Agent executes script, but manager doesn't receive events


Wazuh | Mailing List

Sep 19, 2023, 4:12:49 AM
to Wazuh | Mailing List
I'm running a script on an agent to collect data about vulnerabilities and generate an alert for each vulnerability. But, for some reason, I don't see any alerts generated.

/var/ossec/etc/shared/default/agent.conf:

<agent_config os="Windows">
    <wodle name="syscollector">
        <disabled>no</disabled>
        <interval>1h</interval>
        <os>yes</os>
        <packages>yes</packages>
        <hotfixes>yes</hotfixes>
    </wodle>
</agent_config>

<agent_config os="Linux">

    <wodle name="command">
        <disabled>no</disabled>
        <tag>trivy-image-scan</tag>
        <command>/bin/bash /var/ossec/etc/shared/trivy.sh</command>
        <interval>1m</interval>
        <ignore_output>no</ignore_output>
        <run_on_start>yes</run_on_start>
        <skip_verification>yes</skip_verification>
        <timeout>0</timeout>
    </wodle>

    <wodle name="syscollector">
        <disabled>no</disabled>
        <interval>1h</interval>
        <os>yes</os>
        <packages>yes</packages>
        <hotfixes>yes</hotfixes>
    </wodle>

</agent_config>

/var/trivy.sh:

#!/bin/bash
# Scan the httpd image through the remote Trivy server and keep only HIGH/CRITICAL findings.
# "// []" guards results that carry no Vulnerabilities key (jq cannot iterate over null).
vulnsJson=$(trivy image httpd --format json --severity HIGH,CRITICAL -q --server http://192.168.1.202:4954 \
    | jq -c '.Results[] | .Vulnerabilities // []')

# Emit one compact JSON object per line so the command wodle forwards each vulnerability as its own event.
# base64 keeps every object a single shell word for the for-loop; quoting avoids word-splitting surprises.
for row in $(echo "${vulnsJson}" | jq -r '.[] | @base64'); do
    _jq() {
        echo "${row}" | base64 --decode | jq -c -r "${1}"
    }
    _jq '.'
done

The script runs the utility to collect vulnerabilities from the 'httpd' image and transfers them to the Wazuh manager via 'echo'. Example of output:
{ "VulnerabilityID": "CVE-2023-31484", "PkgID": "perl...@5.36.0-7", "PkgName": "perl-base", "InstalledVersion": "5.36.0-7", "Status": "affected", "Layer": { "DiffID": "sha256:a2d7501dfb3541f3d736125cdfd748618194f60cbb5c63f4de67a92530899628" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-31484", "DataSource": { "ID": "debian", "Name": "Debian Security Tracker", "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" }, "Title": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS", "Description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", "Severity": "HIGH", "CweIDs": [ "CWE-295" ], "CVSS": { "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 8.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "V3Score": 7.4 } }, "References": [ "http://www.openwall.com/lists/oss-security/2023/04/29/1", "http://www.openwall.com/lists/oss-security/2023/05/03/3", "http://www.openwall.com/lists/oss-security/2023/05/03/5", "http://www.openwall.com/lists/oss-security/2023/05/07/2", "https://access.redhat.com/security/cve/CVE-2023-31484", "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31484", "https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 (2.35-TRIAL)", "https://github.com/andk/cpanpm/pull/175", "https://lists.fedoraproject.org/archives/list/package-...@lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/", "https://lists.fedoraproject.org/archives/list/package-...@lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/", "https://metacpan.org/dist/CPAN/changes", "https://nvd.nist.gov/vuln/detail/CVE-2023-31484", "https://ubuntu.com/security/notices/USN-6112-1", "https://ubuntu.com/security/notices/USN-6112-2", 
"https://www.cve.org/CVERecord?id=CVE-2023-31484", "https://www.openwall.com/lists/oss-security/2023/04/18/14" ], "PublishedDate": "2023-04-29T00:15:00Z", "LastModifiedDate": "2023-08-02T15:28:00Z" }

The manager parses it correctly, checked with 'wazuh-logtest':
wazuh-logtest.png

Wazuh | Mailing List

Sep 19, 2023, 4:19:16 AM
to Wazuh | Mailing List
Well, I can see alerts are generated in /var/ossec/log/alerts/alerts.log:
alerts_log.png
But I can't see any events related to my agent (actually, I can't see any alerts at all).
Maybe it somehow doesn't bind this alert to my agent?
Tuesday, September 19, 2023 at 11:12:49 UTC+3, Wazuh | Mailing List:

Wazuh | Mailing List

Sep 19, 2023, 4:30:36 AM
to Wazuh | Mailing List
I think there are some problems with parsing this JSON. I can't see any information related to the source IP or source hostname.

Tuesday, September 19, 2023 at 11:19:16 UTC+3, Wazuh | Mailing List:

Anthony Faruna

Sep 19, 2023, 9:26:19 AM
to Wazuh | Mailing List, Wazuh | Mailing List
Hello 

Thank you for using Wazuh

Please let me know if you have already figured out the reason for your initial query. 

Regards

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/465fb1bb-f531-4738-91a0-0c0040e487acn%40googlegroups.com.

Alex V.

Sep 19, 2023, 10:06:15 AM
to Wazuh | Mailing List
Hi Anthony
I figured out by watching "alerts.json" that alerts are being generated, but I can't see any of them in the dashboard. Still have no idea why this is happening.

Tuesday, September 19, 2023 at 16:26:19 UTC+3, Anthony Faruna:

Anthony Faruna

Sep 20, 2023, 3:28:28 PM
to Alex V., Wazuh | Mailing List
Hello Alex

Please can you let me know how you deployed your Wazuh?

Also, please check the filebeat process and configuration using the 'filebeat test output' command.

A common problem is that if you are running the wazuh-manager, wazuh-indexer and wazuh-dashboard in the same host, that host doesn’t have enough resources, so the wazuh-indexer services will not work correctly. Please check this (you can check the hardware recommendations for each component in the wazuh documentation. For example, https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/index.html).

Let’s check if there is any unwanted status or error in wazuh-indexer:

  • Check if the wazuh-indexer service is running:
systemctl status wazuh-indexer
  • Run the following requests to confirm that the installation is successful.
curl -k -u <user>:<password> https://<WAZUH_INDEXER_IP>:9200
curl -k -u <user>:<password> https://<WAZUH_INDEXER_IP>:9200/_cluster/health?pretty
  • Run both commands and check if there are any errors in the logs:
journalctl -u wazuh-indexer -e
grep "ERROR" /var/log/wazuh-indexer/wazuh-cluster.log
  • Check if the wazuh alert index for the current date has been created in wazuh-indexer and if that index has any document (alerts).
curl -k -u <user>:<password> https://<WAZUH_INDEXER_IP>:9200/_cat/indices/wazuh-alerts-4.x-*

 Please check all the above steps and let me know the results.

Regards
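The indexer checks listed above, turned into an added example script (not Anthony's or Wazuh's code): the two helpers parse captured curl output, so they can be exercised offline; the indexer address and credentials (WAZUH_INDEXER_IP, INDEXER_USER, INDEXER_PASS) are assumed environment variables.

```shell
#!/bin/bash
# Added example: offline-testable helpers for the wazuh-indexer checks.
# Both functions take the raw text that curl returns.
set -u

# Extract the cluster status ("green", "yellow" or "red") from the body of
# GET /_cluster/health?pretty. Returns 1 if no status field is present.
cluster_health_status() {
  local body="$1" status
  status=$(printf '%s\n' "$body" | sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p' | head -n 1)
  [ -n "$status" ] || return 1
  printf '%s\n' "$status"
}

# Given the output of GET /_cat/indices/wazuh-alerts-4.x-* and a date
# (YYYY.MM.DD), succeed only if that day's alert index exists AND holds at
# least one document. _cat/indices columns: health status index uuid pri rep
# docs.count docs.deleted store.size pri.store.size
todays_alert_index_has_docs() {
  local indices="$1" day="$2"
  printf '%s\n' "$indices" | awk -v idx="wazuh-alerts-4.x-${day}" '
    $3 == idx { found = 1; if ($7 + 0 > 0) docs = 1 }
    END { exit !(found && docs) }'
}

# Live run against a real indexer. Host and credentials are assumptions
# supplied through the environment, never hard-coded.
if [ "${WAZUH_INDEXER_IP:-}" ]; then
  auth="${INDEXER_USER:?}:${INDEXER_PASS:?}"
  base="https://${WAZUH_INDEXER_IP}:9200"
  health=$(curl -sk -u "$auth" "$base/_cluster/health?pretty")
  echo "cluster status: $(cluster_health_status "$health" || echo unknown)"
  indices=$(curl -sk -u "$auth" "$base/_cat/indices/wazuh-alerts-4.x-*")
  today=$(date +%Y.%m.%d)
  if todays_alert_index_has_docs "$indices" "$today"; then
    echo "wazuh-alerts-4.x-$today exists and contains alerts"
  else
    echo "no alerts indexed for $today: check filebeat and wazuh-indexer logs"
  fi
fi
```

A "red" status or a missing document count for today's index points at the indexer/filebeat side rather than at the agent or the ruleset, which is the distinction this thread needed.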

Alex V.

Sep 21, 2023, 3:40:32 AM
to Wazuh | Mailing List
Now another error appeared:
INFO: Current API id [default]
INFO: Checking current API id [default]...
INFO: Current API id [default] has some problem: 3002 - Request failed with status code 429
INFO: Getting API hosts...
ERROR: Error connecting to API: 2001 - Unexpected end of JSON input
INFO: Removed [navigate] cookie
ERROR: Error connecting to API: 2001 - Unexpected end of JSON input
json_error.png

Wednesday, September 20, 2023 at 22:28:28 UTC+3, Anthony Faruna:
indexer_api_status.png
indexer_status.png
indexer_health.png
cluster_settings.txt
cluster_errorwarn.txt

Anthony Faruna

Sep 21, 2023, 4:45:19 PM
to Alex V., Wazuh | Mailing List
Hello Alex

Please provide the following information

1. Did you install Wazuh manager on one server and cannot access it using the API from another host?
2. Please share logs from your manager if there is any error.
tail /var/ossec/logs/ossec.log
grep -iE "ERROR|WARN" /var/ossec/logs/ossec.log

3. Check if the Wazuh manager is active and running by running this command.
systemctl status wazuh-manager

I will be expecting your feedback

Best Regards

Alex V.

Sep 22, 2023, 2:34:27 AM
to Wazuh | Mailing List
Hi Anthony!
Deleting the wazuh-registry.json file helped, and events are coming in now. Thank you for the help!
Reference: https://github.com/wazuh/wazuh/issues/8095

Thursday, September 21, 2023 at 23:45:19 UTC+3, Anthony Faruna:

Anthony Faruna

Sep 22, 2023, 6:37:06 AM
to Alex V., Wazuh | Mailing List
Hello Alex

I'm glad to know your issue has been resolved

Best Regards
