vulnerability detection does not work


Piotr

Jul 16, 2024, 5:33:53 AM
to Wazuh | Mailing List
Hello Wazuh Team :)

I upgraded Wazuh from version 4.7.5 to 4.8.0 and vulnerability detection does not work. The upgrade was performed according to the instructions https://documentation.wazuh.com/current/upgrade-guide/upgrading-central-components.html

In the section "Configuring vulnerability detection" there is this instruction: Add the new <vulnerability-detection> block and remove the old <vulnerability-detector> if it exists. I pasted the <vulnerability-detection> block that is provided and deleted the <vulnerability-detector> along with the entire configuration. The module does not work for me at the moment. I have the message as in the screenshot.
screen1.PNG

I would like it to work also with Oracle Linux virtual machines. I previously had this configuration 
<vulnerabilities-detector>
...
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>yes</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<os>9</os>
<os allow="Oracle Linux-7">7</os>
<os allow="Oracle Linux-8">8</os>
<os allow="Oracle Linux-9">9</os>
<update_interval>1h</update_interval>
</provider>

Please help :)

Regards

Stuti Gupta

Jul 16, 2024, 6:04:32 AM
to Wazuh | Mailing List
Hi Piotr,
Please make sure to update the <vulnerability-detection> and <indexer> blocks in /var/ossec/etc/ossec.conf in version 4.8.0. You can find the Vulnerability Detection settings in the Wazuh server configuration file at `/var/ossec/etc/ossec.conf`.
<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<indexer>
   <enabled>yes</enabled>
   <hosts>
      <host>https://0.0.0.0:9200</host>
   </hosts>
   <ssl>
      <certificate_authorities>
         <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
   </ssl>
</indexer>


Replace `0.0.0.0` with the indexer IP in the Filebeat config file. For example:
output.elasticsearch.hosts:
  - 127.0.0.1:9200

Wazuh indexer node's IP address or hostname. If you have a Wazuh indexer cluster, add a `<host>` entry for each one of your nodes. For example, in a two-node configuration:
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>

Check the certificate name:
ll /etc/filebeat/certs
Verify the Filebeat certificate name and path are correct and update the `<indexer>` block in `/var/ossec/etc/ossec.conf` accordingly.

Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool:
/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>

After that, save the configuration and restart the manager/cluster using the command:
systemctl restart wazuh-manager

Refer: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html
https://documentation.wazuh.com/current/upgrade-guide/troubleshooting.html

If that does not work, I would ask you what you see in the ossec.log file:
cat /var/ossec/logs/ossec.log
Also, share the output of the command:
cat /var/ossec/etc/ossec.conf | grep "<indexer>" -A12

Hope this helps
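
A pre-restart check for the points in the reply above, as an added example that is not part of the original thread or of Wazuh: it reads the `<indexer>` block, flags the `0.0.0.0` placeholder, and confirms that each referenced certificate file exists and is readable. The function names, the `ROOT` parameter and the sample files are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example; the sample files below are constructed for the demonstration.

# indexer_values FILE TAG: print the text of each <TAG> in the <indexer> block.
indexer_values() {
  sed -n '/<indexer>/,/<\/indexer>/p' "$1" |
    sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p"
}

# check_indexer_block FILE [ROOT]: print one finding per line, return 1 if
# there are any. ROOT (hypothetical parameter) is prefixed to the certificate
# paths so the check can run against a test tree instead of /.
check_indexer_block() {
  local conf=$1 root=${2:-} bad=0 h tag p
  [ -n "$(indexer_values "$conf" host)" ] || { echo "no <host> entry found"; bad=1; }
  for h in $(indexer_values "$conf" host); do
    case $h in
      *//0.0.0.0:*) echo "placeholder host not replaced: $h"; bad=1 ;;
    esac
  done
  for tag in ca certificate key; do
    for p in $(indexer_values "$conf" "$tag"); do
      [ -r "$root$p" ] || { echo "<$tag> file not readable: $p"; bad=1; }
    done
  done
  return "$bad"
}

# make_sample DIR: build a constructed test tree. template.conf is the block
# as pasted from the reply; fixed.conf uses the names from the ls listing.
make_sample() {
  mkdir -p "$1/etc/filebeat/certs"
  touch "$1/etc/filebeat/certs/root-ca.pem" \
        "$1/etc/filebeat/certs/wazuh-server.pem" \
        "$1/etc/filebeat/certs/wazuh-server-key.pem"
  cat > "$1/template.conf" <<'EOF'
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
EOF
  sed -e 's/0\.0\.0\.0/127.0.0.1/' \
      -e 's/filebeat-key\.pem/wazuh-server-key.pem/' \
      -e 's/filebeat\.pem/wazuh-server.pem/' \
      "$1/template.conf" > "$1/fixed.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
check_indexer_block "$demo/template.conf" "$demo" || echo "template.conf: needs fixing"
check_indexer_block "$demo/fixed.conf" "$demo" && echo "fixed.conf: host and certificate paths OK"
rm -rf "$demo"
```

On a real manager the same function can be pointed at `/var/ossec/etc/ossec.conf` with no `ROOT` argument, run as root so the `-r` test reflects what the manager can read.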

Piotr

Jul 18, 2024, 1:28:38 AM
to Wazuh | Mailing List
Hi Stuti,
thank you very much for your reply.

I corrected the configuration, but it still doesn't work. 
I ran debug for a moment (/var/ossec/logs/ossec.log):

indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
Unable to initialize IndexerConnector for index 'wazuh-states-vulnerabilities-wazuh-server': HTTP response code said error (Status code: 401). Retrying in 2 seconds.

I think there is a problem with the following, because I use a password with special characters. The password command only succeeded when I entered '<pass-with-special-char>', but it still doesn't work.
/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v  '<pass-with-special-char>'
 <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>

    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
    </ssl>
  </indexer>


ls -alh /etc/filebeat/certs/
total 12K
dr--------. 2 root root   77 Jul 10  2023 .
drwxr-xr-x. 4 root root  131 Jul 10  2023 ..
-r--------. 1 root root 1.2K Jul 10  2023 root-ca.pem
-r--------. 1 root root 1.7K Jul 10  2023 wazuh-server-key.pem
-r--------. 1 root root 1.3K Jul 10  2023 wazuh-server.pem


cat /etc/filebeat/filebeat.yml
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
        - 127.0.0.1:9200
#        - <elasticsearch_ip_node_2>:9200
#        - <elasticsearch_ip_node_3>:9200

output.elasticsearch:
  protocol: https
  username: ${username}
 # password: ${password}
  password: ${wazuh_admin}

  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/wazuh-server.pem"
  ssl.key: "/etc/filebeat/certs/wazuh-server-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq

Stuti Gupta

Jul 18, 2024, 3:51:40 AM
to Wazuh | Mailing List

If that does not work, I would ask you what you see in the ossec.log file:
cat /var/ossec/logs/ossec.log
Also, share the output of the command:
cat /var/ossec/etc/ossec.conf | grep "<indexer>" -A12

Piotr

Jul 18, 2024, 4:19:39 AM
to Wazuh | Mailing List
cat /var/ossec/etc/ossec.conf | grep "<indexer>" -A12
<indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
    </ssl>
  </indexer>

ls -lah /etc/filebeat/certs/

total 12K
dr--------. 2 root root   77 Jul 10  2023 .
drwxr-xr-x. 4 root root  131 Jul 10  2023 ..
-r--------. 1 root root 1.2K Jul 10  2023 root-ca.pem
-r--------. 1 root root 1.7K Jul 10  2023 wazuh-server-key.pem
-r--------. 1 root root 1.3K Jul 10  2023 wazuh-server.pem


cat /var/ossec/logs/ossec.log
2024/07/18 00:00:10 wazuh-monitord: INFO: Starting new log after rotation.
2024/07/18 00:17:49 sca: INFO: Starting Security Configuration Assessment scan.
2024/07/18 00:17:49 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_centos7_linux.yml'
2024/07/18 00:18:02 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2024/07/18 00:18:05 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_centos7_linux.yml'
2024/07/18 00:18:05 sca: INFO: Security Configuration Assessment scan finished. Duration: 16 seconds.
2024/07/18 00:18:06 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/07/18 00:20:31 rootcheck: INFO: Starting rootcheck scan.
2024/07/18 00:21:26 rootcheck: INFO: Ending rootcheck scan.
2024/07/18 00:22:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/07/18 00:22:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/07/18 01:22:44 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/07/18 01:22:51 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/07/18 02:22:52 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/07/18 02:22:59 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/07/18 03:23:00 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/07/18 03:23:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/07/18 04:23:08 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/07/18 04:23:15 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/07/18 05:23:16 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/07/18 05:23:23 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/07/18 06:23:24 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/07/18 06:23:31 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/07/18 07:23:32 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/07/18 07:23:39 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/07/18 08:17:36 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2024/07/18 08:17:36 wazuh-modulesd:syscollector: INFO: Module finished.
2024/07/18 08:17:36 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/07/18 08:17:37 indexer-connector: WARNING: Failed to sync agent '010' with the indexer.
2024/07/18 08:17:37 wazuh-monitord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/07/18 08:17:37 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/07/18 08:17:37 wazuh-remoted: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/07/18 08:17:37 wazuh-remoted: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/07/18 08:17:37 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources.
2024/07/18 08:17:37 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/07/18 08:17:38 wazuh-analysisd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/07/18 08:17:38 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2024/07/18 08:17:38 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/07/18 08:17:38 wazuh-db: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/07/18 08:17:39 wazuh-db: INFO: Graceful process shutdown.
2024/07/18 08:17:39 wazuh-authd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/07/18 08:17:40 wazuh-authd: INFO: Exiting...
2024/07/18 08:17:43 wazuh-modulesd:router: INFO: Loaded router module.
2024/07/18 08:17:43 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2024/07/18 08:17:47 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit.
2024/07/18 08:17:47 wazuh-dbd: INFO: Database not configured. Clean exit.
2024/07/18 08:17:47 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
2024/07/18 08:17:47 wazuh-agentlessd: INFO: Not configured. Exiting.
2024/07/18 08:17:47 wazuh-authd: INFO: Started (pid: 29378).
2024/07/18 08:17:47 wazuh-authd: INFO: Accepting connections on port 1515. No password required.
2024/07/18 08:17:47 wazuh-authd: INFO: Setting network timeout to 1.000000 sec.
2024/07/18 08:17:47 wazuh-db: INFO: Started (pid: 29392).
2024/07/18 08:17:48 wazuh-execd: INFO: Started (pid: 29418).
2024/07/18 08:17:49 wazuh-syscheckd: INFO: Started (pid: 29443).
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6000): Starting daemon...
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2024/07/18 08:17:49 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2024/07/18 08:17:49 rootcheck: INFO: Starting rootcheck scan.
2024/07/18 08:17:49 wazuh-analysisd: INFO: Total rules enabled: '6786'
2024/07/18 08:17:49 wazuh-analysisd: INFO: Started (pid: 29430).
2024/07/18 08:17:49 wazuh-analysisd: INFO: (7200): Logtest started
2024/07/18 08:17:49 wazuh-analysisd: INFO: EPS limit disabled
2024/07/18 08:17:50 wazuh-remoted: INFO: Remote syslog allowed from: '10.80.253.254/32'
2024/07/18 08:17:50 wazuh-remoted: INFO: Started (pid: 29511). Listening on port 514/UDP (syslog).
2024/07/18 08:17:50 wazuh-remoted: INFO: Started (pid: 29510). Listening on port 1514/TCP (secure).
2024/07/18 08:17:50 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2024/07/18 08:17:51 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2024/07/18 08:17:51 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2024/07/18 08:17:51 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2024/07/18 08:17:51 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
2024/07/18 08:17:51 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2024/07/18 08:17:51 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/messages'.
2024/07/18 08:17:51 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/secure'.
2024/07/18 08:17:51 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/maillog'.
2024/07/18 08:17:51 wazuh-logcollector: INFO: Started (pid: 29547).
2024/07/18 08:17:52 wazuh-monitord: INFO: Started (pid: 29566).
2024/07/18 08:17:53 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/07/18 08:17:53 wazuh-syscheckd: INFO: FIM sync module started.
2024/07/18 08:17:53 wazuh-modulesd:router: INFO: Loaded router module.
2024/07/18 08:17:53 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2024/07/18 08:17:53 wazuh-modulesd: INFO: Started (pid: 29624).
2024/07/18 08:17:53 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/07/18 08:17:53 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2024/07/18 08:17:53 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2024/07/18 08:17:53 sca: INFO: Module started.
2024/07/18 08:17:53 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/07/18 08:17:53 wazuh-modulesd:router: INFO: Starting router module.
2024/07/18 08:17:53 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_centos7_linux.yml'
2024/07/18 08:17:53 wazuh-modulesd:content_manager: INFO: Starting content_manager module.
2024/07/18 08:17:53 sca: INFO: Starting Security Configuration Assessment scan.
2024/07/18 08:17:53 wazuh-modulesd:database: INFO: Module started.
2024/07/18 08:17:53 wazuh-modulesd:download: INFO: Module started.
2024/07/18 08:17:53 wazuh-modulesd:control: INFO: Starting control thread.
2024/07/18 08:17:53 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/07/18 08:17:53 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_centos7_linux.yml'
2024/07/18 08:17:53 wazuh-modulesd:syscollector: INFO: Module started.
2024/07/18 08:17:53 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/07/18 08:17:54 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/07/18 08:17:55 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started
2024/07/18 08:17:59 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/07/18 08:18:10 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_centos7_linux.yml'
2024/07/18 08:18:10 sca: INFO: Security Configuration Assessment scan finished. Duration: 17 seconds.

Stuti Gupta

Jul 19, 2024, 4:14:31 AM
to Wazuh | Mailing List
Hi,
The warning:

indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.

suggests that the IndexerConnector is not connected yet.

Please make sure you have saved the right Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool:

/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>

Please stop your manager
set wazuh_modules.debug=2 in your /var/ossec/etc/internal_options.conf

Piotr

Jul 19, 2024, 9:14:08 AM
to Stuti Gupta, Wazuh | Mailing List
Hi,

In
/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>
I must add my admin account? Because I did.

The ossec.log from a run with wazuh_modules.debug=2 is in the attachment.

Best Regards,
Piotr

ossec.log

Stuti Gupta

Jul 22, 2024, 6:28:20 AM
to Wazuh | Mailing List
It still shows the same error: Unable to initialize IndexerConnector for index 'wazuh-states-vulnerabilities-wazuh-server': HTTP response code said error (Status code: 401)

You will encounter this error if the admin username, password, or certificate paths and names are incorrect. You can use the following curl command to check if everything is configured as expected:
curl -u <user>:<pass> --cacert <path.pem> --cert <path-client.pem> --key <path-client-key.pem> -X GET "https://<indexer-IP>:9200/_cluster/health"

If everything is correct then the output will be similar to:
{"cluster_name":"wazuh-cluster","status":"green","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":35,"active_shards":35,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}

Please share the output of this command 

Hope to hear from you soon 

Piotr

Jul 23, 2024, 5:47:24 AM
to Wazuh | Mailing List
Hello,

This issue is resolved :)
The problem was the password, even though I entered the correct one. After generating a new password and saving it using wazuh-passwords-tool.sh, everything works :)

Output for your command:
{"cluster_name":"wazuh-cluster","status":"green","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":1035,"active_shards":1035,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}

The previous password contained unwanted special characters, e.g:
curl -u admin:QB0;TO^"2F*-lahPKrc;.t --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/wazuh-server.pem --key /etc/filebeat/certs/wazuh-server-key.pem -X GET "https://127.0.0.1:9200/_cluster/health"
>
>
>
>
>

Thank You very much :)
Best Regards
Piotr
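
The `>` lines in the post above are the shell's continuation prompt: the bare `"` inside the password opens a quoted string that is never closed, and a `;` would also split the line into separate commands. An added example (not part of the original thread; `PW` is a constructed sample password and the helper names are hypothetical) that tests a password for shell metacharacters and builds correctly quoted `wazuh-keystore` and `curl` command lines:

```bash
#!/usr/bin/env bash
# Added example. PW is a constructed sample password, not a real credential;
# it has the same kinds of characters as the one in the thread: ; ^ " * .
PW='Ab1;cd^"2E*-fgh;.z'

# needs_quoting STRING: true if STRING is empty or has any character outside
# a conservative set that every POSIX shell treats literally.
needs_quoting() {
  case $1 in
    ''|*[!A-Za-z0-9_@%+=:,./-]*) return 0 ;;
    *) return 1 ;;
  esac
}

# sh_quote STRING: print STRING in single quotes so the shell passes it on
# as exactly one argument; an embedded ' is written as '\''.
sh_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# roundtrip STRING: hand the quoted form to a child shell and print the
# argument that shell actually delivers to printf.
roundtrip() {
  bash -c "printf '%s' $(sh_quote "$1")"
}

# syntax_ok LINE: true if LINE is a complete command line. 'bash -n' only
# parses; the command in LINE is never executed.
syntax_ok() {
  bash -n -c "$1" 2>/dev/null
}

# Command lines from the thread, built as text only. $1 is the password
# exactly as it would be typed on the command line.
CERTS=/etc/filebeat/certs
curl_line() {
  printf '%s' "curl -u admin:$1 --cacert $CERTS/root-ca.pem" \
    " --cert $CERTS/wazuh-server.pem --key $CERTS/wazuh-server-key.pem" \
    " -X GET \"https://127.0.0.1:9200/_cluster/health\""
}
keystore_line() {
  printf '%s' "/var/ossec/bin/wazuh-keystore -f indexer -k password -v $1"
}

needs_quoting "$PW" && echo "password needs quoting"
syntax_ok "$(curl_line "$PW")" ||
  echo "typed bare: unterminated quote, the shell keeps prompting with '>'"
syntax_ok "$(curl_line "$(sh_quote "$PW")")" && echo "quoted: one complete command"
[ "$(roundtrip "$PW")" = "$PW" ] && echo "quoted form reaches the program unchanged"
keystore_line "$(sh_quote "$PW")"; echo
```

A password that passes `syntax_ok` unquoted can still be split or expanded by the shell (for example at a `;` or `*`), which is why `needs_quoting` is the check to act on.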

Stuti Gupta

Jul 24, 2024, 1:03:16 AM
to Wazuh | Mailing List
Glad to know it works