wazuh-syscheckd: INFO: (6678): No directory provided for syscheck to monitor.

[Utku Erinc Guduk]

Hello,

Wish y'all great day!

First of all I've noticed that I cannot check the events on FIM module.

After I checked the manager server logs I've detected INFO logs below.

All my agent services and manager services are up.

• wazuh-syscheckd: INFO: (6678): No directory provided for syscheck to monitor.
• wazuh-syscheckd: INFO: (6001): File integrity monitoring disabled.

Best Regards,

[Antonio Kim (Wazuh)]

Hi Utku!
Thanks for using Wazuh!

Doing some research about your case, I could find the following information:
- https://groups.google.com/g/wazuh/c/TI7dOPuR_Mw
- https://groups.google.com/g/ossec-list/c/quowbKdTAh8

Maybe it can be related to some typo error.

In case that you could not find the point.
I wish to ask you some questions:

1. Is it a fresh install?

2. Was the FIM module working well before?
3. Could you share me the ossec.conf of the agent and of the manager?

Regards

Antonio

[Utku Erinc Guduk]

Hi Antonio!

Thanks a lot for the fast response!

I've already checked those articles, but I was not able to run this command below.

verify-agent-conf /var/ossec/etc/shared/fbsd/agent.conf

About your questions;

1.  It has been more than 1 year. Not a fresh install.
2. FIM was working well. I think it has started to occure on 1st of September 2023.
3. You may find the related files attached.

Best Regards,

Utku

16 Ocak 2024 Salı tarihinde saat 14:45:10 UTC+3 itibarıyla Antonio Kim (Wazuh) şunları yazdı:

[Antonio Kim (Wazuh)]

I can see that in (manager) ossec.conf you do not have directories to check.

On the other hand, in (agent) ossec.conf, you have:
<directories check_all="yes" realtime="yes" whodata="yes" report_changes="yes">/some/path</directories> 

<directories check_all="yes" realtime="yes" whodata="yes" report_changes="yes">/some/path</directories>

Does that directory exist in your agent?

I would recommend you to rollback your fim configuration and test it using the following use case: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/use-cases/reporting-file-changes.html

Please let me know if you could do it.

[Utku Erinc Guduk]

Hi Antonio,

I've added directories to manager ossec.conf file. Now, the error log seems gone. Thanks a lot for your support.

The agent server belongs to my client that is why they wanted me to hide the paths for company policy I guess.

However, I have still problem the monitoring Events on Wazuh browser. I am able to monitor Last Modified date on Inventory tab but I cannot monitor Events and Dashboard. Even though some of the agent is up, the connection seems to be disconnected.

Best Regards,

Utku

16 Ocak 2024 Salı tarihinde saat 15:58:32 UTC+3 itibarıyla Antonio Kim (Wazuh) şunları yazdı:

[Antonio Kim (Wazuh)]

Can you check if in alerts.json of the manager you can see the events?

[Antonio Kim (Wazuh)]

On the other hand.. are you using a multi-host wazuh or all in one ova/ami?

Thanks for your answers.

Antonio

[Utku Erinc Guduk]

Yeah, I can. Correct date, correct file.

Best Regards,

Utku

16 Ocak 2024 Salı tarihinde saat 17:06:24 UTC+3 itibarıyla Antonio Kim (Wazuh) şunları yazdı:

[Antonio Kim (Wazuh)]

Mm...

You will need to do some Dashboard troubleshooting to check why the alerts are being generated but are not present in the dashboard.

Here you have some documentation to do it: https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/troubleshooting.html

Please let me know if you can find the root-cause or let me know if I can help you work on it.

Antonio

[Antonio Kim (Wazuh)]

On the other hand, having a conversation with some Wazuh internal team, I can inform you that:

The UI gets FIM data in two ways: from the wazuh-alerts index and from the API. It does not check the Wazuh alerts from the server. So to debug this problem we would need to check if the API or if the wazuh-alerts index has FIM data.

Please let me know.

I could find this method to check the API:
https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.syscheck_controller.get_syscheck_agent

[Utku Erinc Guduk]

Hi Antonio,

I did some research; all the requests gets 200 and I think root-cause something about wazuh-alerts indexes. I run across the error log below.

[2024-01-16T16:32:29,353][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-1] get managed-index failed: [.opendistro-ism-config] IndexNotFoundException[no such index [.opendistro-ism-config]]

Best Regards,

Utku

16 Ocak 2024 Salı tarihinde saat 18:30:33 UTC+3 itibarıyla Antonio Kim (Wazuh) şunları yazdı:

[Antonio Kim (Wazuh)]

I could find this information about that error:

https://groups.google.com/g/wazuh/c/vygLVxjl3nE

Maybe it can be related.

Regards

Antonio

[Utku Erinc Guduk]

Hi Antonio,

I found another log, I think I've reached the maximum number of shards. Could you please help me to increase it?

Best Regards,

Utku

17 Ocak 2024 Çarşamba tarihinde saat 12:30:25 UTC+3 itibarıyla Antonio Kim (Wazuh) şunları yazdı:

[Antonio Kim (Wazuh)]

Hi Uktu,

Hope you are doing well and sorry for the delay.
You can check this documentation to reset the shards:

https://groups.google.com/g/wazuh/c/DEtJC15Stqk/m/NRIVuElKAAAJ

Hope this works for you.

Please let me know.

Antonio