Failed to start wazuh manager

Rabail Naseer

May 20, 2021, 8:20:18 AM
to Wazuh mailing list
Hi Team,

I have updated the Wazuh manager from 4.0 to 4.1.5, and after the update the Wazuh manager fails to start.

Output of systemctl status wazuh-manager:

● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2021-05-20 17:12:48 PKT; 18s ago
  Process: 2687 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=1/FAILURE)

May 20 17:12:46 manager systemd[1]: Starting Wazuh manager...
May 20 17:12:48 manager env[2687]: 2021/05/20 17:12:48 ossec-analysisd: ERROR: rules_op: Invalid root element "sca".Only "group" is allowed
May 20 17:12:48 manager env[2687]: 2021/05/20 17:12:48 ossec-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/new.xml'.
May 20 17:12:48 manager env[2687]: ossec-analysisd: Configuration error. Exiting
May 20 17:12:48 manager systemd[1]: wazuh-manager.service: control process exited, code=exited status=1
May 20 17:12:48 manager systemd[1]: Failed to start Wazuh manager.
May 20 17:12:48 manager systemd[1]: Unit wazuh-manager.service entered failed state.
May 20 17:12:48 manager systemd[1]: wazuh-manager.service failed.

Screenshot_2.png

Bin Do Tuan Anh

May 20, 2021, 8:23:32 AM
to Wazuh mailing list
Hi, 

It seems like you have an error in the file /var/ossec/etc/rules/new.xml. Can you please share the content of that rule file so we can troubleshoot the issue? 

Kind regards,
Bin. 

Rabail Naseer

May 20, 2021, 8:56:18 AM
to Wazuh mailing list
Below is the screenshot of /var/ossec/etc/rules/new.xml

Screenshot_3.png

Bin Do Tuan Anh

May 20, 2021, 9:13:18 AM
to Wazuh mailing list
Hi, 

I can see that you have added the Centralized configuration to the rules file, and it caused the issue that you have. 

To add the Centralized configuration, you will need to add the content of that new.xml (and it should not be in the folder where it is right now) to this file: /var/ossec/etc/shared/<name-of-the-group>/agent.conf (the <name-of-the-group> can be, for example, default, as by default all the agents are in that group). And please keep in mind that in the Centralized configuration you should have syntax like this:
<agent_config> 
   <sca>
        ....
   </sca>
</agent_config>

 For more details about Centralized configuration you can check it here: 

The folder /var/ossec/etc/rules/ is designed for custom rules. You should add new rules or overwrite the default ones in that folder. For more information I would recommend you to check these pages: 

Please let me know if you need further assistance or if the issue persists. 

Kind regards,
Bin. 
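
Added example (not part of the original thread and not Wazuh project code): a pre-start check in Python for the misplacement diagnosed above, reporting any file in etc/rules whose top-level element is not <group> and any agent.conf whose content is not wrapped in <agent_config>. The function names and sample file contents are constructed for illustration, and accepting top-level <var> in rules files is an assumption.

```python
import glob
import sys
import xml.etree.ElementTree as ET

# Assumption: besides <group>, top-level <var> definitions are accepted in rules files.
RULE_ROOTS = {"group", "var"}
SHARED_ROOTS = {"agent_config"}

# Constructed samples: the misplaced file from the thread, and the two correct forms.
SCA_IN_RULES = "<sca>\n  <enabled>yes</enabled>\n</sca>\n"
CUSTOM_RULE = """<group name="local,">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <description>Constructed sample rule</description>
  </rule>
</group>
"""
AGENT_CONF = "<agent_config>\n  <sca>\n    <enabled>yes</enabled>\n  </sca>\n</agent_config>\n"


def misplaced_roots(text, allowed):
    """Return the top-level element names in text that are not in allowed."""
    try:
        # Both file types may hold several top-level elements, so wrap before parsing.
        wrapper = ET.fromstring("<wrapper>" + text + "</wrapper>")
    except ET.ParseError as exc:
        return ["unparseable: %s" % exc]
    return [child.tag for child in wrapper if child.tag.lower() not in allowed]


def check_install(base="/var/ossec"):
    """Map each offending file under base to its unexpected top-level elements."""
    targets = [(p, RULE_ROOTS) for p in glob.glob(base + "/etc/rules/*.xml")]
    targets += [(p, SHARED_ROOTS) for p in glob.glob(base + "/etc/shared/*/agent.conf")]
    findings = {}
    for path, allowed in targets:
        with open(path, encoding="utf-8", errors="replace") as handle:
            bad = misplaced_roots(handle.read(), allowed)
        if bad:
            findings[path] = bad
    return findings


if __name__ == "__main__":
    results = check_install(sys.argv[1] if len(sys.argv) > 1 else "/var/ossec")
    for path, bad in sorted(results.items()):
        print("%s: unexpected top-level element(s): %s" % (path, ", ".join(bad)))
    sys.exit(1 if results else 0)
```

Files that strict XML parsing rejects are reported as unparseable rather than skipped, so a rule file that the manager itself accepts may still need a manual look.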

Rabail Naseer

May 21, 2021, 3:44:51 AM
to Wazuh mailing list
Hello do,

I have deleted the new.xml file from /var/ossec/etc/rules and added the new.xml configuration to /var/ossec/etc/shared/default/agent.conf and then started the service. Now it's working perfectly.

Thank you for your quick and positive response.