Shared config is not correctly sync'ed in v4.1.5


Carlos Lopez
May 18, 2021, 3:55:00 AM
to wa...@googlegroups.com
Hi all.

I am encountering major configuration synchronisation problems for shared config in version 4.1.5. The configuration is not updated correctly for macOS, Windows and Ubuntu platforms (in any of their versions) and this is creating serious problems of config congruence and integrity in the agents.

As an example, for macOS agents: currently, these are the files that should be synchronised across all macOS agents (I am using a cluster architecture):

In wazuh master server:
root@wazuhmaster:/var/ossec/etc/shared/macos# ls -al
total 200
drwxrwx---  3 ossec  ossec   241 May 18 07:23 .
drwxrwx--- 12 root   ossec   190 May 16 07:41 ..
-rw-r-----  1 ossec  ossec  4462 May 16 07:53 agent.conf
lrwxrwxrwx  1 root   root     53 May 14 06:53 com.custom.wazuhaddons.plist -> ../../configs/os/macos/com.custom.wazuhaddons.plist
lrwxrwxrwx  1 root   root     38 May 14 06:53 create_tasks.sh -> ../../configs/os/macos/create_tasks.sh
lrwxrwxrwx  1 root   root     41 May 13 07:11 hardening_macos.sh -> ../../configs/os/macos/hardening_macos.sh
lrwxrwxrwx  1 root   root     40 May 14 06:53 install_addons.sh -> ../../configs/os/macos/install_addons.sh
lrwxrwxrwx  1 root   root     31 Feb 26 07:18 macos_cis_yml -> ../../configs/cis/macos_cis_yml
-rw-rw----  1 ossecr ossec 98781 May 18 07:23 merged.mg
drwxrwx---  2 root   ossec    53 Apr  6 09:31 osquery
lrwxrwxrwx  1 root   root     28 Feb 24 15:41 rootkit_files.txt -> ../default/rootkit_files.txt
lrwxrwxrwx  1 root   root     30 Feb 24 15:41 rootkit_trojans.txt -> ../default/rootkit_trojans.txt

Wazuh worker nodes:
root@wazuhwork01:/var/ossec/etc/shared/macos# ls -al
total 100
drwxrwx---  2 ossec ossec    23 May 17 09:12 .
drwxrwx--- 12 root  ossec   190 May 11 06:37 ..
-rw-rw----  1 ossec ossec 98781 May 17 09:12 merged.mg

In macOS agents (all of them):
macosdsk01:shared root# ls -al
total 416
drwxrwx---  14 root   ossec    448 May 13 15:34 .
drwxrwx---   9 ossec  ossec    288 May 13 15:34 ..
-rw-rw----   1 root   ossec   4471 May 17 11:12 agent.conf
-rw-rw----   1 root   ossec     77 May 17 11:12 ar.conf
-rw-rw----   1 root   ossec    523 May 17 11:12 com.custom.wazuhaddons.plist
-rw-rw----   1 root   ossec   1167 May 17 11:12 create_tasks.sh
-rw-rw----   1 root   ossec    160 May 17 11:12 hardening_macos_staging.sh
-rw-rw----   1 root   ossec   1406 May 17 11:12 install_addons.sh
-rw-rw----   1 root   ossec    898 May 13 15:34 install_osquery_macos.sh
-rw-rw----   1 root   ossec  65531 May 17 11:12 macos_cis_yml
-rw-rw----   1 root   ossec  93221 May 17 11:12 merged.mg
drwxr-x---   4 root   ossec    128 May 13 15:34 osquery
-rw-rw----   1 root   ossec  16179 May 17 11:12 rootkit_files.txt
-rw-rw----   1 root   ossec    454 May 13 15:34 update_wazuh_agent.sh
macosdsk01:shared root# pwd
/Library/Ossec/etc/shared

As you can see, old files appear that should not be in use or synchronised to any agent.

On the other hand, the merged.mg md5 sums do not match between agents and servers.

root@wazuhwork01:/var/ossec/etc/shared/macos# md5sum merged.mg
b9e71d5f76c17ea12441c8b916e2673d  merged.mg
root@wazuhwork01:/var/ossec/etc/shared/macos

root@wazuhmaster:/var/ossec/etc/shared/macos# md5sum merged.mg
b9e71d5f76c17ea12441c8b916e2673d  merged.mg
root@wazuhmaster:/var/ossec/etc/shared/macos

macosdsk01:shared root# md5 merged.mg
MD5 (merged.mg) = 536a5665d1f533d70a733e005f29f6df
macosdsk01:shared root#

This inconsistency causes multiple errors in several defined wodles as well as in the monitoring of several event files.

The only platform on which I've seen shared config sync work is RHEL; on all the others it doesn't: macOS, Windows and Ubuntu.

Best regards,
C. L. Martinez

Carlos Lopez
May 19, 2021, 8:48:07 AM
to wa...@googlegroups.com
Any input regarding this issue?


Carlos Lopez
May 27, 2021, 2:14:37 AM
to wa...@googlegroups.com
No news? Is there some option that I need to check?

Best regards,
C. L. Martinez


Matias Ezequiel Moreno
May 27, 2021, 11:16:32 AM
to Wazuh mailing list
Hi Carlos, how are you?
First of all, sorry for the late response.
To provide better support, could you verify to which agent_groups the agents that are having the problem belong?

Here I share a guide (https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html?highlight=shared) that details the requirements for synchronizing correctly.

Regards 
Matias

Carlos Lopez
May 27, 2021, 11:22:39 AM
to Matias Ezequiel Moreno, wa...@googlegroups.com
Hi Matias,

This issue appears on all groups defined in my Wazuh infrastructure. I have verified all my shared confs with this guide and they are correct.


Best regards,
C. L. Martinez

Carlos Lopez
Jun 3, 2021, 4:30:50 AM
to Matias Ezequiel Moreno, wa...@googlegroups.com
Hi all,

Any news regarding this issue?


Carlos Lopez
Jul 20, 2021, 6:17:04 AM
to Matias Ezequiel Moreno, wa...@googlegroups.com
Hi all,

No news? It is quite complicated to manage shared configurations if production versions are maintained at the same time as bad versions.


Matias Ezequiel Moreno
Jul 22, 2021, 8:26:00 AM
to Wazuh mailing list

Hi, thanks for using Wazuh, and sorry for the delay in replying to you.
To help you, let me ask the team again about your problem.
Thanks for your patience; I will answer you as quickly as possible.
Best!

Matias Ezequiel Moreno
Jul 23, 2021, 10:48:35 AM
to Wazuh mailing list

Hi Carlos,
Reviewing your topic a little more and inquiring with the team, we can see that the owner and the group of the files that you want to synchronize correspond to the root user. Could you try to change them to the ossec user? I leave you a guide that can help you: Changing the Owner, Group, and Permissions (https://www.oreilly.com/library/view/running-linux-third/156592469X/ch04s14.html)

Could you also check what errors appear in the /var/ossec/log/ossec.log file of the manager node?

Regards 
Matias

Carlos Lopez
Jul 26, 2021, 2:04:54 AM
to Matias Ezequiel Moreno, wa...@googlegroups.com
Hi Matias,

All files belong to the ossec:ossec user and group. Files in /var/ossec/etc/shared/macos, for example, are soft links to the original files …


Best regards,
C. L. Martinez

Matias Ezequiel Moreno
Jul 27, 2021, 3:09:51 PM
to Wazuh mailing list
Hi Carlos, could you share what errors appear in the file /var/ossec/log/ossec.log?
Best regards,
Matias

Carlos Lopez
Jul 28, 2021, 2:06:41 AM
to Matias Ezequiel Moreno, Wazuh mailing list
Hi Matias,

There are no errors in ossec.log ... I have not detected any problem in the sync process when new files are created on the manager side. But the old files that are deleted in the shared directory of the manager remain on the client side.


Matias Ezequiel Moreno
Jul 28, 2021, 11:01:42 AM
to Wazuh mailing list
Hi Carlos, here again.

Consulting with the team and doing some more tests regarding this problem, we found a possible solution: instead of using soft links, could you use hard links or normal files?
Could you try to make those changes and tell us how it went?

Best regards

Carlos Lopez
Jul 29, 2021, 1:57:17 AM
to Matias Ezequiel Moreno, Wazuh mailing list
Good morning Matias,

Sure. I have tried with hard links on the manager side, but with the same result. Old files are not removed on the agent side:

macbook:shared root# ls -al
total 416
drwxrwx--- 14 root ossec 448 May 13 15:34 .
drwxrwx--- 9 ossec ossec 288 May 13 15:34 ..
-rw-rw---- 1 root ossec 4580 Jul 22 09:01 agent.conf
-rw-rw---- 1 root ossec 77 Jul 22 09:01 ar.conf
-rw-rw---- 1 root ossec 1198 Jul 22 09:01 create_tasks.sh
-rw-rw---- 1 root ossec 160 Jul 22 09:01 hardening_macos_staging.sh
-rw-rw---- 1 root ossec 1406 Jul 22 09:01 install_addons.sh
-rw-rw---- 1 root ossec 898 May 13 15:34 install_osquery_macos.sh
-rw-rw---- 1 root ossec 65531 Jul 22 09:01 macos_cis_yml
-rw-rw---- 1 root ossec 93361 Jul 22 09:01 merged.mg
drwxr-x--- 4 root ossec 128 May 13 15:34 osquery
-rw-rw---- 1 root ossec 16179 Jul 22 09:01 rootkit_files.txt
-rw-rw---- 1 root ossec 454 May 13 15:34 update_wazuh_agent.sh

Files update_wazuh_agent.sh and install_osquery_macos.sh should not be there....

Regards.



Matias Ezequiel Moreno
Aug 5, 2021, 9:49:07 AM
to Wazuh mailing list
Hi Carlos, it's me again.

Reviewing your case again, I understand then that the problem is that you cannot delete the old files, right?
If you add new files, the synchronization works correctly, is this correct?
In any case, the synchronization flow of the merged.mg file is: Master -> Workers -> Agents reporting to the worker.

Therefore, first of all we are going to verify whether the cluster synchronization is working. For this, we are going to check the agent's merged.mg.
A colleague of mine shared a script with me, which is responsible for asking for the list of groups of an agent and determining the path (in multi-groups or shared) of the merged.mg file that corresponds to the agent.

The way to use it is:
python3 get_merged_path.py <agent_id>

for example:
root@wazuh-master:~# python3 get_merged_path.py 1
The merged file that should be sent to the agent 1 is: /var/ossec/var/multigroups/142d8f76/merged.mg

Now you should check if the above merged.mg file is the same in master and worker,

for example:
cmp --silent master_merged.mg worker1_merged.mg || echo "files are different"

With the aforementioned we can rule out synchronization problems in the cluster.

Could you run GET /agents/{agent_id}/group/is_sync in the Wazuh Menu/Tools/API console and show me the result?

I attach the aforementioned script.

Best Regards.
get_merged_path.py

Carlos Lopez
Aug 10, 2021, 3:00:41 AM
to Matias Ezequiel Moreno, Wazuh mailing list
Hi Matias,

Regarding your question:

If you add new files, the synchronization works correctly, is this correct? No. New files are sync'ed but old files remain in the client shared dir.

Output commands:

root@wazuh-master:~# cmp --silent /var/ossec/etc/shared/macos/merged.mg /tmp/worker01/merged.mg
root@wazuh-master:~#

root@wazuh-master:~# curl -k -X GET https://localhost:55000/agents/009/group/is_sync -H  "Authorization: Bearer $TOKEN"
{"data": {"affected_items": [{"id": "009", "synced": true}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "Sync info was returned for all selected agents", "error": 0}

As you can see, synchronization works OK …. But old files remain in the client …

Thanks for your help.

Matias Ezequiel Moreno
Aug 13, 2021, 10:03:29 AM
to Wazuh mailing list
Hi Carlos, it's me again.

I have consulted with the team again regarding your problem, and we realize that it is an error that is also reported in Issue #7326.
In conclusion, when an agent belongs to a single group, deletion works perfectly.
The problem is when the agent belongs to more than one group: this forms a multi-group, and the manager manages it differently. Here is a link to the official documentation, which talks a bit about multi-groups.

Basically, when an agent belongs to more than one group, the files contained in each group are merged into the /var/ossec/var/multigroups/<id> folder, and this in the end is what is shared with the agent.
The problem is that when we delete a file from the folder of any group, that deletion is not being propagated to the multi-group that the group forms part of.

To solve this problem, development is required. A temporary solution, until this is permanently solved, is to manually delete the unwanted files, first in the individual groups and then in the multi-group folder. Then they should disappear from the agents.
Let me know if you can solve the problem; if not, do not hesitate to contact me again.

Best Regards.
Matias Moreno
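Editor's added example, not Wazuh's own code and not the get_merged_path.py script attached above (whose contents are not on this page). It does, from the agent side, the audit the last few messages describe: it parses a merged.mg bundle, compares two bundles file by file (a finer-grained form of the cmp check Matias suggests), computes the md5 that the thread compares across master, worker and agent, and lists the regular files in an agent's shared directory that the current bundle no longer delivers, which is the stale-file symptom Carlos reports. It then reproduces that symptom in a temporary directory by unpacking an old bundle and a newer one that dropped two files without deleting anything. Assumptions not taken from the thread: the merged.mg layout (a '#<group>' header line, then '!<size> <name>' records each followed by exactly <size> bytes), the multi-group directory id derivation (first 8 hex characters of sha256 over the comma-joined group names), and all sample file contents, which are constructed.

```python
# Added example, not Wazuh's own code. Assumed (not from the thread): the merged.mg
# layout ('#<group>' header, then '!<size> <name>' records each followed by exactly
# <size> bytes) and the multi-group id derivation (first 8 hex chars of sha256 over
# the comma-joined group names). All file contents below are constructed.
import hashlib
import os
import tempfile

# Constructed sample contents; not the real files from the thread.
V1_FILES = {
    "agent.conf": b'<agent_config os="Darwin"></agent_config>\n',
    "ar.conf": b"restart-wazuh0 - restart-wazuh - 0\n",
    "install_osquery_macos.sh": b"#!/bin/sh\necho install osquery\n",
    "update_wazuh_agent.sh": b"#!/bin/sh\necho update agent\n",
}
# Later revision: the two scripts were removed on the manager and one file was added.
V2_FILES = {k: V1_FILES[k] for k in ("agent.conf", "ar.conf")}
V2_FILES["hardening_macos.sh"] = b"#!/bin/sh\necho harden\n"

def merge(group, files):
    """Build a bundle (bytes) from {name: content} under the assumed layout."""
    out = [f"#{group}\n".encode()]
    for name, content in sorted(files.items()):
        out.append(f"!{len(content)} {name}\n".encode())
        out.append(content)
    return b"".join(out)

def unmerge(blob):
    """Parse a bundle into (group, {name: content}); record sizes, not newlines, delimit content."""
    if not blob.startswith(b"#"):
        raise ValueError("missing '#<group>' header")
    nl = blob.index(b"\n")
    group, pos, files = blob[1:nl].decode(), nl + 1, {}
    while pos < len(blob):
        if blob[pos:pos + 1] != b"!":
            raise ValueError(f"expected '!' record marker at offset {pos}")
        nl = blob.index(b"\n", pos)
        size_s, name = blob[pos + 1:nl].decode().split(" ", 1)
        start, size = nl + 1, int(size_s)
        content = blob[start:start + size]
        if len(content) != size:
            raise ValueError(f"truncated record for {name}")
        files[name] = content
        pos = start + size
    return group, files

def md5_hex(blob):
    """The digest the thread compares with md5sum / md5 on master, worker and agent."""
    return hashlib.md5(blob).hexdigest()

def multigroup_dir(groups):
    """Assumed derivation of <id> in /var/ossec/var/multigroups/<id>."""
    return hashlib.sha256(",".join(groups).encode()).hexdigest()[:8]

def diff_bundles(blob_a, blob_b):
    """(only_in_a, only_in_b, changed): which files differ, not merely whether the bundles do."""
    _, a = unmerge(blob_a)
    _, b = unmerge(blob_b)
    changed = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    return sorted(set(a) - set(b)), sorted(set(b) - set(a)), changed

def unpack_into(shared_dir, blob):
    """Model the reported behaviour: files are written or overwritten, never deleted."""
    _, files = unmerge(blob)
    files["merged.mg"] = blob
    for name, content in files.items():
        with open(os.path.join(shared_dir, name), "wb") as fh:
            fh.write(content)

def stale_files(shared_dir, blob):
    """Regular files in shared_dir that the current bundle would not deliver."""
    _, delivered = unmerge(blob)
    present = {n for n in os.listdir(shared_dir)
               if os.path.isfile(os.path.join(shared_dir, n))}
    return sorted(present - set(delivered) - {"merged.mg"})

def demo():
    """Reproduce the reported drift in a temp dir and return the audit findings."""
    v1, v2 = merge("macos", V1_FILES), merge("macos", V2_FILES)
    with tempfile.TemporaryDirectory() as shared:
        unpack_into(shared, v1)  # first sync
        unpack_into(shared, v2)  # next sync, after the manager dropped two files
        with open(os.path.join(shared, "merged.mg"), "rb") as fh:
            agent_md5 = md5_hex(fh.read())
        stale = stale_files(shared, v2)
    return {
        "stale": stale,
        "agent_bundle_matches_manager": agent_md5 == md5_hex(v2),
        "v1_vs_v2": diff_bundles(v1, v2),
        "multigroup_id": multigroup_dir(["default", "macos"]),
    }

if __name__ == "__main__":
    print(demo())
```

Run as-is, demo() reports the two dropped scripts as stale even though the agent's merged.mg digest matches the manager's copy, which is the state Carlos shows: the bundle is in sync while the directory is not. Pointing stale_files() at a real /Library/Ossec/etc/shared (or /var/ossec/etc/shared) with the bundle the manager actually sends gives the list to delete by hand while the issue Matias cites is open; remember that a multi-group agent must be checked against the multigroups bundle, not the single group's merged.mg, or the digests will differ for a legitimate reason.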