Vulnerability Management module Stuck with errors
226 views
Skip to first unread message
Heverton Muller
Sep 11, 2024, 12:39:02 AM9/11/24
to Wazuh | Mailing List
Hi, since the 4.8 update my vulnerability management module stuck, does not update or do anything, when i run (cat /var/ossec/logs/ossec. log | grep -i -E "error |warn")
I get the errors:
wazuh-remoted: WARNING: Agent key already in use: agent ID '084'
wazuh-remoted: WARNING: Agent key already in use: agent ID '084'
wazuh-remoted: WARNING: Agent key already in use: agent ID '039'
wazuh-remoted: WARNING: Agent key already in use: agent ID '039'
wazuh-remoted: ERROR: IP address family '0': 'AF_UNSPEC' not supported.
wazuh-remoted: WARNING: Package dropped. Could not append data into buffer.
wazuh-remoted: WARNING: Package dropped. Could not append data into buffer.
wazuh-authd: WARNING: Duplicate name 'RG2SRV0114', rejecting enrollment. Agent '035' can't be replaced since it is not di
sconnected.
wazuh-authd: WARNING: Duplicate name 'RG2SRV0488', rejecting enrollment. Agent '169' can't be replaced since it is not di
sconnected.
wazuh-authd: WARNING: Duplicate name 'RG2SRV0015', rejecting enrollment. Agent '069' can't be replaced since it is not di
sconnected.
indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-rg2srv0469', r
etrying until the connection is successful.
wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade :: start: Failed to open RocksDB database. Reason:
While opening a file for sequentially reading: queue/vd/event/MANIFEST-000005: No such file or directory.
indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-rg2srv0469', r
etrying until the connection is successful.
wazuh-modulesd: vulnerability-scanner: ERROR: VulnerabilityScannerFacade :: start: Failed to open RocksDB database. Reason:
While opening a file for sequentially reading: queue/vd/event/MANIFEST-000005: No such file or directory.
wazuh-remoted: WARNING: Agent key already in use: agent ID '084'
wazuh-remoted: WARNING: Agent key already in use: agent ID '039'
wazuh-remoted: WARNING: Agent key already in use: agent ID '039'
wazuh-remoted: ERROR: IP address family '0': 'AF_UNSPEC' not supported.
wazuh-remoted: WARNING: Package dropped. Could not append data into buffer.
wazuh-remoted: WARNING: Package dropped. Could not append data into buffer.
wazuh-authd: WARNING: Duplicate name 'RG2SRV0114', rejecting enrollment. Agent '035' can't be replaced since it is not di
sconnected.
wazuh-authd: WARNING: Duplicate name 'RG2SRV0488', rejecting enrollment. Agent '169' can't be replaced since it is not di
sconnected.
wazuh-authd: WARNING: Duplicate name 'RG2SRV0015', rejecting enrollment. Agent '069' can't be replaced since it is not di
sconnected.
indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-rg2srv0469', r
etrying until the connection is successful.
wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade :: start: Failed to open RocksDB database. Reason:
While opening a file for sequentially reading: queue/vd/event/MANIFEST-000005: No such file or directory.
indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-rg2srv0469', r
etrying until the connection is successful.
wazuh-modulesd: vulnerability-scanner: ERROR: VulnerabilityScannerFacade :: start: Failed to open RocksDB database. Reason:
While opening a file for sequentially reading: queue/vd/event/MANIFEST-000005: No such file or directory.
Someone can help me? thank you.
Stuti Gupta
Sep 11, 2024, 2:42:47 AM9/11/24
to Wazuh | Mailing List
Hi
Muller
wazuh-modulesd: vulnerability-scanner: ERROR: VulnerabilityScannerFacade :: start: Failed to open RocksDB database. Reason:While opening a file for sequentially reading: queue/vd/event/MANIFEST-000005: No such file or directory.
This is an ongoing issue and our team is already working on it, and I believe it will be resolved in 4.10.0. We apologize for any inconvenience this might have caused.
For now, I can suggest you to follow this workaround:
Stop the manager.
Remove the /var/ossec/queue/vd/event/ folder.
Start the manager.
Once the manager is running, wait for the feed update to complete.
Avoid restarting the manager during the feed update.
If this solution does not resolve the issue, we will need to wait for the 4.10.0 update.
Please do keep track of the open issue for any progress.
Github link:
https://github.com/wazuh/wazuh/issues/24151
Duplicate name 'RG2SRV0114', rejecting enrollment. Agent '035' can't be replaced since it is not disconnected.
As the log warning describes, it is not possible to register a new agent if its name is identical to another already registered. There are multiple ways to avoid/fix this. I list some of them below:
Delete the existing agent
Using the API: DELETE /agents
Remove agent using the CLI :
You could run this command in your Wazuh Manager to list all your registered agents:
/var/ossec/bin/manage_agents -l
And then delete the one you need using its ID:
/var/ossec/bin/manage_agents -r <ID>
Set a different name in the enrollment configuration
This option consists of your new agent registering with auto-enrollment using a different name. To achieve this, you will need to add a <name></name> tag with a different name into the enrollment section of your agent's ossec.conf.
<client>
...
<enrollment>
<agent_name>EXAMPLE_NAME</agent_name>
...
</enrollment>
</client>
Register the agent manually
The last option is to register the agent manually, specifying a different name from the one that already exists. To do this, you'll need to run something similar to this on your agent :
/var/ossec/bin/agent-auth -m <manager_IP> -A <agent_name>
https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/troubleshooting.html#invalid-agent-name-for-enrollment
indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-rg2srv0469', retrying until the connection is successful.
Please ensure that you update the <vulnerability-detection> and <indexer> blocks in /var/ossec/etc/ossec.conf for version 4.8.0. The Vulnerability Detection settings can be found in the Wazuh server configuration file located at /var/ossec/etc/ossec.conf. According to this: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html
Replace 0.0.0.0 with the indexer IP in the Filebeat config file, For example:
output.elasticsearch.hosts:
- 127.0.0.1:9200
Wazuh indexer node's IP address or hostname. If you have a Wazuh indexer cluster, add a <host> entry for each one of your nodes. For example, in a two-node configuration:
<hosts>
<host>https://10.0.0.1:9200/</host>
<host>https://10.0.0.2:9200/</host>
</hosts>
Check the certificate name: ll /etc/filebeat/certs Verify the Filebeat certificate name and path are correct and update the <indexer> block in /var/ossec/etc/ossec.conf accordingly.
Save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool:
/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>
You can use this command to verify the certificate paths, names, and indexer ip: curl -u <user>:<pass> --cacert <path.pem> --cert <path-client.pem> --key <path-client-key.pem> -X GET "https://<IP>:9200/_cluster/health"
Note: use filebeat certs path
After that, save the configuration and restart the manager/cluster using the command: systemctl restart wazuh-manager
To get more information if the error persists, temporarily enable wazuh_modules.debug=2 in /var/ossec/etc/local_internal_options.conf . Restart the wazuh-manager and share the /var/ossec/logs/ossec.logRefer: https://documentation.wazuh.com/current/upgrade-guide/troubleshooting.html
Hope to hear from you soon
wazuh-modulesd: vulnerability-scanner: ERROR: VulnerabilityScannerFacade :: start: Failed to open RocksDB database. Reason:While opening a file for sequentially reading: queue/vd/event/MANIFEST-000005: No such file or directory.
For now, I can suggest you to follow this workaround:
Stop the manager.
Remove the /var/ossec/queue/vd/event/ folder.
Start the manager.
Once the manager is running, wait for the feed update to complete.
Avoid restarting the manager during the feed update.
If this solution does not resolve the issue, we will need to wait for the 4.10.0 update.
Please do keep track of the open issue for any progress.
Github link:
https://github.com/wazuh/wazuh/issues/24151
Duplicate name 'RG2SRV0114', rejecting enrollment. Agent '035' can't be replaced since it is not disconnected.
Delete the existing agent
Using the API: DELETE /agents
Remove agent using the CLI :
You could run this command in your Wazuh Manager to list all your registered agents:
/var/ossec/bin/manage_agents -l
And then delete the one you need using its ID:
/var/ossec/bin/manage_agents -r <ID>
Set a different name in the enrollment configuration
This option consists of your new agent registering with auto-enrollment using a different name. To achieve this, you will need to add a <name></name> tag with a different name into the enrollment section of your agent's ossec.conf.
<client>
...
<enrollment>
<agent_name>EXAMPLE_NAME</agent_name>
...
</enrollment>
</client>
Register the agent manually
The last option is to register the agent manually, specifying a different name from the one that already exists. To do this, you'll need to run something similar to this on your agent :
/var/ossec/bin/agent-auth -m <manager_IP> -A <agent_name>
https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/troubleshooting.html#invalid-agent-name-for-enrollment
indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-rg2srv0469', retrying until the connection is successful.
Please ensure that you update the <vulnerability-detection> and <indexer> blocks in /var/ossec/etc/ossec.conf for version 4.8.0. The Vulnerability Detection settings can be found in the Wazuh server configuration file located at /var/ossec/etc/ossec.conf. According to this: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html
Replace 0.0.0.0 with the indexer IP in the Filebeat config file, For example:
output.elasticsearch.hosts:
- 127.0.0.1:9200
Wazuh indexer node's IP address or hostname. If you have a Wazuh indexer cluster, add a <host> entry for each one of your nodes. For example, in a two-node configuration:
<hosts>
<host>https://10.0.0.1:9200/</host>
<host>https://10.0.0.2:9200/</host>
</hosts>
Check the certificate name: ll /etc/filebeat/certs Verify the Filebeat certificate name and path are correct and update the <indexer> block in /var/ossec/etc/ossec.conf accordingly.
Save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool:
/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>
You can use this command to verify the certificate paths, names, and indexer ip: curl -u <user>:<pass> --cacert <path.pem> --cert <path-client.pem> --key <path-client-key.pem> -X GET "https://<IP>:9200/_cluster/health"
Note: use filebeat certs path
After that, save the configuration and restart the manager/cluster using the command: systemctl restart wazuh-manager
To get more information if the error persists, temporarily enable wazuh_modules.debug=2 in /var/ossec/etc/local_internal_options.conf . Restart the wazuh-manager and share the /var/ossec/logs/ossec.logRefer: https://documentation.wazuh.com/current/upgrade-guide/troubleshooting.html
Hope to hear from you soon
Reply all
Reply to author
Forward
0 new messages