Hello Aram,
It seems the Endpoint you are trying to use in the curl command does not exist:
curl -k -X GET "https://wazuh-mgr1:55000/cluster/agents"
The correct endpoint should be:
curl -k -X GET "https://wazuh-mgr1:55000/agents"
You can check this in the API Reference for more information about it.
One thing I would like you to check is that the WazuhDB has the proper permission and ownership:
root@theshire:~# ls -l /var/ossec/queue/db/
-rw-r----- 1 ossec ossec 57344 Aug 16 19:55 global.db
-rw-r----- 1 ossec ossec 16928 Aug 16 19:55 global.db-journal
srw-rw---- 1 ossec ossec 0 Aug 16 17:54 wdb
root@theshire:~# ls -l /var/ossec/queue/db/wdb
srw-rw---- 1 ossec ossec 0 Aug 16 17:54 /var/ossec/queue/db/wdb
Another thing that you can check is if the database is accessible:
root@theshire:~# sqlite3 /var/ossec/queue/db/global.db
SQLite version 3.27.2 2019-02-25 16:06:06
Enter ".help" for usage hints.
sqlite> .tables
agent belongs group info labels metadata
sqlite> select * from agent;
0|theshire|127.0.0.1|127.0.0.1||Debian GNU/Linux|10|10||buster||debian|Linux |theshire |4.19.0-16-amd64 |#1 SMP Debian 4.19.181-1 (2021-03-19) |x86_64|x86_64|Wazuh v4.1.5|||theshire||1619802068|253402300799||synced|active
2|oel83|10.10.10.152|any|183a13aa7944792a2babd9c0a99f8030db825bb51e98c7ea1dc5f778b9b63238|Oracle Linux Server|8.3|8|3|||ol|Linux |oel83 |5.4.17-2011.7.4.el8uek.x86_64 |#2 SMP Fri Oct 2 14:39:04 PDT 2020 |x86_64|x86_
....
....
If it is all ok, we would need you to put the logs in debug and send us the logs when you replicate the issue:
In the Wazuh Manager go to /var/ossec/etc/local_internal_options.conf and add this configuration:
wazuh_db.debug=2
Reference
Also the API, by going to and adding the lines:
logs:
  level: "debug"
  path: "logs/api.log"
Please send us the result of the api.log and the ossec.log present in the /var/ossec/etc folder after replicating the issue.
Errata:
The logs are in the /var/ossec/logs folder.
I look forward to your feedback.
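
The ownership and mode check from the message above, written as a reusable audit function. This is an added example, not part of the original message or Wazuh's own tooling; the function name is hypothetical, the ossec:ossec defaults come from the listing above, and GNU stat is assumed.

```bash
# check_wdb_perms [DIR] [OWNER] [GROUP]
# Compares every entry in the Wazuh DB directory with the expected owner and
# group, and flags any entry that grants access to "other".
# Prints one line per deviation. Returns 0 if clean, 1 on any deviation,
# 2 if the directory does not exist.
check_wdb_perms() {
    local dir="${1:-/var/ossec/queue/db}"
    local owner="${2:-ossec}" group="${3:-ossec}"
    local rc=0 f u g mode

    [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }

    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob did not match
        # GNU stat format: %U owner name, %G group name, %a octal mode
        u=$(stat -c '%U' -- "$f")
        g=$(stat -c '%G' -- "$f")
        mode=$(stat -c '%a' -- "$f")

        if [ "$u" != "$owner" ] || [ "$g" != "$group" ]; then
            echo "owner: $f is $u:$g, expected $owner:$group"
            rc=1
        fi

        # The last octal digit is the "other" class. The listing above shows
        # 640 for the database files and 660 for the wdb socket, so it must be 0.
        case "$mode" in
            *0) ;;
            *)  echo "mode: $f is $mode, 'other' must have no access"
                rc=1 ;;
        esac
    done
    return "$rc"
}
```

Run it as root with no arguments on the manager to audit /var/ossec/queue/db; any output line is a deviation from the listing shown above.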
Hello Aram,
If you don’t have too many groups created, you can delete the global.db and restart the Wazuh Manager to re-create the database.
Otherwise, it would mean finding the groups in the table that are wrong and erasing them.
Hello Aram,
Another workaround could be finding the agent-groups files that could have some error. For that, you can do a grep in the agent-groups folder and erase the files listed:
root@theshire:~# grep ERROR /var/ossec/queue/agent-groups/*
/var/ossec/queue/agent-groups/019:ERROR
Remove those files and restart the Wazuh Manager.
Please let me know if that helps you, if not I will need you to share your log files to analyze them.
I look forward to your feedback.
Kind Regards
Hello Aram,
It is not mandatory to use port 443, you can use the port you want/need, you just need to specify it in the kibana.yml file and restart the Kibana Service.
I hope you can solve your issue.
Hello Aram,
My apologies for the delay.
I was checking the logs you sent, and the error is reflected in the API logs:
2021/09/17 12:27:07 INFO: wazuh-wui x.x.x.x "GET /agents" with parameters {"offset": "500", "limit": "500", "q": "id!=000"} and body {} done in 16.962s: 500
2021/09/17 12:27:07 ERROR: Error retrieving data from Wazuh DB: Error 2007 - Error retrieving data from Wazuh DB
But no errors like you show from September 15 are in the ossec.log you sent.
Could you please put the API in debug and then execute the following request in Wazuh > Tools > API Console?
GET /agents
{
  "offset": "500",
  "limit": "500",
  "q": "id!=000"
}
Please send the API logs from the moment you execute this, and also the ossec.log lines.
Thank you in advance!
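
For triaging the api.log lines quoted in the message above, the following added example (not part of the original message or of Wazuh) extracts every request that ended in a 5xx status and counts the Wazuh DB errors. The function names are hypothetical, the line layout is assumed to match the two lines quoted above, and the first sample line is constructed.

```bash
# sample_api_log: two lines quoted in the thread plus one constructed 200 line.
sample_api_log() {
    cat <<'EOF'
2021/09/17 12:26:40 INFO: wazuh-wui 192.0.2.10 "GET /agents" with parameters {"offset": "0", "limit": "500", "q": "id!=000"} and body {} done in 0.412s: 200
2021/09/17 12:27:07 INFO: wazuh-wui x.x.x.x "GET /agents" with parameters {"offset": "500", "limit": "500", "q": "id!=000"} and body {} done in 16.962s: 500
2021/09/17 12:27:07 ERROR: Error retrieving data from Wazuh DB: Error 2007 - Error retrieving data from Wazuh DB
EOF
}

# api_5xx [FILE...]
# Reads api.log lines (files or stdin) and prints one record per request that
# finished with a 5xx status: "date time|user|METHOD path|seconds|status".
api_5xx() {
    awk '
    $3 == "INFO:" && / done in / && $NF ~ /^5[0-9][0-9]$/ {
        method = $6;    sub(/^"/, "", method)   # strip the opening quote
        path = $7;      sub(/"$/, "", path)     # strip the closing quote
        secs = $(NF-1); sub(/s:$/, "", secs)    # "16.962s:" becomes "16.962"
        printf "%s %s|%s|%s %s|%s|%s\n", $1, $2, $4, method, path, secs, $NF
    }' "$@"
}

# count_wdb_errors [FILE...]
# Counts ERROR lines carrying "Error 2007" (the Wazuh DB retrieval error above).
count_wdb_errors() {
    awk '$3 == "ERROR:" && /Error 2007/ { n++ } END { print n + 0 }' "$@"
}
```

On the manager, `api_5xx /var/ossec/logs/api.log` lists the failing requests with their duration, which makes it easy to match them against the same timestamps in ossec.log.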
Hello Aram,
I’ve been analyzing this, and it is pretty weird, because we don’t see any errors in the ossec.log, just a few warnings, but nothing to be worried about.
I am thinking of a performance issue, something related to a lack of resources, so I would like to check the resources available. For that, I will need you to check some things for me:
free -h
top
cat /var/ossec/var/run/ossec-remoted.state
I hope this information could be helpful in solving your issue.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3c0f6705-94d7-4686-843c-4d1fb1626e92n%40googlegroups.com.
☁ Abraham Cruz Sustaita
On Oct 22, 2021, at 14:18, Aram <pro.ara...@gmail.com> wrote:
Hi Abraham and Dario,