_services/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/azure/azure_services/analytics.py, 8961 bytes, 18 tape blocks
x /var/ossec/wodles/azure/azure_services/graph.py, 7635 bytes, 15 tape blocks
x /var/ossec/wodles/azure/azure_services/storage.py, 10123 bytes, 20 tape blocks
x /var/ossec/wodles/azure/db/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/azure/db/orm.py, 10600 bytes, 21 tape blocks
x /var/ossec/wodles/azure/db/utils.py, 4014 bytes, 8 tape blocks
x /var/ossec/wodles/azure/azure-logs, 1466 bytes, 3 tape blocks
x /var/ossec/wodles/azure/azure_utils.py, 13823 bytes, 27 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14480 bytes, 29 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4904 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent


# cat /var/ossec/etc/ossec.conf | grep address
      <address>MANAGER_IP</address>
# sed 's/MANAGER_IP/xx.xx.xxx.xx/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp
# 
# mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf
# grep address /var/ossec/etc/ossec.conf
      <address>xx.xx.xxx.xx</address>

# /var/ossec/bin/wazuh-control restart
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.


#  /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="agent"

  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 008, Name: sossp177, IP: any, Active
   ID: 014, Name: macos-14, IP: any, Disconnected
   ID: 015, Name: sovmh346, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 015

Wazuh agent_control. Agent information:
   Agent ID:   015
   Agent Name: sovmh346
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh346 |B.11.31 |U |ia64
   Client version:      Wazuh v4.9.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727107406

   Syscheck last started at:  Mon Sep 23 18:42:26 2024 (Scan in progress)
   Syscheck last ended at:    Unknown


Generate alerts (TCP & UDP) 🟢
  • TCP

  • Wazuh Agent

# grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/09/23 13:42:21 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xxx.xx]:1514/tcp).
2024/09/23 13:42:21 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xxx.xx]:1514/tcp).
2024/09/23 13:42:25 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xxx.xx]:1514/tcp).
2024/09/23 13:42:25 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xxx.xx]:1514/tcp).

  • TCP
  • Wazuh Server
{"timestamp":"2024-09-23T16:03:17.639+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"015","name":"sovmh346"},"manager":{"name":"wazuh-server"},"id":"1727107397.2285981","full_log":"ossec: Agent started: 'sovmh346->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh346->any"},"location":"wazuh-agent"}
{"timestamp":"2024-09-23T16:03:17.824+0000","rule":{"level":3,"description":"Wazuh agent disconnected.","id":"504","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"014","name":"macos-14","ip":"10.211.55.252"},"manager":{"name":"wazuh-server"},"id":"1727107397.2286308","full_log":"ossec: Agent disconnected: 'macos-14-any'.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
  • UDP
  • Wazuh Agent
# sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp
# mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf
# grep udp /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>

# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
    
# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/09/23 14:19:16 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xxx.xx]:1514/udp).
2024/09/23 14:19:16 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xxx.xx]:1514/udp).

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 008, Name: sossp177, IP: any, Active
   ID: 014, Name: macos-14, IP: any, Disconnected
   ID: 015, Name: sovmh346, IP: any, Active

List of agentless devices:


[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 008, Name: sossp177, IP: any, Active
   ID: 014, Name: macos-14, IP: any, Disconnected
   ID: 015, Name: sovmh346, IP: any, Active

List of agentless devices:

Check users and groups 🟢
# cat /etc/passwd | grep wazuh
wazuh:*:108:20::/home/wazuh:/sbin/sh
# cat /etc/group | grep wazuh
wazuh::105:wazuh

Errors and warnings 🟢

Note: The error messages encountered are due to forgetting to delete the agent from the manager. They are expected messages.

# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
2024/09/23 13:45:27 wazuh-agentd: ERROR: Duplicate agent name: sovmh346 (from manager)
2024/09/23 13:45:27 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/09/23 13:45:37 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: 'xx.xx.xxx.xx'. Ensure that the manager version is 'v4.9.1' or higher.
2024/09/23 13:45:37 wazuh-agentd: WARNING: Unable to connect to any server.
2024/09/23 13:46:40 wazuh-agentd: ERROR: Duplicate agent name: sovmh346 (from manager)
2024/09/23 13:46:40 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/09/23 13:46:50 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: 'xx.xx.xxx.xx'. Ensure that the manager version is 'v4.9.1' or higher.
2024/09/23 13:46:50 wazuh-agentd: WARNING: Unable to connect to any server.
2024/09/23 13:49:17 wazuh-agentd: ERROR: Duplicate agent name: sovmh346 (from manager)
2024/09/23 13:49:17 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/09/23 13:49:27 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: 'xx.xx.xxx.xx'. Ensure that the manager version is 'v4.9.1' or higher.
2024/09/23 13:49:27 wazuh-agentd: WARNING: Unable to connect to any server.

#  grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
12
Removal 🟢
# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.1 Stopped
# groupdel wazuh
# userdel wazuh
# rm -rf /var/ossec
Upgrade 🟢
  • Install previous version:
# /usr/local/bin/curl -O -k https://packages-dev.wazuh.com//pre-release/hp-ux/wazuh-agent-4.9.0-1-hpux-11v3-ia64.tar.gz                                 <
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16.4M  100 16.4M    0     0  2810k      0  0:00:06  0:00:06 --:--:-- 2901k

# groupadd wazuh
# useradd -G wazuh wazuh

# /usr/local/bin/gzip -d wazuh-agent-4.9.0-1-hpux-11v3-ia64.tar.gz   
# tar -xvf wazuh-agent-4.9.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1954696 bytes, 3818 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2162900 bytes, 4225 tape blocks
x /var/ossec/bin/wazuh-execd, 1882132 bytes, 3677 tape blocks
x /var/ossec/bin/manage_agents, 571080 bytes, 1116 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1812400 bytes, 3540 tape blocks
x /var/ossec/bin/wazuh-agentd, 1954188 bytes, 3817 tape blocks
x /var/ossec/bin/agent-auth, 572128 bytes, 1118 tape blocks
x /var/ossec/lib/libwazuhext.so, 15675204 bytes, 30616 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355660 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1315532 bytes, 2570 tape blocks
x /var/ossec/lib/librsync.so, 892088 bytes, 1743 tape blocks
x /var/ossec/lib/libsysinfo.so, 864876 bytes, 1690 tape blocks
x /var/ossec/lib/libfimdb.so, 1267320 bytes, 2476 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 177 bytes, 1 tape blocks
x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks
x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 41976 bytes, 82 tape blocks
x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks
x /var/ossec/wodles/aws/buckets_s3/config.py, 8936 bytes, 18 tape blocks
x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4356 bytes, 9 tape blocks
x /var/ossec/wodles/aws/buckets_s3/__init__.py, 640 bytes, 2 tape blocks
x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks
x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9261 bytes, 19 tape blocks
x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2841 bytes, 6 tape blocks
x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11323 bytes, 23 tape blocks
x /var/ossec/wodles/aws/buckets_s3/waf.py, 3012 bytes, 6 tape blocks
x /var/ossec/wodles/aws/services/aws_service.py, 6222 bytes, 13 tape blocks
x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24992 bytes, 49 tape blocks
x /var/ossec/wodles/aws/services/__init__.py, 344 bytes, 1 tape blocks
x /var/ossec/wodles/aws/services/inspector.py, 6953 bytes, 14 tape blocks
x /var/ossec/wodles/aws/subscribers/__init__.py, 380 bytes, 1 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6217 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 14493 bytes, 29 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1825 bytes, 4 tape blocks
x /var/ossec/wodles/aws/aws-s3, 9833 bytes, 20 tape blocks
x /var/ossec/wodles/aws/__init__.py, 177 bytes, 1 tape blocks
x /var/ossec/wodles/aws/aws_tools.py, 17341 bytes, 34 tape blocks
x /var/ossec/wodles/aws/wazuh_integration.py, 23035 bytes, 45 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4741 bytes, 10 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure_services/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/azure/azure_services/analytics.py, 8961 bytes, 18 tape blocks
x /var/ossec/wodles/azure/azure_services/graph.py, 7635 bytes, 15 tape blocks
x /var/ossec/wodles/azure/azure_services/storage.py, 10123 bytes, 20 tape blocks
x /var/ossec/wodles/azure/db/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/azure/db/orm.py, 10600 bytes, 21 tape blocks
x /var/ossec/wodles/azure/db/utils.py, 4014 bytes, 8 tape blocks
x /var/ossec/wodles/azure/azure-logs, 1466 bytes, 3 tape blocks
x /var/ossec/wodles/azure/azure_utils.py, 13823 bytes, 27 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14480 bytes, 29 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4904 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
# cat /var/ossec/etc/ossec.conf | grep address
      <address>MANAGER_IP</address>
# sed 's/MANAGER_IP/xx.xx.xxx.xx/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp
# 
# mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf
# grep address /var/ossec/etc/ossec.conf
      <address>xx.xx.xxx.xx</address>
# /var/ossec/bin/wazuh-control restart
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.9.0 Stopped
Starting Wazuh v4.9.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.


# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40907"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 016

Wazuh agent_control. Agent information:
   Agent ID:   016
   Agent Name: sovmh346
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh346 |B.11.31 |U |ia64
   Client version:      Wazuh v4.9.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727108130

   Syscheck last started at:  Mon Sep 23 18:54:40 2024 (Scan in progress)
   Syscheck last ended at:    Unknown


  • Upgrade:
# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.0 Stopped


# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
# cp /var/ossec/etc/client.keys ~/client.keys.bk
# tar -xvf wazuh-agent-4.9.1-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1954704 bytes, 3818 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2162880 bytes, 4225 tape blocks
x /var/ossec/bin/wazuh-execd, 1882148 bytes, 3677 tape blocks
x /var/ossec/bin/manage_agents, 571088 bytes, 1116 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1812408 bytes, 3540 tape blocks
x /var/ossec/bin/wazuh-agentd, 1954196 bytes, 3817 tape blocks
x /var/ossec/bin/agent-auth, 572136 bytes, 1118 tape blocks
x /var/ossec/lib/libwazuhext.so, 15675204 bytes, 30616 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355668 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1315532 bytes, 2570 tape blocks
x /var/ossec/lib/librsync.so, 892104 bytes, 1743 tape blocks
x /var/ossec/lib/libsysinfo.so, 864892 bytes, 1690 tape blocks
x /var/ossec/lib/libfimdb.so, 1267328 bytes, 2476 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 177 bytes, 1 tape blocks
x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks
x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 42403 bytes, 83 tape blocks
x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks
x /var/ossec/wodles/aws/buckets_s3/config.py, 10519 bytes, 21 tape blocks
x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4356 bytes, 9 tape blocks
x /var/ossec/wodles/aws/buckets_s3/__init__.py, 640 bytes, 2 tape blocks
x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks
x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9261 bytes, 19 tape blocks
x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2841 bytes, 6 tape blocks
x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11323 bytes, 23 tape blocks
x /var/ossec/wodles/aws/buckets_s3/waf.py, 3012 bytes, 6 tape blocks
x /var/ossec/wodles/aws/services/aws_service.py, 6222 bytes, 13 tape blocks
x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24992 bytes, 49 tape blocks
x /var/ossec/wodles/aws/services/__init__.py, 344 bytes, 1 tape blocks
x /var/ossec/wodles/aws/services/inspector.py, 6953 bytes, 14 tape blocks
x /var/ossec/wodles/aws/subscribers/__init__.py, 380 bytes, 1 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6217 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 14729 bytes, 29 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1825 bytes, 4 tape blocks
x /var/ossec/wodles/aws/aws-s3, 9833 bytes, 20 tape blocks
x /var/ossec/wodles/aws/__init__.py, 177 bytes, 1 tape blocks
x /var/ossec/wodles/aws/aws_tools.py, 17341 bytes, 34 tape blocks
x /var/ossec/wodles/aws/wazuh_integration.py, 23023 bytes, 45 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4741 bytes, 10 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure_services/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/azure/azure_services/analytics.py, 8961 bytes, 18 tape blocks
x /var/ossec/wodles/azure/azure_services/graph.py, 7635 bytes, 15 tape blocks
x /var/ossec/wodles/azure/azure_services/storage.py, 10123 bytes, 20 tape blocks
x /var/ossec/wodles/azure/db/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/azure/db/orm.py, 10600 bytes, 21 tape blocks
x /var/ossec/wodles/azure/db/utils.py, 4014 bytes, 8 tape blocks
x /var/ossec/wodles/azure/azure-logs, 1466 bytes, 3 tape blocks
x /var/ossec/wodles/azure/azure_utils.py, 13823 bytes, 27 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14480 bytes, 29 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4904 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent

# mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf
# chown root:wazuh /var/ossec/etc/ossec.conf
# mv ~/client.keys.bk /var/ossec/etc/client.keys
# chown root:wazuh /var/ossec/etc/client.keys


# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="agent"


# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
0

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 016

Wazuh agent_control. Agent information:
   Agent ID:   016
   Agent Name: sovmh346
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh346 |B.11.31 |U |ia64
   Client version:      Wazuh v4.9.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1727108727

   Syscheck last started at:  Mon Sep 23 19:04:06 2024 (Scan in progress)
   Syscheck last ended at:    Mon Sep 23 18:55:11 2024


@pro-akim
Member

pro-akim commented Sep 23, 2024

Analysis Report - AMI 🔴

WUI 🟢
  • Loading Screen

image

  • Login Screen

image

  • Credentials & Health Check

image

  • Overview

image

  • Version

image

Logs 🔴

Wazuh Dashboard - journalctl 🟡

[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
sep 23 12:54:04 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:54:04Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
sep 23 12:54:04 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:54:04Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
sep 23 12:54:01 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:54:01Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
sep 23 12:51:27 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:51:27Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
sep 23 12:50:57 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:50:57Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140166815971200:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_VERSION_TOO_LOW"},"message":"140166815971200:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
sep 23 12:47:15 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:47:15Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
sep 23 12:46:42 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:46:42Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
sep 23 12:43:23 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:43:23Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
sep 23 14:22:59 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T14:22:59Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 23 14:22:58 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T14:22:58Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 23 14:21:46 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T14:21:46Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 23 14:21:46 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T14:21:46Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 23 14:20:26 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T14:20:26Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 23 14:15:00 wazuh-server opensearch-dashboards[5325]: {"type":"log","@timestamp":"2024-09-23T14:15:00Z","tags":["error","plugins","wazuh","monitoring"],"pid":5325,"message":"connect ECONNREFUSED 127.0.0.1:55000"}
sep 23 14:15:00 wazuh-server opensearch-dashboards[5325]: {"type":"log","@timestamp":"2024-09-23T14:15:00Z","tags":["error","plugins","wazuh","cron-scheduler"],"pid":5325,"message":"Error: connect ECONNREFUSED 127.0.0.1:55000"}
sep 23 14:15:00 wazuh-server opensearch-dashboards[5325]: {"type":"log","@timestamp":"2024-09-23T14:15:00Z","tags":["error","plugins","wazuh","cron-scheduler"],"pid":5325,"message":"Error: connect ECONNREFUSED 127.0.0.1:55000"}
sep 23 12:54:02 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:54:02Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
sep 23 12:45:02 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:45:02Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
sep 23 11:20:01 wazuh-server opensearch-dashboards[5325]: {"type":"log","@timestamp":"2024-09-23T11:20:01Z","tags":["error","opensearch","data"],"pid":5325,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2024.39w/Vcm1M6eyQqaDyoogzB1_TA] already exists"}
sep 23 11:18:27 wazuh-server opensearch-dashboards[5325]: {"type":"log","@timestamp":"2024-09-23T11:18:27Z","tags":["warning","cross-compatibility-service"],"pid":5325,"message":"Starting cross compatibility service"}
sep 23 11:17:12 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:17:12Z","tags":["warning","cross-compatibility-service"],"pid":1818,"message":"Starting cross compatibility service"}
sep 23 11:17:08 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:17:08Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:17:06 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:17:06Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:17:03 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:17:03Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:17:01 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:17:01Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:16:58 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:58Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:16:56 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:56Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:16:53 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:53Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:51 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:51Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:48 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:48Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:46 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:46Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:43 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:43Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:41 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:41Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:38 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:38Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:36 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:36Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:33 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:33Z","tags":["error","savedobjects-service"],"pid":1818,"message":"Unable to retrieve version information from OpenSearch nodes."}
sep 23 11:16:33 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:33Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

Wazuh Indexer - journalctl 🔴

  • Expected messages
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
sep 23 11:15:34 wazuh-server systemd-entrypoint[2339]: WARNING: System::setSecurityManager will be removed in a future release
sep 23 11:15:34 wazuh-server systemd-entrypoint[2339]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
sep 23 11:15:34 wazuh-server systemd-entrypoint[2339]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.13.0.jar)
sep 23 11:15:34 wazuh-server systemd-entrypoint[2339]: WARNING: A terminally deprecated method in java.lang.System has been called
sep 23 11:15:28 wazuh-server systemd-entrypoint[2339]: WARNING: COMPAT locale provider will be removed in a future release
sep 23 11:15:25 wazuh-server systemd-entrypoint[2339]: WARNING: System::setSecurityManager will be removed in a future release
sep 23 11:15:25 wazuh-server systemd-entrypoint[2339]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
sep 23 11:15:25 wazuh-server systemd-entrypoint[2339]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.13.0.jar)
sep 23 11:15:25 wazuh-server systemd-entrypoint[2339]: WARNING: A terminally deprecated method in java.lang.System has been called

Executing:

[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
  • Expected messages:
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-23T11:15:34,480Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.security.manager=allow, -Djava.locale.providers=SPI,COMPAT, -Xms3941m, -Xmx3941m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/var/log/wazuh-indexer/tmp, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.security.manager=allow, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2066743296, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-23T11:16:18,919Z", "level": "ERROR", "component": "o.o.p.c.j.GCMetrics", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "MX bean missing: G1 Concurrent GC" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-23T11:16:55,500Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-23T11:16:58,922Z", "level": "WARN", "component": "o.o.p.c.u.JsonConverter", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Json Mapping Error: Cannot invoke \"java.lang.Long.longValue()\" because \"this.cacheMaxSize\" is null (through reference chain: org.opensearch.performanceanalyzer.collectors.CacheConfigMetricsCollector$CacheMaxSizeStatus[\"Cache_MaxSize\"])", "cluster.uuid": "sE0P5OfeS2S_K3uBZ9bNnA", "node.id": "xUrv4X77Se2U2JXZ697WFQ"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-23T12:00:34,095Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca", "cluster.uuid": "sE0P5OfeS2S_K3uBZ9bNnA", "node.id": "xUrv4X77Se2U2JXZ697WFQ" , 
/var/log/wazuh-indexer/wazuh-cluster_server.json:"stacktrace": ["javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca",
/var/log/wazuh-indexer/wazuh-cluster_server.json:"at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365) ~[?:?]",
/var/log/wazuh-indexer/wazuh-cluster_server.json:"stacktrace": ["io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca",

Wazuh Server 🔴

Note: Messages about "has not been disconnected long enough to be replaced" and "doesn't comply with the registration time to be removed" were expected. These messages arose because an attempt was made to reconnect a reinstalled agent without previously removing it from the manager.

[root@wazuh-server wazuh-user]# grep -iE "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
2024/09/23 11:16:09 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/09/23 11:17:48 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/09/23 12:00:34 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 12:07:25 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 12:15:13 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 12:37:34 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 12:44:58 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 13:46:46 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 13:51:34 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 13:55:06 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 13:58:25 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:03:11 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:08:06 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:16:04 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:30:36 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:36:48 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:43:31 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 12:00:34 indexer-connector: WARNING: Failed to sync agent '001' with the indexer.
2024/09/23 12:06:36 wazuh-authd: WARNING: Duplicate name 'soaxp136', rejecting enrollment. Agent '001' has not been disconnected long enough to be replaced.
2024/09/23 12:06:41 wazuh-authd: WARNING: Duplicate name 'soaxp136', rejecting enrollment. Agent '001' has not been disconnected long enough to be replaced.
2024/09/23 12:06:51 wazuh-authd: WARNING: Duplicate name 'soaxp136', rejecting enrollment. Agent '001' has not been disconnected long enough to be replaced.
2024/09/23 12:07:25 indexer-connector: WARNING: Failed to sync agent '002' with the indexer.
2024/09/23 12:14:29 wazuh-authd: WARNING: Duplicate name 'soaxp136', rejecting enrollment. Agent '002' has not been disconnected long enough to be replaced.
2024/09/23 12:14:35 wazuh-authd: WARNING: Duplicate name 'soaxp136', rejecting enrollment. Agent '002' has not been disconnected long enough to be replaced.
2024/09/23 12:15:13 indexer-connector: WARNING: Failed to sync agent '003' with the indexer.
2024/09/23 12:37:34 indexer-connector: WARNING: Failed to sync agent '004' with the indexer.
2024/09/23 12:42:46 manage_agents: ERROR: 9011: Agent ID not found
2024/09/23 12:44:58 indexer-connector: WARNING: Failed to sync agent '005' with the indexer.
2024/09/23 13:46:46 indexer-connector: WARNING: Failed to sync agent '006' with the indexer.
2024/09/23 13:50:51 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2024/09/23 13:50:56 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2024/09/23 13:51:07 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.

2024/09/23 13:51:34 indexer-connector: WARNING: Failed to sync agent '007' with the indexer.
2024/09/23 13:53:33 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '007' has not been disconnected long enough to be replaced.
2024/09/23 13:53:38 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '007' has not been disconnected long enough to be replaced.
2024/09/23 13:53:48 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '007' has not been disconnected long enough to be replaced.
2024/09/23 13:54:03 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '007' has not been disconnected long enough to be replaced.
2024/09/23 13:54:23 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '007' has not been disconnected long enough to be replaced.
2024/09/23 13:55:03 manage_agents: ERROR: 9011: Agent ID not found

2024/09/23 13:55:06 indexer-connector: WARNING: Failed to sync agent '008' with the indexer.

2024/09/23 13:58:25 indexer-connector: WARNING: Failed to sync agent '009' with the indexer.
2024/09/23 13:59:55 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:00:00 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:00:11 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:00:26 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:00:46 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:01:11 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:01:41 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:02:17 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:03:11 indexer-connector: WARNING: Failed to sync agent '010' with the indexer.
2024/09/23 14:08:06 indexer-connector: WARNING: Failed to sync agent '011' with the indexer.
2024/09/23 14:14:15 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:14:15 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '011' has not been disconnected long enough to be replaced.
2024/09/23 14:15:05 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:15:06 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '011' has not been disconnected long enough to be replaced.
2024/09/23 14:15:55 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:16:04 indexer-connector: WARNING: Failed to sync agent '011' with the indexer.
2024/09/23 14:16:46 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:17:36 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:18:26 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:19:16 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:20:07 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:20:57 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:21:47 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:22:37 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:23:28 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:24:18 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:25:08 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:25:59 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:26:49 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:27:13 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '012' doesn't comply with the registration time to be removed.
2024/09/23 14:27:39 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:28:29 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:28:41 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '012' doesn't comply with the registration time to be removed.
2024/09/23 14:29:20 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:29:31 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '012' doesn't comply with the registration time to be removed.
2024/09/23 14:30:10 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:30:22 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '012' doesn't comply with the registration time to be removed.
2024/09/23 14:30:36 indexer-connector: WARNING: Failed to sync agent '012' with the indexer.
2024/09/23 14:31:00 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:31:50 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:32:41 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:33:31 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:34:21 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:35:11 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:36:02 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:36:48 indexer-connector: WARNING: Failed to sync agent '013' with the indexer.
2024/09/23 14:36:52 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:37:42 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:38:32 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:39:23 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:40:13 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:41:03 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:41:54 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:42:44 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:43:31 indexer-connector: WARNING: Failed to sync agent '013' with the indexer.
Filebeat Test 🟢
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2




Wazuh Indexer Cluster 🟢
[root@wazuh-server wazuh-user]# curl -k -u admin:password https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "sE0P5OfeS2S_K3uBZ9bNnA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "44213e57352e29e68206cc34e9ab3a377bebd983",
    "build_date" : "2024-09-20T13:18:25.050429Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}


[root@wazuh-server wazuh-user]# curl -k -u admin:password https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           10          97   4    0.17    0.11     0.03 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1



[root@wazuh-server wazuh-user]# curl -k -u admin:password https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 11,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
Users 🟢
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard


[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user/group:/home/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin


Versions 🟢
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="server"


[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.9.1
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.9.1
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.13.0",
  "branch": "2.x",
  "build": {
    "number": "49101",
    "sha": "4abde2652a27a40b6f0518e0c436a53aee98c84a",
    "distributable": true,
    "release": true
  },
  "wazuh": {
    "version": "4.9.1",
    "revision": "1"
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": ">=14.20.1 <19"
  }
}


Processes 🟢
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
root      2095     1  0 11:14 ?        00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2135     1  0 11:14 ?        00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+  2339     1  2 11:15 ?        00:05:23 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.security.manager=allow -Djava.locale.providers=SPI,COMPAT -Xms3941m -Xmx3941m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/var/log/wazuh-indexer/tmp -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Djava.security.manager=allow -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2066743296 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-d+  5325     1  0 11:17 ?        00:00:50 /usr/share/wazuh-dashboard/node/fallback/bin/node /usr/share/wazuh-dashboard/src/cli/dist
root      5959 17708  0 15:21 pts/1    00:00:00 /bin/sh /var/ossec/bin/agent_upgrade -a 014 -f /home/wazuh-user/wazuh_agent_v4.9.1_macos_intel64.pkg.wpk -F
root      5968  5959  0 15:21 pts/1    00:00:03 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/agent_upgrade.py -a 014 -f /home/wazuh-user/wazuh_agent_v4.9.1_macos_intel64.pkg.wpk -F
root      5970  5968  0 15:21 pts/1    00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/agent_upgrade.py -a 014 -f /home/wazuh-user/wazuh_agent_v4.9.1_macos_intel64.pkg.wpk -F
root      6880  2660  0 11:46 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  6912  6880  0 11:46 ?        00:00:02 sshd: wazuh-user@pts/0
wazuh-u+  6913  6912  0 11:46 pts/0    00:00:00 -bash
root     17639  6936  0 15:34 pts/0    00:00:00 grep --color=auto wazuh
root     17667  2660  0 13:54 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+ 17684 17667  0 13:54 ?        00:00:00 sshd: wazuh-user@pts/1
wazuh-u+ 17685 17684  0 13:54 pts/1    00:00:00 -bash
root     22092  6936  0 14:29 pts/0    00:00:00 grep --color=auto -R -i -E error|critical|fatal|warning /var/log/wazuh-indexer/
root     22150  6936  0 14:37 pts/0    00:00:00 grep --color=auto -R -i -E error|critical|fatal|warning /var/log/wazuh-indexer/
root     22153  6936  0 14:38 pts/0    00:00:00 grep --color=auto -R -i -E error|critical|fatal /var/log/wazuh-indexer/
wazuh    22519     1  0 14:42 ?        00:00:15 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
wazuh    22520 22519  0 14:42 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
wazuh    22523 22519  0 14:42 ?        00:00:01 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
wazuh    22526 22519  0 14:43 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
root     22569     1  0 14:43 ?        00:00:07 /var/ossec/bin/wazuh-authd
wazuh    22587     1  0 14:43 ?        00:00:04 /var/ossec/bin/wazuh-db
root     22613     1  0 14:43 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    22628     1  0 14:43 ?        00:00:03 /var/ossec/bin/wazuh-analysisd
root     22640     1  0 14:43 ?        00:00:14 /var/ossec/bin/wazuh-syscheckd
wazuh    22688     1  0 14:43 ?        00:00:29 /var/ossec/bin/wazuh-remoted
root     22724     1  0 14:43 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh    22744     1  0 14:43 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root     22765     1  0 14:43 ?        00:00:10 /var/ossec/bin/wazuh-modulesd


[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...


SSH Root Access Denied 🟢
akim@akim-PC:~/Desktop/personal$ ssh -i idr-1594.pem -p 2200 [email protected]
Please login as the user "wazuh-user" rather than the user "root".

SSH wazuh-user Access Allowed 🟢
akim@akim-PC:~/Desktop/personal$ ssh -i idr-xxx.pem -p 2200 [email protected]
Last login: Mon Sep 23 15:36:36 2024 from 78.red-81-36-27.dynamicip.rima-tde.net


wwwwww.           wwwwwww.          wwwwwww.
wwwwwww.          wwwwwww.          wwwwwww.
 wwwwww.         wwwwwwwww.        wwwwwww.
 wwwwwww.        wwwwwwwww.        wwwwwww.
  wwwwww.       wwwwwwwwwww.      wwwwwww.
  wwwwwww.      wwwwwwwwwww.      wwwwwww.
   wwwwww.     wwwwww.wwwwww.    wwwwwww.
   wwwwwww.    wwwww. wwwwww.    wwwwwww.
    wwwwww.   wwwwww.  wwwwww.  wwwwwww.
    wwwwwww.  wwwww.   wwwwww.  wwwwwww.
     wwwwww. wwwwww.    wwwwww.wwwwwww.
     wwwwwww.wwwww.     wwwwww.wwwwwww.
      wwwwwwwwwwww.      wwwwwwwwwwww.
      wwwwwwwwwww.       wwwwwwwwwwww.      oooooo
       wwwwwwwwww.        wwwwwwwwww.      oooooooo
       wwwwwwwww.         wwwwwwwwww.     oooooooooo
        wwwwwwww.          wwwwwwww.      oooooooooo
        wwwwwww.           wwwwwwww.       oooooooo
         wwwwww.            wwwwww.         oooooo


         WAZUH Open Source Security Platform
                  https://wazuh.com
Production Repositories 🟢
[root@wazuh-server wazuh-user]# cat /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
TCP and UDP 🟢

Tested with AIX/HP-UX/Solaris SPARC

Logs 🔴

Wazuh Dashboard - journalctl 🟡

[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
sep 23 12:54:04 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:54:04Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
sep 23 12:54:04 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:54:04Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
sep 23 12:54:01 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:54:01Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
sep 23 12:51:27 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:51:27Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
sep 23 12:50:57 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:50:57Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140166815971200:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_VERSION_TOO_LOW"},"message":"140166815971200:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
sep 23 12:47:15 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:47:15Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"140166815971200:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
sep 23 12:46:42 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:46:42Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140166815971200:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
sep 23 12:43:23 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:43:23Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140166815971200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
sep 23 14:22:59 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T14:22:59Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 23 14:22:58 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T14:22:58Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 23 14:21:46 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T14:21:46Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 23 14:21:46 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T14:21:46Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 23 14:20:26 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T14:20:26Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140166815971200:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 23 14:15:00 wazuh-server opensearch-dashboards[5325]: {"type":"log","@timestamp":"2024-09-23T14:15:00Z","tags":["error","plugins","wazuh","monitoring"],"pid":5325,"message":"connect ECONNREFUSED 127.0.0.1:55000"}
sep 23 14:15:00 wazuh-server opensearch-dashboards[5325]: {"type":"log","@timestamp":"2024-09-23T14:15:00Z","tags":["error","plugins","wazuh","cron-scheduler"],"pid":5325,"message":"Error: connect ECONNREFUSED 127.0.0.1:55000"}
sep 23 14:15:00 wazuh-server opensearch-dashboards[5325]: {"type":"log","@timestamp":"2024-09-23T14:15:00Z","tags":["error","plugins","wazuh","cron-scheduler"],"pid":5325,"message":"Error: connect ECONNREFUSED 127.0.0.1:55000"}
sep 23 12:54:02 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:54:02Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
sep 23 12:45:02 wazuh-server opensearch-dashboards[5325]: {"type":"error","@timestamp":"2024-09-23T12:45:02Z","tags":["connection","client","error"],"pid":5325,"level":"error","error":{"message":"140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140166815971200:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
sep 23 11:20:01 wazuh-server opensearch-dashboards[5325]: {"type":"log","@timestamp":"2024-09-23T11:20:01Z","tags":["error","opensearch","data"],"pid":5325,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2024.39w/Vcm1M6eyQqaDyoogzB1_TA] already exists"}
sep 23 11:18:27 wazuh-server opensearch-dashboards[5325]: {"type":"log","@timestamp":"2024-09-23T11:18:27Z","tags":["warning","cross-compatibility-service"],"pid":5325,"message":"Starting cross compatibility service"}
sep 23 11:17:12 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:17:12Z","tags":["warning","cross-compatibility-service"],"pid":1818,"message":"Starting cross compatibility service"}
sep 23 11:17:08 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:17:08Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:17:06 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:17:06Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:17:03 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:17:03Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:17:01 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:17:01Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:16:58 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:58Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:16:56 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:56Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ResponseError]: Response Error"}
sep 23 11:16:53 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:53Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:51 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:51Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:48 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:48Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:46 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:46Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:43 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:43Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:41 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:41Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:38 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:38Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:36 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:36Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 23 11:16:33 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:33Z","tags":["error","savedobjects-service"],"pid":1818,"message":"Unable to retrieve version information from OpenSearch nodes."}
sep 23 11:16:33 wazuh-server opensearch-dashboards[1818]: {"type":"log","@timestamp":"2024-09-23T11:16:33Z","tags":["error","opensearch","data"],"pid":1818,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

Wazuh Indexer - journalctl 🔴

  • Expected messages
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
sep 23 11:15:34 wazuh-server systemd-entrypoint[2339]: WARNING: System::setSecurityManager will be removed in a future release
sep 23 11:15:34 wazuh-server systemd-entrypoint[2339]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
sep 23 11:15:34 wazuh-server systemd-entrypoint[2339]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.13.0.jar)
sep 23 11:15:34 wazuh-server systemd-entrypoint[2339]: WARNING: A terminally deprecated method in java.lang.System has been called
sep 23 11:15:28 wazuh-server systemd-entrypoint[2339]: WARNING: COMPAT locale provider will be removed in a future release
sep 23 11:15:25 wazuh-server systemd-entrypoint[2339]: WARNING: System::setSecurityManager will be removed in a future release
sep 23 11:15:25 wazuh-server systemd-entrypoint[2339]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
sep 23 11:15:25 wazuh-server systemd-entrypoint[2339]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.13.0.jar)
sep 23 11:15:25 wazuh-server systemd-entrypoint[2339]: WARNING: A terminally deprecated method in java.lang.System has been called

Executing:

[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
  • Expected messages:
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-23T11:15:34,480Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.security.manager=allow, -Djava.locale.providers=SPI,COMPAT, -Xms3941m, -Xmx3941m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/var/log/wazuh-indexer/tmp, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.security.manager=allow, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2066743296, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-23T11:16:18,919Z", "level": "ERROR", "component": "o.o.p.c.j.GCMetrics", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "MX bean missing: G1 Concurrent GC" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-23T11:16:55,500Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-23T11:16:58,922Z", "level": "WARN", "component": "o.o.p.c.u.JsonConverter", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Json Mapping Error: Cannot invoke \"java.lang.Long.longValue()\" because \"this.cacheMaxSize\" is null (through reference chain: org.opensearch.performanceanalyzer.collectors.CacheConfigMetricsCollector$CacheMaxSizeStatus[\"Cache_MaxSize\"])", "cluster.uuid": "sE0P5OfeS2S_K3uBZ9bNnA", "node.id": "xUrv4X77Se2U2JXZ697WFQ"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-23T12:00:34,095Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca", "cluster.uuid": "sE0P5OfeS2S_K3uBZ9bNnA", "node.id": "xUrv4X77Se2U2JXZ697WFQ" , 
/var/log/wazuh-indexer/wazuh-cluster_server.json:"stacktrace": ["javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca",
/var/log/wazuh-indexer/wazuh-cluster_server.json:"at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365) ~[?:?]",
/var/log/wazuh-indexer/wazuh-cluster_server.json:"stacktrace": ["io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca",

Wazuh Server 🔴

Note: Messages such as "has not been disconnected long enough to be replaced", "SSL peer certificate or SSH remote key was not OK, status code: -1." and "doesn't comply with the registration time to be removed." were expected. These messages arose because an attempt was made to reconnect a reinstalled agent without previously removing it from the manager.

[root@wazuh-server wazuh-user]# grep -iE "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
2024/09/23 11:16:09 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/09/23 11:17:48 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/09/23 12:00:34 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 12:07:25 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 12:15:13 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 12:37:34 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 12:44:58 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 13:46:46 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 13:51:34 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 13:55:06 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 13:58:25 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:03:11 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:08:06 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:16:04 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:30:36 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:36:48 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 14:43:31 indexer-connector: ERROR: SSL peer certificate or SSH remote key was not OK, status code: -1.
2024/09/23 12:00:34 indexer-connector: WARNING: Failed to sync agent '001' with the indexer.
2024/09/23 12:06:36 wazuh-authd: WARNING: Duplicate name 'soaxp136', rejecting enrollment. Agent '001' has not been disconnected long enough to be replaced.
2024/09/23 12:06:41 wazuh-authd: WARNING: Duplicate name 'soaxp136', rejecting enrollment. Agent '001' has not been disconnected long enough to be replaced.
2024/09/23 12:06:51 wazuh-authd: WARNING: Duplicate name 'soaxp136', rejecting enrollment. Agent '001' has not been disconnected long enough to be replaced.
2024/09/23 12:07:25 indexer-connector: WARNING: Failed to sync agent '002' with the indexer.
2024/09/23 12:14:29 wazuh-authd: WARNING: Duplicate name 'soaxp136', rejecting enrollment. Agent '002' has not been disconnected long enough to be replaced.
2024/09/23 12:14:35 wazuh-authd: WARNING: Duplicate name 'soaxp136', rejecting enrollment. Agent '002' has not been disconnected long enough to be replaced.
2024/09/23 12:15:13 indexer-connector: WARNING: Failed to sync agent '003' with the indexer.
2024/09/23 12:37:34 indexer-connector: WARNING: Failed to sync agent '004' with the indexer.
2024/09/23 12:42:46 manage_agents: ERROR: 9011: Agent ID not found
2024/09/23 12:44:58 indexer-connector: WARNING: Failed to sync agent '005' with the indexer.
2024/09/23 13:46:46 indexer-connector: WARNING: Failed to sync agent '006' with the indexer.
2024/09/23 13:50:51 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2024/09/23 13:50:56 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2024/09/23 13:51:07 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2024/09/23 13:51:34 indexer-connector: WARNING: Failed to sync agent '007' with the indexer.
2024/09/23 13:53:33 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '007' has not been disconnected long enough to be replaced.
2024/09/23 13:53:38 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '007' has not been disconnected long enough to be replaced.
2024/09/23 13:53:48 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '007' has not been disconnected long enough to be replaced.
2024/09/23 13:54:03 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '007' has not been disconnected long enough to be replaced.
2024/09/23 13:54:23 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '007' has not been disconnected long enough to be replaced.
2024/09/23 13:55:03 manage_agents: ERROR: 9011: Agent ID not found
2024/09/23 13:55:06 indexer-connector: WARNING: Failed to sync agent '008' with the indexer.
2024/09/23 13:58:25 indexer-connector: WARNING: Failed to sync agent '009' with the indexer.
2024/09/23 13:59:55 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:00:00 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:00:11 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:00:26 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:00:46 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:01:11 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:01:41 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:02:17 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '009' has not been disconnected long enough to be replaced.
2024/09/23 14:03:11 indexer-connector: WARNING: Failed to sync agent '010' with the indexer.
2024/09/23 14:08:06 indexer-connector: WARNING: Failed to sync agent '011' with the indexer.
2024/09/23 14:14:15 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:14:15 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '011' has not been disconnected long enough to be replaced.
2024/09/23 14:15:05 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:15:06 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '011' has not been disconnected long enough to be replaced.
2024/09/23 14:15:55 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:16:04 indexer-connector: WARNING: Failed to sync agent '011' with the indexer.
2024/09/23 14:16:46 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:17:36 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:18:26 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:19:16 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:20:07 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:20:57 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:21:47 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:22:37 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:23:28 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:24:18 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:25:08 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:25:59 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:26:49 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:27:13 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '012' doesn't comply with the registration time to be removed.
2024/09/23 14:27:39 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:28:29 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:28:41 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '012' doesn't comply with the registration time to be removed.
2024/09/23 14:29:20 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:29:31 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '012' doesn't comply with the registration time to be removed.
2024/09/23 14:30:10 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:30:22 wazuh-authd: WARNING: Duplicate name 'macos-14', rejecting enrollment. Agent '012' doesn't comply with the registration time to be removed.
2024/09/23 14:30:36 indexer-connector: WARNING: Failed to sync agent '012' with the indexer.
2024/09/23 14:31:00 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:31:50 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:32:41 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:33:31 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:34:21 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:35:11 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:36:02 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:36:48 indexer-connector: WARNING: Failed to sync agent '013' with the indexer.
2024/09/23 14:36:52 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:37:42 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:38:32 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:39:23 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:40:13 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:41:03 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:41:54 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:42:44 wazuh-authd: WARNING: Duplicate name 'sossp177', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2024/09/23 14:43:31 indexer-connector: WARNING: Failed to sync agent '013' with the indexer.

Filebeat Test 🟢
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

Wazuh Indexer Cluster 🟢
[root@wazuh-server wazuh-user]# curl -k -u admin:password https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "sE0P5OfeS2S_K3uBZ9bNnA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "44213e57352e29e68206cc34e9ab3a377bebd983",
    "build_date" : "2024-09-20T13:18:25.050429Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}


[root@wazuh-server wazuh-user]# curl -k -u admin:password https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           10          97   4    0.17    0.11     0.03 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

[root@wazuh-server wazuh-user]# curl -k -u admin:password https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 11,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Users 🟢
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard


[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user/group:/home/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin


Versions 🟢
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="server"


[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.9.1
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.9.1
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.13.0",
  "branch": "2.x",
  "build": {
    "number": "49101",
    "sha": "4abde2652a27a40b6f0518e0c436a53aee98c84a",
    "distributable": true,
    "release": true
  },
  "wazuh": {
    "version": "4.9.1",
    "revision": "1"
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": ">=14.20.1 <19"
  }
}


Processes 🟢
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
root      2095     1  0 11:14 ?        00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2135     1  0 11:14 ?        00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+  2339     1  2 11:15 ?        00:05:23 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.security.manager=allow -Djava.locale.providers=SPI,COMPAT -Xms3941m -Xmx3941m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/var/log/wazuh-indexer/tmp -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Djava.security.manager=allow -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2066743296 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-d+  5325     1  0 11:17 ?        00:00:50 /usr/share/wazuh-dashboard/node/fallback/bin/node /usr/share/wazuh-dashboard/src/cli/dist
root      5959 17708  0 15:21 pts/1    00:00:00 /bin/sh /var/ossec/bin/agent_upgrade -a 014 -f /home/wazuh-user/wazuh_agent_v4.9.1_macos_intel64.pkg.wpk -F
root      5968  5959  0 15:21 pts/1    00:00:03 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/agent_upgrade.py -a 014 -f /home/wazuh-user/wazuh_agent_v4.9.1_macos_intel64.pkg.wpk -F
root      5970  5968  0 15:21 pts/1    00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/agent_upgrade.py -a 014 -f /home/wazuh-user/wazuh_agent_v4.9.1_macos_intel64.pkg.wpk -F
root      6880  2660  0 11:46 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  6912  6880  0 11:46 ?        00:00:02 sshd: wazuh-user@pts/0
wazuh-u+  6913  6912  0 11:46 pts/0    00:00:00 -bash
root     17639  6936  0 15:34 pts/0    00:00:00 grep --color=auto wazuh
root     17667  2660  0 13:54 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+ 17684 17667  0 13:54 ?        00:00:00 sshd: wazuh-user@pts/1
wazuh-u+ 17685 17684  0 13:54 pts/1    00:00:00 -bash
root     22092  6936  0 14:29 pts/0    00:00:00 grep --color=auto -R -i -E error|critical|fatal|warning /var/log/wazuh-indexer/
root     22150  6936  0 14:37 pts/0    00:00:00 grep --color=auto -R -i -E error|critical|fatal|warning /var/log/wazuh-indexer/
root     22153  6936  0 14:38 pts/0    00:00:00 grep --color=auto -R -i -E error|critical|fatal /var/log/wazuh-indexer/
wazuh    22519     1  0 14:42 ?        00:00:15 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
wazuh    22520 22519  0 14:42 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
wazuh    22523 22519  0 14:42 ?        00:00:01 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
wazuh    22526 22519  0 14:43 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
root     22569     1  0 14:43 ?        00:00:07 /var/ossec/bin/wazuh-authd
wazuh    22587     1  0 14:43 ?        00:00:04 /var/ossec/bin/wazuh-db
root     22613     1  0 14:43 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    22628     1  0 14:43 ?        00:00:03 /var/ossec/bin/wazuh-analysisd
root     22640     1  0 14:43 ?        00:00:14 /var/ossec/bin/wazuh-syscheckd
wazuh    22688     1  0 14:43 ?        00:00:29 /var/ossec/bin/wazuh-remoted
root     22724     1  0 14:43 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh    22744     1  0 14:43 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root     22765     1  0 14:43 ?        00:00:10 /var/ossec/bin/wazuh-modulesd


[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...


SSH Root Access Denied 🟢
akim@akim-PC:~/Desktop/personal$ ssh -i idr-1594.pem -p 2200 [email protected]
Please login as the user "wazuh-user" rather than the user "root".

SSH wazuh-user Access Allowed 🟢
akim@akim-PC:~/Desktop/personal$ ssh -i idr-xxx.pem -p 2200 [email protected]
Last login: Mon Sep 23 15:36:36 2024 from 78.red-81-36-27.dynamicip.rima-tde.net


wwwwww.           wwwwwww.          wwwwwww.
wwwwwww.          wwwwwww.          wwwwwww.
 wwwwww.         wwwwwwwww.        wwwwwww.
 wwwwwww.        wwwwwwwww.        wwwwwww.
  wwwwww.       wwwwwwwwwww.      wwwwwww.
  wwwwwww.      wwwwwwwwwww.      wwwwwww.
   wwwwww.     wwwwww.wwwwww.    wwwwwww.
   wwwwwww.    wwwww. wwwwww.    wwwwwww.
    wwwwww.   wwwwww.  wwwwww.  wwwwwww.
    wwwwwww.  wwwww.   wwwwww.  wwwwwww.
     wwwwww. wwwwww.    wwwwww.wwwwwww.
     wwwwwww.wwwww.     wwwwww.wwwwwww.
      wwwwwwwwwwww.      wwwwwwwwwwww.
      wwwwwwwwwww.       wwwwwwwwwwww.      oooooo
       wwwwwwwwww.        wwwwwwwwww.      oooooooo
       wwwwwwwww.         wwwwwwwwww.     oooooooooo
        wwwwwwww.          wwwwwwww.      oooooooooo
        wwwwwww.           wwwwwwww.       oooooooo
         wwwwww.            wwwwww.         oooooo


         WAZUH Open Source Security Platform
                  https://wazuh.com

Production Repositories 🟢
[root@wazuh-server wazuh-user]# cat /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1

TCP and UDP 🟢

Tested with AIX/HP-UX/Solaris SPARC


Known issues

New issues:

@pro-akim

pro-akim commented Sep 24, 2024

Analysis Report - OVA 🔴

WUI 🟢
  • Loading Screen (screenshot)
  • Login Screen (screenshot)
  • Credentials & Health Check (screenshot)
  • Overview (screenshot)
  • Version (screenshot)

Logs 🔴

Wazuh Dashboard - journalctl 🟡

Running:

[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
sep 24 10:06:45 wazuh-server opensearch-dashboards[2397]: {"type":"error","@timestamp":"2024-09-24T10:06:45Z","tags":["connection","client","error"],"pid":2397,"level":"error","error":{"message":"139771575605120:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 139771575605120:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"139771575605120:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
sep 24 10:05:09 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T10:05:09Z","tags":["warning","cross-compatibility-service"],"pid":2397,"message":"Starting cross compatibility service"}
sep 24 10:05:06 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T10:05:06Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ResponseError]: Response Error"}
sep 24 10:05:03 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T10:05:03Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ResponseError]: Response Error"}
sep 24 10:05:01 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T10:05:01Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ResponseError]: Response Error"}
sep 24 10:04:58 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T10:04:58Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ResponseError]: Response Error"}
sep 24 10:04:56 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T10:04:56Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ResponseError]: Response Error"}
sep 24 10:04:53 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T10:04:53Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ResponseError]: Response Error"}
sep 24 10:04:51 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T10:04:51Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 10:04:48 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T10:04:48Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 10:04:46 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T10:04:46Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 12:04:42 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:42Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 12:04:39 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:39Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 12:04:37 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:37Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 12:04:34 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:34Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 12:04:32 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:32Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 12:04:29 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:29Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 12:04:27 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:27Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 12:04:24 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:24Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 12:04:22 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:22Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
sep 24 12:04:19 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:19Z","tags":["error","savedobjects-service"],"pid":2397,"message":"Unable to retrieve version information from OpenSearch nodes."}
sep 24 12:04:19 wazuh-server opensearch-dashboards[2397]: {"type":"log","@timestamp":"2024-09-24T12:04:19Z","tags":["error","opensearch","data"],"pid":2397,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

Wazuh Indexer - journalctl 🟢

[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
sep 24 12:04:25 wazuh-server systemd-entrypoint[3983]: WARNING: System::setSecurityManager will be removed in a future release
sep 24 12:04:25 wazuh-server systemd-entrypoint[3983]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
sep 24 12:04:25 wazuh-server systemd-entrypoint[3983]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.13.0.jar)
sep 24 12:04:25 wazuh-server systemd-entrypoint[3983]: WARNING: A terminally deprecated method in java.lang.System has been called
sep 24 12:04:24 wazuh-server systemd-entrypoint[3983]: WARNING: COMPAT locale provider will be removed in a future release
sep 24 12:04:23 wazuh-server systemd-entrypoint[3983]: WARNING: System::setSecurityManager will be removed in a future release
sep 24 12:04:23 wazuh-server systemd-entrypoint[3983]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
sep 24 12:04:23 wazuh-server systemd-entrypoint[3983]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.13.0.jar)
sep 24 12:04:23 wazuh-server systemd-entrypoint[3983]: WARNING: A terminally deprecated method in java.lang.System has been called

Wazuh Indexer 🔴

  • Expected messages:
[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T11:58:29,312Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.security.manager=allow, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/var/log/wazuh-indexer/tmp, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.security.manager=allow, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:02,017Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@68fbb520] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:02,017Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@68fbb520] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:02,017Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@68fbb520] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:02,017Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@68fbb520] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:02,017Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@68fbb520] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:02,018Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@68fbb520] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:02,018Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@68fbb520] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:02,018Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@68fbb520] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:02,018Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@68fbb520] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:58:51,917Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:02,016Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@68fbb520] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:03,325Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:03,392Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:03,403Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qB1wd91WRASFqR8W4dH_2w", "node.id": "SvZ1vXs0SVeh9AuvjmYTwA"  }

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-09-24T09:59:03,407Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.na

Wazuh Server 🟢

[root@wazuh-server wazuh-user]# grep -iE "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
2024/09/24 11:58:39 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/09/24 12:04:39 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.

Filebeat Test 🟢
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

Wazuh Indexer Cluster 🟢
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "qB1wd91WRASFqR8W4dH_2w",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "44213e57352e29e68206cc34e9ab3a377bebd983",
    "build_date" : "2024-09-20T13:18:25.050429Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1            2          78   4    0.14    0.30     0.29 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 10,
  "active_shards" : 10,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Users 🟢
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard

[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user/group:/home/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin

Versions 🟢
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40910"
WAZUH_TYPE="server"

[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.9.1
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.9.1
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.13.0",
  "branch": "2.x",
  "build": {
    "number": "49101",
    "sha": "4abde2652a27a40b6f0518e0c436a53aee98c84a",
    "distributable": true,
    "release": true
  },
  "wazuh": {
    "version": "4.9.1",
    "revision": "1"
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": ">=14.20.1 <19"
  }
}
Processes 🟢
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
wazuh-d+  2397     1  2 10:04 ?        00:00:17 /usr/share/wazuh-dashboard/node/fallback/bin/node /usr/share/wazuh-dashboard/src/cli/dist
root      3609     1  0 10:04 ?        00:00:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
wazuh-i+  3983     1  9 10:04 ?        00:01:20 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.security.manager=allow -Djava.locale.providers=SPI,COMPAT -Xms3981m -Xmx3981m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/var/log/wazuh-indexer/tmp -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Djava.security.manager=allow -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2087714816 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
root      4004     1  0 10:04 ?        00:00:00 login -- wazuh-user
wazuh     5567     1  1 10:04 ?        00:00:12 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
wazuh     5575  5567  0 10:04 ?        00:00:01 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
wazuh     5579  5567  0 10:04 ?        00:00:04 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
wazuh     5582  5567  0 10:04 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
root      5746     1  0 10:04 ?        00:00:00 /var/ossec/bin/wazuh-authd
wazuh     5937     1  0 10:04 ?        00:00:01 /var/ossec/bin/wazuh-db
wazuh-u+  6031  4004  0 10:04 tty1     00:00:00 -bash
root      6159     1  0 10:04 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     6280     1  0 10:04 ?        00:00:01 /var/ossec/bin/wazuh-analysisd
root      6389     1  1 10:04 ?        00:00:13 /var/ossec/bin/wazuh-syscheckd
wazuh     6595     1  0 10:04 ?        00:00:00 /var/ossec/bin/wazuh-remoted
root      6760     1  0 10:04 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh     6917     1  0 10:04 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root      7093     1  0 10:04 ?        00:00:01 /var/ossec/bin/wazuh-modulesd
root     13472  3990  0 10:04 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+ 14552 13472  0 10:05 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+ 14555 14552  0 10:05 pts/0    00:00:00 -bash
root     19693 15952  0 10:19 pts/0    00:00:00 grep --color=auto wazuh

[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
SSH Root Access Denied 🟢
akim@akim-PC:~$ ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
SSH wazuh-user Access Allowed 🟢
akim@akim-PC:~$ ssh [email protected]
[email protected]'s password: 
Last login: Tue Sep 24 10:05:05 2024 from 192.168.1.101
wwwwww.           wwwwwww.          wwwwwww.
wwwwwww.          wwwwwww.          wwwwwww.
 wwwwww.         wwwwwwwww.        wwwwwww.
 wwwwwww.        wwwwwwwww.        wwwwwww.
  wwwwww.       wwwwwwwwwww.      wwwwwww.
  wwwwwww.      wwwwwwwwwww.      wwwwwww.
   wwwwww.     wwwwww.wwwwww.    wwwwwww.
   wwwwwww.    wwwww. wwwwww.    wwwwwww.
    wwwwww.   wwwwww.  wwwwww.  wwwwwww.
    wwwwwww.  wwwww.   wwwwww.  wwwwwww.
     wwwwww. wwwwww.    wwwwww.wwwwwww.
     wwwwwww.wwwww.     wwwwww.wwwwwww.
      wwwwwwwwwwww.      wwwwwwwwwwww.
      wwwwwwwwwww.       wwwwwwwwwwww.      oooooo
       wwwwwwwwww.        wwwwwwwwww.      oooooooo
       wwwwwwwww.         wwwwwwwwww.     oooooooooo
        wwwwwwww.          wwwwwwww.      oooooooooo
        wwwwwww.           wwwwwwww.       oooooooo
         wwwwww.            wwwwww.         oooooo


         WAZUH Open Source Security Platform
                  https://wazuh.com


[wazuh-user@wazuh-server ~]$ 
Production Repositories 🟢
[root@wazuh-server wazuh-user]# cat /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
TCP and UDP 🟢

TCP

  • Wazuh server:
[root@wazuh-server wazuh-user]# egrep protocol /var/ossec/etc/ossec.conf
    <protocol>tcp</protocol>
  • Agent:
root@mediumubuntu:/home/vagrant# egrep tcp /var/ossec/logs/ossec.log
2024/09/24 10:32:18 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xxx.xx]:1514/tcp).
2024/09/24 10:32:18 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xxx.xx]:1514/tcp).
2024/09/24 10:32:22 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xxx.xx]:1514/tcp).
2024/09/24 10:32:22 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xxx.xx]:1514/tcp).
  • Alerts:
{"timestamp":"2024-09-24T10:32:34.470+0000","rule":{"level":3,"description":"CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0: Ensure root is the only UID 0 account.","id":"19008","firedtimes":84,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["6.2.10"],"mitre_mitigations":["M1026"],"mitre_tactics":["TA0001"],"mitre_techniques":["T1548"]},"agent":{"id":"001","name":"ubuntu-agent","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1727173954.818752","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1546427550","policy":"CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0","check":{"id":"19209","title":"Ensure root is the only UID 0 account.","description":"Any account with UID 0 has superuser privileges on the system.","rationale":"This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted.","remediation":"Remove any users other than root with UID 0 or assign them a new UID if appropriate.","compliance":{"cis":"6.2.10","mitre_mitigations":"M1026","mitre_tactics":"TA0001","mitre_techniques":"T1548"},"file":["/etc/passwd"],"result":"passed"}}},"location":"sca"}
{"timestamp":"2024-09-24T10:32:41.495+0000","rule":{"level":7,"description":"SCA summary: CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0: Score less than 50% (43)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"ubuntu-agent","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1727173961.820753","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1546427550","policy":"CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu20-04","passed":"84","failed":"107","invalid":"19","total_checks":"210","score":"43","file":"cis_ubuntu20-04.yml"}},"location":"sca"}
{"timestamp":"2024-09-24T10:32:52.906+0000","rule":{"level":7,"description":"SCA summary: CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0: Score less than 50% (43)","id":"19004","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"ubuntu-agent","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1727173972.822036","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1546427550","policy":"CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu20-04","passed":"84","failed":"107","invalid":"19","total_checks":"210","score":"43","file":"cis_ubuntu20-04.yml"}},"location":"sca"}

UDP

  • Wazuh server:
[root@wazuh-server wazuh-user]# egrep protocol /var/ossec/etc/ossec.conf
    <protocol>udp</protocol>
  • Agent:
root@mediumubuntu:/home/vagrant# egrep udp /var/ossec/logs/ossec.log
2024/09/24 10:33:30 wazuh-agentd: INFO: Trying to connect to server ([xx.xx.xxx.xx]:1514/udp).
2024/09/24 10:33:30 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xx.xxx.xx]:1514/udp).
  • Alerts:
{"timestamp":"2024-09-24T10:32:52.906+0000","rule":{"level":7,"description":"SCA summary: CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0: Score less than 50% (43)","id":"19004","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"ubuntu-agent","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1727173972.822036","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1546427550","policy":"CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu20-04","passed":"84","failed":"107","invalid":"19","total_checks":"210","score":"43","file":"cis_ubuntu20-04.yml"}},"location":"sca"}
{"timestamp":"2024-09-24T10:33:31.283+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"ubuntu-agent","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1727174011.823337","full_log":"ossec: Agent stopped: 'ubuntu-agent->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"ubuntu-agent->any"},"location":"wazuh-remoted"}
{"timestamp":"2024-09-24T10:33:31.672+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"ubuntu-agent","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1727174011.823673","full_log":"ossec: Agent started: 'ubuntu-agent->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"ubuntu-agent->any"},"location":"wazuh-agent"}
----

Known issues

New issues:

@hossam1522
Member

LGTM!

@rauldpm rauldpm closed this as completed Sep 25, 2024