Wazuh FIM scan failed

[Hoang Thanh Khuyen]

Hi Wazuh team,

i enabled wazuh module FIM on Windows Server2016 x64 in order to monitoring folder.

my environment:

Server Centos 9 stream : Wazuh Manager, Wazuh Indexer and Wazuh Dashboard (Wazuh 4.5.2)

Agent: Windows 2016 x64 - Agent version 4.5.2.

FIM configuration in attachment.

  1 - Could you please help verify my FIM configuration, is there something wrong in configuration ?

  2 - After FIM scan for some hours the wazuh agent crash and stop working ( Please see attachment )

-------------------------------------------------------------------------------------

Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: wazuh-agent.exe
P2: 1.0.0.0
P3: 64f6dc81
P4: wazuh-agent.exe
P5: 1.0.0.0
P6: 64f6dc81
P7: c00000fd
P8: 000bcc4c
P9:
P10:

Attached files:
\\?\C:\Windows\Temp\WER5A85.tmp.appcompat.txt
\\?\C:\Windows\Temp\WER5CB8.tmp.WERInternalMetadata.xml
\\?\C:\Windows\Temp\WER5CD8.tmp.WERDataCollectionFailure.txt

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wazuh-agent.exe_e5e34538dc256c3f9fd9775ffb3ff58d20998b_11aab8ae_cab_39a25cd5

Analysis symbol:
Rechecking for solution: 0
Report Id: 72494ff7-f681-4fb1-b031-fd572f933ec2
Report Status: 4
Hashed bucket: 

--------------------------------------------------------------------------------------------------------------------------------------------

Fault bucket 1840703613274146299, type 1
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: wazuh-agent.exe
P2: 1.0.0.0
P3: 64f6dc81
P4: wazuh-agent.exe
P5: 1.0.0.0
P6: 64f6dc81
P7: c00000fd
P8: 000bcc4c
P9:
P10:

Attached files:
\\?\C:\Windows\Temp\WER5A85.tmp.appcompat.txt
\\?\C:\Windows\Temp\WER5CB8.tmp.WERInternalMetadata.xml
\\?\C:\Windows\Temp\WER5CD8.tmp.WERDataCollectionFailure.txt

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_wazuh-agent.exe_e5e34538dc256c3f9fd9775ffb3ff58d20998b_11aab8ae_306e6cb4

Analysis symbol:
Rechecking for solution: 0
Report Id: 72494ff7-f681-4fb1-b031-fd572f933ec2
Report Status: 0

[Hoang Thanh Khuyen]

Could you please help ,

Thanks so much for your kindly support.

[Santiago Bassett]

Our devel team will look into it and be back to you soon. The agent crashing is definitely not normal.

Thanks for reporting the issue.

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b7bd5687-6712-43c2-aa92-9848b962fe85n%40googlegroups.com.

[Octavio Valle López]

Hi Hoang Thanh Khuyen!

In order to obtain the exact line in the code that causes the problem, we need to install a special version of Wazuh (wazuh-agent-4.5.2-40521.msi), which will help collect the crash forensic information.
Download wazuh-agent-4.5.2-40521.msi, install it, and register your agent with your manager.

Then unzip the other .zip (enable_wazuh_dumps.zip) and run the .reg file.

Then restart the Wazuh agent and reproduce the issue, when the agent fails again, a core dump(.dmp) will be saved in C:\CrashDumps. Please upload it here.

With this .dmp file, we can fix the problem and release a package with the fix ready.

Thank you

[Hoang Thanh Khuyen]

Hi  Octavio,

i have just done new installation package and run FIM again, Do i need to manual create folder C:\CrashDumps for wazuh agent ?

i will update you soon .

Thanks so much, 

[Hoang Thanh Khuyen]

Hi Octavio,

Please find wazuh agent dump in link

Thanks,  

[Octavio Valle López]

Hi Hoang Than Khuyen

After a complete analysis of the situation, we found that you are using a very long path, which causes the product to behave incorrectly.

Wazuh handles paths of up to 260 characters on Windows (https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=registry) and you are using longer paths, for example in the dump I identified one in D:\dept I recommend that you use shorter paths or set a recursion_level for the d:\dept configuration, with a low limit.

We are analyzing fixing this situation.

I will create an issue to track the situation and I will inform you so you can track the progress of the fix.

Thanks

[Hoang Thanh Khuyen]

Hi Octavio,

Thank so much for your advice , i have enabled Windows Long Paths support following Microsoft link.

I would like to know will Wazuh agent can handle more than 260 characters if windows long paths was enable ?

Best Regards,

[Octavio Valle López]

Hi Hoang Thanh Khuyen!

The fix that prevents the issue will be delivered in 4.6.0, but this does not mean that those folders will be able to be monitored, only the process will not close / crash.
https://github.com/wazuh/wazuh/issues/19206

For long paths support, Please follow the issue:

https://github.com/wazuh/wazuh/issues/11583

[Hoang Thanh Khuyen]

Hi Octavio,

Limit recursion_level working well, i have monitoring Wazuh agent for some days and it stop crashing.

Module FIM also work well.

Many thanks to you and Wazuh team .

Best Regards,