Vulnerability detection seems to be disabled or has a problem.


Anders Johansson

Jun 17, 2024, 3:34:52 AM
to Wazuh | Mailing List
Hi,
I have the following message in Wazuh: "Vulnerability detection seems to be disabled or has a problem".
And in the logs I see: "wazuh-analysisd: ERROR: Too many fields for JSON decoder."
Also see this in the logs:

indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh', retrying until the connection is successful.
And after checking the debug log I see:
indexer-connector[16508] indexerConnector.cpp:474 at operator()(): DEBUG: Unable to initialize IndexerConnector for index 'wazuh-states-vulnerabilities-wazuh': No available server. Retrying in 60 seconds.

I also see that I'm missing the /etc/filebeat/certs folder.
I'm running a cluster installed with Ansible, with 3 indexer nodes and separate manager, worker and dashboard nodes.
And this is after going from 4.7.4 to 4.8.0.
Any suggestions?

Best regards,
//Anders

Stuti Gupta

Jun 17, 2024, 5:40:08 AM
to Wazuh | Mailing List
Hi Henrique

Can you please verify that you have followed the vulnerability detection module guide: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html

Please make sure to update the <vulnerability-detection> and <indexer> block in /var/ossec/etc/ossec.conf in version 4.8.0. 

Replace `0.0.0.0` with the indexer IP in the Filebeat config file. For example:
output.elasticsearch.hosts:
  - 127.0.0.1:9200

Use the Wazuh indexer node's IP address or hostname. If you have a Wazuh indexer cluster, add a `<host>` entry for each one of your nodes. For example, in a two-node configuration:
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>

Check the certificate name:
ll /etc/filebeat/certs
Verify the Filebeat certificate name and path are correct and update the `<indexer>` block in `/var/ossec/etc/ossec.conf` accordingly.
In case the certs are missing, you can extract them from wazuh-certificates.tar, which is created at the time of generating the certs.

Save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool:
/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>

After that, save the configuration and restart the manager/cluster using the command:
systemctl restart wazuh-manager

If this didn't resolve the issue, then please share the output of the following command:
cat /var/ossec/logs/ossec.log | grep vul

Refer: https://documentation.wazuh.com/current/upgrade-guide/troubleshooting.html

As for the error 'wazuh-analysisd: ERROR: Too many fields for JSON decoder': it typically occurs when there are too many fields in the JSON message being processed by the Wazuh manager. This can happen when there is a large amount of data being sent to Wazuh. To fix this issue, you can try increasing the analysisd.decoder_order_size parameter in the Wazuh manager configuration file.

/var/ossec/etc/local_internal_options.conf : https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#analysisd

This parameter determines the maximum number of fields in a decoder.
Keep in mind that increasing this value may also increase the CPU and memory usage of the manager.
Once you have made the necessary changes, restart the Wazuh manager and check if the error persists.

I hope this helps; let me know if you have anything else.

Regards.

Hope to hear from you soon
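The steps above (fix the `<host>` placeholder, confirm the cert paths in the `<indexer>` block match what is actually in /etc/filebeat/certs, and adjust analysisd.decoder_order_size in local_internal_options.conf) can be checked before restarting the manager. The following Python script is an added example, not part of this thread and not Wazuh's own tooling. It assumes the documented 4.8 `<indexer>` layout (`<enabled>`, `<hosts><host>`, `<ssl>` with `<certificate_authorities><ca>`, `<certificate>`, `<key>`), that ossec.conf contains no unescaped `&`, and that local_internal_options.conf is plain key=value lines. The sample ossec.conf and the fake certificate directory listing (matching the three wazuh-server files reported later in this thread) are constructed for the demonstration.

```python
"""Sanity checks for the Wazuh 4.8 <indexer> block and local_internal_options.conf.

Added example (not Wazuh's own tooling). Assumes the documented 4.8 <indexer>
layout, no unescaped '&' in ossec.conf, and key=value lines in
local_internal_options.conf. Sample config and directory listing are constructed.
"""
import os
import re
import xml.etree.ElementTree as ET


def parse_indexer_block(conf_text):
    """Return the <indexer> settings from ossec.conf text, or None if absent.
    ossec.conf may hold several top-level <ossec_config> elements, so the text
    is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    block = root.find(".//indexer")
    if block is None:
        return None

    def text(path):
        return (block.findtext(path) or "").strip()

    return {
        "enabled": text("enabled").lower() == "yes",
        "hosts": [h.text.strip() for h in block.findall("hosts/host") if h.text],
        "ca": [c.text.strip() for c in block.findall("ssl/certificate_authorities/ca") if c.text],
        "certificate": text("ssl/certificate"),
        "key": text("ssl/key"),
    }


def _candidates(path, exists, listdir):
    """List same-kind .pem files next to a missing path, e.g. wazuh-server-key.pem
    when ossec.conf still names filebeat-key.pem (key files vs. non-key files)."""
    directory = os.path.dirname(path) or "."
    if not exists(directory):
        return f" (directory {directory} is missing too)"
    want_key = path.endswith("-key.pem")
    names = sorted(n for n in listdir(directory)
                   if n.endswith(".pem") and n.endswith("-key.pem") == want_key)
    return f" (present in {directory}: {', '.join(names)})" if names else ""


def check_indexer_config(conf_text, exists=os.path.exists, listdir=os.listdir):
    """Return a list of findings; empty means nothing obviously wrong.
    exists/listdir are injectable so the check also runs against a constructed listing."""
    cfg = parse_indexer_block(conf_text)
    if cfg is None:
        return ["no <indexer> block found in ossec.conf"]
    findings = []
    if not cfg["enabled"]:
        findings.append("<indexer><enabled> is not 'yes'")
    if not cfg["hosts"]:
        findings.append("no <host> entries under <indexer><hosts>")
    for host in cfg["hosts"]:
        if "0.0.0.0" in host:
            findings.append(f"host {host} still uses the 0.0.0.0 placeholder")
        if not host.startswith("https://"):
            findings.append(f"host {host} is not an https:// URL")
    files = [("ca", p) for p in cfg["ca"]] + [("certificate", cfg["certificate"]), ("key", cfg["key"])]
    for label, path in files:
        if not path:
            findings.append(f"<ssl><{label}> is empty")
        elif not exists(path):
            findings.append(f"{label} file {path} does not exist" + _candidates(path, exists, listdir))
    return findings


_OPTION_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(\S+)\s*$")


def _option_key(line):
    m = _OPTION_RE.match(line)
    return m.group(1) if m else None


def read_internal_option(text, key):
    """Return the last value set for key in local_internal_options.conf text, or None."""
    value = None
    for line in text.splitlines():
        if _option_key(line) == key:
            value = _OPTION_RE.match(line).group(2)
    return value


def set_internal_option(text, key, value):
    """Return the file text with key=value present exactly once (older lines for key dropped)."""
    kept = [line for line in text.splitlines() if _option_key(line) != key]
    kept.append(f"{key}={value}")
    return "\n".join(kept) + "\n"


# Constructed sample: the 4.8 default block (0.0.0.0 placeholder, filebeat.pem names)
# checked against a constructed cert directory holding only the wazuh-server files.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://0.0.0.0:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>
"""
SAMPLE_CERTS = {"/etc/filebeat/certs": ["root-ca.pem", "wazuh-server-key.pem", "wazuh-server.pem"]}


def sample_exists(path):
    directory, name = os.path.split(path)
    return path in SAMPLE_CERTS or name in SAMPLE_CERTS.get(directory, [])


def sample_listdir(path):
    return SAMPLE_CERTS[path]


if __name__ == "__main__":
    for finding in check_indexer_config(SAMPLE_OSSEC_CONF, sample_exists, sample_listdir):
        print("FINDING:", finding)
    # On a live manager: check_indexer_config(open("/var/ossec/etc/ossec.conf").read())
```

Run against the live manager, the script reports the 0.0.0.0 placeholder and any cert path in `<ssl>` that does not exist, listing the key or certificate files that are actually present in that directory so the `<certificate>` and `<key>` entries can be pointed at them; `set_internal_option` is the idempotent way to raise analysisd.decoder_order_size without leaving duplicate lines behind.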

Michael White

Jun 18, 2024, 4:12:45 AM
to Wazuh | Mailing List
I am getting the same notification that vulnerability detection is disabled or has a problem. I followed the configuration instructions but am confused when I get to this portion:

"Save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool:
/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>"


Is this a new account I am creating or is this username and password created during installation?

Stuti Gupta

Jun 18, 2024, 5:31:51 AM
to Wazuh | Mailing List
Hi Michael White

Saving the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool is important because it ensures secure storage and retrieval of these credentials by the Wazuh manager.

/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>
The default step-by-step installation credentials are admin: admin 

Refer: https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html

Hope this helps

Przemysław Michalczyk

Jun 18, 2024, 8:37:03 AM
to Wazuh | Mailing List
I managed to remove the warning in /var/ossec/logs/ossec.log:

WARNING: No username and password found in the keystore, using default values.

By:


"/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>
The default step-by-step installation credentials are admin: admin "

but I still have a problem with:


indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh', retrying until the connection is successful.
2024/06/18 12:02:34 wazuh-modulesd:content-updater: ERROR: Action for 'vulnerability_feed_manager' failed: Orchestration run failed: Error -1 from server: SSL peer certificate or SSH remote key was not OK

After updating to Wazuh 4.8.0, in the directory I have only:

/etc/filebeat/certs# ls
root-ca.pem wazuh-server-key.pem wazuh-server.pem

Renzo Geelhoed

Jun 18, 2024, 8:37:15 AM
to Wazuh | Mailing List
Hi,

I have 3 certificates in /etc/filebeat/certs but no filebeat.key file. You stated: "In case the certs is missing you can extract that from wazuh-certificates.tar that is created at the time of generating certs."
I cannot find this .tar file. Where is it supposed to reside? I have these certs:

root@wazuh03:/etc/filebeat/certs# ls
filebeat-key.pem  filebeat.pem  root-ca.pem

So no filebeat.key.

Kind regards,
Renzo

On Tuesday, June 18, 2024 at 11:31:51 UTC+2, Stuti Gupta wrote:

Michael White

Jun 19, 2024, 4:17:05 AM
to Wazuh | Mailing List
On my installation the certs in the /etc/filebeat/certs/ directory are as follows. I renamed them in ossec.conf and it didn't change anything, I am still getting the indexer-connector error.

-r-------- 1 root root 1204 May 13 14:41 root-ca.pem
-r-------- 1 root root 1704 May 13 14:41 wazuh-server-key.pem
-r-------- 1 root root 1285 May 13 14:41 wazuh-server.pem

Maha

Jun 24, 2024, 7:04:20 AM
to Wazuh | Mailing List
Hi,

Did you solve the issue? I'm facing an issue with the same thing.

Thanks.

Fabio Peruchi

Aug 26, 2024, 1:13:45 AM
to Wazuh | Mailing List
I am facing the same issue. Do you have a solution for this?

Stuti Gupta

Aug 27, 2024, 3:33:34 AM
to Wazuh | Mailing List
For your issue, please open another thread so we can track it better, which will also help other team members.