events stop reporting on new Quickstart setup

Gordon O'Brien

Jul 1, 2022, 12:29:31 PM
to Wazuh mailing list
Hi

I have built a single Wazuh server using the quickstart deployment on Ubuntu 22.04

All seemed to be working great initially, but then Security events etc. stopped getting logged.

I tried to find the ElasticSearch instance but there is no service by that name yet there is something listening on port 9200.
However if I run:
curl -XGET localhost:9200
OR
curl -XGET localhost:9200/_cat/indices?v

I always get this response
curl: (52) Empty reply from server
which from what I have read is incorrect.

I re-ran the quickstart installer and Wazuh would collect events briefly again and then stop.

Any suggestions on where to start with this?

thanks

victor....@wazuh.com

Jul 4, 2022, 3:32:14 AM
to Wazuh mailing list

Hello Gordon,

> I tried to find the ElasticSearch instance but there is no service by that name yet there is something listening on port 9200.

Since 4.3, Wazuh has used the Wazuh indexer as a full-text search and analytics engine, so you should look for that process instead:

systemctl status wazuh-indexer

Regarding your issue, it is essential to check the status of all the components of Wazuh in order to troubleshoot this case. Please check the following:

  • The status of the manager and its logs: systemctl status wazuh-manager && egrep -E "ERROR|WARNING" /var/ossec/logs/ossec.log. Also, ensure the manager is still generating alerts in the /var/ossec/logs/alerts/alerts.log
  • The status of the wazuh-indexer: systemctl status wazuh-indexer && cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn". In case your indexer is running, check if it is working correctly using the following command:
 curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200
  • Dashboard: journalctl -u wazuh-dashboard

Probably there is some error in your indexer configuration. Please send back all this information and we will help you with this issue.

Gordon O'Brien

Jul 4, 2022, 11:52:22 AM
to Wazuh mailing list
Thanks for your suggestions Victor.
Below are my findings:

So it seems wazuh-indexer is running with a few noted errors:

systemctl status wazuh-indexer
* wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-07-01 18:07:41 UTC; 2 days ago
       Docs: https://documentation.wazuh.com
   Main PID: 146 (java)
      Tasks: 110 (limit: 232003)
     Memory: 8.9G
        CPU: 52min 2.824s
     CGroup: /system.slice/wazuh-indexer.service
             `-146 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPr>

Jul 01 18:07:20 wazuh systemd[1]: Starting Wazuh-indexer...
Jul 01 18:07:37 wazuh systemd-entrypoint[146]: WARNING: An illegal reflective access operation has occurred
Jul 01 18:07:37 wazuh systemd-entrypoint[146]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/o>
Jul 01 18:07:37 wazuh systemd-entrypoint[146]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
Jul 01 18:07:37 wazuh systemd-entrypoint[146]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Jul 01 18:07:37 wazuh systemd-entrypoint[146]: WARNING: All illegal access operations will be denied in a future release
Jul 01 18:07:41 wazuh systemd[1]: Started Wazuh-indexer.


Wazuh Manager Status:

systemctl status wazuh-manager
* wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-07-01 18:07:37 UTC; 2 days ago
    Process: 148 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 176 (limit: 232003)
     Memory: 1.9G
        CPU: 2h 57min 44.209s
     CGroup: /system.slice/wazuh-manager.service
             |-602 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             |-642 /var/ossec/bin/wazuh-authd
             |-658 /var/ossec/bin/wazuh-db
             |-682 /var/ossec/bin/wazuh-execd
             |-696 /var/ossec/bin/wazuh-analysisd
             |-699 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             |-702 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             |-719 /var/ossec/bin/wazuh-syscheckd
             |-822 /var/ossec/bin/wazuh-remoted
             |-860 /var/ossec/bin/wazuh-logcollector
             |-878 /var/ossec/bin/wazuh-monitord
             `-893 /var/ossec/bin/wazuh-modulesd

Jul 01 18:07:29 wazuh env[148]: Started wazuh-execd...
Jul 01 18:07:29 wazuh env[694]: 2022/07/01 18:07:29 wazuh-analysisd: ERROR: Could not set resource limit for file descriptors to 458752: Operation not permitted (1)
Jul 01 18:07:30 wazuh env[148]: Started wazuh-analysisd...
Jul 01 18:07:31 wazuh env[148]: Started wazuh-syscheckd...
Jul 01 18:07:32 wazuh env[148]: Started wazuh-remoted...
Jul 01 18:07:33 wazuh env[148]: Started wazuh-logcollector...
Jul 01 18:07:34 wazuh env[148]: Started wazuh-monitord...
Jul 01 18:07:35 wazuh env[148]: Started wazuh-modulesd...
Jul 01 18:07:37 wazuh env[148]: Completed.
Jul 01 18:07:37 wazuh systemd[1]: Started Wazuh manager.

egrep -E "ERROR|WARNING" /var/ossec/logs/ossec.log ::

egrep -E "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/07/04 07:59:44 wazuh-remoted: WARNING: (1408): Invalid ID 003 for the source ip: 'xxx.xxx.xxx.xxx' (name 'unknown').
2022/07/04 07:59:54 wazuh-remoted: WARNING: (1408): Invalid ID 003 for the source ip: 'xxx.xxx.xxx.xxx' (name 'unknown').
2022/07/04 08:00:04 wazuh-remoted: WARNING: (1408): Invalid ID 003 for the source ip: 'xxx.xxx.xxx.xxx' (name 'unknown').
2022/07/04 08:00:14 wazuh-remoted: WARNING: (1408): Invalid ID 003 for the source ip: 'xxx.xxx.xxx.xxx' (name 'unknown').
2022/07/04 08:00:24 wazuh-remoted: WARNING: (1408): Invalid ID 003 for the source ip: 'xxx.xxx.xxx.xxx' (name 'unknown').
2022/07/04 08:00:45 wazuh-remoted: WARNING: Package dropped. Could not append data into buffer.

Alerts are still being logged into /var/ossec/logs/alerts/alerts.log

cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn" ::
No errors or warnings returned


curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200
This command returns nothing - (no output or error) when using '127.0.0.1' or 'localhost'
It returns "Connection Refused" when using the interface IP address (192.168.xxx.xxx)

victor....@wazuh.com

Jul 5, 2022, 3:35:51 AM
to Wazuh mailing list

Regarding your shared logs:

> Jul 01 18:07:29 wazuh env[694]: 2022/07/01 18:07:29 wazuh-analysisd: ERROR: Could not set resource limit for file descriptors to 458752: Operation not permitted (1)

It seems that when analysisd tried to set the limit, it had already been reached, and this probably caused the error. If you see this error is still happening, please add the following configuration to your local internal options (/var/ossec/etc/local_internal_options.conf), and share the manager's ossec.log:

analysisd.debug=2

> 2022/07/04 07:59:44 wazuh-remoted: WARNING: (1408): Invalid ID 003 for the source ip: 'xxx.xxx.xxx.xxx' (name 'unknown').

This warning is caused when a previously registered agent tries to register with a new manager. It is not related to the problem.

> curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200
>
> This command returns nothing - (no output or error) when using '127.0.0.1' or 'localhost'
> It returns "Connection Refused" when using the interface IP address (192.168.xxx.xxx)

After you finish installing Wazuh using the quickstart documentation, a user/password should be provided:

INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: <ADMIN_PASSWORD>
INFO: Installation finished.

Please use them to check if your wazuh-indexer is running:

root@centos6:/home/vagrant# curl -k -u admin:o590TPrh0lUZytzWrOB+XuBJaIP7Yd.B https://localhost:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "AhyF7n2gR6m1AdEL5iBMGQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "e505b10357c03ae8d26d675172402f2f2144ef0f",
    "build_date" : "2022-01-14T03:38:06.881862Z",
    "build_snapshot" : false,
    "lucene_version" : "8.10.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Also, please share the following information to replicate exactly your case:

  • Wazuh version
  • Check if filebeat is running correctly: filebeat test output
  • Wazuh dashboard logs: systemctl status wazuh-dashboard
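
The probe results reported in the thread up to this point (curl exit 52 over plain HTTP, "Connection Refused" on the interface address, no output with admin:admin) each point at a different cause. The script below is an added example, not part of any message in the thread and not Wazuh tooling; `classify_probe` and `probe_indexer` are hypothetical helper names, and it assumes curl is installed and that a rejected login comes back as HTTP 401.

```shell
#!/bin/sh
# Added example (not from the thread): interpret one Wazuh indexer probe.
# classify_probe and probe_indexer are hypothetical helper names.

# classify_probe CURL_EXIT HTTP_CODE SCHEME
# Prints "tag: explanation" for the outcome of a single curl request.
classify_probe() {
    cp_rc=$1 cp_code=$2 cp_scheme=$3
    case "$cp_rc" in
        0)
            case "$cp_code" in
                200) echo "ok: indexer answered and accepted the credentials" ;;
                401) echo "auth: indexer is up but rejected the credentials" ;;
                403) echo "forbidden: login accepted, but the user may not read this path" ;;
                *)   echo "http: unexpected status $cp_code" ;;
            esac ;;
        7)  echo "refused: no listener on this address and port" ;;
        28) echo "timeout: no answer in time (firewall or overloaded node)" ;;
        35|60) echo "tls: handshake or certificate verification failed" ;;
        52)
            # A TLS listener that receives plain HTTP closes the connection.
            if [ "$cp_scheme" = "http" ]; then
                echo "tls-mismatch: empty reply to plain HTTP; retry with https://"
            else
                echo "empty: server closed the connection without answering"
            fi ;;
        *)  echo "other: curl exit code $cp_rc" ;;
    esac
}

# probe_indexer URL USER PASSWORD
# Credentials reach curl through a config read from stdin (-K -), so the
# password does not appear in the process list. Assumes the password holds
# no double quote or backslash. -k skips certificate verification, as in the
# thread; replace it with --cacert where the CA file is at hand.
probe_indexer() {
    pi_url=$1
    case "$pi_url" in
        https://*) pi_scheme=https ;;
        *)         pi_scheme=http ;;   # curl defaults to HTTP without a scheme
    esac
    pi_rc=0
    pi_code=$(printf 'user = "%s:%s"\n' "$2" "$3" |
        curl -K - -s -k -o /dev/null -w '%{http_code}' --max-time 10 "$pi_url") || pi_rc=$?
    classify_probe "$pi_rc" "$pi_code" "$pi_scheme"
}

# Usage (on the indexer host, with the password from the installer summary):
#   probe_indexer https://localhost:9200 admin "$ADMIN_PASSWORD"
```
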

Gordon O'Brien

Jul 5, 2022, 7:50:57 AM
to Wazuh mailing list
Ah of course the admin password 🙄

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "20Fnamj-QP-BDLlfD3px5w",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "e505b10357c03ae8d26d675172402f2f2144ef0f",
    "build_date" : "2022-01-14T03:38:06.881862Z",
    "build_snapshot" : false,
    "lucene_version" : "8.10.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Wazuh version: {"WAZUH_VERSION":"v4.3.5"},{"WAZUH_REVISION":"40317"},{"WAZUH_TYPE":"server"}

Filebeat running OK:

filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2


systemctl status wazuh-dashboard:


* wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-07-01 18:07:19 UTC; 3 days ago
   Main PID: 108 (node)
      Tasks: 11 (limit: 232003)
     Memory: 200.3M
        CPU: 8min 17.813s
     CGroup: /system.slice/wazuh-dashboard.service
             `-108 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/>

Jul 05 09:14:56 wazuh opensearch-dashboards[108]: {"type":"response","@timestamp":"2022-07-05T09:14:56Z","tags":[],"pid":108,"method":"get","statusCode":200,"req":{"url":"/ui/favicons/favicon.ico","method":"ge>
Jul 05 09:14:56 wazuh opensearch-dashboards[108]: {"type":"response","@timestamp":"2022-07-05T09:14:56Z","tags":[],"pid":108,"method":"get","statusCode":200,"req":{"url":"/ui/fonts/inter_ui/Inter-UI-Light-BETA>
Jul 05 09:14:56 wazuh opensearch-dashboards[108]: {"type":"response","@timestamp":"2022-07-05T09:14:56Z","tags":[],"pid":108,"method":"get","statusCode":200,"req":{"url":"/ui/fonts/inter_ui/Inter-UI-Bold.woff2>
Jul 05 09:14:57 wazuh opensearch-dashboards[108]: {"type":"response","@timestamp":"2022-07-05T09:14:56Z","tags":[],"pid":108,"method":"post","statusCode":200,"req":{"url":"/api/request","method":"post","header>
Jul 05 09:14:57 wazuh opensearch-dashboards[108]: {"type":"response","@timestamp":"2022-07-05T09:14:56Z","tags":[],"pid":108,"method":"post","statusCode":200,"req":{"url":"/api/request","method":"post","header>
Jul 05 09:14:57 wazuh opensearch-dashboards[108]: {"type":"response","@timestamp":"2022-07-05T09:14:56Z","tags":[],"pid":108,"method":"post","statusCode":200,"req":{"url":"/api/request","method":"post","header>
Jul 05 09:14:57 wazuh opensearch-dashboards[108]: {"type":"response","@timestamp":"2022-07-05T09:14:56Z","tags":[],"pid":108,"method":"post","statusCode":200,"req":{"url":"/api/check-stored-api","method":"post>
Jul 05 09:14:57 wazuh opensearch-dashboards[108]: {"type":"response","@timestamp":"2022-07-05T09:14:57Z","tags":[],"pid":108,"method":"get","statusCode":200,"req":{"url":"/ui/favicons/favicon.ico","method":"ge>
Jul 05 09:15:24 wazuh opensearch-dashboards[108]: {"type":"response","@timestamp":"2022-07-05T09:15:24Z","tags":[],"pid":108,"method":"get","statusCode":200,"req":{"url":"/plugins/wazuh/assets/images/themes/li>
Jul 05 09:15:24 wazuh opensearch-dashboards[108]: {"type":"response","@timestamp":"2022-07-05T09:15:24Z","tags":[],"pid":108,"method":"get","statusCode":200,"req":{"url":"/ui/default_branding/opensearch_mark_d>


ossec.log:

2022/07/05 10:09:01 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/07/05 10:09:02 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/07/05 10:11:52 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 10:11:52 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 10:11:52 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 10:11:52 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 10:11:52 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 10:11:52 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 10:16:52 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 10:16:52 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 10:16:52 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 10:16:52 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 10:16:52 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 10:16:52 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 10:21:52 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 10:21:52 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 10:21:52 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 10:21:52 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 10:21:52 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 10:21:52 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 10:26:52 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 10:26:52 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 10:26:52 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 10:26:52 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 10:26:52 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 10:26:52 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 10:31:52 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 10:31:52 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 10:31:52 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 10:31:53 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 10:31:53 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 10:31:53 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 10:36:53 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 10:36:53 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 10:36:53 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 10:36:53 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 10:36:53 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 10:36:53 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 10:41:53 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 10:41:53 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 10:41:53 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 10:41:53 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 10:41:53 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 10:41:53 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 10:45:33 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Trusty' database update.
2022/07/05 10:46:01 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Trusty' feed finished successfully.
2022/07/05 10:46:53 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 10:46:53 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 10:51:53 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 10:51:53 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 10:51:53 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 10:51:53 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 10:51:53 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 10:54:00 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2022/07/05 10:54:04 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Bionic' feed finished successfully.
2022/07/05 10:54:27 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Focal' database update.
2022/07/05 10:54:53 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Focal' feed finished successfully.
2022/07/05 10:54:53 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Stretch' database update.
2022/07/05 10:54:54 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Debian Stretch' feed finished successfully.
2022/07/05 10:54:54 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Buster' database update.
2022/07/05 10:54:55 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Debian Buster' feed finished successfully.
2022/07/05 10:55:03 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Bullseye' database update.
2022/07/05 10:55:04 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Debian Bullseye' feed finished successfully.
2022/07/05 10:56:51 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2022/07/05 10:56:56 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2022/07/05 10:56:56 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2022/07/05 10:56:56 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
2022/07/05 10:56:57 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 10:56:57 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 10:56:57 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 10:56:57 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 10:56:57 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 10:56:57 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 11:01:57 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 11:01:57 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 11:01:57 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 11:01:57 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 11:01:57 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 11:01:57 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 11:06:57 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/07/05 11:06:57 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '007' vulnerabilities.
2022/07/05 11:06:57 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '007'
2022/07/05 11:06:57 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '008' vulnerabilities.
2022/07/05 11:06:57 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '008'
2022/07/05 11:06:57 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/07/05 11:09:02 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/07/05 11:09:03 wazuh-modulesd:syscollector: INFO: Evaluation finished.

victor....@wazuh.com

Jul 7, 2022, 3:55:57 AM
to Wazuh mailing list

Everything seems to be working correctly.
Let’s check if there are alerts in Wazuh indexer. Run the following command:
curl "https://localhost:9200/_cat/indices/wazuh-alerts-*" -u admin:o590TPrh0lUZytzWrOB+XuBJaIP7Yd.B -k

If you do not see any Wazuh-related index, you have no alerts stored in the Wazuh indexer.

Also, if your alerts do not appear in the Security Events panel, please check the time period used, ensuring that there are indeed alerts for that interval of time.

How long does it take for your environment to stop showing logs on the dashboard?

Gordon O'Brien

Aug 20, 2022, 8:31:50 AM
to Wazuh mailing list
As a follow-up to this, I ended up installing 3 separate servers for the indexer, manager and dashboard.
Everything works as expected without any issues.