various wazuh 4.9 errors


leon appel

Sep 11, 2024, 8:47:08 AM9/11/24
to Wazuh | Mailing List
Hi

I have tried to overcome some issues with the JVM size and passwords that would not generate (just a flashing cursor) by upgrading to 4.9 with Ubuntu 22.04 patch 4; however, I am now dealing with other issues.
The alerts are not updating with Azure or Graph items.
These are some of the event entries I have come across:

Azure logs
Sep 11, 2024 @ 14:26:38.000 azure ERROR  Error: An error occurred while trying to obtain the authentication token: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /contoso.onmicrosoft.com/oauth2/v2.0/token (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x79f09a04cee0>, 'Connection to login.microsoftonline.com timed out. (connect timeout=10)'))
Sep 11, 2024 @ 14:25:18.000 azure INFO  Database integrity check finished
Sep 11, 2024 @ 14:25:18.000 azure INFO  Azure Graph starting.
Sep 11, 2024 @ 14:25:18.000 azure DEBUG  Graph: Using the auth file /var/ossec/wodles/azure/graph_credentials.txt for authentication
Sep 11, 2024 @ 14:25:18.000 azure INFO  Graph: Getting authentication token.
Sep 11, 2024 @ 14:25:17.000 azure ERROR  Error: An error occurred while trying to obtain the authentication token: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /contoso.onmicrosoft.com/oauth2/v2.0/token (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x790d29f48ee0>, 'Connection to login.microsoftonline.com timed out. (connect timeout=10)'))


Wazuh-modulesd
Sep 11, 2024 @ 14:29:30.000 wazuh-modulesd DEBUG  curl_easy_perform() failed: Timeout was reached
Sep 11, 2024 @ 14:28:30.000 wazuh-modulesd DEBUG  curl_easy_perform() failed: Timeout was reached

wazuh-modulesd:azure-logs
Sep 11, 2024 @ 14:30:41.000 wazuh-modulesd:azure-logs ERROR  azure-ad-graph: Returned error code: '1'.
Sep 11, 2024 @ 14:30:41.000 wazuh-modulesd:azure-logs INFO  Checking database integrity
Sep 11, 2024 @ 14:30:41.000 wazuh-modulesd:azure-logs INFO  Finished Graphs log collection for request 'azure-ad-graph'.
Sep 11, 2024 @ 14:30:41.000 wazuh-modulesd:azure-logs INFO  Finished Graphs log collection for the domain 'contoso.onmicrosoft.com'.
Sep 11, 2024 @ 14:30:41.000 wazuh-modulesd:azure-logs DEBUG  Fetching logs finished.
Sep 11, 2024 @ 14:30:41.000 wazuh-modulesd:azure-logs WARNING  Interval overtaken.
Sep 11, 2024 @ 14:30:41.000 wazuh-modulesd:azure-logs INFO  Starting fetching of logs.
Sep 11, 2024 @ 14:30:41.000 wazuh-modulesd:azure-logs INFO  Starting Graphs log collection for the domain 'contoso.onmicrosoft.com'.
Sep 11, 2024 @ 14:30:41.000 wazuh-modulesd:azure-logs DEBUG  Creating argument list.
Sep 11, 2024 @ 14:30:41.000 wazuh-modulesd:azure-logs DEBUG  Launching command: wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/graph_credentials.txt --graph_tenant_domain contoso.onmicrosoft.com --graph_tag microsoft-entra_id --graph_query 'auditLogs/signIns' --debug 2

wazuh-modulesd:ms-graph
Sep 11, 2024 @ 14:31:30.000 wazuh-modulesd:ms-graph WARNING  No response received when attempting to obtain access token.
Sep 11, 2024 @ 14:31:30.000 wazuh-modulesd:ms-graph INFO  Obtaining access token.
Sep 11, 2024 @ 14:31:30.000 wazuh-modulesd:ms-graph DEBUG  Microsoft Graph API Access Token URL: 'https://login.microsoftonline.com/205cb9c8-6d96-394v-9e13-61ec0376d06b/oauth2/v2.0/token'
Sep 11, 2024 @ 14:30:30.000 wazuh-modulesd:ms-graph WARNING  No response received when attempting to obtain access token.

wazuh-modulesd:office365 (Note: I can get a token manually)
Sep 11, 2024 @ 14:31:30.000 wazuh-modulesd:office365 DEBUG  Scanning tenant: '205cb9c8-6d96-394v-9e13-61ec0376d06b'
Sep 11, 2024 @ 14:31:30.000 wazuh-modulesd:office365 DEBUG  Office 365 API access token URL: 'https://login.microsoftonline.com/205cb9c8-6d96-394v-9e13-61ec0376d06b/oauth2/v2.0/token'
Sep 11, 2024 @ 14:30:30.000 wazuh-modulesd:office365 DEBUG  Unknown error while getting access token.

wazuh-cluster.log
[2024-09-11T13:35:11,447][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 10.80.192.120:52196
[2024-09-11T13:35:12,900][WARN ][o.o.p.c.u.JsonConverter  ] [node-1] Json Mapping Error: Cannot invoke "java.lang.Long.longValue()" because "this.cacheMaxSize" is null (through reference chain: org.opensearch.performanceanalyzer.collectors.CacheConfigMetricsCollector$CacheMaxSizeStatus["Cache_MaxSize"])

[2024-09-11T13:36:37,906][WARN ][o.o.p.c.u.JsonConverter  ] [node-1] Json Mapping Error: Cannot invoke "java.lang.Long.longValue()" because "this.cacheMaxSize" is null (through reference chain: org.opensearch.performanceanalyzer.collectors.CacheConfigMetricsCollector$CacheMaxSizeStatus["Cache_MaxSize"])
[2024-09-11T13:36:42,906][WARN ][o.o.p.c.u.JsonConverter  ] [node-1] Json Mapping Error: Cannot invoke "java.lang.Long.longValue()" because "this.cacheMaxSize" is null (through reference chain: org.opensearch.performanceanalyzer.collectors.CacheConfigMetricsCollector$CacheMaxSizeStatus["Cache_MaxSize"])
[2024-09-11T13:36:47,542][INFO ][o.o.j.s.JobScheduler     ] [node-1] Will delay 34792 miliseconds for next execution of job wazuh-alerts-4.x-2024.08.31
[2024-09-11T13:36:47,907][WARN ][o.o.p.c.u.JsonConverter  ] [node-1] Json Mapping Error: Cannot invoke "java.lang.Long.longValue()" because "this.cacheMaxSize" is null (through reference chain: org.opensearch.performanceanalyzer.collectors.CacheConfigMetricsCollector$CacheMaxSizeStatus["Cache_MaxSize"])
[2024-09-11T13:36:48,430][INFO ][o.o.i.i.ManagedIndexRunner] [node-1] Executing attempt_transition_step for wazuh-alerts-4.x-2024.08.31
[2024-09-11T13:36:48,430][INFO ][o.o.i.i.ManagedIndexRunner] [node-1] Finished executing attempt_transition_step for wazuh-alerts-4.x-2024.08.31
[2024-09-11T13:36:52,908][WARN ][o.o.p.c.u.JsonConverter  ] [node-1] Json Mapping Error: Cannot invoke "java.lang.Long.longValue()" because "this.cacheMaxSize" is null (through reference chain: org.opensearch.performanceanalyzer.collectors.CacheConfigMetricsCollector$CacheMaxSizeStatus["Cache_MaxSize"])

Any help will be much appreciated, as I am about ready to wipe and start again.

Matías Mercado

Sep 12, 2024, 5:29:19 PM9/12/24
to Wazuh | Mailing List
Hello!
Seems like you have an authentication problem. You should check your Azure credentials and also the ossec.conf file with the configuration; please take a look at this section of the documentation: https://documentation.wazuh.com/current/cloud-security/azure/activity-services/prerequisites/credentials.html
After the initial release of 4.9 we found a few minor issues, and later that day we released a new hotfix for those issues. Could you please tell me if you are using 4.9 or 4.9.1?
Regards,
Matías

leon appel

Sep 12, 2024, 6:27:56 PM9/12/24
to Wazuh | Mailing List
Hi

I got this error initially in the logs:
Timestamp:time.Time{wall:0xc1b0a61e07d3cdeb, ext:23545181138992, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x280172, Device:0xfc01}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.status] of type [keyword] in document with id '7kYm5pEBEc5-s8obldDV'. Preview of field's value: '{failureReason=Other., errorCode=0, additionalDetails=null}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:4633"}

Then I updated the template (MS-Graph):
    "resource": {
      "type": "keyword"
    },
    "status": {
      "enabled": false
    },
    "tenantId": {
      "type": "keyword"
    }

Now I get this in the cluster log.
I am aware the cacheMaxSize error has been reported by other people on version 4.9 on this forum.


[2024-09-12T17:57:26,975][WARN ][o.o.p.c.u.JsonConverter  ] [node-1] Json Mapping Error: Cannot invoke "java.lang.Long.longValue()" because "this.cacheMaxSize" is null (through reference chain: org.opensearch.performanceanalyzer.collectors.CacheConfigMetricsCollector$CacheMaxSizeStatus["Cache_MaxSize"])
[2024-09-12T17:57:31,975][WARN ][o.o.p.c.u.JsonConverter  ] [node-1] Json Mapping Error: Cannot invoke "java.lang.Long.longValue()" because "this.cacheMaxSize" is null (through reference chain: org.opensearch.performanceanalyzer.collectors.CacheConfigMetricsCollector$CacheMaxSizeStatus["Cache_MaxSize"])
[2024-09-12T17:57:32,465][INFO ][o.o.j.s.JobSweeper       ] [node-1] Running full sweep
[2024-09-12T17:57:36,270][INFO ][o.o.j.s.JobScheduler     ] [node-1] Will delay 119646 miliseconds for next execution of job wazuh-alerts-4.x-2024.08.15
[2024-09-12T17:57:36,737][INFO ][o.o.i.i.ManagedIndexRunner] [node-1] Executing attempt_transition_step for wazuh-alerts-4.x-2024.08.15
[2024-09-12T17:57:36,737][INFO ][o.o.i.i.ManagedIndexRunner] [node-1] Finished executing attempt_transition_step for wazuh-alerts-4.x-2024.08.15
[2024-09-12T17:57:36,976][WARN ][o.o.p.c.u.JsonConverter  ] [node-1] Json Mapping Error: Cannot invoke "java.lang.Long.longValue()" because "this.cacheMaxSize" is null (through reference chain: org.opensearch.performanceanalyzer.collectors.CacheConfigMetricsCollector$CacheMaxSizeStatus["Cache_MaxSize"])


The ossec log is reporting the following:
2024/09/12 18:02:51 azure: ERROR: Error: An error occurred while trying to obtain the authentication token: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /contoso.onmicrosoft.com/oauth2/v2.0/token (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x75291bf48d30>, 'Connection to login.microsoftonline.com timed out. (connect timeout=10)'))

2024/09/12 18:02:51 wazuh-modulesd:azure-logs[2491] wm_azure.c:276 at wm_azure_graphs(): INFO: Finished Graphs log collection for request 'microsoft-entra_id'.
2024/09/12 18:02:51 wazuh-modulesd:azure-logs[2491] wm_azure.c:209 at wm_azure_graphs(): DEBUG: Creating argument list.
2024/09/12 18:02:51 wazuh-modulesd:azure-logs[2491] wm_azure.c:259 at wm_azure_graphs(): DEBUG: Launching command: wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/graph_credentials.txt --graph_tenant_domain contoso.onmicrosoft.com --graph_tag azure-ad-graph --graph_query 'auditLogs/directoryAudits' --graph_time_offset 1d --debug 2
2024/09/12 18:04:12 wazuh-modulesd:azure-logs[2491] wm_azure.c:263 at wm_azure_graphs(): ERROR: azure-ad-graph: Returned error code: '1'.
2024/09/12 18:04:12 wazuh-modulesd:azure-logs[2491] wm_azure.c:264 at wm_azure_graphs(): DEBUG: OUTPUT: 2024/09/12 18:02:52 azure: INFO: Checking database integrity
2024/09/12 18:02:52 azure: INFO: Database integrity check finished
2024/09/12 18:02:52 azure: INFO: Azure Graph starting.
2024/09/12 18:02:52 azure: DEBUG: Graph: Using the auth file /var/ossec/wodles/azure/graph_credentials.txt for authentication
2024/09/12 18:02:52 azure: INFO: Graph: Getting authentication token.
2024/09/12 18:04:12 azure: ERROR: Error: An error occurred while trying to obtain the authentication token: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /contoso.onmicrosoft.com/oauth2/v2.0/token (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x771e46b48d30>, 'Connection to login.microsoftonline.com timed out. (connect timeout=10)'))

2024/09/12 18:04:12 wazuh-modulesd:azure-logs[2491] wm_azure.c:276 at wm_azure_graphs(): INFO: Finished Graphs log collection for request 'azure-ad-graph'.
2024/09/12 18:04:12 wazuh-modulesd:azure-logs[2491] wm_azure.c:87 at wm_azure_main(): INFO: Finished Graphs log collection for the domain 'contoso.onmicrosoft.com'.
2024/09/12 18:04:12 wazuh-modulesd:azure-logs[2491] wm_azure.c:100 at wm_azure_main(): DEBUG: Fetching logs finished.
2024/09/12 18:04:12 wazuh-modulesd:azure-logs[2491] wm_azure.c:70 at wm_azure_main(): DEBUG: Sleeping until: 2024/09/12 18:06:30
2024/09/12 18:05:30 wazuh-modulesd:office365[2491] wm_office365.c:320 at wm_office365_execute_scan(): DEBUG: Scanning tenant: '205cb9c8-6d96-8888-9e13-61ec0376d06b'
2024/09/12 18:05:30 wazuh-modulesd:office365[2491] wm_office365.c:554 at wm_office365_get_access_token(): DEBUG: Office 365 API access token URL: 'https://login.microsoftonline.com/205cb9c8-6d96-8888-9e13-61ec0376d06b/oauth2/v2.0/token'
You have new mail in /var/mail/root

I tested the Graph/Azure authentication manually and that succeeds.

leon appel

Sep 13, 2024, 12:58:34 PM9/13/24
to Wazuh | Mailing List
Hi

I have not been able to resolve the outstanding issues with Azure logs since the upgrade to 4.9.1.
(attachments: errors.jpg, error2.jpg)

Thanks in advance
Leon

leon appel

Sep 13, 2024, 2:22:19 PM9/13/24
to Wazuh | Mailing List
Hi

The issue is now resolved by updating the proxy config in /etc/systemd/system/multi-user.target.wants/wazuh-manager.service and removing it from the OS. In version 4.8 I had to place it in the OS:
    [Service]
    Type=forking
    EnvironmentFile=/etc/ossec-init.conf
    Environment="https_proxy=http://<proxy_IP:port>"
    Environment="http_proxy=http://<proxy_IP:port>"
    LimitNOFILE=65536

Thanks
Leon
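The thread above was first read as a credentials problem when the logs actually showed a connect timeout to the token endpoint, which the wodle's child process never got past. As an added example (not code from this thread or from Wazuh), here is a small Python triage that runs the thread's own log lines through ordered rules so that transport failures are reported as network/proxy problems before anyone rotates credentials; the rule set, the category names and the hint texts are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: three wodle lines and one indexer line copied from the excerpts in this thread.
SAMPLE_LOG = """\
2024/09/12 18:04:12 azure: ERROR: Error: An error occurred while trying to obtain the authentication token: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /contoso.onmicrosoft.com/oauth2/v2.0/token (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x771e46b48d30>, 'Connection to login.microsoftonline.com timed out. (connect timeout=10)'))
2024/09/12 18:04:12 wazuh-modulesd:azure-logs[2491] wm_azure.c:263 at wm_azure_graphs(): ERROR: azure-ad-graph: Returned error code: '1'.
2024/09/12 18:05:30 wazuh-modulesd:office365[2491] wm_office365.c:554 at wm_office365_get_access_token(): DEBUG: Unknown error while getting access token.
[2024-09-12T17:57:26,975][WARN ][o.o.p.c.u.JsonConverter  ] [node-1] Json Mapping Error: Cannot invoke "java.lang.Long.longValue()" because "this.cacheMaxSize" is null
"""

# Ordered rules, first match wins. Transport failures come first: if the TCP connection to the
# token endpoint never completed, no credential was evaluated, so "credentials" is ruled out.
# The regexes and the credential error names (standard OAuth2 / Entra codes) are assumptions.
RULES = [
    ("network/proxy", re.compile(r"ConnectTimeoutError|Max retries exceeded|Timeout was reached|No response received")),
    ("credentials", re.compile(r"invalid_client|unauthorized_client|invalid_grant|AADSTS\d+")),
    ("wodle-exit", re.compile(r"Returned error code: '\d+'")),
    ("indexer-mapping", re.compile(r"mapper_parsing_exception|Json Mapping Error")),
]

HINTS = {
    "network/proxy": "wazuh-manager.service cannot reach login.microsoftonline.com: check the proxy "
                     "Environment= lines of the unit (systemctl show wazuh-manager -p Environment).",
    "credentials": "token endpoint answered with an OAuth error: check graph_credentials.txt / ossec.conf.",
    "wodle-exit": "wrapper only reports the child's exit code: read the DEBUG OUTPUT lines right before it.",
    "indexer-mapping": "indexer-side problem (template or plugin), unrelated to Azure authentication.",
    "unclassified": "no rule matched: inspect manually.",
}


def classify(line: str) -> str:
    """Return the first rule name whose pattern matches the log line."""
    for name, pattern in RULES:
        if pattern.search(line):
            return name
    return "unclassified"


def triage(log_text: str) -> Counter:
    """Count lines per category so the dominant failure class is obvious at a glance."""
    return Counter(classify(line) for line in log_text.splitlines() if line.strip())


if __name__ == "__main__":
    for category, count in triage(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {category:16s}  {HINTS[category]}")
```

Run it against `grep -h azure /var/ossec/logs/ossec.log` output (or the cluster log) to see which class dominates before touching credentials or templates.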


Matías Mercado

Sep 13, 2024, 2:48:24 PM9/13/24
to Wazuh | Mailing List
Hi,
Great news then. Next time, this command will help with debugging this problem.

/var/ossec/wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/graph_credentials.txt --graph_tenant_domain contoso.onmicrosoft.com --graph_tag azure-ad-graph --graph_query 'auditLogs/directoryAudits' --graph_time_offset 1d --debug 2

I will leave it here in case other people have a similar problem.
Regards,
Matías.