Remove a few blocks from Wazuh Agent conf file


smit patel

Jul 29, 2021, 6:19:31 AM
to Wazuh mailing list
Hi Team,

I am looking for how to remove the Security, Application, etc. blocks from the Wazuh Agent conf file from the Wazuh Manager.

Please refer to the attached snapshot of the Wazuh Agent conf file for the blocks I would like to remove (highlighted in red colour) from the Wazuh Manager, or I would say centrally.

Thanks in Advance.  
loggvds x.PNG

Julia Magan Rodriguez

Jul 29, 2021, 10:33:50 AM
to Wazuh mailing list

Hello,

It is not possible to delete modules in the agent configuration right now. We have some issues opened about this here:
https://github.com/wazuh/wazuh/issues/6882
https://github.com/wazuh/wazuh/issues/3737

But some options could help:

  1. Use an external software management tool to change the agent configuration
  2. Create your custom WPK package changing the default configuration of the agent to the one you desire. If you tell me your Wazuh agent version, OS, and the ossec.conf you want, I could do it for you.

smit patel

Jul 30, 2021, 1:43:34 AM
to Wazuh mailing list
Sure, thanks for the help.

Version Information:

cat /var/ossec/etc/ossec-init.conf | grep VERSION
VERSION="v4.0.4"

I want to remove the below modules for now.

==> Application
==> Security
==> System


Thanks,
Smit

smit patel

Aug 2, 2021, 2:38:15 AM
to Wazuh mailing list
Hi, 

When you get a chance, please have a look at this.

Thanks in advance

Julia Magan Rodriguez

Aug 5, 2021, 6:04:33 AM
to Wazuh mailing list

Hello,

Sorry for the late response. I have attached the WPK package; you will have to download it to your Wazuh manager and unzip it. To install it you have two options:

  1. Run /var/ossec/bin/agent_upgrade -a <AGENT_ID> -F -f <PATH_TO_WPK_PACKAGE> -x upgrade.bat

  2. (Recommended) Using the API:

    First of all, you need to place the wpk package in /var/ossec. Now, you can start with the update:

You can check the update result with:

curl -k -X GET "https://localhost:55000/agents/upgrade_result?agents_list=<AGENT_ID>&pretty=true" -H "Authorization: Bearer $TOKEN"

I also recommend you check the upgrade folder in /var/ossec, there you will be able to find the file upgrade.log and it should look like this:

2021-08-05 09:11:47Z - Current version: v4.0.4
2021-08-05 09:11:47Z - Generating backup.
2021-08-05 09:11:47Z - Trying to stop Wazuh service again. Remaining attempts: 5.
2021-08-05 09:11:49Z - Starting upgrade processs.
2021-08-05 09:11:49Z - Waiting for the installation end.
2021-08-05 09:11:51Z - Waiting for the installation end.
2021-08-05 09:11:53Z - Waiting for the installation end.
2021-08-05 09:11:55Z - Waiting for the installation end.
2021-08-05 09:11:57Z - Waiting for the installation end.
2021-08-05 09:11:59Z - Restarting Wazuh service.
2021-08-05 09:11:59Z - Installation finished.
2021-08-05 09:11:59Z - Process ID: 1164
2021-08-05 09:11:59Z - Reading status file: status='connected'
2021-08-05 09:11:59Z - Upgrade finished successfully.
2021-08-05 09:11:59Z - New version: v4.0.4
wazuh_agent_v4.0.4-4.0.4.custom_windows.zip

smit patel

Aug 5, 2021, 6:50:46 AM
to Wazuh mailing list
No problem. Thank you for the update. I will try this and update you.

smit patel

Aug 5, 2021, 7:44:03 AM
to Wazuh mailing list
Hi,

I am trying this but getting an error. Can you please have a look at this when you get a chance?

 netstat -nap | grep 55000
tcp        0      0 0.0.0.0:55000           0.0.0.0:*               LISTEN      3884/python3

Command:

curl -k -X PUT "https://localhost:55000/agents/upgrade_custom?agents_list=001&file_path=/var/ossec/wazuh_agent_v4.0.4-4.0.4.custom_windows.wpk&pretty=true" -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjI4MTYyMDU4LCJleHAiOjE2MjgxNjI5NTgsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.IiPMWFK8CoqEh542eyB7fD6QUPWcR_4t3XeX-9QNHQE"

Error:
{"title": "Not Found", "detail": "404: Not Found"}

Am I missing something?



Julia Magan Rodriguez

Aug 6, 2021, 7:32:54 AM
to Wazuh mailing list

Hello,

Sorry, I sent you the command for Wazuh version 4.1.5, the right commands for version 4.0.4 would be:

  • Run the upgrade:

curl -k -X PUT "https://localhost:55000/agents/<AGENT_ID>/upgrade_custom?file_path=/var/ossec/wazuh_agent_v4.0.4-4.0.4.custom_windows.wpk&pretty=true" -H "Authorization: Bearer $TOKEN"

  • Check the result:

curl -k -X GET "https://localhost:55000/agents/<AGENT_ID>/upgrade_result?pretty=true" -H "Authorization: Bearer $TOKEN"

Also, if you have run TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true") to get the TOKEN, you don’t need to write it in the above commands, just with $TOKEN would be enough.

smit patel

Aug 6, 2021, 7:34:10 AM
to Julia Magan Rodriguez, Wazuh mailing list
Sure, No problem. I will check and update you.

--
Thanks,
Smit

smit patel

Aug 6, 2021, 9:24:36 AM
to Wazuh mailing list
Hi,

Sorry to bother you again, I am getting this error.

 curl -k -X GET "https://172.168.1.24:55000/agents/085/upgrade_result?pretty=true" -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1Ni9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjI4MjU1Mjc5LCJleHAiOjE2MjgyNTYxNzksInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.2fjmItxc_6kcjffQb50s69p_rUZxlVRpm6eQiiMpIPU"
{"title": "Wazuh Internal Error", "detail": "Timeout executing API request", "dapi_errors": {"node01": {"error": "Timeout executing API request", "logfile": "WAZUH_HOME/logs/api.log"}}, "error": 3021}

Error:

2021/08/06 18:41:16 ERROR: Timeout executing API request
Traceback (most recent call last):
  File "/var/ossec/framework/python/lib/python3.8/site-packages/wazuh-4.0.4-py3.8.egg/wazuh/core/cluster/dapi/dapi.py", line 234, in execute_local_request
    data = await asyncio.wait_for(task, timeout=timeout)
  File "/var/ossec/framework/python/lib/python3.8/asyncio/tasks.py", line 490, in wait_for
    raise exceptions.TimeoutError()
asyncio.exceptions.TimeoutError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/ossec/framework/python/lib/python3.8/site-packages/wazuh-4.0.4-py3.8.egg/wazuh/core/cluster/dapi/dapi.py", line 236, in execute_local_request
    raise exception.WazuhInternalError(3021)
wazuh.core.exception.WazuhInternalError: Error 3021 - Timeout executing API request


Thanks,
Smit

Julia Magan Rodriguez

Aug 10, 2021, 11:02:14 AM
to Wazuh mailing list

Hello,

I have tried to reproduce your error but it wasn’t possible. Those errors usually are produced by a problem with the connection between the API and Wazuh. Did you try to send the request a few more times? Could you take a look at /var/ossec/logs/api.log and check if there is any error produced?

If you check the C:\Program Files (x86)\ossec-agent\upgrade\upgrade.log, did the agent update? Did the configuration change as you desired?
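
Added example, not part of the thread and not Wazuh project code: a shell helper for the retry suggested above. It builds the upgrade_result URL in the layout the thread gives for 4.0.4 or 4.1.5 (applying each layout to its whole minor series is an assumption) and retries the request; the names upgrade_result_url, api_get, poll_upgrade_result, API and CURL_TIMEOUT are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): poll upgrade_result with retries.
API="${API:-https://localhost:55000}"   # manager API address used in the thread

# Build the upgrade_result URL. The two layouts are the ones quoted in the
# thread for 4.0.4 and 4.1.5; using them for all of 4.0.x / 4.1.x is an
# assumption. Any other version is refused instead of guessed.
upgrade_result_url() {
    version=${1#v}
    agent=$2
    case "$version" in
        4.0.*) printf '%s/agents/%s/upgrade_result?pretty=true\n' "$API" "$agent" ;;
        4.1.*) printf '%s/agents/upgrade_result?agents_list=%s&pretty=true\n' "$API" "$agent" ;;
        *) echo "no known endpoint layout for version $version" >&2; return 2 ;;
    esac
}

# One authenticated GET. The Authorization header is passed as a curl config
# on stdin, so the token in $TOKEN never shows up in the process list or in
# a pasted command line. -k is kept from the thread's commands.
api_get() {
    printf 'header = "Authorization: Bearer %s"\n' "$TOKEN" |
        curl -K - -k -sS --fail --max-time "${CURL_TIMEOUT:-30}" -X GET "$1"
}

# Call api_get up to $2 times, waiting $3 seconds between attempts.
# Prints the first successful response body; returns 1 if every attempt fails.
poll_upgrade_result() {
    url=$1
    tries=${2:-5}
    delay=${3:-10}
    n=1
    while [ "$n" -le "$tries" ]; do
        if body=$(api_get "$url"); then
            printf '%s\n' "$body"
            return 0
        fi
        echo "attempt $n/$tries failed" >&2
        n=$((n + 1))
        [ "$n" -le "$tries" ] && sleep "$delay"
    done
    return 1
}

# Usage (needs a reachable manager and TOKEN set as described in the thread):
#   poll_upgrade_result "$(upgrade_result_url v4.0.4 085)" 5 10
```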

smit patel

Aug 12, 2021, 5:52:31 AM
to Wazuh mailing list
Thank you 