Wodle Commands have stopped

[M Jones]

HI,

I have wodle commands that run to retrieve Microsoft API logs but for some reason they have stopped working to schedule. It should run every hour but instead it runs a couple of times and stops. It restarts after i restart the manager but then a couple of hours later does the same thing. This is happening on at least 8 of my instances.

[Juan Nicolás Asselle]

Hello,

Thank you for using Wazuh!

Could you please provide me the next information in order to figure out what’s happening?

• Wazuh version
• OS
• Wodle configuration
• If it is possible, set wazuh_modules.debug=2 in /var/ossec/etc/local_internal_options.conf, try to reproduce the problem and send me log extraction related to wazuh-modulesd:command entries from ossec.log.

Thank you and I wait for this information to move forward.

Regards,
Nico

​

[M Jones]

HI Juan,

Wazuh: Wazuh 4.1.5

OS: Ubuntu 20.04.2 LTS

Wodle conf: 

<wodle name="command">

    <disabled>no</disabled>

    <command>/root/office_365.py --contentType DLP.All Audit.General Audit.AzureActiveDirectory Audit.SharePoint Audit.Exchange --hours 1 --tenantId  <secretcode>   --clientId  <secretcode>   --clientSecret <secretcode> </command>

    <interval>1h</interval>

    <ignore_output>yes</ignore_output>

    <run_on_start>yes</run_on_start>

    <timeout>0</timeout>

  </wodle>

I have set the debugger but when you look into the logs there is no wodle command option but there was before. Its still running and does it every hour for 2 hours then stops running.