Wazuh 3.6.0 Error


Dmitriy

Aug 31, 2018, 10:48:05 AM
to Wazuh mailing list
Yesterday, I upgraded Wazuh from 3.2.0 into Docker.

After the upgrade I upgraded and connected all agents from the Wazuh API by bash script.
Wazuh Manager writes that all agents are connected, but I didn't see any logs.
Now, I don't have some logs, and when I try to open some logs I see ERROR:

AGENTS. Error. 3013 - Error in database request: no such table: pm_events.

Juanjo Jiménez

Sep 6, 2018, 3:30:32 AM
to zak...@yandex.ru, Wazuh mailing list
Hello Dmitriy, and sorry for the late response.

Some users have reported the same error, and the team is aware of this and working on fixing it as soon as possible. In the meantime, we would like to get more information about this. Could you please tell me what you were doing in the app to get this error message? Which section did you try to open (Overview, Agents, a specific agent and its visualizations, etc.)?

This way we can try to narrow down the part of our code which is throwing that error message.

Thanks for your patience.

Regards,
Juanjo

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7595fd7b-938b-484f-9136-9f78e84594cb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Dmitriy

Sep 7, 2018, 8:59:11 AM
to Wazuh mailing list
Hello. I get an error when I open Agents and choose the agent.

Pedro Sánchez

Sep 11, 2018, 10:56:02 AM
to zak...@yandex.ru, Wazuh mailing list
Hi Dmitriy,

Were you able to solve the issue? Could you elaborate a little bit on the error you are getting?
We have an open issue with this subject, check it here: https://github.com/wazuh/wazuh/issues/1205

You need to create the table pm_events for those DBs which were not upgraded properly.

sqlite3 /var/ossec/var/db/agents/000-localhost.db
sqlite> CREATE TABLE IF NOT EXISTS pm_event (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    date_first TEXT,
    date_last TEXT,
    log TEXT,
    pci_dss TEXT,
    cis TEXT
);


I hope it helps,
Pedro 'snaow' Sanchez de Castro.

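One way to apply that fix to every agent database at once, as an added example that is not Pedro's or the Wazuh project's code: it uses Python's sqlite3 module with the CREATE TABLE statement above, assumes the default /var/ossec/var/db/agents directory, and assumes the manager is stopped so wazuh-db is not writing to the files while they are changed.

```python
import sqlite3
from pathlib import Path

# Schema exactly as posted in the thread (Pedro's CREATE TABLE statement).
PM_EVENT_DDL = """
CREATE TABLE IF NOT EXISTS pm_event (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    date_first TEXT,
    date_last TEXT,
    log TEXT,
    pci_dss TEXT,
    cis TEXT
);
"""


def has_table(conn, name):
    """Return True if the SQLite database behind conn already has table `name`."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def repair_agent_dbs(db_dir):
    """Add the pm_event table to every *.db under db_dir that lacks it.

    Returns {file name: 'ok' | 'repaired'} so the caller can see which
    databases the upgrade left behind. Idempotent: a second run reports
    every database as 'ok'.
    """
    results = {}
    for path in sorted(Path(db_dir).glob("*.db")):
        conn = sqlite3.connect(str(path))
        try:
            if has_table(conn, "pm_event"):
                results[path.name] = "ok"
            else:
                conn.executescript(PM_EVENT_DDL)
                conn.commit()
                results[path.name] = "repaired"
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    # Default agent DB location from the thread; run with the manager stopped.
    print(repair_agent_dbs("/var/ossec/var/db/agents"))
```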

Dmitriy

Sep 17, 2018, 8:04:52 AM
to Wazuh mailing list
Thank you.
Sorry for the long answer, I couldn't verify it.

What do you mean by
"DBs which were not upgraded properly"?
How are DBs upgraded properly?
I did a new install of Wazuh into Docker without volumes.

So, I created the table in all DBs, and it resolved this issue.

I think that the problem is in the script that creates the DB when an agent joins.







On Tuesday, September 11, 2018 at 17:56:02 UTC+3, Pedro Sanchez wrote:

Dmitriy

Sep 17, 2018, 8:57:44 AM
to Wazuh mailing list
It solved only one issue.

The other issue: I don't see logs in Kibana.
In the agent I see
active-responses.log

for example.

If I do
tail -f /var/ossec/logs/alerts/alerts.log

I see logs, but in Kibana I can't see logs.

kibana.JPG



On Monday, September 17, 2018 at 15:04:52 UTC+3, Dmitriy wrote:

Pedro Sánchez

Sep 18, 2018, 10:09:00 AM
to Дмитрий Тишкин, Wazuh mailing list
Hi Dimitriy,

I am glad you don't have the "pm_events" error anymore; it looks like the DB was re-created when you reinstalled/upgraded the agent.

Regarding the missing alerts in your Kibana interface, we should review the other components involved. If your Manager is generating alerts (alerts.json), something is not working right in Filebeat (optional) -> Logstash -> Elasticsearch -> Kibana.

Are you using a single-host or a distributed architecture? Execute the following command and paste the output:

lsof /var/ossec/logs/alerts/alerts.json

Expected output:

COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
ossec-ana 8213 ossec   10w   REG    8,1    11146 930742 /var/ossec/logs/alerts/alerts.json


Check Logstash logs searching for errors or warnings:

cat /var/log/logstash/logstash-plain.log | grep -i -E "error|warn" 

Check Elasticsearch indices:

curl -XGET localhost:9200/_cat/indices?v  

 
I hope you can send us back the outputs of the above commands.

Best regards,
Pedro.




Dmitriy

Sep 18, 2018, 10:56:53 AM
to Wazuh mailing list
Are you using a single-host or a distributed architecture?

I'm using a Docker architecture. Every component (wazuh, kibana, elastic, logstash) is using a different container.

root@wazuh-manager:/var/ossec/logs/alerts# lsof alerts.json
COMMAND  PID USER   FD   TYPE DEVICE  SIZE/OFF      NODE NAME
filebeat 100 root    3r   REG    9,2 940340471 102631541 alerts.json

Some logs of logstash:
dt logs --tail=100 logstash | grep -i -E "error|warn"


logstash_1       | [2018-09-18T14:41:26,624][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "document_type" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0. You should avoid this feature If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"document_type", :plugin=><LogStash::Outputs::ElasticSearch bulk_path=>"/_xpack/monitoring/_bulk?system_id=logstash&system_api_version=2&interval=1s", hosts=>[http://elasticsearch:9200], sniffing=>false, manage_template=>false, id=>"51f66c9ec66feb8fd59be1157c335c1ddc5fb856d2b248254ae6add289cea7b7", document_type=>"%{[@metadata][document_type]}", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_dca61363-82d2-4da6-be20-97a50410eac9", enable_metric=>true, charset=>"UTF-8">, workers=>1, template_name=>"logstash", template_overwrite=>false, doc_as_upsert=>false, script_type=>"inline", script_lang=>"painless", script_var_name=>"event", scripted_upsert=>false, retry_initial_interval=>2, retry_max_interval=>64, retry_on_conflict=>1, action=>"index", ssl_certificate_verification=>true, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>false>}
logstash_1       | [2018-09-18T14:41:27,136][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://elasticsearch:9200/"}
logstash_1       | [2018-09-18T14:41:27,189][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
logstash_1       | [2018-09-18T14:41:27,311][WARN ][logstash.licensechecker.licensereader] Restored connection to ES instance {:url=>"http://elasticsearch:9200/"}
logstash_1       | [2018-09-18T14:41:27,320][WARN ][logstash.licensechecker.licensereader] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
logstash_1       | [2018-09-18T14:41:54,281][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
logstash_1       | [2018-09-18T14:41:54,768][WARN ][logstash.monitoringextension.pipelineregisterhook] xpack.monitoring.enabled has not been defined, but found elasticsearch configuration. Please explicitly set `xpack.monitoring.enabled: true` in logstash.yml

Elasticsearch indices:

root@cs30975:/www/wazuh# curl -X GET "172.21.0.3:9200/_cat/indices?v"

health status index                           uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .monitoring-kibana-6-2018.09.17 DckGkW4XR4aSIsNTgvAP3Q   1   0       8606            0      2.2mb          2.2mb
yellow open   wazuh-monitoring-3.x-2018.08.30 bmktsLBkQh-14mJFdezclQ   5   1         12            0    173.4kb        173.4kb
yellow open   wazuh-monitoring-3.x-2018.09.07 DlnR-RU4TK-WJMFvPvnD1g   5   1        192            0    444.7kb        444.7kb
yellow open   wazuh-monitoring-3.x-2018.09.14 dx9oD3NjRfWSN6Q5dvkzew   5   1        192            0    376.3kb        376.3kb
yellow open   elastalert_status_silence       5mJzXErQRGCg1cUTr7Pa1w   5   1          0            0      1.2kb          1.2kb
yellow open   elastalert_status               I5bH_IG0QbSJ_ulmwY04yA   5   1          0            0      1.2kb          1.2kb
green  open   .monitoring-es-6-2018.09.12     IaczK_9URvO8eLSV7mCb-A   1   0     351970         2260      172mb          172mb
yellow open   wazuh-monitoring-3.x-2018.09.02 we8jUmjBTPCga4OeFw-aJw   5   1        192            0    539.3kb        539.3kb
yellow open   wazuh-monitoring-3.x-2018.09.03 FU1cw0PnQk6Sr9dFN8pNVA   5   1        192            0      362kb          362kb
yellow open   .wazuh                          X_mqp6wPRCejBAKu_6oFpw   5   1          1            0     11.6kb         11.6kb
yellow open   wazuh-monitoring-3.x-2018.09.09 h4XlCW6_TUmM_FUcxnZyDw   5   1        192            0    377.4kb        377.4kb
yellow open   wazuh-monitoring-3.x-2018.09.10 O0sGLcbHRUqOAZ3CjYODUg   5   1        192            0    274.4kb        274.4kb
yellow open   wazuh-monitoring-3.x-2018.09.04 1L96Kt-1TAmNEsL8iAWuqg   5   1        192            0    326.5kb        326.5kb
yellow open   wazuh-monitoring-3.x-2018.09.06 yE2gGHCkS96C0g7QwW_wHQ   5   1        192            0    623.6kb        623.6kb
green  open   .monitoring-kibana-6-2018.09.13 eK1rIo_WRmyPzmxVi9iUYw   1   0       8640            0        2mb            2mb
green  open   .monitoring-es-6-2018.09.14     9lo7VythR92i43Fp_UQf5A   1   0     369752         2706    176.9mb        176.9mb
green  open   .monitoring-kibana-6-2018.09.14 gVBf39m8TzmzDwNi0Ncrow   1   0       8639            0      1.9mb          1.9mb
yellow open   wazuh-monitoring-3.x-2018.09.18 7WZ1mUolQsiAFkkv_Vd8QQ   5   1        120            0    370.1kb        370.1kb
green  open   .monitoring-es-6-2018.09.17     4qINqvBnS_SQwG66ltBbbQ   1   0     396219         3312    185.3mb        185.3mb
green  open   .monitoring-kibana-6-2018.09.12 H_t1tBOCSP-oKp-hjGTogA   1   0       8639            0      1.9mb          1.9mb
green  open   .monitoring-kibana-6-2018.09.18 rQfrxnx8RqWf-rGLC1_ESQ   1   0       5342            0      1.2mb          1.2mb
green  open   .monitoring-es-6-2018.09.13     zmxGCadbT_m1oUI6XkMvfA   1   0     360862         2360    179.9mb        179.9mb
yellow open   .kibana                         LHRI48ooShmO70AjW6adQQ   5   1          3            0     43.6kb         43.6kb
yellow open   wazuh-monitoring-3.x-2018.09.15 9IY7L_C6ShWCMo3iKSOigQ   5   1        192            0    344.5kb        344.5kb
yellow open   wazuh-monitoring-3.x-2018.09.13 tGS1D-ndSFawNmzU5CYh2Q   5   1        192            0    580.3kb        580.3kb
yellow open   elastalert_status_error         s9kLqzwxR6a4aF_3OYA1gg   5   1          0            0      1.2kb          1.2kb
yellow open   .wazuh-version                  C_hehCjbSsKQ1F_UxZXVcA   1   1          1            0      5.1kb          5.1kb
yellow open   wazuh-monitoring-3.x-2018.09.16 N2CWbsLzS--_Uoo_aCGxDw   5   1        192            0    504.6kb        504.6kb
yellow open   wazuh-monitoring-3.x-2018.08.31 kP10Y98AS66NG-r9FG_rzA   5   1        118            0      427kb          427kb
yellow open   wazuh-monitoring-3.x-2018.09.12 er62L8-aQEuSdgyOd1lYBg   5   1        192            0    461.3kb        461.3kb
yellow open   wazuh-monitoring-3.x-2018.09.01 KgcH0U_BTuiF8aMDZ4GaTA   5   1        192            0    274.5kb        274.5kb
green  open   .monitoring-kibana-6-2018.09.15 xDUfA1r6SsqkMVLsWOOAXQ   1   0       8640            0        2mb            2mb
green  open   .monitoring-es-6-2018.09.18     a9YZfQsNRP-MbKHcbn_oRQ   1   0     251030         4004      134mb          134mb
yellow open   wazuh-monitoring-3.x-2018.09.05 b0Q3Jf2_TzSEL3dlxQOGsA   5   1        192            0    579.5kb        579.5kb
yellow open   wazuh-monitoring-3.x-2018.09.08 1Skc6mlrR3q1XXmq99MdfQ   5   1        192            0    588.7kb        588.7kb
yellow open   elastalert_status_status        dY-1zTxcQ-GTwCAHRm0GNw   5   1     892542            0    117.8mb        117.8mb
green  open   .monitoring-kibana-6-2018.09.16 3aOxo5iCTOKwXA6Bd1Prqg   1   0       8640            0      1.9mb          1.9mb
yellow open   elastalert_status_past          olJ0PEeYSomDM47qHsDxyg   5   1          0            0      1.2kb          1.2kb
green  open   .monitoring-es-6-2018.09.16     E2r8eqABQpyqs90iIQ8opw   1   0     387530         3192    192.3mb        192.3mb
green  open   .monitoring-es-6-2018.09.15     Dv4XvvvSQHGI_1WcdwK5XA   1   0     378599         3328    187.2mb        187.2mb
yellow open   wazuh-monitoring-3.x-2018.09.17 JPozrSOfR3CDVIEJc72tbg   5   1        208            0    351.4kb        351.4kb
yellow open   wazuh-monitoring-3.x-2018.09.11 Ciy97E5AStSHYMpOtF8ZZg   5   1        192            0    379.3kb        379.3kb




I see that Logstash thinks that Elasticsearch is working in xpack mode. So, how can I disable xpack mode of Elastalert in docker-compose.yml?

On Tuesday, September 18, 2018 at 17:09:00 UTC+3, Pedro Sanchez wrote:
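A check over the index listing above, added here and not part of the thread (the sample rows are constructed in the shape of that _cat/indices?v output, with invented uuids and sizes): it parses the table and reports whether any wazuh-alerts-* index holds documents, which is the quickest way to tell whether the Filebeat -> Logstash -> Elasticsearch path is delivering alerts at all, before looking at Kibana.

```python
import re

# Constructed sample in the shape of the listing pasted above: the daily
# wazuh-monitoring index and the app's .wazuh index exist, but there is no
# wazuh-alerts-* index at all, so nothing from alerts.json reached ES.
SAMPLE_NO_ALERTS = """\
health status index                           uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   wazuh-monitoring-3.x-2018.09.18 AAAAAAAAAAAAAAAAAAAAAA   5   1        120            0    370.1kb        370.1kb
yellow open   .wazuh                          BBBBBBBBBBBBBBBBBBBBBB   5   1          1            0     11.6kb         11.6kb
"""

# Constructed healthy case: the daily alerts index is present and has docs.
SAMPLE_WITH_ALERTS = SAMPLE_NO_ALERTS + (
    "yellow open   wazuh-alerts-3.x-2018.09.18     CCCCCCCCCCCCCCCCCCCCCC"
    "   5   1       4821            0      3.1mb          3.1mb\n"
)


def parse_cat_indices(text):
    """Parse `GET /_cat/indices?v` output into one dict per index row.

    The header row names the columns; later rows are split on whitespace,
    which is safe because _cat values never contain spaces. Rows with the
    wrong field count (a wrapped or truncated paste) are skipped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def alert_index_report(rows, pattern=r"^wazuh-alerts-"):
    """Report whether manager alerts are actually landing in Elasticsearch.

    A manager that writes alerts.json but has no wazuh-alerts-* index (or
    only empty ones) means the break is before Kibana, in Filebeat/Logstash.
    """
    alerts = {r["index"]: int(r["docs.count"])
              for r in rows if re.match(pattern, r["index"])}
    monitoring = [r["index"] for r in rows
                  if r["index"].startswith("wazuh-monitoring-")]
    return {
        "alert_indices": alerts,
        "alerts_total_docs": sum(alerts.values()),
        "monitoring_index_count": len(monitoring),
        "alerts_reaching_es": sum(alerts.values()) > 0,
    }
```

On a live system, feed the function the text returned by the curl command from the thread instead of the constructed samples.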

Dmitriy

Sep 18, 2018, 11:19:23 AM
to Wazuh mailing list
Thank you for the tip. 

I solved this problem by changing the configuration of Elasticsearch in the docker-compose.yml file.

In the environment of elasticsearch I added this:

        - xpack.security.enabled=false
        - xpack.monitoring.enabled=false
        - xpack.ml.enabled=false
        - xpack.watcher.enabled=false
        - xpack.graph.enabled=false



On Tuesday, September 18, 2018 at 17:56:53 UTC+3, Dmitriy wrote:
