Wazuh ossec.conf and agent.conf


Cláudio Lopes

May 30, 2022, 1:02:03 PM
to Wazuh mailing list
Hello guys,

I tried to disable Wazuh's log sniffing in agent.conf, because I want to use it only for FIM.

I used a config to neutralize the default config in ossec.conf, overwriting that config with agent.conf. But I keep receiving audit alerts and eventchannel alerts.



<ossec_config>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

and 

  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
    <ignore_binaries>yes</ignore_binaries>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <ignore_binaries>yes</ignore_binaries>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <ignore_binaries>yes</ignore_binaries>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
    <ignore_binaries>yes</ignore_binaries>
  </localfile>


I used that configuration in agent.conf, but I still receive these alerts:

** Alert 1653929035.20368435: - windows,windows_application,
2022 May 30 17:43:55 xxxxxxxxxxx. xxxxxxxxxxx>EventChannel
Rule: 60798 (level 3) -> 'The database engine attached a database'

** Alert 1653927007.19674474: - windows,windows_security,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,


Rule: 512 (level 3) -> 'Windows Audit event.'
Windows Audit: Null sessions allowed {PCI_DSS: 11.4}.


** Alert 1653926465.19584553: - syslog,proftpd,connection_attempt,pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 May 30 17:01:05 (lxxxxxxxxxxxxxxxx) xxxxxxxxxxxxxxxxx->/var/log/messages
Rule: 11201 (level 3) -> 'proftpd: FTP session opened.'


What should I do so the Wazuh agent never reads audit.log or messages.log at all?


Hanes Nahuel Sciarrone

May 30, 2022, 3:32:19 PM
to Wazuh mailing list
Hi Claudio

I hope you are well. Thanks for using Wazuh and sharing your question with the community. From what I understand, you want to use the centralized configuration to replace the default configuration in ossec.conf, am I right? Please follow these steps and share with me the agent and manager log.

  1. Could you please set agent.remote_conf=1 in the agent's local_internal_options.conf file? This file is located in C:\Program Files (x86)\ossec-agent
  2. Could you check for configuration errors? For this you should run the executable /var/ossec/bin/verify-agent-conf in the manager.
Can you please make these changes and let me know if the problem still occurs?

Best regards
Hanes

Cláudio Lopes

Jun 1, 2022, 5:24:39 AM
to Wazuh mailing list
Hello, Hanes.

Thanks for your answer.

1. It was already configured as enabled before.
2. The files are OK.

agent.conf overwrites ossec.conf, right? But I still receive logs like audit.log and the logout and login logs from the secure log.

I am trying to create a config that only does FIM. Sometimes someone forgets to delete the default config in ossec.conf. Because of that I want to use agent.conf to "block" the default configuration.

Can you understand what I want?

Can you help me?

Hanes Nahuel Sciarrone

Jun 1, 2022, 10:11:05 AM
to Wazuh mailing list
Hi Claudio

I understand that you want to use a centralized configuration to modify the ossec.conf in some agents because you don't want to receive some alerts, but I don't understand why you mention FIM when in the first email you mention the localfile configuration, which is Logcollector. I would like to know some things:

  1. Could you validate that the alerts you receive and want to ignore are generated by the localfile configuration?
  2. Do you have a group in the manager, or are all the agents in the default group?

Regarding the question of whether agent.conf overwrites ossec.conf: actually, there is a merge between these files, not an overwrite. Could you share with me the ossec.log of the manager and of an agent you want to send the agent.conf to? Could you send me the full alert you want to ignore? With the full alert maybe I could find the functionality that generates it.

Best regards
Hanes

Cláudio Lopes

Jun 1, 2022, 10:33:58 AM
to Wazuh mailing list
Hello,

Yes, I showed you my ossec.conf with the default configuration and my failed attempt to overwrite it with ignore_binaries in agent.conf.

Example alerts:

** Alert 1654093065.13103407: - pam,syslog,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Jun 01 15:17:45 (hostname) ip->/var/log/secure
Rule: 5502 (level 3) -> 'PAM: Login session closed.'
User: grid
Jun  1 15:17:44 hostname sshd[8397]: pam_unix(sshd:session): session closed for user grid

** Alert 1654093065.13103817: - syslog,sshd,authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Jun 01 15:17:45 (hostname) ip->/var/log/secure
Rule: 5715 (level 3) -> 'sshd: authentication success.'
Src IP: 172.23.106.225
User: grid
Jun  1 15:17:44 hostname sshd[8426]: Accepted publickey for grid from 172.23.106.225 port 15623 ssh2: RSA SHA256:reqhPAqTaRiZS41fmxWrKHAjHsqG9ByiY


** Alert 1653882482.3374317: - windows,windows_security,group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 May 30 04:48:02 (x) ip->EventChannel
Rule: 60147 (level 5) -> 'Security Enabled Local Group Changed'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4735","version":"0","level":"0","task":"13826","opcode":"0","keywords":"0x8020000000000000","systemTime":"2022-05-30T03:48:01.505797900Z","eventRecordID":"19084425121","processID":"716","threadID":"21816","channel":"Security","computer":","severityValue":"AUDIT_SUCCESS","message":"\"A security-enabled local group was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\hostname$\r\n\tAccount Domain:\t\\r\n\tLogon ID:\t\t0x3E7\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-544\r\n\tGroup Name:\t\tAdministrators\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-\""},"eventdata":{"targetUserName":"Administrators","targetDomainName":"Builtin","targetSid":"S-1-5-32-544","subjectUserSid":"S-1-5-18","subjectUserName":"hostname$","subjectDomainName":"teste","subjectLogonId":"0x3e7"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {2434555-33-4994-A5BA-899098}
win.system.eventID: 4735
win.system.version: 0
win.system.level: 0
win.system.task: 13826
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2022-05-30T03:48:01.505797900Z
win.system.eventRecordID: 19084425121
win.system.processID: 716
win.system.threadID: 21816
win.system.channel: Security
win.system.computer: hostname 
win.system.severityValue: AUDIT_SUCCESS
win.system.message: "A security-enabled local group was changed.


** Alert 1653882350.3371821: - audit,audit_selinux,pci_dss_10.6.1,gdpr_IV_35.7.d,gdpr_IV_30.1.g,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,
2022 May 30 04:45:50 (hostname ) ip ->/var/log/audit/audit.log
Rule: 80730 (level 3) -> 'Auditd: SELinux permission check'
type=AVC msg=audit(1653882350.031:1264819938): avc:  denied  { read write } for  pid=96244 comm="chronyc" path=path" dev="dm-8" ino=1616837 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=fifo_file permissive=0
audit.type: AVC
audit.id: 12648193338
audit.pid: 96244
audit.command: chronyc



--------------------------------------------------------------------------------------

The only logs I would like to receive are the checksum logs.

agent log:

2022/06/01 10:10:44 wazuh-modulesd:syscollector: ERROR: stoi
2022/06/01 10:10:45 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 11:10:45 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 11:10:48 wazuh-modulesd:syscollector: ERROR: stoi
2022/06/01 11:10:48 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 12:10:49 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 12:10:54 wazuh-modulesd:syscollector: ERROR: stoi
2022/06/01 12:10:54 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 13:10:55 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 13:10:56 wazuh-modulesd:syscollector: ERROR: stoi
2022/06/01 13:10:56 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 13:11:52 rootcheck: INFO: Starting rootcheck scan.
2022/06/01 13:13:10 rootcheck: INFO: Ending rootcheck scan.
2022/06/01 13:14:58 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2022/06/01 13:17:26 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/06/01 14:10:57 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 14:11:01 wazuh-modulesd:syscollector: ERROR: stoi
2022/06/01 14:11:01 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 15:11:02 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 15:11:04 wazuh-modulesd:syscollector: ERROR: stoi
2022/06/01 15:11:04 wazuh-modulesd:syscollector: INFO: Evaluation finished.


server log:


2022/06/01 00:00:10 wazuh-monitord: INFO: Starting new log after rotation.
2022/06/01 00:42:47 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 00:42:47 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 01:42:48 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 01:42:48 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 02:42:49 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 02:42:49 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 03:42:50 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 03:42:50 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 04:42:51 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 04:42:51 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 05:42:16 sca: INFO: Starting Security Configuration Assessment scan.
2022/06/01 05:42:16 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_rhel8_linux.yml'
2022/06/01 05:42:29 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_rhel8_linux.yml'
2022/06/01 05:42:29 sca: INFO: Security Configuration Assessment scan finished. Duration: 13 seconds.
2022/06/01 05:42:52 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 05:42:52 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 05:44:03 rootcheck: INFO: Starting rootcheck scan.
2022/06/01 05:44:08 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/system_audit_rcl.txt'
2022/06/01 05:44:08 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/cis_debian_linux_rcl.txt'
2022/06/01 05:44:08 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/cis_rhel_linux_rcl.txt'
2022/06/01 05:44:08 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt'
2022/06/01 05:44:38 rootcheck: INFO: Ending rootcheck scan.
2022/06/01 06:42:53 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 06:42:53 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 07:42:54 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 07:42:54 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 08:42:55 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 08:42:55 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 09:42:56 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 09:42:56 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 10:42:57 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 10:42:57 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 11:42:58 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 11:42:58 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 12:42:59 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 12:42:59 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 13:42:20 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2022/06/01 13:42:23 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/06/01 13:43:00 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 13:43:00 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 14:43:01 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 14:43:01 wazuh-modulesd:syscollector: INFO: Evaluation finished.


Can you help me with this information?

Hanes Nahuel Sciarrone

Jun 1, 2022, 11:29:09 AM
to Wazuh mailing list
Hi Claudio

I need the complete ossec.log not the partial one because I want to see if there is any information about the centralized configuration. Could you send it to me?

Best regards
Hanes

Cláudio Lopes

Jun 1, 2022, 12:16:26 PM
to Wazuh mailing list
2022/06/01 17:06:47 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2022/06/01 17:06:47 wazuh-modulesd:syscollector: INFO: Module finished.
2022/06/01 17:06:47 wazuh-monitord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:06:47 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:06:47 wazuh-remoted: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:06:47 wazuh-db: ERROR: at run_worker(): at recv(): Connection reset by peer (104)
2022/06/01 17:06:47 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:06:47 wazuh-analysisd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:06:47 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2022/06/01 17:06:47 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:06:47 wazuh-db: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:06:48 wazuh-authd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:06:49 wazuh-authd: INFO: Exiting...
2022/06/01 17:06:49 wazuh-csyslogd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:06:56 wazuh-csyslogd: INFO: Started (pid: 698737).
2022/06/01 17:06:56 wazuh-csyslogd: INFO: Forwarding alerts via syslog to: 'ip'.
2022/06/01 17:06:56 wazuh-dbd: INFO: Database not configured. Clean exit.
2022/06/01 17:06:56 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
2022/06/01 17:06:56 wazuh-agentlessd: INFO: Not configured. Exiting.
2022/06/01 17:06:56 wazuh-authd: INFO: Started (pid: 698769).
2022/06/01 17:06:56 wazuh-authd: INFO: Accepting connections on port 1515.
2022/06/01 17:06:56 wazuh-authd: INFO: Setting network timeout to 1.000000 sec.
2022/06/01 17:06:57 wazuh-db: INFO: Started (pid: 698785).
2022/06/01 17:06:58 wazuh-execd: INFO: Started (pid: 698810).
2022/06/01 17:06:59 wazuh-analysisd: INFO: Total rules enabled: '3889'
2022/06/01 17:06:59 wazuh-analysisd: INFO: Started (pid: 698824).
2022/06/01 17:06:59 wazuh-analysisd: INFO: (7200): Logtest started
2022/06/01 17:07:00 wazuh-syscheckd: WARNING: The check_unixaudit option is deprecated in favor of the SCA module.
2022/06/01 17:07:00 wazuh-syscheckd: INFO: Started (pid: 698886).
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/logs/gpg/random_seed'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mnttab'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6000): Starting daemon...
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 79200 seconds
2022/06/01 17:07:00 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2022/06/01 17:07:00 rootcheck: INFO: Starting rootcheck scan.
2022/06/01 17:07:01 wazuh-remoted: INFO: Started (pid: 698904). Listening on port 1514/TCP,UDP (secure).
2022/06/01 17:07:01 wazuh-remoted: ERROR: Invalid shared file 'ossec.zip2' in group 'default'. Ignoring it.
2022/06/01 17:07:01 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2022/06/01 17:07:02 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2022/06/01 17:07:02 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2022/06/01 17:07:02 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2022/06/01 17:07:02 wazuh-monitord: INFO: Started (pid: 698982).
2022/06/01 17:07:02 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
2022/06/01 17:07:02 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2022/06/01 17:07:02 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/messages'.
2022/06/01 17:07:02 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/secure'.
2022/06/01 17:07:02 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/maillog'.
2022/06/01 17:07:02 wazuh-logcollector: INFO: Started (pid: 698967).
2022/06/01 17:07:03 wazuh-modulesd: INFO: Started (pid: 699125).
2022/06/01 17:07:03 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/06/01 17:07:03 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/06/01 17:07:03 sca: INFO: Module started.
2022/06/01 17:07:03 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_rhel8_linux.yml'
2022/06/01 17:07:03 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/06/01 17:07:03 sca: INFO: Starting Security Configuration Assessment scan.
2022/06/01 17:07:03 wazuh-modulesd:database: INFO: Module started.
2022/06/01 17:07:03 wazuh-modulesd:control: INFO: Starting control thread.
2022/06/01 17:07:03 wazuh-modulesd:download: INFO: Module started.
2022/06/01 17:07:03 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2022/06/01 17:07:03 wazuh-modulesd:syscollector: INFO: Module started.
2022/06/01 17:07:03 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 17:07:03 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_rhel8_linux.yml'
2022/06/01 17:07:03 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/06/01 17:07:03 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 17:07:06 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/system_audit_rcl.txt'
2022/06/01 17:07:06 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/cis_debian_linux_rcl.txt'
2022/06/01 17:07:06 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/cis_rhel_linux_rcl.txt'
2022/06/01 17:07:06 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt'
2022/06/01 17:07:15 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_rhel8_linux.yml'
2022/06/01 17:07:15 sca: INFO: Security Configuration Assessment scan finished. Duration: 12 seconds.
2022/06/01 17:07:38 rootcheck: INFO: Ending rootcheck scan.





ossec.log of the agent:

2022/06/01 17:07:37 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:07:37 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:07:37 wazuh-agentd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:07:37 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2022/06/01 17:07:37 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/06/01 17:07:37 wazuh-agentd: WARNING: The <server-ip> tag is deprecated, please use <server><address> instead.
2022/06/01 17:07:37 wazuh-logcollector: ERROR: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2022/06/01 17:07:37 wazuh-logcollector: ERROR: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2022/06/01 17:07:37 wazuh-logcollector: ERROR: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2022/06/01 17:07:37 wazuh-execd: INFO: Started (pid: 3414866).
2022/06/01 17:07:38 wazuh-agentd: WARNING: The <server-ip> tag is deprecated, please use <server><address> instead.
2022/06/01 17:07:38 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2022/06/01 17:07:38 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2022/06/01 17:07:38 wazuh-agentd: INFO: Version detected -> Linux |hostname |4.18.0-305.17.1.el8_4.x86_64 |#1 SMP Mon Aug 30 07:26:31 EDT 2021 |x86_64 [Red Hat Enterprise Linux|rhel: 8.4 (Ootpa)] - Wazuh v4.2.6
2022/06/01 17:07:38 wazuh-agentd: INFO: Started (pid: 3414893).
2022/06/01 17:07:38 wazuh-agentd: INFO: Agent buffer disabled.
2022/06/01 17:07:38 wazuh-agentd: INFO: Server IP Address: ip
2022/06/01 17:07:38 wazuh-agentd: INFO: Using AES as encryption method.
2022/06/01 17:07:38 wazuh-agentd: INFO: Trying to connect to server (ip:1514/tcp).
2022/06/01 17:07:38 wazuh-agentd: INFO: (4102): Connected to the server (ip:1514/tcp).
2022/06/01 17:07:39 wazuh-syscheckd: WARNING: The check_unixaudit option is deprecated in favor of the SCA module.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: Started (pid: 3414918).
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc/hosts', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | report_changes | scheduled'.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/lib', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mnttab'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/usr/scripts/logs'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2022/06/01 17:07:39 rootcheck: INFO: Starting rootcheck scan.
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6000): Starting daemon...
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 79200 seconds
2022/06/01 17:07:39 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2022/06/01 17:07:40 wazuh-logcollector: ERROR: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2022/06/01 17:07:40 wazuh-logcollector: ERROR: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2022/06/01 17:07:40 wazuh-logcollector: ERROR: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2022/06/01 17:07:40 wazuh-modulesd: INFO: Started (pid: 3414945).
2022/06/01 17:07:40 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/06/01 17:07:40 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/06/01 17:07:40 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/06/01 17:07:40 sca: INFO: Module disabled. Exiting.
2022/06/01 17:07:40 wazuh-modulesd:control: INFO: Starting control thread.
2022/06/01 17:07:40 wazuh-modulesd:syscollector: INFO: Module started.
2022/06/01 17:07:40 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/06/01 17:07:41 wazuh-modulesd:syscollector: ERROR: stoi
2022/06/01 17:07:41 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/06/01 17:08:53 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2022/06/01 17:08:53 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2022/06/01 17:08:53 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/audit/audit.log' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/ossec/logs/active-responses.log' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/messages' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/secure' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/maillog' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/messages'.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/secure'.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/maillog'.
2022/06/01 17:08:53 wazuh-logcollector: INFO: Started (pid: 3414937).
2022/06/01 17:08:55 wazuh-logcollector: WARNING: Target 'agent' message queue is full (1024). Log lines may be lost.
2022/06/01 17:09:21 rootcheck: INFO: Ending rootcheck scan.
2022/06/01 17:10:58 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.




I would want wazuh-logcollector not to be working.


Are those logs better?

Hanes Nahuel Sciarrone

Jun 1, 2022, 2:00:32 PM
to Wazuh mailing list

Hi Claudio

These logs are still partial. I need you to send me the complete ossec.log file, please attach the logs to the email. However, with the logs, I could tell you that the centralized configuration is apparently working because there are these logs.

2022/06/01 17:08:53 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/audit/audit.log' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/ossec/logs/active-responses.log' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/messages' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/secure' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/maillog' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/messages'.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/secure'.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/maillog'.

And I remember that you changed the localfile setting in the agent.conf, am I right?

  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
    <ignore_binaries>yes</ignore_binaries>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <ignore_binaries>yes</ignore_binaries>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <ignore_binaries>yes</ignore_binaries>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
    <ignore_binaries>yes</ignore_binaries>
  </localfile>

When you attach the complete logs I will be able to give you more information.

Best regards
Hanes
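The point Hanes makes earlier in the thread (agent.conf is merged with the agent's ossec.conf, not substituted for it) is what the "(1958) ... is duplicated" warnings in the agent log demonstrate. The following Python script is an added example, not code from the thread or from Wazuh: it models that merge over constructed ossec.conf and agent.conf fragments patterned on the ones posted above, predicts which paths logcollector will report as duplicated, cross-checks the prediction against the quoted agent log lines, and shows that no localfile declared in ossec.conf disappears from the merged result.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample modelled on the thread: the agent's local ossec.conf still
# carries the default Linux localfile entries (fragment wrapped so it parses).
OSSEC_CONF = """<ossec_config>
  <localfile><log_format>audit</log_format><location>/var/log/audit/audit.log</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/ossec/logs/active-responses.log</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/log/secure</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/log/maillog</location></localfile>
</ossec_config>"""

# Constructed agent.conf that repeats the same entries, as the one in the thread did.
AGENT_CONF = """<agent_config>
  <localfile><log_format>audit</log_format><location>/var/log/audit/audit.log</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/ossec/logs/active-responses.log</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/log/secure</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/log/maillog</location></localfile>
</agent_config>"""

# Lines quoted from the agent's ossec.log posted in the thread.
AGENT_LOG = """2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/audit/audit.log' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/ossec/logs/active-responses.log' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/messages' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/secure' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: WARNING: (1958): Log file '/var/log/maillog' is duplicated.
2022/06/01 17:08:53 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'."""

# Matches the (1958) warning format shown in the thread and captures the path.
DUP_RE = re.compile(r"WARNING: \(1958\): Log file '([^']+)' is duplicated\.")


def localfile_locations(xml_text):
    """Return the <location> of every <localfile> block, in file order."""
    root = ET.fromstring(xml_text)
    return [lf.findtext("location") for lf in root.iter("localfile")]


def merged_localfiles(ossec_conf, agent_conf):
    """Model the merge Hanes describes: the agent keeps every localfile from its
    own ossec.conf and appends the ones from agent.conf; nothing is removed."""
    return localfile_locations(ossec_conf) + localfile_locations(agent_conf)


def predicted_duplicates(ossec_conf, agent_conf):
    """Locations present more than once after the merge: these are the files
    logcollector reports with warning (1958)."""
    counts = Counter(merged_localfiles(ossec_conf, agent_conf))
    return sorted(loc for loc, n in counts.items() if n > 1)


def logged_duplicates(log_text):
    """Extract the paths flagged as duplicated in an agent's ossec.log."""
    return sorted(DUP_RE.findall(log_text))


def removed_by_agent_conf(ossec_conf, agent_conf):
    """Locations from ossec.conf that the merged result no longer monitors.
    Under merge semantics this is always empty: an agent.conf entry can only
    add a localfile, never switch off one that ossec.conf still declares."""
    merged = set(merged_localfiles(ossec_conf, agent_conf))
    return [loc for loc in localfile_locations(ossec_conf) if loc not in merged]


if __name__ == "__main__":
    print("predicted duplicates:", predicted_duplicates(OSSEC_CONF, AGENT_CONF))
    print("logged duplicates:   ", logged_duplicates(AGENT_LOG))
    print("removed by agent.conf:", removed_by_agent_conf(OSSEC_CONF, AGENT_CONF))
```

Because the merged set still contains every ossec.conf path, stopping logcollector from reading a file means removing its localfile block from the agent's own ossec.conf rather than repeating it in agent.conf.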