wazuh-modulesd not running...wazuh-modulesd: ERROR: Unknown module 'syscollector'


Adiel Jesus Navarro Rosado

Jun 27, 2018, 7:26:23 PM
to wa...@googlegroups.com

I tried to enable vulnerability scanning in an agent using the following configuration:

<wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-centos-7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
</wodle>

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <packages>yes</packages>
</wodle>

But ossec.log shows the following message:

wazuh-modulesd: ERROR: Unknown module 'syscollector'

And the services show the following status:

/var/ossec/bin/ossec-control status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...
wazuh-modulesd not running...

On the Wazuh Manager I have the following configuration:

<wodle name="vulnerability-detector">
    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>
    <update_ubuntu_oval interval="60m" version="16,14">yes</update_ubuntu_oval>
    <update_redhat_oval interval="60m" version="7,6">yes</update_redhat_oval>
</wodle>

/var/ossec/bin/ossec-control status
wazuh-clusterd not running...
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...
wazuh-db is running...
ossec-csyslogd is running...

wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting Ubuntu Trusty DB update...
wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting Ubuntu Xenial DB update...
wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting Ubuntu Trusty DB update...
wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting Red Hat Enterprise Linux 6 DB update...
wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting Red Hat Enterprise Linux 7 DB update...

rafael...@wazuh.com

Jun 28, 2018, 3:21:19 AM
to Wazuh mailing list

Hi Adiel,

Your configuration seems to be ok. What version of the Wazuh agent are you using? What operating system is the agent running on?

Do you have syscollector enabled on the manager as well?

You can copy the same syscollector wodle configuration from the manager to the agent, restart the agent and see what happens.

Best regards.

Adiel Jesus Navarro Rosado

Jun 28, 2018, 10:33:32 AM
to rafael...@wazuh.com, Wazuh mailing list

Hi Rafael.

I replicated the config for syscollector on the manager and restarted the services on the manager and agent.

In the agent, wazuh-modulesd is still not running and is still sending the same error: 2018/06/28 09:28:18 wazuh-modulesd: ERROR: Unknown module 'syscollector'

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/1dc0f679-bb07-4ffa-9e6b-9d778be688ba%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Adiel Jesus Navarro Rosado

Jun 28, 2018, 10:38:06 AM
to rafael...@wazuh.com, Wazuh mailing list

Hi Rafael.

I replicated the config for syscollector on the manager and restarted the services on the manager and agent.

In the agent, wazuh-modulesd is still not running and is still sending the same error: 2018/06/28 09:28:18 wazuh-modulesd: ERROR: Unknown module 'syscollector'

The agent is running on CentOS Linux 7

Agent version: Wazuh v3.3.0


Adiel Jesus Navarro Rosado

Jun 28, 2018, 10:56:48 AM
to rafael...@wazuh.com, Wazuh mailing list

Hi Rafael.

I replicated the config for syscollector on the manager and restarted the services on the manager and agent.

In the agent, wazuh-modulesd is still not running and is still sending the same error: 2018/06/28 09:28:18 wazuh-modulesd: ERROR: Unknown module 'syscollector'

The agent is running on CentOS Linux 7

Agent version: Wazuh v3.3.0

Additionally, when I restart the agent, it sends the following messages:

Starting Wazuh v3.3.0 (maintained by Wazuh Inc.)...
2018/06/28 09:49:21 wazuh-modulesd: ERROR: Unknown module 'vulnerability-detector'
2018/06/28 09:49:21 wazuh-modulesd: ERROR: Unknown module 'syscollector'


rafael...@wazuh.com

Jun 29, 2018, 3:20:18 AM
to Wazuh mailing list

Hi Adiel,

You seem to have installed a Wazuh version that doesn't support syscollector. That version is for CentOS 5.

Have you installed a CentOS 5 package on a CentOS 7?

Best regards.


Adiel Jesus Navarro Rosado

Jun 29, 2018, 10:35:50 AM
to rafael...@wazuh.com, Wazuh mailing list

No, it is CentOS 7


rafael...@wazuh.com

Jul 3, 2018, 3:31:32 AM
to Wazuh mailing list

Hi Adiel,

Can you please download and install this package: https://packages.wazuh.com/3.x/yum/wazuh-agent-3.3.0-1.x86_64.rpm

Tell me if this solves your problem.

Best regards.


Adiel Jesus Navarro Rosado

Jul 3, 2018, 7:23:59 PM
to rafael...@wazuh.com, Wazuh mailing list

What is this rpm? An agent?

Will this not overwrite the installed agent?


rafael...@wazuh.com

Jul 4, 2018, 3:23:39 AM
to Wazuh mailing list

Hi Adiel,

Yes, it is an agent for CentOS, and yes, it will overwrite your existing agent.

If you need a guide on how to install rpm packages you can follow this guide: https://access.redhat.com/solutions/1189

Best regards.


Adiel Jesus Navarro Rosado

Jul 4, 2018, 10:40:55 AM
to rafael...@wazuh.com, Wazuh mailing list

Is it necessary to uninstall the agent?

How can I do this?


Adiel Jesus Navarro Rosado

Jul 4, 2018, 10:46:11 AM
to rafael...@wazuh.com, Wazuh mailing list

Why should I install the agent again?

When I configured the repository, I followed the instructions in the Wazuh Docs for installing the Wazuh Agent on CentOS:

Is it not the correct version for CentOS 7?


Adiel Jesus Navarro Rosado

Jul 4, 2018, 11:19:46 AM
to rafael...@wazuh.com, Wazuh mailing list

According to the system info, I have this version of the Wazuh Agent installed:

wazuh-agent.x86_64 0:3.3.0-1

Is it not the same version that they ask me to reinstall?

can you please to download and install this package: https://packages.wazuh.com/3.x/yum/wazuh-agent-3.3.0-1.x86_64.rpm

Is it not necessary to run the deploy_vuls.sh script?


rafael...@wazuh.com

Jul 4, 2018, 1:10:08 PM
to Wazuh mailing list

Hi Adiel,

Yes, it is the same agent version that you have.

Maybe your syscollector configuration has some incorrect character.

Can you please try this configuration?

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
</wodle>

Best regards.


Adiel Jesus Navarro Rosado

Jul 4, 2018, 1:47:27 PM
to rafael...@wazuh.com, Wazuh mailing list

I tried the recommended configuration, but it still sends the same messages on the agent:

[root@PORS ~]# /var/ossec/bin/ossec-control start
Starting Wazuh v3.3.0 (maintained by Wazuh Inc.)...
2018/07/04 12:39:48 wazuh-modulesd: ERROR: Unknown module 'vulnerability-detector'
2018/07/04 12:39:48 wazuh-modulesd: ERROR: Unknown module 'syscollector'
Started wazuh-modulesd...
Started ossec-execd...
2018/07/04 12:39:48 ossec-agentd: INFO: Using notify time: 60 and max time to reconnect: 300
Started ossec-agentd...
Started ossec-syscheckd...
Started ossec-logcollector...

[root@PORS ~]# /var/ossec/bin/ossec-control status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...
wazuh-modulesd not running...


Chema Martinez

Jul 5, 2018, 10:25:18 AM
to Adiel Jesus Navarro Rosado, rafael...@wazuh.com, Wazuh mailing list

Hi Adiel,

Could you please paste here your Syscollector configuration to check it in our agents?

It would be useful to see the content of the file "/etc/ossec-init.conf" to check the revision number of your version.

In addition, it is normal that the agent doesn't recognize the Vulnerability detector module since it's a module implemented for the manager only.

Best regards,
Chema.

Chema Martinez | IT Engineer — Wazuh, Inc.


Adiel Jesus Navarro Rosado

Jul 5, 2018, 10:56:14 AM
to Chema Martinez, rafael...@wazuh.com, Wazuh mailing list

<wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <packets>yes</packets>
</wodle>

# more ossec-init.conf
DIRECTORY="/var/ossec"
NAME="Wazuh"
VERSION="v3.3.0"
REVISION="3313"
DATE="Fri Jun  8 20:22:46 UTC 2018"
TYPE="agent"


Adiel Jesus Navarro Rosado

Jul 5, 2018, 11:07:41 AM
to Chema Martinez, rafael...@wazuh.com, Wazuh mailing list

Is it necessary to run the deploy_vuls.sh script for the agent?


Chema Martinez

Jul 9, 2018, 9:15:41 AM
to Adiel Jesus Navarro Rosado, rafael...@wazuh.com, Wazuh mailing list

Hi Adiel,

I think that you installed a wrong package in your CentOS 7 agent, maybe the CentOS 5 package without the Syscollector module built.

Please, try to update your agent with the correct package for CentOS 7 located at wazuh-agent-3.3.1-1.x86_64.rpm. It includes the Syscollector module.

In addition, to run the packages scan you have to set the <packages> tag in the configuration instead of <packets>.

Regards,
Chema.

Chema Martinez | IT Engineer — Wazuh, Inc.
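
Added example, not part of the thread and not Wazuh code: a small Python check for the two configuration-level problems the replies point out, a manager-only wodle in an agent config and `<packets>` written for `<packages>`. The option list is assumed from the configurations quoted in this thread, the sample input is constructed, and the check cannot detect a package that was built without the Syscollector module.

```python
import difflib
import xml.etree.ElementTree as ET

# Assumption: only the option names that appear in this thread's configs.
SYSCOLLECTOR_OPTIONS = ["disabled", "interval", "scan_on_start",
                        "hardware", "os", "network", "packages"]
# Per the thread, vulnerability-detector is implemented for the manager only.
MANAGER_ONLY_WODLES = {"vulnerability-detector"}


def parse_init_conf(text):
    """Parse KEY="value" lines as found in /etc/ossec-init.conf."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip('"')
    return info


def lint_wodles(conf_text, init_info):
    """Return findings for every <wodle> in an ossec.conf fragment."""
    # ossec.conf may hold several top-level elements, so wrap it in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    is_agent = init_info.get("TYPE") == "agent"
    findings = []
    for wodle in root.iter("wodle"):
        name = wodle.get("name", "")
        if is_agent and name in MANAGER_ONLY_WODLES:
            findings.append(f"{name}: manager-only module in an agent config")
        if name == "syscollector":
            for child in wodle:
                if child.tag not in SYSCOLLECTOR_OPTIONS:
                    near = difflib.get_close_matches(
                        child.tag, SYSCOLLECTOR_OPTIONS, n=1)
                    hint = f", did you mean <{near[0]}>?" if near else ""
                    findings.append(
                        f"syscollector: unknown option <{child.tag}>{hint}")
    return findings


# Constructed sample input modelled on the files quoted in the thread.
SAMPLE_INIT = 'NAME="Wazuh"\nVERSION="v3.3.0"\nTYPE="agent"\n'
SAMPLE_CONF = """
<wodle name="vulnerability-detector">
  <disabled>no</disabled>
</wodle>
<wodle name="syscollector">
  <disabled>no</disabled>
  <scan_on_start>yes</scan_on_start>
  <packets>yes</packets>
</wodle>
"""

if __name__ == "__main__":
    for finding in lint_wodles(SAMPLE_CONF, parse_init_conf(SAMPLE_INIT)):
        print(finding)
```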
