wazuh-dbd[14041] CRITICAL: (1202): Configuration error at 'etc/ossec.conf

[RAIAN MORETTI]

We've been trying for days to save Wazuh alerts and such in a MySQL DB in another server. We seemed to have found a way to do that by using daemon wazuh-dbd. However, whenever we run the "wazu-dbd -df" command we get critical error in the configuration file. A wrong path is shown for the configuration file ("etc/ossec.conf"), given our ossec.conf file is located at "var/ossec/etc".
The file location is somehow recognized since the MySQL server is accessed and some data is inserted into it.

Here's a screenshot of what happens every time we try to solve the problem:

We're running Wazuh 4.3 on Ubuntu 20.04.4

[Facundo Mayon]

Hey Raian, Thanks for use Wazuh ! 

Just to clarify the ossec.conf file is OK, on the console it's displayed the relative path: "etc/ossec.conf" where the absolute path is: "var/ossec/etc/ossec.conf" So, the problem seems that It's related to another issue

On the screenshot, you attached I can see that there is a syntax identified on a rule.

Could you please share your ossec.conf file and the permissions assigned to this file, the rule that is failing.

Also to analyze better the problem please execute the following command: cat var/ossec/logs/ossec.log | grep -i -E "error|critical|warning|fatal"

Regards 

Facundo.

[RAIAN MORETTI]

Thanks for ur answer, Facundo. I really appreciate it!

I've attached the screenshot showing the permissions associated with the 'ossec.conf' file, I've also attached the file itself (changed ip to xx.xx.xx.xx) and 'ossec.log' file as requested.

Thank you, 

Raian.

[Facundo Mayon]

Thanks Raian, I'll analyze this info.

Just to know, did you have installed wazuh 4.3.0 or any newest version?

[RAIAN MORETTI]

Yes, I did. We're running 4.3.4 version

[Facundo Mayon]

Hi Raian ! 

Okay ! I continue analyzing this issue. Please for feature responses publish the message for all. 

Our responses could help someone with the same issue.

I'll back ASAP.

Regards

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/K1nGAoOMvQc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/554ad06e-9852-424b-bb27-f4dd996b48f5n%40googlegroups.com.

--

Facundo Mayon QA Software Engineer The Open Source Security Platform

[Facundo Mayon]

Hi Raian, good afternoon.
Sorry for the delay, after sharing your issue with the rest of the team they had discover an issue related to your problem.
I left you here the issue link: https://github.com/wazuh/wazuh/issues/14081.
We are working hard to solve this.
You can track the issue status with the link I sent you before.

Hope this info could be helpful.

Thanks again for using Wazuh.

Regards. Facundo

[RAIAN MORETTI]

Hi Facundo! Thanks for replying.

While you guys work on the issue, are you aware of any version of wazuh on which this error wouldn't happen?
A version with full MySQL support?

Sincerely,

Raian

[Facundo Mayon]

Hi Raian, good morning.

[Facundo Mayon]

Regarding your problem I can't say certainty when the issue will be fixed. 

But you can look for the issue I sent the link before to track the work on it :)

Hope this info could helps.

Regards.

Facundo