Wazuh Docker 4.8.0 Manager "Could not bind delta field local_port from ports scan"


Aleksi Bovellan

Jun 14, 2024, 5:30:58 AM
to Wazuh | Mailing List
Hi, I'm running the latest 4.8.0 version of Wazuh Docker on an Ubuntu Server machine, which also has the latest apt updates. Wazuh Docker was installed there using the official guides, and then changing new passwords/hashes and some rule configs and so on. But overall Wazuh Docker seems to work perfectly: the web gui is responsive, it gets data from all agents, and shows all that data nicely in the web gui. In the host Ubuntu machine there is also an up-to-date Wazuh Agent (4.8.0) running to keep an eye on that host machine itself, and it naturally talks back to the actual Wazuh Docker in those Docker containers inside it.

However, in that Ubuntu host machine, running the command "docker logs single-node_wazuh.manager_1" gives interesting and seemingly periodic errors, which are shown below. It'd be nice to solve this root problem somehow, although Wazuh continues to operate well, but the flood of errors is just a bit concerning. They also seem oddly periodic in nature and timing. Any ideas, anyone..? And there are a LOT of these in the log, so I've snipped just some examples here:

"2024/06/14 00:58:33 :router: ERROR: Error sending message to provider: Error parsing message, 1: 476: error: invalid number: "14ba"

2024/06/14 00:58:33 wazuh-db: ERROR: (5216): DB(003) Could not bind delta field 'local_port' from 'ports' scan.

2024/06/14 01:59:08 :router: ERROR: Error sending message to provider: Error parsing message, 1: 468: error: invalid number: "14ba"

2024/06/14 01:59:08 :router: ERROR: Error sending message to provider: Error parsing message, 1: 459: error: invalid number: "null"

2024/06/14 01:59:08 :router: ERROR: Error sending message to provider: Error parsing message, 1: 467: error: invalid number: "null"

2024/06/14 01:59:09 wazuh-db: ERROR: (5216): DB(003) Could not bind delta field 'local_port' from 'ports' scan.

2024/06/14 02:59:49 :router: ERROR: Error sending message to provider: Error parsing message, 1: 468: error: invalid number: "14ba"

2024/06/14 02:59:49 :router: ERROR: Error sending message to provider: Error parsing message, 1: 459: error: invalid number: "null"

2024/06/14 02:59:50 :router: ERROR: Error sending message to provider: Error parsing message, 1: 467: error: invalid number: "null"

2024/06/14 02:59:50 wazuh-db: ERROR: (5216): DB(003) Could not bind delta field 'local_port' from 'ports' scan.

2024/06/14 04:00:31 wazuh-db: ERROR: (5216): DB(003) Could not bind delta field 'local_port' from 'ports' scan.

2024/06/14 04:00:31 :router: ERROR: Error sending message to provider: Error parsing message, 1: 461: error: invalid number: "14ba"

2024/06/14 04:00:31 wazuh-db: ERROR: (5216): DB(003) Could not bind delta field 'local_port' from 'ports' scan.

2024/06/14 04:00:31 :router: ERROR: Error sending message to provider: Error parsing message, 1: 468: error: invalid number: "14ba"

2024/06/14 04:00:31 :router: ERROR: Error sending message to provider: Error parsing message, 1: 459: error: invalid number: "null"

2024/06/14 05:01:13 wazuh-db: ERROR: (5216): DB(003) Could not bind delta field 'local_port' from 'ports' scan.

2024/06/14 05:01:13 :router: ERROR: Error sending message to provider: Error parsing message, 1: 468: error: invalid number: "14ba"

2024/06/14 05:01:13 :router: ERROR: Error sending message to provider: Error parsing message, 1: 459: error: invalid number: "null"

2024/06/14 05:01:13 :router: ERROR: Error sending message to provider: Error parsing message, 1: 467: error: invalid number: "null""

Very weird. I can't think that these could be related to ufw firewall settings either, as it allows all inbound ports and more used by Wazuh: 443, 514, 1514, 1515, 9200, 55000.

-----------------------------------

Also on another note: hopefully Wazuh Agent in OPNsense OS (plugin "os-wazuh-agent"), which shows as operating system "BSD 13.2" in Wazuh gui, would begin to support "Vulnerability Detection" and "Configuration Assessment" features in the future. They already work perfectly for that Ubuntu Server, Windows (not including virtual machines though) and macOS. Currently those two features are not operative for OPNsense, as Wazuh gui states "Module not supported by agent", but other features work well with it and transfer data to Wazuh nicely.


Thanks to all devs, you rock,
Aleksi


Jorge Eduardo Molas

Jun 25, 2024, 8:41:15 AM
to Wazuh | Mailing List
Hi Aleksi! I will be working on your case and trying to replicate it. I will get back to you shortly.
I have one question: Was Wazuh 4.8.0 in Docker freshly installed or was it upgraded from another version?
Regards!

Jorge Eduardo Molas

Jun 26, 2024, 8:35:55 AM
to Wazuh | Mailing List
Hello again!
I have shared your logs with the team for debugging your case.
Aside from the query regarding whether your Wazuh installation with Docker is fresh or updated, the errors may be related to agents with lower versions.
Can you check this from the Wazuh dashboard or by the command ./agent_control -i 001?
Let me know!
Thank you! Regards!

Aleksi Bovellan

Jul 8, 2024, 4:00:22 AM
to Wazuh | Mailing List

Hi Jorge!

I'm so sorry for the delay in my answer. Here's all possible information for your questions - I hope - and please ask if you need anything further. :) I will try to react a lot, lot, quicker in the future. You can also contact me directly if you wish at: aleksi . bovellan (at) gmail . com

-----------------------------------

- I've had previous Wazuh Docker installations on this host Ubuntu Server machine, one at a time of course, but not anymore, as this current Wazuh Docker installation for version 4.8.0 was done fresh from scratch. Before this latest installation, I deleted the old Wazuh Docker directories altogether, and Docker images, networks, and settings, and then used the official Wazuh Docker repo for "docker upping" its single-node directory. I've just found it a bit easier and a surer bet to get the latest Wazuh version working right away, if I do it from scratch like that every time.

- This is Wazuh Docker version 4.8.0 from the official repo. All my listed Wazuh agents are also version 4.8.0 - with the exception of agent 003, which is on another computer running OPNsense and it's the OPNsense's own built-in plug-in Wazuh Agent (os-wazuh-agent). That OPNsense's Wazuh agent identifies as version 4.7.4 in Wazuh's GUI, even after all possible OPNsense's updates. Anyway, all my other listed agents are confirmed to be 4.8.0.

- After this Wazuh Docker installation was completed, I replaced some user passwords (indexer, api, dashboard, admin) and their hashes in the relevant Wazuh config files. I also created some custom rule changes following the documentation to create a local_rules.xml file, to change some occurred alerts' levels into different levels, to better suit my network's behavior. This has been working fine, at least with no apparent problems.

- Additional information: the Ubuntu Server host machine (Linux 5.15.0-112-generic #122-Ubuntu SMP x86_64 GNU/Linux - latest APT updates and upgrades) which runs this Wazuh Docker (4.8.0), also runs its own Wazuh Agent (4.8.0) outside of those containers, to keep an eye on the host machine itself. The agent has reported back into the Wazuh's GUI some noticed dangerous Python permissions inside those Wazuh Docker container folders, which are related to the Wazuh Docker's Python files. So, I created custom files that run when the Wazuh Docker is upped/started, to solve those reported Python permission alerts received from the host machine's agent. With these custom files below, those Wazuh GUI received alerts ceased to trigger anymore and the problem was solved. Just to let you know about that too. These files are "entrypoint.sh", which runs for Wazuh Manager when I "docker up" the Wazuh single-node, linked here: https://pastebin.com/7w8L506Y, and sometimes I also manually execute from outside the Wazuh Docker containers a "fix_permissions_on_host.sh" file, like here: https://pastebin.com/dUZFSWPX

- The host Ubuntu Server machine is running ClamAV and FreshClam periodically outside of the Wazuh Docker containers, just in case. Here is its sudo crontab repeater for Clam scans, if it might be related to those repeating Wazuh errors in the Manager's log:

0 10 * * 3,7 (echo "Scan started at $(date +\%Y-\%m-\%d\ \%H:\%M:\%S)"; clamscan -ri / --exclude-dir=/sys/ --exclude-dir=/proc/ --exclude-dir=/dev/ --quiet; echo "Scan completed at $(date +\%Y-\%m-\%d\ \%H:\%M:\%S). No issues found if no other output above.") | tee -a /var/log/clamav/clamscan_$(date +\%Y-\%m-\%d).log | grep FOUND >> /var/log/clamav/clamscan_found_$(date +\%Y-\%m-\%d).log

-----------------------------------

Hopefully these details might help you in some way. In case you'd need the latest Wazuh Manager errors logs from a second ago, the problem seems to continue, so here they are: https://pastebin.com/Tizt5sWn


All the best,
Aleksi :)
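
A triage helper for the manager log excerpt quoted in this thread, added here as an example; it is not part of any poster's message and not Wazuh code. It groups the wazuh-db bind errors by the number inside DB(...), the table and the field, measures the gap between repeats, and counts the tokens the router rejected. It assumes the number in DB(...) is the agent ID, and the sample lines are constructed in the format of the excerpt.

```python
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the log lines quoted in the thread.
SAMPLE = """\
2024/06/14 00:58:33 :router: ERROR: Error sending message to provider: Error parsing message, 1: 476: error: invalid number: "14ba"
2024/06/14 00:58:33 wazuh-db: ERROR: (5216): DB(003) Could not bind delta field 'local_port' from 'ports' scan.
2024/06/14 01:59:08 :router: ERROR: Error sending message to provider: Error parsing message, 1: 459: error: invalid number: "null"
2024/06/14 01:59:09 wazuh-db: ERROR: (5216): DB(003) Could not bind delta field 'local_port' from 'ports' scan.
2024/06/14 02:59:50 wazuh-db: ERROR: (5216): DB(003) Could not bind delta field 'local_port' from 'ports' scan.
"""

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
BIND_RE = re.compile(
    TS + r" wazuh-db: ERROR: \(\d+\): DB\((?P<agent>\d+)\) Could not bind "
    r"delta field '(?P<field>[^']+)' from '(?P<table>[^']+)' scan")
ROUTER_RE = re.compile(TS + r' :router: ERROR: .*invalid number: "(?P<token>[^"]*)"')


def summarize(text):
    """Group bind errors by (agent, table, field); count tokens the router rejected."""
    seen, tokens = defaultdict(list), Counter()
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            when = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            seen[(m["agent"], m["table"], m["field"])].append(when)
            continue
        m = ROUTER_RE.search(line)
        if m:
            tokens[m["token"]] += 1
    binds = {}
    for key, stamps in seen.items():
        stamps.sort()
        # Seconds between consecutive errors; a steady value means a recurring schedule.
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        binds[key] = {"count": len(stamps), "gaps_s": gaps}
    return {"binds": binds, "tokens": dict(tokens)}


if __name__ == "__main__":
    # Reads piped log text if present, otherwise falls back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    report = summarize(data)
    for (agent, table, field), info in report["binds"].items():
        print(f"agent DB {agent}: {table}.{field} x{info['count']} gaps(s)={info['gaps_s']}")
    for token, n in report["tokens"].items():
        print(f"router rejected {token!r} x{n}")
```

To run it on real data, pipe the output of the "docker logs single-node_wazuh.manager_1" command from the first message into the script with stderr redirected to stdout.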

Xavier Mertens

Mar 21, 2025, 6:15:49 AM
to Wazuh | Mailing List
Hi,
I'm facing exactly the same type of errors in my ossec.log. How did you solve this problem? (if it was solved)
Tx!
