Missing alerts/security events in dashboard, alerts.log filled with events, Mitre alerts could not be fetched either


Marco

Aug 19, 2022, 3:31:58 AM
to wa...@googlegroups.com
Hello guys,

I'm new to working with Wazuh and really appreciate your hard work.
Two days ago I installed Wazuh as described in the Quickstart https://documentation.wazuh.com/current/quickstart.html

Some details on the version in place:
Wazuh App Version 4.3.6 App revision 4307
OS: Debian 11 latest
Filebeat Output:
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Added some Windows agents to Wazuh and they got alerts logged on the Wazuh server in /var/ossec/log/alerts.log, but the alerts are not displayed under dashboard security events.
There are no results.....
I also noticed that when trying to start the Mitre Att&ck Framework I get an error on fetching Mitre alerts.
full error:
I'm stuck on these errors and did not find any help on the web. I hope you can help in resolving the issue. Thanks.

Many regards.
Marco

Agbeyemi Samuel Damilola

Aug 19, 2022, 3:54:38 AM
to Wazuh mailing list

Hello 0x23marco, 

hope you are doing well and thanks for using Wazuh!

If the agent status is Active on the dashboard but you do not see any alerts generated for the agent, it could mean that the data is not reaching the Wazuh-indexer. Can you please run the following commands and share the results:

# systemctl status filebeat

# filebeat test output

And also, can you check your Index Management from the Management tab of Kibana to check whether your index actually has a size different from 0? And please check the date on the Wazuh-Manager and see if it is approximately the same as the one you have on your system (sysmon).

You can check the date on the Wazuh-Manager with the following command:

# date

Thanks
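A small triage script for the checks suggested above, added here as an example (not Wazuh's own tooling): it assumes the default Filebeat paths quoted in this thread (/var/log/filebeat/filebeat and /usr/share/filebeat/module/wazuh) and the systemd unit name filebeat, reports unit state, module directory, clock sync and the last "Exiting:" error Filebeat logged, and classifies that error so the "alerts on disk but nothing indexed" symptom can be traced to an incomplete install or a TLS/certificate problem.

```shell
#!/bin/sh
# Added example, not Wazuh's own tooling. Paths/unit name are assumptions
# taken from the defaults shown in this thread.
FILEBEAT_LOG=${FILEBEAT_LOG:-/var/log/filebeat/filebeat}
WAZUH_MODULE_DIR=${WAZUH_MODULE_DIR:-/usr/share/filebeat/module/wazuh}

# Print the message of the last "Exiting: ..." ERROR line in a Filebeat log
# (empty output if the file is missing or Filebeat never aborted).
last_exit_error() {
    grep 'ERROR' "$1" 2>/dev/null | grep 'Exiting:' | tail -n 1 | sed 's/.*Exiting: //'
}

# Map a Filebeat exit message to a short diagnosis label.
classify_exit_error() {
    case "$1" in
        '') echo no-exit-error ;;
        *'getting filesets for module wazuh'*'no such file or directory'*)
            echo missing-wazuh-module ;;      # Wazuh module never installed
        *'certificate'*|*'x509'*|*'tls'*) echo tls-or-certificate ;;
        *) echo other ;;
    esac
}

# "present" if the Wazuh Filebeat module directory exists, else "missing".
module_dir_state() { [ -d "$1" ] && echo present || echo missing; }

# Full triage on a live host: unit state, module dir, last error, clock sync,
# and the two lines of `filebeat test output` that matter for the indexer link.
triage() {
    printf 'filebeat unit: %s\n' "$(systemctl is-active filebeat 2>/dev/null || echo unknown)"
    printf 'wazuh module dir: %s\n' "$(module_dir_state "$WAZUH_MODULE_DIR")"
    err=$(last_exit_error "$FILEBEAT_LOG")
    printf 'last filebeat exit error: %s\n' "${err:-none}"
    printf 'diagnosis: %s\n' "$(classify_exit_error "$err")"
    printf 'clock synchronized: %s\n' "$(timedatectl show -p NTPSynchronized --value 2>/dev/null || echo unknown)"
    filebeat test output 2>/dev/null | grep -E 'handshake|talk to server' || echo 'filebeat test output: not available'
}

# Constructed sample log (modelled on the lines quoted in this thread) so the
# parsing/classification can be exercised offline without a Wazuh host.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2022-08-19T10:20:15.385+0200    INFO    instance/beat.go:424    filebeat stopped.
2022-08-19T10:20:15.388+0200    ERROR   instance/beat.go:956    Exiting: Error getting filesets for module wazuh: open /usr/share/filebeat/module/wazuh: no such file or directory
EOF

if [ "${1:-}" = --triage ]; then triage; fi
```

Run it with `--triage` on the manager to get the live report; without arguments it only defines the functions and the sample log.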

Marco

Aug 19, 2022, 4:14:58 AM
to Wazuh mailing list
Hello agbeyem,

thanks for your fast response to my issue. To recap, I used the Quickstart for Wazuh....
That command....
# curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

# filebeat test output

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2


# date
    Local time: Fr 2022-08-19 10:03:18 CEST
           Universal time: Fr 2022-08-19 08:03:18 UTC
                 RTC time: Fr 2022-08-19 08:03:18
                Time zone: Europe/Berlin (CEST, +0200)
System clock synchronized: yes
              NTP service: active

# systemctl status filebeat => fails, but there's no /etc/filebeat or anything else - weird.

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2022-08-17 15:34:09 CEST; 1 day 18h ago
       Docs: https://www.elastic.co/products/beats/filebeat
    Process: 48086 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILURE)
   Main PID: 48086 (code=exited, status=1/FAILURE)
        CPU: 50ms

Aug 17 15:34:09 ALTLOG01 systemd[1]: filebeat.service: Scheduled restart job, restart counter is at 9.
Aug 17 15:34:09 ALTLOG01 systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
Aug 17 15:34:09 ALTLOG01 systemd[1]: filebeat.service: Start request repeated too quickly.
Aug 17 15:34:09 ALTLOG01 systemd[1]: filebeat.service: Failed with result 'exit-code'.
Aug 17 15:34:09 ALTLOG01 systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..

Did not find any Management tab of Kibana in the navigation.

Is there any install log where I can check for the issues or missing components? It looks to me as if some important things are missing, right?

Regards
Marco

Marco

Aug 19, 2022, 4:22:38 AM
to Wazuh mailing list
# tail -n100 /var/log/filebeat/filebeat

2022-08-19T10:20:15.383+0200    INFO    instance/beat.go:653    Beat ID: fb4dc389-1076-4731-9df1-94c98733045e
2022-08-19T10:20:15.383+0200    INFO    [seccomp]       seccomp/seccomp.go:124  Syscall filter successfully installed
2022-08-19T10:20:15.383+0200    INFO    [beat]  instance/beat.go:981    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "fb4dc389-1076-4731-9df1-94c98733045e"}}}
2022-08-19T10:20:15.383+0200    INFO    [beat]  instance/beat.go:990    Build info      {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2022-08-19T10:20:15.383+0200    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.14.12"}}}
2022-08-19T10:20:15.384+0200    INFO    [beat]  instance/beat.go:997    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2022-08-17T14:31:36+02:00","containerized":false,"name":"ALTLOG01","ip":["127.0.0.1/8","::1/128","192.168.50.222/24"],"kernel_version":"5.10.0-17-amd64","mac":["00:50:56:84:57:3b"],"os":{"family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"11 (bullseye)","major":11,"minor":0,"patch":0,"codename":"bullseye"},"timezone":"CEST","timezone_offset_sec":7200,"id":"25ca70b09c294c1c8e883f3d9d7b95a4"}}}
2022-08-19T10:20:15.384+0200    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 69496, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2022-08-19T10:20:14.380+0200"}}}
2022-08-19T10:20:15.384+0200    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2022-08-19T10:20:15.385+0200    INFO    eslegclient/connection.go:99    elasticsearch url: https://127.0.0.1:9200
2022-08-19T10:20:15.385+0200    INFO    [publisher]     pipeline/module.go:113  Beat name: ALTLOG01
2022-08-19T10:20:15.385+0200    INFO    instance/beat.go:424    filebeat stopped.
2022-08-19T10:20:15.388+0200    ERROR   instance/beat.go:956    Exiting: Error getting filesets for module wazuh: open /usr/share/filebeat/module/wazuh: no such file or directory

Marco

Aug 19, 2022, 7:23:48 AM
to Wazuh mailing list
Status Update:
Resolved the issue. Missing certificates (because of SSL/TLS encryption) led to an incomplete installation of Wazuh. I just reinstalled it, and now everything works as designed.