Fortigate Wazuh Integration


Burak Dartar

Jan 11, 2022, 6:34:32 AM
to Wazuh mailing list
Hi Guys,

I need help.

I did
Step 1 Enabled syslog in Fortigate firewall to forward log.
Step 2 Added remote port 514 in ossec.conf

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>oss...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>12</email_alert_level>

  </alerts>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- 0.0.0.0/0 accepts syslog from any source address; in production,
         restrict this to the firewall's IP so only the Fortigate can inject events -->
    <allowed-ips>0.0.0.0/0</allowed-ips>
    <local_ip>xx.xx.xx.xx</local_ip>
  </remote>


  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

Step 3 Updated configuration as per recommendation
Step 4 Restarted Wazuh manager

Now I am getting the log, but it is not decoded and I am getting an error. You can see below.

{ "_index": "wazuh-alerts-4.x-2022.01.11", "_type": "_doc", "_id": "6pfnSH4BA7KOwDQ7URx8", "_version": 1, "_score": null, "_source": { "input": { "type": "log" }, "agent": { "name": "wazuh-manager", "id": "000" }, "manager": { "name": "wazuh-manager" }, "rule": { "firedtimes": 2336, "mail": false, "level": 2, "description": "Unknown problem somewhere in the system.", "groups": [ "syslog", "errors" ], "id": "1002", "gpg13": [ "4.3" ] }, "location": "XXXXXXXXX", "decoder": {}, "id": "1641900624.3746240", "full_log": "date=2022-01-11 time=14:30:23 devname=\"FG-AIU-01\" devid=\"XXXXXX\" logid=\"0316013056\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_blk\" level=\"warning\" vd=\"root\" eventtime=1641900623571840486 tz=\"+0300\" policyid=151 sessionid=1485044636 srcip=XXXXXXX srcport=57608 srcintf=\"XXXXXXX\" srcintfrole=\"lan\" dstip=XXXXXX dstport=443 dstintf=\"faillover-wan\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" hostname=\"XXXXXXX\" profile=\"Student - Web Filter\" action=\"blocked\" reqtype=\"direct\" url=\"https://XXXXXXX/\" sentbyte=157 rcvdbyte=0 direction=\"outgoing\" msg=\"URL belongs to a denied category in policy\" method=\"domain\" cat=24 catdesc=\"File Sharing and Storage\"", "timestamp": "2022-01-11T11:30:24.156+0000" }, "fields": { "timestamp": [ "2022-01-11T11:30:24.156Z" ] }, "highlight": { "manager.name": [ "@kibana-highlighted-field@wazuh-manager@/kibana-highlighted-field@" ] }, "sort": [ 1641900624156 ] }

Can you help me?

John Soliani

Jan 11, 2022, 10:32:47 AM
to Wazuh mailing list
Hello,

  Thank you for using Wazuh!

  I see it's all good here: you have configured the device correctly, it's sending data to the manager and the full_log looks complete! The problem here is that Wazuh doesn't have a decoder to understand the log. We have custom basic rules that are triggered based on keywords in the log, just to show a basic detection. The rule ID 1002 probably found the "denied" word in your log and triggered a level 2 alert; this is not an error, it's expected behavior.

  We'll need to adjust the decoders to work with your device. Let me take a look at other Fortigate devices and see if we can create a sibling decoder to join the rules we have for those devices, or if we'll need new decoders and new rules. Thankfully, you've sent a sample to work with, so I can test it in my lab.

  I'll come back to you as soon as I can.

John.-

John Soliani

Jan 11, 2022, 12:04:45 PM
to Wazuh mailing list
Hi,

  We can add a sibling decoder to the actual Fortigate decoder so we can use those rules to generate alerts. The difference is that your logs have a different syntax: they use " to delimit the value, while the stock decoder doesn't have the variable between " characters.
  Create a new file in /var/ossec/etc/decoders, pick a name (I would use fortigate_custom.xml) and add this sibling decoder:

<!-- Sibling of the stock decoder: same name, prematch adjusted to the quoted syntax -->
<decoder name="fortigate-firewall-v3">
    <prematch>^date=\S+ time=\.+ devname=\S+ devid=\S+ logid=\S+ type=\S+ subtype=\S+ </prematch>
</decoder>

<!-- Child decoders: each one extracts fields once the parent has matched -->
<decoder name="fortigate-firewall-v3-child">
    <parent>fortigate-firewall-v3</parent>
    <regex>^date=(\S+) time=(\.+) devname="(\S+)" devid="(\S+)" logid="(\S+)" type="(\S+)" subtype="(\S+)" </regex>
    <order>date, time, devname, devid, logid, type, subtype</order>
</decoder>

<decoder name="fortigate-firewall-v3-child">
    <parent>fortigate-firewall-v3</parent>
    <regex offset="after_parent"> srcip=(\S+) </regex>
    <order>srcip</order>
</decoder>

<decoder name="fortigate-firewall-v3-child">
    <parent>fortigate-firewall-v3</parent>
    <regex offset="after_parent"> proto=(\d+) </regex>
    <order>protocol</order>
</decoder>

<decoder name="fortigate-firewall-v3-child">
    <parent>fortigate-firewall-v3</parent>
    <regex offset="after_regex"> msg="(\.+)" </regex>
    <order>message</order>
</decoder>


  Explanation: we use the same name as the stock decoder, fortigate-firewall-v3, to indicate it's a sibling decoder, then we adjust the prematch so it matches the format of your logs. I've also created some child decoders to show you how to easily extract the data you need from the log after the parent creation. So we now have these variables: date, time, devname, devid, logid, type, subtype, srcip, protocol and message. It is recommended to create one definition/child for each variable, since their order could vary and that won't affect the results.

  In logtest tool, with the sample you sent, we can see this result:

**Phase 1: Completed pre-decoding.
       full event: 'date=2022-01-11 time=14:30:23 devname="FG-AIU-01" devid="XXXXXX" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1641900623571840486 tz="+0300" policyid=151 sessionid=1485044636 srcip=XXXXXXX srcport=57608 srcintf="XXXXXXX" srcintfrole="lan" dstip=XXXXXX dstport=443 dstintf="faillover-wan" dstintfrole="wan" proto=6 service="HTTPS" hostname="XXXXXXX" profile="Student - Web Filter" action="blocked" reqtype="direct" url="https://XXXXXXX/" sentbyte=157 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=24 catdesc="File Sharing and Storage"'
       timestamp: '(null)'
       hostname: 'CentOS71'
       program_name: '(null)'
       log: 'date=2022-01-11 time=14:30:23 devname="FG-AIU-01" devid="XXXXXX" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1641900623571840486 tz="+0300" policyid=151 sessionid=1485044636 srcip=XXXXXXX srcport=57608 srcintf="XXXXXXX" srcintfrole="lan" dstip=XXXXXX dstport=443 dstintf="faillover-wan" dstintfrole="wan" proto=6 service="HTTPS" hostname="XXXXXXX" profile="Student - Web Filter" action="blocked" reqtype="direct" url="https://XXXXXXX/" sentbyte=157 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=24 catdesc="File Sharing and Storage"'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v3'
       date: '2022-01-11'
       time: '14:30:23'
       devname: 'FG-AIU-01'
       devid: 'XXXXXX'
       logid: '0316013056'
       type: 'utm'
       subtype: 'webfilter'
       srcip: 'XXXXXXX'
       protocol: '6'
       message: 'URL belongs to a denied category in policy'

**Phase 3: Completed filtering (rules).
       Rule id: '81603'
       Level: '0'
       Description: 'Fortigate messages grouped.'


  As you can see, a Fortigate stock rule caught the event, which means that the sibling is working properly.

  If you add all the variables from the log to the decoder, you'll be able to match any kind of rules based on this data.

  Hope this helps,
  John.-
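The quoted-versus-unquoted syntax difference and the order-independent child decoders described above, as an added Python example (not code from the thread or from Wazuh's ruleset; it uses Python's re module rather than Wazuh's OS_Regex, and the sample lines are constructed from the anonymized log in the thread):

```python
"""Added example, not code from the thread or from Wazuh's ruleset: a small
parser for the Fortigate key=value syslog line discussed above. It accepts
both the quoted syntax of the poster's logs (devname="FG-AIU-01") and the
unquoted syntax the stock decoder expects (devname=FG-AIU-01), and returns
the same fields, under the same names, as the thread's sibling decoder."""
import re
from typing import Dict

# Constructed sample shaped like the poster's full_log (values anonymized as
# in the thread, cut down to the fields that matter here).
SAMPLE_QUOTED = (
    'date=2022-01-11 time=14:30:23 devname="FG-AIU-01" devid="XXXXXX" '
    'logid="0316013056" type="utm" subtype="webfilter" level="warning" '
    'policyid=151 srcip=XXXXXXX srcport=57608 dstip=XXXXXX dstport=443 '
    'proto=6 service="HTTPS" action="blocked" '
    'msg="URL belongs to a denied category in policy" cat=24'
)
# The same event in the unquoted syntax the stock decoder is written for
# (constructed; msg keeps its quotes because the value contains spaces).
SAMPLE_UNQUOTED = SAMPLE_QUOTED.replace('"', '').replace(
    'msg=URL belongs to a denied category in policy',
    'msg="URL belongs to a denied category in policy"')

# Equivalent of the sibling decoder's <prematch>: the first seven fields must
# open the line in this order; \S+ matches a value with or without quotes.
_PREMATCH = re.compile(
    r'^date=\S+ time=\S+ devname=\S+ devid=\S+ logid=\S+ type=\S+ subtype=\S+ ')

# One key=value token: either a "..." value (may contain spaces) or a bare \S+.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log keys -> field names used in the thread's <order> elements.
FIELD_MAP = {
    "date": "date", "time": "time", "devname": "devname", "devid": "devid",
    "logid": "logid", "type": "type", "subtype": "subtype",
    "srcip": "srcip", "proto": "protocol", "msg": "message",
}

def prematch(line: str) -> bool:
    """True if the line would pass the sibling decoder's prematch."""
    return _PREMATCH.match(line) is not None

def parse_kv(line: str) -> Dict[str, str]:
    """Parse every key=value pair, stripping the quotes of quoted values.
    Order-independent, like one child decoder per field."""
    pairs: Dict[str, str] = {}
    for match in _KV.finditer(line):
        key, quoted, bare = match.groups()
        pairs[key] = quoted if quoted is not None else bare
    return pairs

def decode(line: str) -> Dict[str, str]:
    """Fields the sibling decoder extracts, or {} when the prematch fails
    (Wazuh would then fall through to other decoders, as in the rule 1002 hit)."""
    if not prematch(line):
        return {}
    return {FIELD_MAP[k]: v for k, v in parse_kv(line).items() if k in FIELD_MAP}
```

Running decode() on both samples yields the same ten fields, which is the property the sibling decoder's \S+ captures rely on.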

John Soliani

Jan 11, 2022, 12:07:50 PM
to Wazuh mailing list
  One last thing, do not forget to assign the right permissions and ownership to the file with:

 # chown ossec:ossec /var/ossec/etc/decoders/fortigate_custom.xml
 # chmod 660 /var/ossec/etc/decoders/fortigate_custom.xml

Regards,
John.-

Burak Dartar

Jan 12, 2022, 12:51:51 AM
to John Soliani, Wazuh mailing list
Hi John,

Thank you for your support. I added the above decoder and then the service stopped. I think it encountered some problem.

BR
Burak Dartar

On 11 Jan 2022, at 20:07, John Soliani <john.s...@wazuh.com> wrote:

  One last thing, do not forget to assign the right permissions and ownership to the file with:

John Soliani

Jan 14, 2022, 5:55:22 PM
to Wazuh mailing list
Hey Burak,

  Have you set the right ownership and permissions to the file?
 # chown ossec:ossec /var/ossec/etc/decoders/<FileName>.xml
 # chmod 660 /var/ossec/etc/decoders/<FileName>.xml

  Could you tell me the errors you see in the ossec.log file?
 # grep ERRO  /var/ossec/logs/ossec.log

  If you remove the new file in the etc/decoders folder, is the manager starting correctly?
 # systemctl restart wazuh-manager
 # systemctl status wazuh-manager

Regards,
John.-

Burak Dartar

Jan 16, 2022, 1:54:45 AM
to Wazuh mailing list
Hi John,

[wazuh@wazuh-manager ~]$ systemctl restart wazuh-manager
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: wazuh
Password:
==== AUTHENTICATION COMPLETE ===
Job for wazuh-manager.service failed because the control process exited with error code. See "systemctl status wazuh-manager.service" and "journalctl -xe" for details.
[wazuh@wazuh-manager ~]$ systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2022-01-16 06:53:52 UTC; 12s ago
  Process: 4905 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=1/FAILURE)
  Process: 4977 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=1/FAILURE)
   CGroup: /system.slice/wazuh-manager.service
           ├─26998 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─27038 /var/ossec/bin/wazuh-authd
           ├─27057 /var/ossec/bin/wazuh-db
           ├─27083 /var/ossec/bin/wazuh-execd
           ├─27195 /var/ossec/bin/wazuh-syscheckd
           ├─27213 /var/ossec/bin/wazuh-remoted
           ├─27215 /var/ossec/bin/wazuh-remoted
           ├─27249 /var/ossec/bin/wazuh-logcollector
           ├─27259 /var/ossec/bin/wazuh-monitord
           └─27270 /var/ossec/bin/wazuh-modulesd

Jan 16 06:53:52 wazuh-manager env[4977]: 2022/01/16 06:53:52 wazuh-modulesd: CRITICAL: Couldn't create PID file: (No space left on device)
Jan 16 06:53:52 wazuh-manager env[4977]: 2022/01/16 06:53:52 wazuh-modulesd: ERROR: Couldn't delete PID file.
Jan 16 06:53:52 wazuh-manager env[4977]: wazuh-modulesd: Configuration error. Exiting
Jan 16 06:53:52 wazuh-manager env[4977]: touch: cannot touch ‘/var/ossec/var/run/wazuh-modulesd.failed’: No space left on device

On Saturday, 15 January 2022 at 01:55:22 UTC+3, john.s...@wazuh.com wrote:

Burak Dartar

Jan 16, 2022, 2:51:04 AM
to Wazuh mailing list
Hi John:

I am encountering "Kibana is not ready".

Jan 12 13:27:30 wazuh-manager filebeat: 2022-01-12T13:27:30.384Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:31 wazuh-manager filebeat: 2022-01-12T13:27:31.806Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:33 wazuh-manager filebeat: 2022-01-12T13:27:33.443Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:34 wazuh-manager filebeat: 2022-01-12T13:27:34.813Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:36 wazuh-manager filebeat: 2022-01-12T13:27:36.106Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:37 wazuh-manager filebeat: 2022-01-12T13:27:37.518Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:38 wazuh-manager filebeat: 2022-01-12T13:27:38.573Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:40 wazuh-manager filebeat: 2022-01-12T13:27:40.157Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:41 wazuh-manager filebeat: 2022-01-12T13:27:41.687Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:43 wazuh-manager filebeat: 2022-01-12T13:27:43.029Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:44 wazuh-manager filebeat: 2022-01-12T13:27:44.675Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:46 wazuh-manager filebeat: 2022-01-12T13:27:46.333Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:47 wazuh-manager filebeat: 2022-01-12T13:27:47.747Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 12 13:27:49 wazuh-manager filebeat: 2022-01-12T13:27:49.305Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 16 07:18:12 wazuh-manager kernel: BERT: Boot Error Record Table support is disabled. Enable it by using bert_enable as kernel parameter.
Jan 16 07:18:14 wazuh-manager performance-analyzer-agent-cli: OpenJDK 64-Bit Server VM warning: Option InitialBootClassLoaderMetaspaceSize was deprecated in version 15.0 and will likely be removed in a future release.
Jan 16 07:18:15 wazuh-manager performance-analyzer-agent-cli: ERROR StatusLogger Reconfiguration failed: No configuration found for '73d16e93' at 'null' in 'null'
Jan 16 07:18:15 wazuh-manager performance-analyzer-agent-cli: 07:18:15.846 [main] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.config.PluginSettings - Loading config file /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/pa_config/performance-analyzer.properties failed with error: com.amazon.opendistro.elasticsearch.performanceanalyzer.config.ConfigFileException: java.io.FileNotFoundException: /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/pa_config/performance-analyzer.properties (No such file or directory). Disabling plugin.
Jan 16 07:18:15 wazuh-manager performance-analyzer-agent-cli: 07:18:15.850 [main] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.PerformanceAnalyzerApp - Performance analyzer app stopped due to invalid config status.
Jan 16 07:18:15 wazuh-manager performance-analyzer-agent-cli: 07:18:15.851 [main] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.collectors.StatsCollector - Error in loading metadata for fileLocation: agent-stats-metadata
Jan 16 07:18:19 wazuh-manager vboxadd: depmod: ERROR: openat(/lib/modules/3.10.0-1160.49.1.el7.x86_64, modules.builtin.bin.tmp, 1101, 644): No space left on device
Jan 16 07:18:19 wazuh-manager vboxadd: depmod: ERROR: openat(/lib/modules/3.10.0-1160.49.1.el7.x86_64, modules.devname.tmp, 1101, 644): No space left on device
Jan 16 07:18:20 wazuh-manager filebeat: 2022-01-16T07:18:20.161Z#011ERROR#011instance/beat.go:956#011Exiting: unable to lock data path: open /var/lib/filebeat/filebeat.lock: no space left on device
Jan 16 07:18:22 wazuh-manager filebeat: 2022-01-16T07:18:22.532Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:154#011Failed to connect to backoff(elasticsearch(https://127.0.0.1:9200)): Get "https://127.0.0.1:9200": dial tcp 127.0.0.1:9200: connect: connection refused
Jan 16 07:18:24 wazuh-manager kibana: {"type":"log","@timestamp":"2022-01-16T07:18:24Z","tags":["warning","config","deprecation"],"pid":458,"message":"\"server.defaultRoute\" is deprecated and has been replaced by \"uiSettings.overrides.defaultRoute\""}
Jan 16 07:18:24 wazuh-manager filebeat: 2022-01-16T07:18:24.587Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:154#011Failed to connect to backoff(elasticsearch(https://127.0.0.1:9200)): Get "https://127.0.0.1:9200": dial tcp 127.0.0.1:9200: connect: connection refused
Jan 16 07:18:24 wazuh-manager kibana: {"type":"log","@timestamp":"2022-01-16T07:18:24Z","tags":["error","elasticsearch","data"],"pid":458,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 16 07:18:24 wazuh-manager kibana: {"type":"log","@timestamp":"2022-01-16T07:18:24Z","tags":["error","savedobjects-service"],"pid":458,"message":"Unable to retrieve version information from Elasticsearch nodes."}
Jan 16 07:18:27 wazuh-manager kibana: {"type":"log","@timestamp":"2022-01-16T07:18:27Z","tags":["error","elasticsearch","data"],"pid":458,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 16 07:18:29 wazuh-manager kibana: {"type":"log","@timestamp":"2022-01-16T07:18:29Z","tags":["error","elasticsearch","data"],"pid":458,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 16 07:18:30 wazuh-manager filebeat: 2022-01-16T07:18:30.785Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:154#011Failed to connect to backoff(elasticsearch(https://127.0.0.1:9200)): Get "https://127.0.0.1:9200": dial tcp 127.0.0.1:9200: connect: connection refused
Jan 16 07:18:32 wazuh-manager filebeat: 2022-01-16T07:18:32.622Z#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:180#011failed to publish events: temporary bulk send failure
Jan 16 07:18:33 wazuh-manager systemd-entrypoint: 2022-01-16 07:18:33,438 elasticsearch[node-1][transport_worker][T#4] ERROR Unable to write to stream /var/log/elasticsearch/wazuh-cluster_server.json for appender rolling org.apache.logging.log4j.core.appender.AppenderLoggingException: Error writing to stream /var/log/elasticsearch/wazuh-cluster_server.json
[wazuh@wazuh-manager ~]$ sudo curl "http://localhost:9200/_cat/indices?v" | grep kibana

On Sunday, 16 January 2022 at 09:54:45 UTC+3, Burak Dartar wrote: