Agents part of multiple groups


unknown man

Oct 23, 2019, 4:14:43 AM
to wa...@googlegroups.com
Hello,

I have a requirement that my agents, based on the environment (production, or dev, or prod with FIM enabled), have to be part of a specific group.
So when I add an agent to Wazuh, I need to map it to either DEV, PROD, or PROD with FIM, apart from the Default group.
I have created the groups and added them successfully. I can see that the agent with FIM enabled is taking agent.conf and is also doing integrity scanning; I confirmed that by checking ossec.log. But when I checked the status of an agent with FIM enabled in Kibana, it shows FIM is Disabled.

I have checked merged.mg and I see that the agent.conf configuration is as attached.
Can you help and tell me where the problem is?

For testing, I have a group assignment as below.

Default -> DEV -> Wazuh-fim
Kibana version is 7.2

merged.mg.txt

Juan Pablo Saez

Oct 23, 2019, 10:42:01 AM
to Wazuh mailing list
Hello unknown man,

I have created the groups and added them successfully. I can see that the agent with FIM enabled is taking agent.conf and is also doing integrity scanning; I confirmed that by checking ossec.log. But when I checked the status of an agent with FIM enabled in Kibana, it shows FIM is Disabled.


If I understand you correctly, you create a group, add agents to this group and then set up the Syscheck scan through the agent.conf for these agents. By checking ossec.log you know that the scan is working, but when you look at Kibana you see FIM disabled for these particular agents. Please confirm that this is your use case.
  • Could you please verify your agent.conf files' syntax using /var/ossec/bin/verify-agent-conf?
  • Is this the dialog telling you that FIM is disabled?

1.png

Greetings, JP Sáez

unknown man

Oct 23, 2019, 11:40:16 PM
to Juan Pablo Saez, Wazuh mailing list
Hello Juan,

Thanks for the reply.
My problem is exactly as you mentioned.

image.png

I tried to execute the curl command you shared and I received the output below. I tried the same command on a couple of other agents and received the same message.
I am not sure why I am receiving this message for some hosts.
{
   "error": 1000,
   "message": "Internal error"
}

I executed the command on a couple of other agents and received the output below, which has syscheck disabled, which is correct.
{
   "error": 0,
   "data": {
      "syscheck": {
         "disabled": "yes",
         "frequency": 43200,
         "skip_nfs": "yes",
         "restart_audit": "yes",
         "scan_on_start": "yes",
         "directories": [],
         "nodiff": [
            "/etc/ssl/private.key"
         ],
         "ignore": []
      }
   }
}

Agent.conf output shows all OK.

verify-agent-conf: Verifying [/var/ossec/etc/shared/wazuh-fim/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/dev/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/default/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/prd/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/stg/agent.conf]
verify-agent-conf: OK

Our deployment is a Wazuh EKS cluster.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/004e63cf-1f59-47f7-af8e-39c1ed9812e0%40googlegroups.com.

Juan Pablo Saez

Oct 24, 2019, 4:08:37 AM
to Wazuh mailing list
Hello again unknown man,


I forgot to ask you in a little more detail about the Kibana disabled dialog. In your image above I can't see the center area.

Is it the "Configuration not available" one?

syscheck_notReachable.png

Or can you see the details as in the example below?

syscheck_Disabled.png

Could you please check if other API calls also return that error? e.g.:
curl -u foo:bar -k -X GET "http://127.0.0.1:55000/agents/AGENT_ID/config/wmodules/wmodules?pretty"


Also, enabling the Wazuh API debug mode would be useful to discover what is happening. You should follow these steps:
  • You should access the Wazuh API configuration file /var/ossec/api/configuration/config.js and switch the config.logs value from "info" to "debug"
  • After changing the config.logs value, you should restart the wazuh-api service: systemctl restart wazuh-api
Let me know how it goes. Greetings,

JP Sáez

unknown man

Oct 24, 2019, 4:33:57 AM
to Juan Pablo Saez, Wazuh mailing list
Hello Juan,

I am getting Configuration Not available in Kibana.
I also tried to run the curl command to collect other details, and that also gives me the same result as before.

The curl command works only when I execute it from a worker pod. So can you tell me whether I need to update the config.js in the worker pods, and in which file I can view the debug logs? Is it in api.log?

Regards,
Aravind


Juan Pablo Saez

Oct 24, 2019, 6:31:15 AM
to Wazuh mailing list
Hello again unknown man,
  • You should send all the API requests to the master manager IP. The workers' API shouldn't be used. I think you executed the curl command in a worker pod using the localhost IP.
    • Firstly, please make sure that the master pod is reachable from the outside and correctly receives and responds to API calls. Port 55000 should be reachable so you can send API calls (Wazuh required ports: https://documentation.wazuh.com/3.10/getting-started/architecture.html#wazuh).
    • Did you enter the master or the worker API details in the Kibana Wazuh app? (You should use the master details.)
Let's make the API work so we can keep troubleshooting your initial question.

Greetings, JP Sáez

unknown man

Oct 24, 2019, 7:18:32 AM
to Juan Pablo Saez, Wazuh mailing list
Hello Juan,

Thanks for the clarification.

I was able to execute it from the master manager and it gives me the same output as earlier.
I was using the wrong authentication, which was the issue.

Kibana is pointing to manager-master.

So I have to enable "debug" in manager-master if I am not mistaken.
And can you tell me where I will see the log output?


Juan Pablo Saez

Oct 24, 2019, 8:15:58 AM
to Wazuh mailing list
Hello,

Yes, I think the API debug mode can help us a bit in finding what is causing the issue:
  • You should set config.logs to "debug" in the master manager /var/ossec/api/configuration/config.js file.
  • Then it is time to restart the wazuh-api using # systemctl restart wazuh-api
  • Now you should be able to see the API logs in /var/ossec/logs/api.log
After sorting out the API issues, could you try to launch the syscheck configuration API call again?
Greetings, JP Sáez


unknown man

Oct 25, 2019, 12:02:37 AM
to Juan Pablo Saez, Wazuh mailing list
Hello

I have received the below error in debug mode.

WazuhAPI 2019-10-25 03:37:39 xxxxx: CMD - STDOUT: 54 bytes
WazuhAPI 2019-10-25 03:37:39 xxxxx: Invalid version format.
WazuhAPI 2019-10-25 03:37:39 xxxxx: [::ffff:127.0.0.1] GET /agents/180/config/syscheck/syscheck?pretty - 200 - error: '1000'.
WazuhAPI 2019-10-25 03:39:09 xxxxx: ::ffff:127.0.0.1 GET /agents/:agent_id/config/:component/:configuration
WazuhAPI 2019-10-25 03:39:09 xxxxx: CMD - Command: /var/ossec/framework/python/bin/python3 args:/var/ossec/api/models/wazuh-api.py stdin:{"function":"/agents/:agent_id/config/:component/:configuration","arguments":{"agent_id":"180","component":"syscheck","configuration":"syscheck","wait_for_complete":false},"ossec_path":"/var/ossec"}
WazuhAPI 2019-10-25 03:39:10 xxxxx: CMD - Exit code: 0
WazuhAPI 2019-10-25 03:39:10 xxxxx: CMD - STDOUT:
---
{"message": "Invalid version format.", "error": 1000}
---

Regards,
Aravind

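The two API responses Aravind posted (error 1000 "Internal error" versus error 0 with syscheck disabled) and the debug log above illustrate the distinction the Kibana dialog blurs: a non-zero API error means the manager could not fetch the agent's active configuration at all, which is not the same as FIM being disabled. The script below is an added example (not code from the thread or from Wazuh) that classifies a syscheck configuration response into "unavailable", "disabled" or "enabled", and pulls the real cause out of the `---`-delimited STDOUT block that the API writes to api.log in debug mode. The first two responses and the log excerpt are taken from the messages above ("xxxxx" is the poster's own redaction); the "enabled" response is a constructed sample in the same 3.x shape.

```python
import json

# The two API responses posted in this thread for
# GET /agents/AGENT_ID/config/syscheck/syscheck, plus a constructed
# "FIM enabled" response in the same Wazuh 3.x shape.
RESP_INTERNAL_ERROR = '{"error": 1000, "message": "Internal error"}'

RESP_DISABLED = """{
   "error": 0,
   "data": {
      "syscheck": {
         "disabled": "yes",
         "frequency": 43200,
         "skip_nfs": "yes",
         "restart_audit": "yes",
         "scan_on_start": "yes",
         "directories": [],
         "nodiff": ["/etc/ssl/private.key"],
         "ignore": []
      }
   }
}"""

RESP_ENABLED = json.dumps({  # constructed sample, not from the thread
    "error": 0,
    "data": {"syscheck": {"disabled": "no", "frequency": 43200,
                          "directories": [{"path": "/etc", "check_all": "yes"}],
                          "nodiff": [], "ignore": []}},
})

# Excerpt of the API debug log posted in this thread; the STDOUT block
# between the '---' lines carries the cause the HTTP response hides.
API_DEBUG_LOG = """WazuhAPI 2019-10-25 03:39:10 xxxxx: CMD - Exit code: 0
WazuhAPI 2019-10-25 03:39:10 xxxxx: CMD - STDOUT:
---
{"message": "Invalid version format.", "error": 1000}
---
"""


def syscheck_status(raw):
    """Classify a syscheck configuration response.

    Returns a dict whose 'state' is 'unavailable', 'disabled' or 'enabled'.
    A non-zero 'error' means the manager could not fetch the agent's active
    configuration at all, which must never be reported as 'disabled'.
    """
    resp = json.loads(raw)
    code = resp.get("error", -1)
    if code != 0:
        return {"state": "unavailable", "error": code,
                "message": resp.get("message", "")}
    sc = resp["data"]["syscheck"]
    state = "disabled" if sc.get("disabled") == "yes" else "enabled"
    return {"state": state, "error": 0,
            "directories": len(sc.get("directories", []))}


def root_cause_from_api_log(log_text):
    """Return the 'message' of the first JSON block the API framework wrote
    to STDOUT (delimited by '---' lines in debug mode), or None if absent."""
    inside, payload = False, []
    for line in log_text.splitlines():
        if line.strip() == "---":
            if inside and payload:
                break  # closing delimiter of the first block
            inside = True
            continue
        if inside:
            payload.append(line)
    if not payload:
        return None
    try:
        return json.loads("\n".join(payload)).get("message")
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for label, raw in (("internal error", RESP_INTERNAL_ERROR),
                       ("disabled", RESP_DISABLED),
                       ("enabled", RESP_ENABLED)):
        print(label, "->", syscheck_status(raw))
    print("debug log says:", root_cause_from_api_log(API_DEBUG_LOG))
```

In a dashboard or inventory script, treat "unavailable" as a health problem to investigate (here it turned out to be a version mismatch), and only count an agent as FIM-disabled when the manager actually returned its configuration with `"disabled": "yes"`.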

unknown man

Oct 25, 2019, 4:25:47 AM
to Juan Pablo Saez, Wazuh mailing list
Hello Juan,

I was going through some blogs and GitHub comments.
It looks like a bug, but I didn't get what needs to be done to solve the problem.


Juan Pablo Saez

Oct 25, 2019, 6:59:11 AM
to Wazuh mailing list
Hello Aravind (not unknown anymore),

After reading the API debug logs, I think this is a version problem (Wazuh manager version <= 3.9.0 && Wazuh agent version >= 3.10.0). Could you check the Wazuh manager and that agent's version?
# To find the Wazuh Manager and the Linux agent version:
# cat /etc/ossec-init.conf

# The Windows agent version can be found inside the agent directory at the following path:
# C:\Program Files (x86)\ossec-agent\VERSION


Let me know your versions. If this is the problem, adjusting the versions should be enough.

Greetings, JP Sáez

unknown man

Oct 27, 2019, 8:12:10 AM
to Juan Pablo Saez, Wazuh mailing list
Hello Juan,

Exactly as you said.
The details are as below.

Agent Info
---------------
NAME="Wazuh"
VERSION="v3.10.2"
REVISION="31014"
TYPE="agent"

Manager Info
----------------
NAME="Wazuh"
VERSION="v3.9.5"
REVISION="3937"
TYPE="server"

Regards,
Aravind

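A version-compatibility check in the spirit of JP's advice, added here as an example (not code from the thread or from Wazuh): it parses the two ossec-init.conf excerpts Aravind posted, compares the versions numerically rather than as strings, and flags an agent that is newer than its manager. It generalizes the thread's specific pair (manager <= 3.9.0 with agent >= 3.10.0) to the rule that a manager must be at least as new as the agents reporting to it; the file contents and field names are those shown above, and the function names are this example's own.

```python
import re

# /etc/ossec-init.conf contents as posted in this thread.
AGENT_INIT_CONF = """NAME="Wazuh"
VERSION="v3.10.2"
REVISION="31014"
TYPE="agent"
"""

MANAGER_INIT_CONF = """NAME="Wazuh"
VERSION="v3.9.5"
REVISION="3937"
TYPE="server"
"""

_KV_RE = re.compile(r'^\s*([A-Z_]+)="?([^"]*)"?\s*$')
_VER_RE = re.compile(r'v?(\d+)\.(\d+)\.(\d+)')


def parse_init_conf(text):
    """Parse the KEY="value" lines of ossec-init.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def version_tuple(version):
    """'v3.10.2' -> (3, 10, 2), so that 3.10 compares greater than 3.9.
    Comparing the raw strings gets this wrong ('v3.9.5' > 'v3.10.2')."""
    m = _VER_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"Invalid version format: {version!r}")
    return tuple(int(part) for part in m.groups())


def check_compat(manager_conf_text, agent_conf_text):
    """Flag an agent whose release is newer than its manager's.

    The thread's pair (manager v3.9.5, agent v3.10.2) is one instance of the
    general rule that agents must not run a newer release than the manager
    they report to; the manager is what has to be upgraded in that case.
    """
    manager = parse_init_conf(manager_conf_text)
    agent = parse_init_conf(agent_conf_text)
    if manager.get("TYPE") != "server":
        raise ValueError("manager ossec-init.conf does not have TYPE=server")
    mv, av = version_tuple(manager["VERSION"]), version_tuple(agent["VERSION"])
    compatible = av <= mv
    return {
        "manager": manager["VERSION"],
        "agent": agent["VERSION"],
        "compatible": compatible,
        "action": None if compatible else "upgrade manager to >= agent version",
    }


if __name__ == "__main__":
    print(check_compat(MANAGER_INIT_CONF, AGENT_INIT_CONF))
```

Run against a fleet by collecting each agent's VERSION line alongside the master's; any agent the check marks incompatible is one whose configuration the manager may fail to retrieve, exactly the "Configuration not available" symptom seen in Kibana here.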

unknown man

Oct 28, 2019, 10:13:41 PM
to Juan Pablo Saez, Wazuh mailing list
Hello Juan,

Can you suggest the next step to adjust the version?

Regards
Aravind

Juan Pablo Saez

Oct 29, 2019, 4:07:05 AM
to Wazuh mailing list
Hello Aravind,

Sorry for my late reply, I was AFK yesterday. 
Let me know if you get stuck during the upgrade process. 

Greetings, JP Sáez
