wazuh-remoted error attributes makedefs.out


German DiCasas

Jun 18, 2024, 4:34:50 PM
to Wazuh | Mailing List
Hi team,

I have an Ubuntu server 5.15.0-112 with a Wazuh 4.7.5 all-in-one installation, and every 10 seconds I get a log entry in ossec.log related to:

2024/06/18 17:30:34 wazuh-remoted: ERROR: Unable to get entry attributes 'etc/shared/etc/postfix/makedefs.out'

What is that? Everything works fine, but I have that error. So far I have not been able to identify what the error could be.

Regards,

German

Samson Olugbenga Idowu

Jun 19, 2024, 4:14:29 AM
to Wazuh | Mailing List
Hello German,

Thank you for choosing Wazuh.
From the error message you shared, I deduced that you are monitoring a postfix directory on a remote endpoint.
This configuration is most likely done on a Wazuh agent to monitor the `etc/shared/etc/postfix/makedefs.out` directory.
This error is generated because that directory is unreachable.
To turn off this error, you can simply remove the configuration from the Wazuh agent ossec.conf file, or you can ensure that this directory is recreated.

If you require further assistance, please reach out.

Regards,
Samson.

German DiCasas

Jun 19, 2024, 9:24:41 AM
to Wazuh | Mailing List
Hi Samson, thanks. I checked, but I can't find it. What else could it be?

I get other related errors:

2024/06/19 09:41:44 wazuh-remoted: ERROR: Unable to get entry attributes 'etc/shared/etc/postfix/makedefs.out'
2024/06/19 09:42:13 wazuh-remoted: ERROR: Invalid shared file 'etc/shared/var/ossec/api/configuration/security/rbac.db'. Ignoring it.
2024/06/19 09:42:13 wazuh-remoted: ERROR: Unable to open file 'etc/shared/var/ossec/api/configuration/ssl/server.crt' due to [(13)-(Permission denied)].
2024/06/19 09:42:13 wazuh-remoted: ERROR: Invalid shared file 'etc/shared/var/ossec/api/configuration/ssl/server.crt'. Ignoring it.
2024/06/19 09:42:13 wazuh-remoted: ERROR: Unable to open file 'etc/shared/var/ossec/api/configuration/ssl/server.key' due to [(13)-(Permission denied)].
2024/06/19 09:42:13 wazuh-remoted: ERROR: Invalid shared file 'etc/shared/var/ossec/api/configuration/ssl/server.key'. Ignoring it.
2024/06/19 09:42:13 wazuh-remoted: ERROR: Unable to open file 'etc/shared/var/ossec/etc/sslmanager.cert' due to [(13)-(Permission denied)].
2024/06/19 09:42:13 wazuh-remoted: ERROR: Invalid shared file 'etc/shared/var/ossec/etc/sslmanager.cert'. Ignoring it.
2024/06/19 09:42:13 wazuh-remoted: ERROR: Unable to open file 'etc/shared/var/ossec/etc/sslmanager.key' due to [(13)-(Permission denied)].
2024/06/19 09:42:13 wazuh-remoted: ERROR: Invalid shared file 'etc/shared/var/ossec/etc/sslmanager.key'. Ignoring it.
2024/06/19 09:42:13 wazuh-remoted: ERROR: Unable to open file: 'etc/shared/var/merged.mg' due to [(13)-(Permission denied)].
2024/06/19 09:42:13 wazuh-remoted: ERROR: Unable to open file 'etc/shared/etc/filebeat/filebeat.yml' due to [(13)-(Permission denied)].
2024/06/19 09:42:13 wazuh-remoted: ERROR: Invalid shared file 'etc/shared/etc/filebeat/filebeat.yml'. Ignoring it.
2024/06/19 09:42:13 wazuh-remoted: ERROR: Unable to get entry attributes 'etc/shared/etc/postfix/makedefs.out'
2024/06/19 09:42:13 wazuh-remoted: ERROR: Unable to open file: 'etc/shared/etc/merged.mg' due to [(13)-(Permission denied)].
2024/06/19 09:42:23 wazuh-remoted: ERROR: Unable to get entry attributes 'etc/shared/etc/postfix/makedefs.out'

In debug mode (remoted.debug=2):

2024/06/19 10:04:19 wazuh-remoted[82324] manager.c:1145 at validate_shared_files(): DEBUG: Could not open directory 'etc/shared/etc/filebeat/certs'
2024/06/19 10:04:19 wazuh-remoted[82324] manager.c:1186 at validate_shared_files(): ERROR: Unable to get entry attributes 'etc/shared/etc/postfix/makedefs.out'

And here are my folders and files for those paths (server side). Are the permissions OK?

root@wazuh:/home/miususario# ls -la /var/ossec/etc/shared/etc/filebeat/
total 524
drwxr-xr-x 4 root root   4096 nov 21  2023 .
drwxr-xr-x 4 root root   4096 jun 14 16:49 ..
dr-x------ 2 root root   4096 ago  2  2023 certs
-rw-r--r-- 1 root root 297349 ene 12  2021 fields.yml
-rw-r--r-- 1 root root  91838 ene 12  2021 filebeat.reference.yml
-rw------- 1 root root    986 ago  2  2023 filebeat.yml
drwxr-xr-x 2 root root   4096 ago  2  2023 modules.d
-rw-r--r-- 1 root root  59407 nov 21  2023 wazuh-template.json
-rw-r--r-- 1 root root  58530 ago  2  2023 wazuh-template.json.Original
root@wazuh:/home/miususario# ls -la /var/ossec/etc/shared/etc/filebeat/certs/
total 20
dr-x------ 2 root root 4096 ago  2  2023 .
drwxr-xr-x 4 root root 4096 nov 21  2023 ..
-r-------- 1 root root 1204 ago  2  2023 root-ca.pem
-r-------- 1 root root 1704 ago  2  2023 wazuh-server-key.pem
-r-------- 1 root root 1285 ago  2  2023 wazuh-server.pem


root@wazuh:/home/miususario# ls -la /var/ossec/etc/shared/etc/
total 16
drwxr-xr-x 4 root root  4096 jun 14 16:49 .
drwxrwx--- 6 root wazuh 4096 jun 14 18:18 ..
drwxr-xr-x 4 root root  4096 nov 21  2023 filebeat
drwxr-xr-x 5 root root  4096 jun 18 17:45 postfix


root@wazuh:/home/miususario# ls -la /var/ossec/etc/shared/etc/postfix/
total 124
drwxr-xr-x 5 root root  4096 jun 18 17:45 .
drwxr-xr-x 4 root root  4096 jun 14 16:49 ..
-rw-r--r-- 1 root root    60 nov  9  2023 dynamicmaps.cf
drwxr-xr-x 2 root root  4096 abr 10  2023 dynamicmaps.cf.d
-rw-r--r-- 1 root root 27120 feb  4 06:48 main.cf.proto
lrwxrwxrwx 1 root root    31 nov  9  2023 makedefs.out -> /usr/share/postfix/makedefs.out
-rw-r--r-- 1 root root  6524 nov  9  2023 master.cf
-rw-r--r-- 1 root root  6524 feb  4 06:48 master.cf.proto
-rw-r--r-- 1 root root 10268 abr 10  2023 postfix-files
drwxr-xr-x 2 root root  4096 abr 10  2023 postfix-files.d
-rwxr-xr-x 1 root root 11031 abr 10  2023 postfix-script
-rwxr-xr-x 1 root root 29872 abr 10  2023 post-install
drwxr-xr-x 2 root root  4096 abr 10  2023 sasl


Let me know what you think...

Regards

German

Samson Olugbenga Idowu

Jun 20, 2024, 5:01:14 PM
to Wazuh | Mailing List
Hello German,

From your command outputs, I can see that only the root user has permission to the /var/ossec/etc/* directory. The wazuh user is meant to be an owner of the directory.
You can make the wazuh user an owner by running the following command: chown -R root:wazuh /var/ossec/etc/*
You can also extend similar permission to the other directories relating to Wazuh to fix the error.
Do let me know if this works.

We also recommend that you upgrade to the latest Wazuh version 4.8.0 to enjoy some of our latest features.
To upgrade, refer to our upgrade guide.

Regards,
Samson.
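Added example, written for this page and not taken from the thread or from Wazuh: a POSIX shell audit of the shared-group tree that reports the two conditions behind the errors posted above. The remoted debug lines (manager.c, validate_shared_files()) and the later "Group folder was deleted" warning show that wazuh-remoted walks every directory directly under etc/shared as an agent group, so the stray `etc` directory holding copies of the filebeat and postfix trees is being validated as a group named "etc". Within a group, an entry that cannot be stat'ed is logged as "Unable to get entry attributes"; the only entry named is the symlink `makedefs.out -> /usr/share/postfix/makedefs.out`, and stat() on a symlink fails when its target is missing or unreachable (an assumption about the cause, since the target was not listed). Entries without the group read bit (and, for directories, the group search bit) are unreadable to the wazuh user that remoted runs as, which is the "Permission denied" case; chown changes owner and group only and leaves those mode bits as they were, so the audit checks mode bits rather than ownership. The default path and the fixture are assumptions; the fixture mirrors the listings posted above and is constructed for a dry run, not a real manager.

```shell
#!/bin/sh
# Added example: walk a Wazuh manager's etc/shared tree the way wazuh-remoted does
# (one agent group per directory) and report what it would choke on.
# Assumptions: default path /var/ossec/etc/shared; remoted runs as the wazuh user.

audit_shared() {
    shared="${1:-/var/ossec/etc/shared}"
    for group in "$shared"/*/; do
        group="${group%/}"
        [ -d "$group" ] || continue
        printf 'group %s\n' "${group##*/}"
        # Symlink whose target is gone: lstat() sees it, stat() fails,
        # which remoted logs as "Unable to get entry attributes".
        find "$group" -type l ! -exec test -e {} \; -exec sh -c \
            'printf "  DANGLING %s -> %s\n" "$1" "$(readlink "$1")"' _ {} \;
        # No group read bit on a file, or no group read+search bits on a
        # directory: unreadable for the wazuh user, logged as "Permission denied".
        find "$group" \( \( -type f ! -perm -040 \) -o \( -type d ! -perm -050 \) \) \
            -exec sh -c 'printf "  NOGROUPREAD %s\n" "$1"' _ {} \;
    done
}

# Number of findings, for scripting (0 means remoted should be quiet).
shared_problem_count() {
    audit_shared "$1" | awk '/^  (DANGLING|NOGROUPREAD) / { n++ } END { print n + 0 }'
}

# Constructed fixture mirroring the thread's listings: a healthy "default" group and
# a stray "etc" group with a dangling postfix symlink and root-only filebeat files.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/shared/default" "$root/shared/etc/postfix" "$root/shared/etc/filebeat/certs"
    printf '<agent_config/>\n' > "$root/shared/default/agent.conf"
    # target deliberately absent, like makedefs.out -> /usr/share/postfix/makedefs.out
    ln -s "$root/usr/share/postfix/makedefs.out" "$root/shared/etc/postfix/makedefs.out"
    printf 'output.elasticsearch.ssl.key: x\n' > "$root/shared/etc/filebeat/filebeat.yml"
    chmod 750 "$root/shared" "$root/shared/default" "$root/shared/etc" \
        "$root/shared/etc/postfix" "$root/shared/etc/filebeat"
    chmod 640 "$root/shared/default/agent.conf"
    chmod 600 "$root/shared/etc/filebeat/filebeat.yml"   # -rw------- as in the thread
    chmod 500 "$root/shared/etc/filebeat/certs"          # dr-x------ as in the thread
    printf '%s\n' "$root/shared"
}

# Dry run against the fixture; on a manager call audit_shared with no argument.
audit_shared "$(make_fixture)"
```

On a real manager the expected result is one `group` line per agent group (such as `default`) and no `DANGLING` or `NOGROUPREAD` lines; anything reported under a group that is not meant to be an agent group points at files that were copied into etc/shared and should live elsewhere.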

German DiCasas

Jun 24, 2024, 4:36:11 PM
to Wazuh | Mailing List
Samson,

I did, and the problem persists.
Now I have these logs:

2024/06/24 17:26:45 wazuh-remoted: ERROR: Unable to get entry attributes 'etc/shared/etc/postfix/makedefs.out'
2024/06/24 17:26:45 wazuh-remoted: WARNING: Could not open directory 'etc/shared/DC'. Group folder was deleted.

ls -la /var/ossec/etc/shared/etc/postfix/
total 124
drwxr-xr-x 5 root wazuh  4096 jun 18 17:45 .
drwxr-xr-x 4 root wazuh  4096 jun 14 16:49 ..
-rw-r--r-- 1 root wazuh    60 nov  9  2023 dynamicmaps.cf
drwxr-xr-x 2 root wazuh  4096 abr 10  2023 dynamicmaps.cf.d
-rw-r--r-- 1 root wazuh 27120 feb  4 06:48 main.cf.proto
lrwxrwxrwx 1 root wazuh    31 nov  9  2023 makedefs.out -> /usr/share/postfix/makedefs.out
-rw-r--r-- 1 root wazuh  6524 nov  9  2023 master.cf
-rw-r--r-- 1 root wazuh  6524 feb  4 06:48 master.cf.proto
-rw-r--r-- 1 root wazuh 10268 abr 10  2023 postfix-files
drwxr-xr-x 2 root wazuh  4096 abr 10  2023 postfix-files.d
-rwxr-xr-x 1 root wazuh 11031 abr 10  2023 postfix-script
-rwxr-xr-x 1 root wazuh 29872 abr 10  2023 post-install
drwxr-xr-x 2 root wazuh  4096 abr 10  2023 sasl

root@siem:/var/ossec/etc/shared# ls -la
total 32
drwxrwx--- 6 root  wazuh 4096 jun 24 16:52 .
drwxrwx--- 7 wazuh wazuh 4096 jun 24 17:08 ..
-rw-rw---- 1 root  wazuh   76 nov 11  2022 agent-template.conf
-rw-r----- 1 root  wazuh  228 jun 24 17:08 ar.conf
drwx------ 2 root  wazuh 4096 jun 12 11:02 DC
drwxrwx--- 2 root  wazuh 4096 oct 25  2023 default
drwxr-xr-x 4 root  wazuh 4096 jun 14 16:49 etc

I also did the upgrade to 4.8, but now the dashboard doesn't start. I followed the upgrade process at https://documentation.wazuh.com/current/upgrade-guide/upgrading-central-components.html and did all the steps, but the dashboard does not start.

systemctl status wazuh-dashboard
× wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2024-06-24 17:26:01 -03; 4min 15s ago
    Process: 710050 ExecStart=/usr/share/wazuh-dashboard/bin/opensearch-dashboards (code=exited, status=1/FAILURE)
   Main PID: 710050 (code=exited, status=1/FAILURE)
        CPU: 5.898s

jun 24 17:26:01 siem opensearch-dashboards[710050]:     at InnerSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/InnerSubscriber.js:28:21)
jun 24 17:26:01 siem opensearch-dashboards[710050]:     at InnerSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
jun 24 17:26:01 siem opensearch-dashboards[710050]:     at MapSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/map.js:55:26)
jun 24 17:26:01 siem opensearch-dashboards[710050]:     at MapSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
jun 24 17:26:01 siem opensearch-dashboards[710050]:     at DistinctUntilChangedSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/distinctUntilChanged.js:69:30)
jun 24 17:26:01 siem opensearch-dashboards[710050]:     at DistinctUntilChangedSubscriber.Subscriber.next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/Subscriber.js:66:18)
jun 24 17:26:01 siem opensearch-dashboards[710050]:     at MapSubscriber._next (/usr/share/wazuh-dashboard/node_modules/rxjs/internal/operators/map.js:55:26)
jun 24 17:26:01 siem systemd[1]: wazuh-dashboard.service: Main process exited, code=exited, status=1/FAILURE
jun 24 17:26:01 siem systemd[1]: wazuh-dashboard.service: Failed with result 'exit-code'.
jun 24 17:26:01 siem systemd[1]: wazuh-dashboard.service: Consumed 5.898s CPU time.



Regards,

German

German DiCasas

Jun 25, 2024, 5:17:16 PM
to Wazuh | Mailing List
Hi team,

I restored a backup because of the last error upgrading to 4.8, until the issue is fixed. The server is working fine, but I have that error log. I ran cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -iE 'WARN|ERR' and got this:

[2024-06-25T17:54:51,923][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms6g, -Xmx6g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6054602579876123289, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=3221225472, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-06-25T17:54:58,866][WARN ][o.o.s.c.Salt             ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-06-25T17:54:58,898][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-06-25T17:54:58,899][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-06-25T17:55:01,074][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-06-25T17:55:02,973][ERROR][o.o.s.t.SecurityRequestHandler] [node-1] OpenSearchException[Transport client authentication no longer supported.]
[2024-06-25T17:55:02,979][ERROR][o.o.s.t.SecurityRequestHandler] [node-1] OpenSearchException[Transport client authentication no longer supported.]
[2024-06-25T17:55:02,985][WARN ][o.o.d.HandshakingTransportAddressConnector] [node-1] handshake failed for [connectToRemoteMasterNode[[::1]:9300]]
        at org.opensearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:106) ~[opensearch-2.8.0.jar:2.8.0]
[2024-06-25T17:55:02,985][WARN ][o.o.d.HandshakingTransportAddressConnector] [node-1] handshake failed for [connectToRemoteMasterNode[127.0.0.1:9300]]
        at org.opensearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:106) ~[opensearch-2.8.0.jar:2.8.0]
[2024-06-25T17:55:03,176][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-06-25T17:55:03,698][WARN ][o.o.o.i.ObservabilityIndex] [node-1] message: index [.opensearch-observability/S5Iu5XO-SvuK8ugCjA6m8Q] already exists
[2024-06-25T17:55:03,710][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-1] get managed-index failed: NoShardAvailableActionException[No shard available for [org.opensearch.action.get.MultiGetShardRequest@62b70b00]]
[2024-06-25T17:55:03,749][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-1] Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed
[2024-06-25T17:55:04,235][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@5bcebbb9] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-06-25T17:55:16,315][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)



With the command

cat /var/log/filebeat/filebeat | grep -i -E "error|warn"

2024-06-25T18:00:52.845-0300    WARN    [elasticsearch] elasticsearch/client.go:408     Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc196e9e0f16c5392, ext:292488974115, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"1c6a94c3-cbcf-49f9-96c3-a4f441ef8a5a","hostname":"siem","id":"e25effab-11b6-4ede-80c6-a6ddf5bfd38e","name":"siem","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"siem"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":352396278},"message":"{\"timestamp\":\"2024-06-25T18:00:51.022-0300\",\"rule\":{\"level\":3,\"description\":\"load average metrics\",\"id\":\"100018\",\"firedtimes\":2,\"mail\":false,\"groups\":[\"performance_metric\"]},\"agent\":{\"id\":\"000\",\"name\":\"siem\"},\"manager\":{\"name\":\"siem\"},\"id\":\"1719349251.514899479\",\"full_log\":\"Jun 25 18:00:51 siem load_average_check: ossec: output: 'load_average_metrics':\\n1,16, 1,47, 1,49\",\"predecoder\":{\"program_name\":\"load_average_check\",\"timestamp\":\"Jun 25 18:00:51\",\"hostname\":\"siem\"},\"decoder\":{\"parent\":\"load_average_check\",\"name\":\"load_average_check\"},\"data\":{\"1min_loadAverage\":\"1,16\",\"5mins_loadAverage\":\"1,47\",\"15mins_loadAverage\":\"1,49\"},\"location\":\"load_average_metrics\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::5250834-64768", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0001c91e0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:352396966, Timestamp:time.Time{wall:0xc196e997dad37188, ext:109856018, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x501f12, Device:0xfd00}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, 
Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.5mins_loadAverage] of type [double] in document with id 'ragzUZAB3Gw1JP-ZksPj'. Preview of field's value: '1,47'","caused_by":{"type":"number_format_exception","reason":"For input string: \"1,47\""}}


Let me know what you think of the error.


Regards

German

Samson Olugbenga Idowu

Jun 28, 2024, 12:42:13 PM
to Wazuh | Mailing List
Hello, 

To fix the first error, you have to initialize your Wazuh indexer cluster by running the following script:
/usr/share/wazuh-indexer/bin/indexer-security-init.sh

Regarding the second error, I noticed you are trying to monitor system resources for Linux. I suggest you go through the configuration steps for monitoring Linux resources. In particular, pay attention to the section that modifies the Wazuh template and reindexes. This will likely fix the error.

Regards,
Samson.
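Added example, written for this page and not taken from the thread or from the Wazuh documentation. The filebeat rejection posted above is a mapper_parsing_exception on data.5mins_loadAverage, which the index maps as double, with the value '1,47'; the number_format_exception shows the comma is the problem, a locale decimal separator in the collector's output. A double field will never accept a decimal comma, so besides the template and reindex step the collector has to emit a '.'. The POSIX shell helpers below read /proc/loadavg, which the kernel writes with '.' regardless of locale, repair comma-decimal output from a collector that already prints it, and check a token before it is shipped. The loadavg sample line and the metric strings are constructed; the wodle tag name is the one from the posted alert.

```shell
#!/bin/sh
# Added example: produce and validate load-average values that an OpenSearch
# "double" field will accept. The thread's collector emitted "1,16, 1,47, 1,49",
# which the indexer rejected with number_format_exception on "1,47".

# Print "1min, 5min, 15min" from a /proc/loadavg-style line. With no argument the
# real file is read; the kernel formats it with '.' whatever LC_NUMERIC says.
load_average_line() {
    line="${1:-$(cat /proc/loadavg)}"
    # /proc/loadavg looks like "0.52 0.58 0.59 1/678 12345"; fields 1-3 are the averages
    set -- $line
    printf '%s, %s, %s\n' "$1" "$2" "$3"
}

# Repair output from a collector that already printed locale decimals:
# "1,16, 1,47, 1,49" -> "1.16, 1.47, 1.49". Input that already uses '.' is unchanged.
normalize_decimal_commas() {
    printf '%s\n' "$1" | sed -e 's/, /;/g' -e 's/,/./g' -e 's/;/, /g'
}

# True when the token would parse as a double (what the mapping above requires).
is_double() {
    printf '%s' "$1" | grep -Eq '^-?[0-9]+(\.[0-9]+)?([eE][-+]?[0-9]+)?$'
}

# Emit the three values only if each one parses; otherwise fail so the wodle
# runs nothing into alerts.json that the indexer will drop.
safe_load_average_metrics() {
    values=$(normalize_decimal_commas "$1")
    for v in $(printf '%s\n' "$values" | tr -d ','); do
        is_double "$v" || { printf 'refusing unparseable value: %s\n' "$v" >&2; return 1; }
    done
    printf '%s\n' "$values"
}

# Demonstration on constructed input (the exact strings from the thread's alert).
safe_load_average_metrics "$(load_average_line '1.16 1.47 1.49 1/678 12345')"
safe_load_average_metrics '1,16, 1,47, 1,49'
```

Wherever the command wodle script for the 'load_average_metrics' tag builds its output, running it with `LC_ALL=C` or passing the result through `normalize_decimal_commas` gives the indexer values the double mapping can parse; `is_double` is the check to put in front of any numeric field that a template maps as double.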