Mail and vulnerability-detection not getting when agent in worker node


Kirijan J

Sep 25, 2024, 3:00:47 AM
to Wazuh | Mailing List
Hi Team,

We have a Wazuh cluster setup.

MASTER_IP --- running wazuh-manager wazuh-indexer filebeat
WORKER_IP --- running wazuh-manager wazuh-indexer filebeat

Alert mail is triggering when the agent is on the master node; if it is on the worker node, mail is not triggering. Vulnerability detection is the same: we get data when the agent is on the master node,
but if it is on the worker node, VD data is not getting into wazuh-states-vulnerabilities-wazuh.

# cat /var/ossec/etc/ossec.conf
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>te...@gmail.com</email_from>
    <email_to>te...@gmail.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
  <alerts>
    <email_alert_level>8</email_alert_level>
  </alerts>

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://MASTER_IP:9200</host>
      <host>https://SLAVE_IP:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>

  <cluster>
    <name>wazuh</name>
    <node_name>hids-master</node_name>
    <node_type>master</node_type>
    <key>4576c57f1f235fca97bec4014cb2d542</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>MASTER_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>

# cat /var/ossec/etc/ossec.conf
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://MASTER_IP:9200</host>
      <host>https://SLAVE_IP:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>
  <cluster>
    <name>wazuh</name>
    <node_name>hids-slave</node_name>
    <node_type>worker</node_type>
    <key>4576c57f1f235fca97bec4014cb2d542</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>MASTER_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>

# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild is running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...


Thanks,
Kirijan J

Benjamin Nworah

Sep 25, 2024, 11:13:50 AM
to Wazuh | Mailing List
Hello Kirijan,

Reviewing the content of /var/ossec/etc/ossec.conf on the worker node, I see that the attribute <email_notification> (as shown below) is set to no. Kindly replace it with yes.

# cat /var/ossec/etc/ossec.conf
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>x.x.x.x</smtp_server>
  
For vulnerability detection, please replace the values of <host> with the IP addresses of your Wazuh indexers:

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://MASTER_IP:9200</host>
      <host>https://SLAVE_IP:9200</host>

    </hosts>

Additionally, you must save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool:

/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>


Finally, restart the Wazuh manager

systemctl restart wazuh-manager

Please let me know if this helps.

Regards,
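As an added illustration of the reply above (example code written for this page, not part of the thread or of Wazuh itself): every manager node in a Wazuh cluster runs wazuh-analysisd for the agents that report to it, so a worker's own <email_notification> and <indexer> block decide whether alerts from its agents are mailed and whether its vulnerability state reaches the indexer. The script below checks those settings offline in an ossec.conf. The two sample files it writes are constructed to mirror the master/worker pair in the first post; the temporary paths are assumptions of the example, and the keystore credentials the reply mentions are not something a config file can show.

```shell
#!/bin/sh
# Added example, not from the thread or from Wazuh: sanity-check the mail and
# indexer settings in a manager node's ossec.conf. Sample configs are
# constructed below; nothing here talks to a real manager or indexer.

# Value of the first <inner>...</inner> found inside <block>...</block> in file $3.
# Scoping to the block matters because <enabled> appears in several sections.
block_value() {
  sed -n "/<$1>/,/<\/$1>/p" "$3" | sed -n "s:.*<$2>\([^<]*\)</$2>.*:\1:p" | head -n 1
}

# Every <host> listed under <indexer>, one per line (empty if none).
indexer_hosts() {
  sed -n '/<indexer>/,/<\/indexer>/p' "$1" | sed -n 's:.*<host>\([^<]*\)</host>.*:\1:p'
}

# Exit 0 when this node can mail alerts and push vulnerability state, else 1.
precheck() {
  conf=$1
  node=$(block_value cluster node_name "$conf")
  type=$(block_value cluster node_type "$conf")
  rc=0
  # wazuh-maild only starts when this is "yes"; a worker with "no" sends no mail
  # for its own agents even though the master is configured correctly.
  if [ "$(block_value global email_notification "$conf")" != "yes" ]; then
    echo "$node ($type): email_notification is not yes; wazuh-maild will not run here"
    rc=1
  fi
  if [ "$(block_value indexer enabled "$conf")" != "yes" ]; then
    echo "$node ($type): <indexer> is disabled; vulnerability state will not be indexed"
    rc=1
  fi
  if [ -z "$(indexer_hosts "$conf")" ]; then
    echo "$node ($type): no <host> entries under <indexer>"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "$node ($type): mail and indexer settings look consistent"
  fi
  return "$rc"
}

# Constructed sample configs (assumed paths), shaped like the posted ones.
WORK=$(mktemp -d)
MASTER_CONF=$WORK/master-ossec.conf
WORKER_CONF=$WORK/worker-ossec.conf

cat >"$MASTER_CONF" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
  </global>
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://MASTER_IP:9200</host>
      <host>https://SLAVE_IP:9200</host>
    </hosts>
  </indexer>
  <cluster>
    <node_name>hids-master</node_name>
    <node_type>master</node_type>
  </cluster>
</ossec_config>
EOF

cat >"$WORKER_CONF" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
  </global>
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://MASTER_IP:9200</host>
      <host>https://SLAVE_IP:9200</host>
    </hosts>
  </indexer>
  <cluster>
    <node_name>hids-slave</node_name>
    <node_type>worker</node_type>
  </cluster>
</ossec_config>
EOF

precheck "$MASTER_CONF"
precheck "$WORKER_CONF" || true   # the worker fails, matching the symptom in the thread
```

Run it against /var/ossec/etc/ossec.conf on each manager node (for example `precheck /var/ossec/etc/ossec.conf`) after editing; a worker that prints the email_notification line is the one whose wazuh-maild shows "not running" in wazuh-control status.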

Aadithya Kiran

Dec 9, 2024, 5:35:59 AM
to Wazuh | Mailing List

<indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://MASTER_IP:9200</host>
      <host>https://SLAVE_IP:9200</host>

    </hosts>


I have the indexer installed on a separate machine (only one), the master is installed on one machine and the slave on another, so three machines in total. Should I give my indexer IP (that one machine's IP), or should I give my manager master and slave IPs?