Errors with FIM (syscheck) after updating to 3.7

805 views

Skip to first unread message

Carlos Lopez

unread,

Nov 13, 2018, 3:44:01 AM11/13/18

to wa...@googlegroups.com

Hi all,

I have upgraded my Wazuh's cluster (6 nodes) and I see these errors related to new FIM module:

2018/11/13 08:38:03 wazuh-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2018/11/13 08:38:07 wazuh-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2018/11/13 08:38:07 wazuh-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2018/11/13 08:38:07 wazuh-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2018/11/13 08:38:08 wazuh-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2018/11/13 08:38:08 wazuh-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2018/11/13 08:38:08 wazuh-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2018/11/13 08:38:08 wazuh-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2018/11/13 08:38:08 wazuh-modulesd:database: ERROR: Couldn't get database status for agent '0'.

Previosuly to upgrade, I have removed the content inside /var/ossec/queue/syscheck. I don't need to migrate previous syscheck info. Is it mandatory to run fim_migrate script?

Regards,
C. L. Martinez

Carlos Lopez

unread,

Nov 13, 2018, 4:05:14 AM11/13/18

to wa...@googlegroups.com

Uhmm ... maybe this error is related to Wazuh's cluster workers ... At this moment I only have raised the master node...

Regards,
C. L. Martinez
________________________________________
From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Carlos Lopez <clo...@outlook.com>
Sent: 13 November 2018 09:43
To: wa...@googlegroups.com
Subject: Errors with FIM (syscheck) after updating to 3.7

Hi all,

Regards,
C. L. Martinez

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB15718BAC6DEDDE30051C7C3CDBC20%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.
</clo...@outlook.com></wa...@googlegroups.com>

Carlos Lopez

unread,

Nov 13, 2018, 4:11:31 AM11/13/18

to wa...@googlegroups.com

Ufff!!! ... More errors, and they seems bad:

2018/11/13 08:40:37 wazuh-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2018/11/13 09:06:06 wazuh-db: ERROR: at wdb_netaddr_insert(): sqlite3_step(): UNIQUE constraint failed: sys_netaddr.scan_id, sys_netaddr.proto, sys_netaddr.address
2018/11/13 09:06:06 wazuh-db: ERROR: Unable to update 'sys_netaddr' table for agent '001'
2018/11/13 09:06:06 ossec-analysisd: ERROR: at sc_send_db(): received: 'err Cannot save netaddr information.'
2018/11/13 09:06:06 ossec-analysisd: ERROR: Unable to send netinfo message to Wazuh DB.
2018/11/13 09:06:06 wazuh-db: ERROR: at wdb_netaddr_insert(): sqlite3_step(): UNIQUE constraint failed: sys_netaddr.scan_id, sys_netaddr.proto, sys_netaddr.address
2018/11/13 09:06:06 wazuh-db: ERROR: Unable to update 'sys_netaddr' table for agent '001'
2018/11/13 09:06:06 ossec-analysisd: ERROR: at sc_send_db(): received: 'err Cannot save netaddr information.'
2018/11/13 09:06:06 ossec-analysisd: ERROR: Unable to send netinfo message to Wazuh DB.

Regards,
C. L. Martinez
________________________________________
From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Carlos Lopez <clo...@outlook.com>

Sent: 13 November 2018 10:05
To: wa...@googlegroups.com
Subject: Re: Errors with FIM (syscheck) after updating to 3.7

Hi all,

Regards,
C. L. Martinez

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB1571914D36916051AEA17F97DBC20%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.

Carlos Lopez

unread,

Nov 14, 2018, 2:24:14 AM11/14/18

to wa...@googlegroups.com

Could it be that this error arises from using IPv6?

Regards,
C. L. Martinez
________________________________________
From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Carlos Lopez <clo...@outlook.com>

Sent: 13 November 2018 10:11

Hi all,

Regards,
C. L. Martinez

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB15714F3E3B50426A4F4F8AA0DBC20%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.

Pedro Sánchez

unread,

Nov 14, 2018, 3:15:51 PM11/14/18

to clo...@outlook.com, wa...@googlegroups.com

Hi Carlos,

IPv6 is supported by Syscollector, I don't think it is related.

Regarding the latest errors you sent, I think they are caused by a wrong upgrade process, the databases are supposed to be updated to the new schemas.

Analysisd is decoding the Syscollector events (inventory) and sending them to WazuhDB to be stored, looks like WazuhDB cannot save the events due to table constraints and conflicts.

Probably resetting those databases will be a good way to get this fix.

Manager side:

systemctl stop wazuh-manager
rm -rf /var/ossec/queue/db/*
rm -rf /var/ossec/queue/db/.*
rm -rf /var/ossec/var/db/*
rm -rf /var/ossec/var/db/.*
systemctl start wazuh-manager

About your first email, no, it is not necessary to run the fim_upgrade script and I would say it is not related to the errors you are facing.

What I believe those errors are derivated as well of the upgrade, the DB is not being regenerated properly and it is searching for an agent that does not exist or it was not been included yet.

I hope you can give us more feedback after cleaning the databases as I wrote above.

Thanks for the feedback, regards,

Pedro de Castro.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB1571E9848B76586236D1D2C5DBC30%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.

Carlos Lopez

unread,

Nov 16, 2018, 2:08:22 AM11/16/18

to Pedro Sánchez, wa...@googlegroups.com

Uhmm ... I think it's been worse:

2018/11/16 07:03:30 wazuh-modulesd: ERROR: Couldn't create database 'var/db/agents/000-localhost.db'.
2018/11/16 07:03:30 wazuh-modulesd: ERROR: Couldn't create SQLite database 'var/db/agents/000-localhost.db'
2018/11/16 07:03:30 wazuh-modulesd:database: ERROR: Couldn't open database for file '/var/ossec/queue/rootcheck/rootcheck'.
2018/11/16 07:03:35 wazuh-modulesd: ERROR: Couldn't create database 'var/db/agents/000-localhost.db'.
2018/11/16 07:03:35 wazuh-modulesd: ERROR: Couldn't create SQLite database 'var/db/agents/000-localhost.db'
2018/11/16 07:03:35 wazuh-modulesd:database: ERROR: Couldn't open database for file '/var/ossec/queue/rootcheck/rootcheck'.
2018/11/16 07:03:35 wazuh-modulesd: ERROR: Couldn't create database 'var/db/agents/000-localhost.db'.
2018/11/16 07:03:35 wazuh-modulesd: ERROR: Couldn't create SQLite database 'var/db/agents/000-localhost.db'
2018/11/16 07:03:35 wazuh-modulesd:database: ERROR: Couldn't open database for file '/var/ossec/queue/rootcheck/rootcheck'.
2018/11/16 07:03:35 wazuh-modulesd: ERROR: Couldn't create database 'var/db/agents/000-localhost.db'.
2018/11/16 07:03:35 wazuh-modulesd: ERROR: Couldn't create SQLite database 'var/db/agents/000-localhost.db'
2018/11/16 07:03:35 wazuh-modulesd:database: ERROR: Couldn't open database for file '/var/ossec/queue/rootcheck/rootcheck'.
2018/11/16 07:04:00 rootcheck: INFO: Ending rootcheck scan.
2018/11/16 07:04:00 wazuh-modulesd: ERROR: Couldn't create database 'var/db/agents/000-localhost.db'.
2018/11/16 07:04:00 wazuh-modulesd: ERROR: Couldn't create SQLite database 'var/db/agents/000-localhost.db'
2018/11/16 07:04:00 wazuh-modulesd:database: ERROR: Couldn't open database for file '/var/ossec/queue/rootcheck/rootcheck'.
2018/11/16 07:06:18 wazuh-db: ERROR: at wdb_netaddr_insert(): sqlite3_step(): UNIQUE constraint failed: sys_netaddr.scan_id, sys_netaddr.proto, sys_netaddr.address
2018/11/16 07:06:18 wazuh-db: ERROR: Unable to update 'sys_netaddr' table for agent '001'
2018/11/16 07:06:18 ossec-analysisd: ERROR: at sc_send_db(): received: 'err Cannot save netaddr information.'
2018/11/16 07:06:18 ossec-analysisd: ERROR: Unable to send netinfo message to Wazuh DB.
2018/11/16 07:06:18 wazuh-db: ERROR: at wdb_netaddr_insert(): sqlite3_step(): UNIQUE constraint failed: sys_netaddr.scan_id, sys_netaddr.proto, sys_netaddr.address
2018/11/16 07:06:18 wazuh-db: ERROR: Unable to update 'sys_netaddr' table for agent '001'
2018/11/16 07:06:18 ossec-analysisd: ERROR: at sc_send_db(): received: 'err Cannot save netaddr information.'
2018/11/16 07:06:18 ossec-analysisd: ERROR: Unable to send netinfo message to Wazuh DB.

Regards,
C. L. Martinez
________________________________________

From: Pedro Sánchez <pe...@wazuh.com>
Sent: 14 November 2018 21:15
To: clo...@outlook.com
Cc: wa...@googlegroups.com

Subject: Re: Errors with FIM (syscheck) after updating to 3.7

Hi Carlos,

IPv6 is supported by Syscollector, I don't think it is related.

[image.png]

Regarding the latest errors you sent, I think they are caused by a wrong upgrade process, the databases are supposed to be updated to the new schemas.
Analysisd is decoding the Syscollector events (inventory) and sending them to WazuhDB to be stored, looks like WazuhDB cannot save the events due to table constraints and conflicts.
Probably resetting those databases will be a good way to get this fix.

Manager side:

systemctl stop wazuh-manager
rm -rf /var/ossec/queue/db/*
rm -rf /var/ossec/queue/db/.*
rm -rf /var/ossec/var/db/*
rm -rf /var/ossec/var/db/.*
systemctl start wazuh-manager

About your first email, no, it is not necessary to run the fim_upgrade script and I would say it is not related to the errors you are facing.
What I believe those errors are derivated as well of the upgrade, the DB is not being regenerated properly and it is searching for an agent that does not exist or it was not been included yet.

I hope you can give us more feedback after cleaning the databases as I wrote above.

Thanks for the feedback, regards,
Pedro de Castro.

On Tue, Nov 13, 2018 at 11:24 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>> wrote:
Could it be that this error arises from using IPv6?

Regards,
C. L. Martinez
________________________________________

From: wa...@googlegroups.com<mailto:wa...@googlegroups.com> <wa...@googlegroups.com<mailto:wa...@googlegroups.com>> on behalf of Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>>

Sent: 13 November 2018 10:11

To: wa...@googlegroups.com<mailto:wa...@googlegroups.com>

Subject: Re: Errors with FIM (syscheck) after updating to 3.7

Ufff!!! ... More errors, and they seems bad:

Regards,
C. L. Martinez
________________________________________

From: wa...@googlegroups.com<mailto:wa...@googlegroups.com> <wa...@googlegroups.com<mailto:wa...@googlegroups.com>> on behalf of Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>>

Sent: 13 November 2018 10:05

To: wa...@googlegroups.com<mailto:wa...@googlegroups.com>

Subject: Re: Errors with FIM (syscheck) after updating to 3.7

Uhmm ... maybe this error is related to Wazuh's cluster workers ... At this moment I only have raised the master node...

Regards,
C. L. Martinez
________________________________________

From: wa...@googlegroups.com<mailto:wa...@googlegroups.com> <wa...@googlegroups.com<mailto:wa...@googlegroups.com>> on behalf of Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>>

Sent: 13 November 2018 09:43

To: wa...@googlegroups.com<mailto:wa...@googlegroups.com>

Subject: Errors with FIM (syscheck) after updating to 3.7

Hi all,

I have upgraded my Wazuh's cluster (6 nodes) and I see these errors related to new FIM module:

Previosuly to upgrade, I have removed the content inside /var/ossec/queue/syscheck. I don't need to migrate previous syscheck info. Is it mandatory to run fim_migrate script?

Regards,
C. L. Martinez

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2bunsu...@googlegroups.com>.
To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com>.

Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB15718BAC6DEDDE30051C7C3CDBC20%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.

</mailto:wa...@googlegroups.com></mailto:wazuh%2bunsu...@googlegroups.com></mailto:wa...@googlegroups.com></clo...@outlook.com<mailto:clo...@outlook.com>></wa...@googlegroups.com<mailto:wa...@googlegroups.com>>

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB1571914D36916051AEA17F97DBC20%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.

</mailto:wa...@googlegroups.com></mailto:wazuh%2bunsu...@googlegroups.com></mailto:wa...@googlegroups.com></mailto:wa...@googlegroups.com></clo...@outlook.com<mailto:clo...@outlook.com>></wa...@googlegroups.com<mailto:wa...@googlegroups.com>>

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB15714F3E3B50426A4F4F8AA0DBC20%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB1571E9848B76586236D1D2C5DBC30%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.

</mailto:wa...@googlegroups.com></mailto:wazuh%2bunsu...@googlegroups.com></mailto:wa...@googlegroups.com></clo...@outlook.com<mailto:clo...@outlook.com></pe...@wazuh.com>

Carlos Lopez

unread,

Nov 16, 2018, 3:00:57 AM11/16/18

to Pedro Sánchez, wa...@googlegroups.com

Ok, creating the dir /var/ossec/var/db/agents, the problem is solved.

Regards,
C. L. Martinez
________________________________________

From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Carlos Lopez <clo...@outlook.com>
Sent: 16 November 2018 08:08
To: Pedro Sánchez

Hi Carlos,

[image.png]

Manager side:

Hi all,

Regards,
C. L. Martinez

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.

Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB1571D648C4FFAAB47CFDDB31DBDD0%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.

For more options, visit https://groups.google.com/d/optout.

</clo...@outlook.com></wa...@googlegroups.com>

Carlos Lopez

unread,

Nov 16, 2018, 3:42:36 AM11/16/18

to Pedro Sánchez, wa...@googlegroups.com

Uhmm ... I've spoken too fast. The problem persists:

2018/11/16 07:37:55 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2018/11/16 08:06:18 wazuh-db: ERROR: at wdb_netaddr_insert(): sqlite3_step(): UNIQUE constraint failed: sys_netaddr.scan_id, sys_netaddr.proto, sys_netaddr.address
2018/11/16 08:06:18 wazuh-db: ERROR: Unable to update 'sys_netaddr' table for agent '001'
2018/11/16 08:06:18 ossec-analysisd: ERROR: at sc_send_db(): received: 'err Cannot save netaddr information.'
2018/11/16 08:06:18 ossec-analysisd: ERROR: Unable to send netinfo message to Wazuh DB.
2018/11/16 08:06:18 wazuh-db: ERROR: at wdb_netaddr_insert(): sqlite3_step(): UNIQUE constraint failed: sys_netaddr.scan_id, sys_netaddr.proto, sys_netaddr.address
2018/11/16 08:06:18 wazuh-db: ERROR: Unable to update 'sys_netaddr' table for agent '001'
2018/11/16 08:06:18 ossec-analysisd: ERROR: at sc_send_db(): received: 'err Cannot save netaddr information.'
2018/11/16 08:06:18 ossec-analysisd: ERROR: Unable to send netinfo message to Wazuh DB.

Regards,
C. L. Martinez
________________________________________

From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Carlos Lopez <clo...@outlook.com>

Sent: 16 November 2018 09:00

Hi Carlos,

[image.png]

Manager side:

Hi all,

Regards,
C. L. Martinez

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB15712DCC29FE29E4A6E73879DBDD0%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.

Borja Arroba

unread,

Nov 16, 2018, 4:14:31 AM11/16/18

to clo...@outlook.com, Pedro Sanchez, wa...@googlegroups.com

Hello, Carlos.

I’m going to try to lend a hand here.

We can take out the content of the DB to see what happens.

sqlite3 /var/ossec/queue/db/001.db
select * from sys_netaddr

Then, by enabling debug mode in wazuh-db we can see why we are trying to insert a tuple that already exists:

Enable debug mode:

echo wazuh_db.debug=2 >> “/var/ossec/etc/local_internal_options.conf”

This setting could flod the log, remember to delete the line after this test.

Advance until you find the error:

grep wazuh-db /var/ossec/logs/ossec.log |more

Just before this, we should see a message like this:

2018/11/16 09:28:31 wazuh-db: DEBUG: Executing query: netaddr save 2083708580|1|xxxx::xxxx:xxxxx:xxxx:xxxx|ffff:ffff:ffff:ffff::|NULL

Could you show us which is the insertion that gives the error and the previous content of the DDBB? Hide the sensitive data you deem appropriate.

Thanks, regards.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB1571A1B814CF9C12CD39AD51DBDD0%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.

Carlos Lopez

unread,

Nov 19, 2018, 3:16:41 AM11/19/18

to Borja Arroba, Pedro Sanchez, wa...@googlegroups.com

Hi Borja,

Here is the output:

SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from sys_netaddr
...> ;
221214075|ipv6|fe80::210:e0ff:fe0e:dfc|ffff:ffff:ffff:ffff::|
221214075|ipv4|10.2.23.11|255.255.255.0|10.2.23.255

But I think I've found the problem. This agent acts an IDS host and it has 5 nics. One of these nics is for management, the others are for sniffing ... If I disable IPv6 for sniffing interfaces, there is no error ... Enabling IPv6 in all interaces the error is generated.

Does make sense?

Regards,
C. L. Martinez
________________________________________

From: Borja Arroba <borja....@wazuh.com>
Sent: 16 November 2018 10:14
To: clo...@outlook.com
Cc: Pedro Sanchez; wa...@googlegroups.com

Subject: Re: Errors with FIM (syscheck) after updating to 3.7

Hello, Carlos.

I’m going to try to lend a hand here.

We can take out the content of the DB to see what happens.

sqlite3 /var/ossec/queue/db/001.db
select * from sys_netaddr

Then, by enabling debug mode in wazuh-db we can see why we are trying to insert a tuple that already exists:

Enable debug mode:

echo wazuh_db.debug=2 >> “/var/ossec/etc/local_internal_options.conf”

This setting could flod the log, remember to delete the line after this test.

Advance until you find the error:

grep wazuh-db /var/ossec/logs/ossec.log |more

Just before this, we should see a message like this:

2018/11/16 09:28:31 wazuh-db: DEBUG: Executing query: netaddr save 2083708580|1|xxxx::xxxx:xxxxx:xxxx:xxxx|ffff:ffff:ffff:ffff::|NULL

Could you show us which is the insertion that gives the error and the previous content of the DDBB? Hide the sensitive data you deem appropriate.

Thanks, regards.

On Fri, 16 Nov 2018 at 09:42, Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>> wrote:
Uhmm ... I've spoken too fast. The problem persists:

Regards,
C. L. Martinez
________________________________________

From: wa...@googlegroups.com<mailto:wa...@googlegroups.com> <wa...@googlegroups.com<mailto:wa...@googlegroups.com>> on behalf of Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>>

Sent: 16 November 2018 09:00
To: Pedro Sánchez

Cc: wa...@googlegroups.com<mailto:wa...@googlegroups.com>

Subject: Re: Errors with FIM (syscheck) after updating to 3.7

Ok, creating the dir /var/ossec/var/db/agents, the problem is solved.

Regards,
C. L. Martinez
________________________________________

From: wa...@googlegroups.com<mailto:wa...@googlegroups.com> <wa...@googlegroups.com<mailto:wa...@googlegroups.com>> on behalf of Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>>

Sent: 16 November 2018 08:08
To: Pedro Sánchez

Cc: wa...@googlegroups.com<mailto:wa...@googlegroups.com>

Subject: Re: Errors with FIM (syscheck) after updating to 3.7

Uhmm ... I think it's been worse:

From: Pedro Sánchez <pe...@wazuh.com<mailto:pe...@wazuh.com>>

Sent: 14 November 2018 21:15

To: clo...@outlook.com<mailto:clo...@outlook.com>
Cc: wa...@googlegroups.com<mailto:wa...@googlegroups.com>

Subject: Re: Errors with FIM (syscheck) after updating to 3.7

Hi Carlos,

IPv6 is supported by Syscollector, I don't think it is related.

[image.png]

Manager side:

systemctl stop wazuh-manager
rm -rf /var/ossec/queue/db/*
rm -rf /var/ossec/queue/db/.*
rm -rf /var/ossec/var/db/*
rm -rf /var/ossec/var/db/.*
systemctl start wazuh-manager

I hope you can give us more feedback after cleaning the databases as I wrote above.

Thanks for the feedback, regards,
Pedro de Castro.

On Tue, Nov 13, 2018 at 11:24 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>> wrote:
Could it be that this error arises from using IPv6?

Regards,
C. L. Martinez
________________________________________

From: wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>> <wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>> on behalf of Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>>

Sent: 13 November 2018 10:11

To: wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>

Subject: Re: Errors with FIM (syscheck) after updating to 3.7

Ufff!!! ... More errors, and they seems bad:

Regards,
C. L. Martinez
________________________________________

Sent: 13 November 2018 10:05

To: wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>

Subject: Re: Errors with FIM (syscheck) after updating to 3.7

Uhmm ... maybe this error is related to Wazuh's cluster workers ... At this moment I only have raised the master node...

Regards,
C. L. Martinez
________________________________________

Sent: 13 November 2018 09:43

To: wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>

Subject: Errors with FIM (syscheck) after updating to 3.7

Hi all,

I have upgraded my Wazuh's cluster (6 nodes) and I see these errors related to new FIM module:

Previosuly to upgrade, I have removed the content inside /var/ossec/queue/syscheck. I don't need to migrate previous syscheck info. Is it mandatory to run fim_migrate script?

Regards,
C. L. Martinez

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2bunsu...@googlegroups.com><mailto:wazuh%2bunsu...@googlegroups.com<mailto:wazuh%252buns...@googlegroups.com>>.
To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2bunsu...@googlegroups.com>.
To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com>.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB1571D648C4FFAAB47CFDDB31DBDD0%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2bunsu...@googlegroups.com>.
To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com>.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB15712DCC29FE29E4A6E73879DBDD0%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2bunsu...@googlegroups.com>.
To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com>.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CWLP265MB1571A1B814CF9C12CD39AD51DBDD0%40CWLP265MB1571.GBRP265.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.

</mailto:wa...@googlegroups.com></mailto:wazuh%2bunsu...@googlegroups.com></mailto:wa...@googlegroups.com></clo...@outlook.com<mailto:clo...@outlook.com></borja....@wazuh.com>

Borja Arroba

unread,

Nov 19, 2018, 4:44:38 AM11/19/18

to clo...@outlook.com, wa...@googlegroups.com

Hello Carlos.

Yes, it seems that certain settings can cause this error. We’re going to create an issue in the wazuh repository to solve it. Could you send us the generated record with wazuh_db.debug=2 (internal_options.conf) and an output from the commandifconfig to see this specific case?

cat /var/ossec/logs/ossec.log |grep wazuh-db
ifconfig

You can send it privately if necessary.
Thanks. Regards.

Borja Arroba

unread,

Nov 19, 2018, 6:33:30 AM11/19/18

to clo...@outlook.com, wa...@googlegroups.com

Hi Carlos

We have created an issue to correct it, you can follow the progress on:

https://github.com/wazuh/wazuh/issues/1904

Thanks to the reports, we fixed that as soon as possible.

Regards.

Reply all

Reply to author

Forward

0 new messages