Wazuh-agents downgrade


Fremie Mico

Aug 3, 2023, 6:25:59 AM
to Wazuh mailing list
Our latest software package update on Ubuntu upgraded the versions of our wazuh-agents as well. Doing so disconnected all the wazuh-agents that we have.

I've skimmed through most of the conversations here and the options I've found are the following:
1. do it via wazuh-manager

/var/ossec/bin/agent_upgrade -a [ID] -dF -v v4.2.6   
# << we need 4.2.6 this is what we have on managers and workers

2. Do it via packages. I've checked wazuh docuguides and the latest it shows for 4.2 is version 4.2.7. Checked GitHub packages as well and I've found this.

dpkg -i wazuh-agent_4.2.6_amd64.deb?

But it is only tagged as "Manager". Can this package also work on wazuh-agents?

Fremie Mico

Aug 3, 2023, 6:30:28 AM
to Wazuh mailing list

I forgot to mention that I did try option 1, but I was getting an error, so I had to opt for the 2nd option.
This was the error I was getting:

Internal error:
Traceback (most recent call last):
  File "/var/ossec/framework/scripts/agent_upgrade.py", line 220, in <module>
    main()
  File "/var/ossec/framework/scripts/agent_upgrade.py", line 186, in main
    result = send_command(function=upgrade_agents, command=create_command())
  File "/var/ossec/framework/scripts/agent_upgrade.py", line 115, in send_command
    return raise_if_exc(pool.submit(run, dapi.distribute_function()).result())
  File "/var/ossec/framework/python/lib/python3.9/site-packages/api-4.2.6-py3.9.egg/api/util.py", line 294, in raise_if_exc
    _create_problem(obj)
  File "/var/ossec/framework/python/lib/python3.9/site-packages/api-4.2.6-py3.9.egg/api/util.py", line 275, in _create_problem
    raise ProblemException(status=400 if not code else code, type=exc.type, title=exc.title, detail=exc.message,
connexion.exceptions.ProblemException

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/ossec/framework/scripts/agent_upgrade.py", line 227, in <module>
    if args.debug:
AttributeError: 'Namespace' object has no attribute 'debug'

victor....@wazuh.com

Aug 3, 2023, 8:23:26 AM
to Wazuh mailing list

Hello Fremie Mico,


I regret to inform you that the first option is not feasible because your agents are already disconnected. As a result, the manager cannot downgrade them remotely. We have the following alternatives:

  1. Upgrade your manager to the new agent version.
  2. Downgrade your agents via packages.

The recommended approach is to upgrade your manager. If that's not feasible, you can directly downgrade your agent using the 4.2.6 packages. These packages are stored in the repository, so you can install them directly using your package manager. For example, using apt:


apt-get install wazuh-agent=4.2.6-1



Before performing this step, ensure that you have added the Wazuh repository. You can find detailed instructions on how to add the Wazuh repository here: Link to Wazuh Repository Documentation

Alternatively, you can download the packages directly from the links provided in the documentation. Make sure to change the final package name to the desired version. For example, for the Ubuntu agent package:

Link to Wazuh Agent 4.2.6-1 (amd64.deb)


To avoid encountering this situation in the future, you can disable the Wazuh repository to prevent accidental upgrades using the following commands:


sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list

apt-get update



Alternatively, you can set the package state to "hold." This action stops updates, but you can still upgrade it manually using apt-get install:


echo "wazuh-agent hold" | dpkg --set-selections



If you have any questions, feel free to ask.
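The two safeguards in the reply above (disabling the repository, or holding the package) can be checked before an unattended upgrade runs. The script below is an added example, not part of the thread or of Wazuh's tooling: it reads `apt-cache policy` and `dpkg --get-selections` output and reports whether a pending upgrade would leave the agent newer than the manager. It assumes the rule that an agent must not be newer than its manager, which is the situation this thread describes; the function names and the `--live` switch are hypothetical, and the sample outputs are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag a pending wazuh-agent upgrade that
# would leave the agent newer than the manager, unless the package is held.

# "v4.2.6" or "4.2.6-1" -> "4.2.6" (drop leading "v" and Debian revision).
normalize() {
  v=${1#v}
  printf '%s\n' "${v%%-*}"
}

# version_le A B: succeeds when A <= B, using GNU sort's version ordering.
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Read `apt-cache policy wazuh-agent` output on stdin, print the Candidate.
candidate_from_policy() {
  awk '$1 == "Candidate:" { print $2; exit }'
}

# Read `dpkg --get-selections` output on stdin, print the state of package $1.
selection_state() {
  awk -v pkg="$1" '$1 == pkg { print $2; exit }'
}

# upgrade_verdict MANAGER_VERSION POLICY_TEXT SELECTIONS_TEXT
# Prints one of: safe | held | at-risk | unknown
upgrade_verdict() (
  manager=$(normalize "$1")
  candidate=$(printf '%s\n' "$2" | candidate_from_policy)
  state=$(printf '%s\n' "$3" | selection_state wazuh-agent)
  if [ -z "$candidate" ] || [ "$candidate" = "(none)" ]; then
    echo "unknown"            # repository disabled or package not known to apt
  elif version_le "$(normalize "$candidate")" "$manager"; then
    echo "safe"               # candidate is not newer than the manager
  elif [ "$state" = "hold" ]; then
    echo "held"               # newer candidate exists, but apt will not install it
  else
    echo "at-risk"            # the next upgrade run would outpace the manager
  fi
)

# Constructed sample: what apt-cache policy prints when 4.4.5-1 is available.
sample_policy() {
  cat <<'EOF'
wazuh-agent:
  Installed: 4.2.6-1
  Candidate: 4.4.5-1
  Version table:
     4.4.5-1 500
        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages
 *** 4.2.6-1 100
        100 /var/lib/dpkg/status
EOF
}

# Constructed sample: dpkg --get-selections line with the given state.
sample_selection() {
  printf 'wazuh-agent\t\t\t\t\t%s\n' "$1"
}

# Live use (hypothetical switch): ./check.sh --live 4.2.6
if [ "${1:-}" = "--live" ]; then
  upgrade_verdict "$2" "$(apt-cache policy wazuh-agent)" \
                       "$(dpkg --get-selections wazuh-agent)"
fi
```

The manager version is passed in by the operator; the script does not query the manager.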

Fremie Mico

Aug 3, 2023, 8:41:32 AM
to victor....@wazuh.com, Wazuh mailing list
Hi Victor, 

Thanks for getting back to me.

I may have jumped the gun early. From what you mentioned, yeah, doing option #1 did not work out. I switched to option #2 and then did the following:

sudo apt update
sudo apt install wazuh-agent=4.2.6-1

It did downgrade the wazuh-agent to 4.2.6, but I encountered an error while doing so.
Here's the error:

dpkg: warning: downgrading wazuh-agent from 4.4.5-1 to 4.2.6-1
(Reading database ... 43137 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.2.6-1_amd64.deb ...
Unpacking wazuh-agent (4.2.6-1) over (4.4.5-1) ...
Setting up wazuh-agent (4.2.6-1) ...

Configuration file '/etc/systemd/system/wazuh-agent.service'
 ==> Deleted (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
 ==> Keeping old config file as default.
Installing new version of config file /etc/init.d/wazuh-agent ...
dpkg: error processing package wazuh-agent (--configure):
 installed wazuh-agent package post-installation script subprocess returned error exit status 1
Processing triggers for systemd (245.4-4ubuntu3.22) ...
Errors were encountered while processing:
 wazuh-agent
E: Sub-process /usr/bin/dpkg returned an error code (1)

sudo systemctl status wazuh-agent.service
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2023-08-03 13:41:19 UTC; 1min 28s ago
    Process: 3117590 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=1/FAILURE)
      Tasks: 2 (limit: 96492)
     Memory: 8.8M
     CGroup: /system.slice/wazuh-agent.service
             └─3111081 /var/ossec/bin/wazuh-execd

Aug 03 13:41:08 node10 systemd[1]: Starting Wazuh agent...
Aug 03 13:41:08 node5 env[3117590]: Starting Wazuh v4.2.6...
Aug 03 13:41:09 node5 env[3117590]: wazuh-execd already running...
Aug 03 13:41:19 node5 env[3117590]: wazuh-agentd did not start
Aug 03 13:41:19 node5 systemd[1]: wazuh-agent.service: Control process exited, code=exited, status=1/FAILURE
Aug 03 13:41:19 node5 systemd[1]: wazuh-agent.service: Failed with result 'exit-code'.
Aug 03 13:41:19 node5 systemd[1]: Failed to start Wazuh agent.



victor....@wazuh.com

Aug 4, 2023, 3:48:42 AM
to Wazuh mailing list
Apologies for the inconvenience. It appears that downgrading from version 4.4 is not officially supported, and doing so may result in unstable environments.
To resolve this issue, the best course of action is to back up your agent files, uninstall your current agent and finally install the desired version. You can follow this documentation for guidance on backing up your agent data https://documentation.wazuh.com/current/user-manual/files-backup/creating/wazuh-agent.html

After creating a backup, proceed to uninstall your current agent and then install the packages for the desired version as mentioned in my previous message.

The agent_upgrade binary documentation might be a bit confusing. To address this, I have opened an issue requesting the removal of the downgrade reference. You can find it here: https://github.com/wazuh/wazuh/issues/18227

Thank you for your understanding and valuable feedback. If you have any further questions or concerns, don't hesitate to reach out.

Fremie Mico

Aug 5, 2023, 1:30:20 AM
to Wazuh mailing list
Thanks Victor.

We did try the following.
We backed up /var/ossec as a whole with sudo cp -rp /var/ossec /var/ossec_backup

TS #1
uninstalled and reinstalled the wazuh-agent
sudo apt remove wazuh-agent
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.6-1_amd64.deb
sudo dpkg -i wazuh-agent_4.2.6-1_amd64.deb

Installation worked smoothly; we did not get any errors. However, there is a slight issue. We copied back everything from the backup and it resulted in this.
wazuh-agent v4.2.6 is installed, but on the status (systemctl status wazuh-agent)
we are getting this:


wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2023-08-04 14:19:14 UTC; 8s ago
    Process: 3645337 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 64 (limit: 96492)
     Memory: 52.3M
     CGroup: /system.slice/wazuh-agent.service
             ├─3497973 /var/ossec/bin/wazuh-execd
             ├─3645382 /var/ossec/bin/wazuh-execd
             ├─3645431 /var/ossec/bin/wazuh-agentd
             ├─3645468 /var/ossec/bin/wazuh-syscheckd
             ├─3645616 /var/ossec/bin/wazuh-logcollector
             └─3645678 /var/ossec/bin/wazuh-modulesd

Aug 04 14:19:07 node5 systemd[1]: Starting Wazuh agent...
Aug 04 14:19:07 node5 env[3645337]: Starting Wazuh v4.4.5...    
Aug 04 14:19:08 node5 env[3645337]: Started wazuh-execd...
Aug 04 14:19:09 node5 env[3645337]: Started wazuh-agentd...
Aug 04 14:19:10 node5 env[3645337]: Started wazuh-syscheckd...
Aug 04 14:19:11 node5 env[3645337]: Started wazuh-logcollector...
Aug 04 14:19:12 node5 env[3645337]: Started wazuh-modulesd...
Aug 04 14:19:14 node5 env[3645337]: Completed.
Aug 04 14:19:14 node5 systemd[1]: Started Wazuh agent.

TS #2
We uninstalled wazuh agent again and followed the installation steps. This time we just copied the files that were indicated on the link you provided:
sudo cp /var/ossec_backup/etc/client.keys /var/ossec/etc/client.keys
sudo cp /var/ossec_backup/etc/ossec.conf /var/ossec/etc/ossec.conf
sudo cp /var/ossec_backup/etc/internal_options.conf /var/ossec/etc/internal_options.conf
sudo cp /var/ossec_backup/etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf
sudo cp /var/ossec_backup/etc/wpk_root.pem /var/ossec/etc/wpk_root.pem
sudo cp -r /var/ossec_backup/logs/. /var/ossec/logs
sudo cp -r /var/ossec_backup/queue/rids/. /var/ossec/queue/rids

These are the only files we copied back, and when we start wazuh-agent again it's getting an error:

systemctl start wazuh-agent
Job for wazuh-agent.service failed because the control process exited with error code.
See "systemctl status wazuh-agent.service" and "journalctl -xe" for details.

systemctl status wazuh-agent.service
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2023-08-05 05:22:24 UTC; 12s ago
    Process: 342930 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=1/FAILURE)
      Tasks: 6 (limit: 96492)
     Memory: 51.5M
     CGroup: /system.slice/wazuh-agent.service
             ├─ 325851 /var/ossec/bin/wazuh-execd
             ├─ 342954 /var/ossec/bin/wazuh-execd
             └─3497973 /var/ossec/bin/wazuh-execd

Aug 05 05:22:13 node5 systemd[1]: Starting Wazuh agent...
Aug 05 05:22:13 node5 env[342930]: Starting Wazuh v4.2.6...
Aug 05 05:22:14 node5 env[342930]: Started wazuh-execd...
Aug 05 05:22:24 node5 env[342930]: wazuh-agentd did not start
Aug 05 05:22:24 node5 systemd[1]: wazuh-agent.service: Control process exited, code=exited, status=1/FAILURE
Aug 05 05:22:24 node5 systemd[1]: wazuh-agent.service: Failed with result 'exit-code'.
Aug 05 05:22:24 node5 systemd[1]: Failed to start Wazuh agent.


Any ideas as to what's causing the issue?

Fremie Mico

Aug 7, 2023, 8:47:47 AM
to Wazuh mailing list
Bumping Thread Conversation for updates 

victor....@wazuh.com

Aug 9, 2023, 4:25:47 AM
to Wazuh mailing list

Would you kindly review the /var/ossec/logs/ossec.log file of your agent for any associated errors or warnings? Doing so will greatly assist us in accurately assessing the current status of your agent.

Fremie Mico

Aug 9, 2023, 6:42:06 AM
to Wazuh mailing list
This is true for both my backup and the current log (/var/ossec/logs/ossec.log ~ /var/ossec_backup/logs/ossec.log), with just a difference in dates.

2023/08/09 00:00:10 wazuh-agentd: INFO: Starting new log after rotation.
2023/08/09 00:00:54 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:00:54 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:02:04 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:02:04 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:03:04 wazuh-agentd: INFO: Requesting a key from server: 12.101.1.111
2023/08/09 00:03:04 wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[12.101.1.111]:1616'
2023/08/09 00:03:14 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '12.101.1.111'.
2023/08/09 00:03:14 wazuh-agentd: WARNING: Unable to connect to any server.
2023/08/09 00:03:14 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:03:14 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:04:24 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:04:24 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:05:34 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:05:34 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:06:44 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:06:44 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:07:54 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:07:54 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:08:54 wazuh-agentd: INFO: Requesting a key from server: 12.101.1.111
2023/08/09 00:08:54 wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[12.101.1.111]:1616'
2023/08/09 00:09:04 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '12.101.1.111'.
2023/08/09 00:09:04 wazuh-agentd: WARNING: Unable to connect to any server.
2023/08/09 00:09:04 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:09:04 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:10:14 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:10:14 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:11:24 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:11:24 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:12:34 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:12:34 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:13:44 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:13:44 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:14:44 wazuh-agentd: INFO: Requesting a key from server: 12.101.1.111
2023/08/09 00:14:44 wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[12.101.1.111]:1616'
2023/08/09 00:14:54 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '12.101.1.111'.
2023/08/09 00:14:54 wazuh-agentd: WARNING: Unable to connect to any server.
2023/08/09 00:14:54 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:14:54 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:16:04 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:16:04 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:17:14 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:17:14 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:18:24 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:18:24 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:19:35 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:19:35 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:20:35 wazuh-agentd: INFO: Requesting a key from server: 12.101.1.111


This is true on both instances, I guess, since the logs I copied were from the upgraded version v4.4.5 and not the previous one, v4.2.6. I'm getting "requesting key from server | trying to connect to server | closing connection to server" in a loop. Maybe it's because it really can't communicate with the wazuh-manager/worker since there is a difference in versions, v4.4.5 vs v4.2.6.

Does this help? Or do you need some more details to figure this one out?

Fremie Mico

Aug 10, 2023, 10:11:13 AM
to Wazuh mailing list
I was able to find one server that was connected to our wazuh-manager before the wazuh-agents upgrade happened. When I checked, the wazuh-agent for this server was not upgraded and stayed at v4.2.6.

Theoretically, when I restart this said server, this should work, right? Since both the wazuh-agent and the wazuh-manager/worker are on the same version, which is 4.2.6.

Why is it that when I did restart/stop~start it didn't do anything?

systemctl status wazuh-agent 

● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; disabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-08-10 13:48:57 UTC; 1min 6s ago
    Process: 3676023 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 63 (limit: 72869)
     Memory: 19.7M
     CGroup: /system.slice/wazuh-agent.service
             ├─3676045 /var/ossec/bin/wazuh-execd
             ├─3676056 /var/ossec/bin/wazuh-agentd
             ├─3676069 /var/ossec/bin/wazuh-syscheckd
             ├─3676102 /var/ossec/bin/wazuh-logcollector
             └─3676119 /var/ossec/bin/wazuh-modulesd

Aug 10 13:48:50 sec-node10 systemd[1]: Starting Wazuh agent...
Aug 10 13:48:50 sec-node10 env[3676023]: Starting Wazuh v4.2.6...
Aug 10 13:48:51 sec-node10 env[3676023]: Started wazuh-execd...
Aug 10 13:48:52 sec-node10 env[3676023]: Started wazuh-agentd...
Aug 10 13:48:53 sec-node10 env[3676023]: Started wazuh-syscheckd...
Aug 10 13:48:54 sec-node10 env[3676023]: Started wazuh-logcollector...
Aug 10 13:48:55 sec-node10 env[3676023]: Started wazuh-modulesd...
Aug 10 13:48:57 sec-node10 env[3676023]: Completed.
Aug 10 13:48:57 sec-node10 systemd[1]: Started Wazuh agent.

I checked the logs and here are some of the lines on it.

2023/08/10 13:47:01 wazuh-agentd: INFO: Requesting a key from server: 12.104.5.111
2023/08/10 13:47:01 wazuh-agentd: INFO: No authentication password provided
2023/08/10 13:47:01 wazuh-agentd: INFO: Using agent name as: sec-node10
2023/08/10 13:47:01 wazuh-agentd: INFO: Waiting for server reply
2023/08/10 13:47:01 wazuh-agentd: ERROR: Invalid password (from manager)
2023/08/10 13:47:01 wazuh-agentd: ERROR: Unable to add agent (from manager)
2023/08/10 13:47:11 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '12.104.5.111'.
2023/08/10 13:47:11 wazuh-agentd: WARNING: Unable to connect to any server.
2023/08/10 13:47:11 wazuh-agentd: INFO: Closing connection to server (12.104.5.111:35415/tcp).
2023/08/10 13:47:11 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:48:21 wazuh-agentd: INFO: Closing connection to server (12.104.5.111:35415/tcp).
2023/08/10 13:48:21 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:48:49 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2023/08/10 13:48:49 wazuh-modulesd:syscollector: INFO: Module finished.
2023/08/10 13:48:50 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/08/10 13:48:50 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/08/10 13:48:50 wazuh-agentd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/08/10 13:48:50 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2023/08/10 13:48:50 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/08/10 13:48:50 wazuh-execd: INFO: Started (pid: 3676045).
2023/08/10 13:48:51 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2023/08/10 13:48:51 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2023/08/10 13:48:51 wazuh-agentd: INFO: Version detected -> Linux |sec-node10 |5.15.0-76-generic |#83~20.04.1-Ubuntu SMP Wed Jun 21 20:23:31 UTC 2023 |x86_64 [Ubuntu|ubuntu: 20.04.6 LTS (Focal Fossa)] - Wazuh v4.2.6
2023/08/10 13:48:51 wazuh-agentd: INFO: Started (pid: 4271236).
2023/08/10 13:48:51 wazuh-agentd: INFO: Server IP Address: 12.104.5.111
2023/08/10 13:48:51 wazuh-agentd: INFO: Using AES as encryption method.
2023/08/10 13:48:51 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:48:52 wazuh-syscheckd: INFO: Started (pid: 3676069).
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6000): Starting daemon...
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2023/08/10 13:48:53 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2023/08/10 13:48:53 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2023/08/10 13:48:53 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2023/08/10 13:48:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2023/08/10 13:48:53 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/auth.log' due to [(2)-(No such file or directory)].
2023/08/10 13:48:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
2023/08/10 13:48:53 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/syslog' due to [(2)-(No such file or directory)].
2023/08/10 13:48:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
2023/08/10 13:48:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2023/08/10 13:48:53 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/kern.log' due to [(2)-(No such file or directory)].
2023/08/10 13:48:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/kern.log'.
2023/08/10 13:48:53 wazuh-logcollector: INFO: Started (pid: 3676102).
2023/08/10 13:48:54 wazuh-modulesd: INFO: Started (pid: 3676119).
2023/08/10 13:48:54 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2023/08/10 13:48:54 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2023/08/10 13:48:54 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2023/08/10 13:48:54 sca: INFO: Module started.
2023/08/10 13:48:54 wazuh-modulesd:control: INFO: Starting control thread.
2023/08/10 13:48:54 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/08/10 13:48:54 sca: INFO: Starting Security Configuration Assessment scan.
2023/08/10 13:48:54 wazuh-modulesd:syscollector: INFO: Module started.
2023/08/10 13:48:54 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/08/10 13:48:54 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/08/10 13:48:55 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/08/10 13:50:01 wazuh-agentd: INFO: Closing connection to server (12.104.5.111:35415/tcp).
2023/08/10 13:50:01 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:51:11 wazuh-agentd: INFO: Closing connection to server (12.104.5.111:35415/tcp).
2023/08/10 13:51:11 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:52:21 wazuh-agentd: INFO: Closing connection to server (12.104.5.111:35415/tcp).
2023/08/10 13:52:21 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:53:31 wazuh-agentd: INFO: Closing connection to server (12.104.5.111:35415/tcp).
2023/08/10 13:53:31 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:54:32 wazuh-agentd: INFO: Requesting a key from server: 12.104.5.111
2023/08/10 13:54:32 wazuh-agentd: INFO: No authentication password provided
2023/08/10 13:54:32 wazuh-agentd: INFO: Using agent name as: sec-node10
2023/08/10 13:54:32 wazuh-agentd: INFO: Waiting for server reply
2023/08/10 13:54:32 wazuh-agentd: ERROR: Invalid password (from manager)
2023/08/10 13:54:32 wazuh-agentd: ERROR: Unable to add agent (from manager)
2023/08/10 13:54:42 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '12.104.5.111'.
2023/08/10 13:54:42 wazuh-agentd: WARNING: Unable to connect to any server.
2023/08/10 13:54:42 wazuh-agentd: INFO: Closing connection to server (12.104.5.111:35415/tcp).
2023/08/10 13:54:42 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:55:52 wazuh-agentd: INFO: Closing connection to server (12.104.5.111:35415/tcp).
2023/08/10 13:55:52 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:57:02 wazuh-agentd: INFO: Closing connection to server (12.104.5.111:35415/tcp).
2023/08/10 13:57:02 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:57:26 wazuh-logcollector: INFO: (1904): File not available, ignoring it: '/var/log/auth.log'.
2023/08/10 13:57:26 wazuh-logcollector: INFO: (1904): File not available, ignoring it: '/var/log/syslog'.
2023/08/10 13:57:26 wazuh-logcollector: INFO: (1904): File not available, ignoring it: '/var/log/kern.log'.
2023/08/10 13:57:33 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2023/08/10 13:57:33 wazuh-modulesd:syscollector: INFO: Module finished.
2023/08/10 13:57:34 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/08/10 13:57:34 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/08/10 13:57:34 wazuh-agentd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/08/10 13:57:34 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2023/08/10 13:57:34 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/08/10 13:57:41 wazuh-execd: INFO: Started (pid: 3681520).
2023/08/10 13:57:42 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2023/08/10 13:57:42 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2023/08/10 13:57:42 wazuh-agentd: INFO: Version detected -> Linux |sec-node10 |5.15.0-76-generic |#83~20.04.1-Ubuntu SMP Wed Jun 21 20:23:31 UTC 2023 |x86_64 [Ubuntu|ubuntu: 20.04.6 LTS (Focal Fossa)] - Wazuh v4.2.6
2023/08/10 13:57:42 wazuh-agentd: INFO: Started (pid: 3681535).
2023/08/10 13:57:42 wazuh-agentd: INFO: Server IP Address: 12.104.5.111
2023/08/10 13:57:42 wazuh-agentd: INFO: Using AES as encryption method.
2023/08/10 13:57:42 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:57:43 wazuh-syscheckd: INFO: Started (pid: 3681570).
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6000): Starting daemon...
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2023/08/10 13:57:43 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2023/08/10 13:57:44 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2023/08/10 13:57:44 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2023/08/10 13:57:44 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2023/08/10 13:57:44 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2023/08/10 13:57:44 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/auth.log' due to [(2)-(No such file or directory)].
2023/08/10 13:57:44 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
2023/08/10 13:57:44 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/syslog' due to [(2)-(No such file or directory)].
2023/08/10 13:57:44 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
2023/08/10 13:57:44 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2023/08/10 13:57:44 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/kern.log' due to [(2)-(No such file or directory)].
2023/08/10 13:57:44 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/kern.log'.
2023/08/10 13:57:44 wazuh-logcollector: INFO: Started (pid: 3681585).
2023/08/10 13:57:45 wazuh-modulesd: INFO: Started (pid: 3681637).
2023/08/10 13:57:45 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2023/08/10 13:57:45 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2023/08/10 13:57:45 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2023/08/10 13:57:45 sca: INFO: Module started.
2023/08/10 13:57:45 wazuh-modulesd:control: INFO: Starting control thread.
2023/08/10 13:57:45 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/08/10 13:57:45 sca: INFO: Starting Security Configuration Assessment scan.
2023/08/10 13:57:45 wazuh-modulesd:syscollector: INFO: Module started.
2023/08/10 13:57:45 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/08/10 13:57:45 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/08/10 13:57:46 wazuh-modulesd:syscollector: INFO: Evaluation finished.


Hi Victor, maybe you can make some sense of this. I'm not that well versed in what seems to be the problem. Thanks
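Both ossec.log excerpts posted in this thread bury a few decisive wazuh-agentd lines among repeated reconnect attempts and routine daemon startup output. The script below is an added example, not part of the thread or of Wazuh's tooling: it counts the wazuh-agentd messages that appear in those excerpts and prints a one-line summary, so the enrollment error (1208 versus "Invalid password (from manager)") stands out. The function names and `cause=` labels are hypothetical, and the sample logs are abridged from the lines posted above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): summarise wazuh-agentd connection and
# enrollment messages from an agent's ossec.log read on stdin.

triage_agent_log() {
  awk '
    /wazuh-agentd: INFO: Trying to connect to server/        { attempts++ }
    /wazuh-agentd: INFO: Requesting a key from server/       { keyreq++ }
    /wazuh-agentd: ERROR: \(1208\)/                          { unreachable++ }
    /wazuh-agentd: ERROR: Invalid password \(from manager\)/ { badpass++ }
    # "Version detected -> ... - Wazuh v4.2.6": last field is the running version
    /wazuh-agentd: INFO: Version detected/ && / - Wazuh v[0-9]/ { version = $NF }
    END {
      # Hypothetical labels; the most specific error seen wins.
      if (badpass)          cause = "enrollment-rejected"
      else if (unreachable) cause = "enrollment-unreachable"
      else if (attempts)    cause = "connect-loop"
      else                  cause = "none"
      if (version == "") version = "unknown"
      printf "cause=%s attempts=%d key_requests=%d enroll_unreachable=%d invalid_password=%d version=%s\n",
             cause, attempts, keyreq, unreachable, badpass, version
    }'
}

# Sample abridged from the Aug 9 log in the thread (enrollment port unreachable).
sample_enroll_unreachable() {
  cat <<'EOF'
2023/08/09 00:02:04 wazuh-agentd: INFO: Closing connection to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:02:04 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
2023/08/09 00:03:04 wazuh-agentd: INFO: Requesting a key from server: 12.101.1.111
2023/08/09 00:03:04 wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[12.101.1.111]:1616'
2023/08/09 00:03:14 wazuh-agentd: WARNING: Unable to connect to any server.
2023/08/09 00:03:14 wazuh-agentd: INFO: Trying to connect to server ([12.101.1.111]:33613/tcp).
EOF
}

# Sample abridged from the Aug 10 log in the thread (manager rejects enrollment);
# the "Version detected" line is shortened.
sample_invalid_password() {
  cat <<'EOF'
2023/08/10 13:47:01 wazuh-agentd: INFO: Requesting a key from server: 12.104.5.111
2023/08/10 13:47:01 wazuh-agentd: INFO: No authentication password provided
2023/08/10 13:47:01 wazuh-agentd: ERROR: Invalid password (from manager)
2023/08/10 13:47:01 wazuh-agentd: ERROR: Unable to add agent (from manager)
2023/08/10 13:47:11 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:48:51 wazuh-agentd: INFO: Version detected -> Linux |sec-node10 |x86_64 - Wazuh v4.2.6
2023/08/10 13:48:51 wazuh-agentd: INFO: Trying to connect to server (12.104.5.111:35415/tcp).
2023/08/10 13:48:52 wazuh-syscheckd: INFO: (6000): Starting daemon...
EOF
}

# Live use: ./triage.sh /var/ossec/logs/ossec.log
if [ -n "${1:-}" ]; then
  triage_agent_log < "$1"
fi
```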

Fremie Mico

Aug 15, 2023, 10:32:02 PM
to Wazuh mailing list
Bumping thread convo for possible updates