wazuh-manager service state


Steven Paugh

Feb 23, 2023, 8:15:43 AM
to Wazuh mailing list
Hello everyone,

I have recently continued my takeover of Wazuh from a prior engineer who built this a year or so ago. While working on integrating Wazuh with 'TheHive', I started to notice that the master and worker nodes all have the wazuh-manager service inactive (dead).

Do we expect this behavior?

Thank you,
-Steven

Mariano Koremblum

Feb 23, 2023, 9:12:34 AM
to Wazuh mailing list

Hi Steven,

If the service is down then the manager is probably not running.

Are you familiar with Linux systems? Can you check if any Wazuh process is running even though the service is down? Did you try to start them?

I will be waiting for your reply,

Mariano Koremblum

Steven Paugh

Feb 23, 2023, 9:17:13 AM
to Wazuh mailing list
Thanks for the reply Mariano!

Using ps -elf | grep wazuh I get the following on the manager master:

ps -elf | grep wazuh
5 S wazuh      62845       1  0  80   0 - 165554 -     12:36 ?        00:00:10 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
5 S root       62884       1  0  80   0 - 45071 -      12:36 ?        00:00:32 /var/ossec/bin/wazuh-authd
5 S wazuh      62900       1  0  80   0 - 173916 -     12:36 ?        00:00:10 /var/ossec/bin/wazuh-db
5 S wazuh      62914   62845  0  80   0 - 39709 -      12:36 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
5 S wazuh      62917   62845  0  80   0 - 76713 -      12:36 ?        00:00:06 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
5 S root       62929       1  0  80   0 -  6130 -      12:36 ?        00:00:00 /var/ossec/bin/wazuh-execd
5 S wazuh      62943       1  0  80   0 - 429808 -     12:36 ?        00:00:01 /var/ossec/bin/wazuh-analysisd
5 S root       63040       1  0  90  10 - 63653 -      12:36 ?        00:00:03 /var/ossec/bin/wazuh-syscheckd
5 S wazuh      63058       1  0  80   0 - 127262 -     12:36 ?        00:00:08 /var/ossec/bin/wazuh-remoted
5 S root       63073       1  0  80   0 - 116742 -     12:36 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
5 S wazuh      63108       1  0  80   0 -  6139 -      12:36 ?        00:00:00 /var/ossec/bin/wazuh-monitord
5 S root       63126       1  0  80   0 - 349451 -     12:36 ?        00:00:14 /var/ossec/bin/wazuh-modulesd
5 S wazuh      63243       1  0  80   0 - 69348 -      12:36 ?        00:00:36 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
5 S wazuh      63267   63243  0  80   0 - 30466 -      12:37 ?        00:00:04 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
5 S wazuh      63270   63243  0  80   0 - 67332 -      12:37 ?        00:00:04 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
0 R root       63504   63489  0  80   0 -   828 -      14:14 pts/7    00:00:00 grep --color=auto wazuh

The Wazuh UI and services all seem to be working fine from an overall perspective.
If you think it's worth it, I can check all the worker nodes as well!

Respectfully,
-Steven

Mariano Koremblum

Feb 23, 2023, 11:06:22 AM
to Wazuh mailing list

Yes please, just to check if they are all running. Also, if you can, run the following commands and share the outputs with us (on every node if possible):

  • 1st: # history | grep "wazuh-control"
  • 2nd: # /var/ossec/bin/wazuh-control status

regards

Steven Paugh

Feb 23, 2023, 11:17:49 AM
to Wazuh mailing list
Master:
# history | grep "wazuh-control"
   27  history | grep "wazuh-control"
# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...


Worker1:
# history | grep "wazuh-control"
    8  history | grep "wazuh-control"
# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Worker2:
# history | grep "wazuh-control"
    5  history | grep "wazuh-control"
# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Worker3:
# history | grep "wazuh-control"
    4  history | grep "wazuh-control"
# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

I left the indexers and dashboard out. Let me know if they need added!

Thank you again for the help on this!
-Steven

Mariano Koremblum

Feb 23, 2023, 12:25:45 PM
to Wazuh mailing list
Well, I don't know your whole configuration or how the servers were deployed, but they seem to be working just fine.

Do you notice any irregular functioning? Is something not working as expected? Are these nodes restarted frequently or have they been restarted recently?

Please, let us know,

Regards

Mariano Koremblum

Feb 23, 2023, 12:28:21 PM
to Wazuh mailing list

Additionally, you may check if the service is enabled on the nodes by running the following command:

# systemctl is-enabled wazuh-manager.service

Steven Paugh

Feb 23, 2023, 12:42:07 PM
to Wazuh mailing list
I probably should have elaborated the reason I asked. Sorry!

I set up the integration for TheHive and when trying to restart the wazuh-manager service to get the changes into effect I saw it was dead.

I'm not seeing any alerts in TheHive yet. So assumably it is either a config issue on my side, or this service being dead is not updating the manager master to accept this configuration.

On that note, should I move the integration section I added to the Manager to the worker nodes as well? I'm still not quite up to speed on how the configs need to be configured between manager and worker nodes.

Steven Paugh

Feb 23, 2023, 12:47:00 PM
to Wazuh mailing list
Manager service is actually disabled as well. 
# systemctl is-enabled wazuh-manager.service
disabled

If there are no negative results foreseeable for this I will leave it as is!

Mariano Koremblum

Feb 23, 2023, 1:03:52 PM
to Wazuh mailing list

Every time you change something in the ossec.conf file you should restart your manager for the new configurations to take effect. You may try to enable the service (or investigate why it is not enabled) by running the command systemctl enable wazuh-manager.service; this is particularly useful for the service to start automatically when a node restart is performed. If not, unless there is some start-up script that turns the Wazuh manager on, a manual execution of it would be needed.

Regards
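
The state discussed in this thread, Wazuh daemons running while the systemd unit is inactive and disabled, can be checked per node with a short script, which also lists daemons whose state differs between two nodes. This is an added example, not part of the original messages or Wazuh's own tooling; the function names are invented here and the sample text is shortened from the status output posted above.

```shell
#!/bin/sh
# Added example; function names are this example's own, not Wazuh tooling.

# Turn `wazuh-control status` output into "daemon state" pairs.
parse_status() {
    sed -n -e 's/^\(wazuh-[a-z]*\) is running\.\.\.$/\1 running/p' \
           -e 's/^\(wazuh-[a-z]*\) not running\.\.\.$/\1 stopped/p'
}

# List daemons whose state differs between two captured status outputs.
diff_status() {   # $1, $2: status text from two nodes
    { printf '%s\n' "$1" | parse_status | sed 's/^/A /'
      printf '%s\n' "$2" | parse_status | sed 's/^/B /'; } |
    awk '$1 == "A" { a[$2] = $3 }
         $1 == "B" && a[$2] != $3 { print $2 ": " a[$2] " vs " $3 }'
}

# Compare systemd's view of the unit with what is actually running.
unit_verdict() {  # $1: is-active output  $2: is-enabled output  $3: status text
    running=$(printf '%s\n' "$3" | parse_status |
              awk '$2 == "running" { n++ } END { print n + 0 }')
    if [ "$1" != active ] && [ "$running" -gt 0 ]; then
        echo "unmanaged: $running daemons running, unit is $1"
    elif [ "$2" != enabled ]; then
        echo "no-autostart: unit is $2"
    else
        echo "ok"
    fi
}

# Sample input: four lines per node, shortened from the thread's output.
MASTER='wazuh-analysisd is running...
wazuh-integratord not running...
wazuh-csyslogd not running...
wazuh-apid is running...'
WORKER1='wazuh-analysisd is running...
wazuh-integratord is running...
wazuh-csyslogd not running...
wazuh-apid is running...'

diff_status "$MASTER" "$WORKER1"
unit_verdict inactive disabled "$MASTER"

# Live use on a node (as root):
#   unit_verdict "$(systemctl is-active wazuh-manager.service)" \
#                "$(systemctl is-enabled wazuh-manager.service)" \
#                "$(/var/ossec/bin/wazuh-control status)"
```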

Steven Paugh

Feb 23, 2023, 2:34:43 PM
to Wazuh mailing list
All services started after enabling. No issues so far. Thank you for the help!

Mariano Koremblum

Feb 23, 2023, 4:07:01 PM
to Wazuh mailing list
You are welcome Steven!

Do not hesitate to reach out again whenever you need us :)

Best regards,

Mariano Koremblum