Syscollector Inventory Not Working For All Agents


Danny

May 31, 2024, 5:43:16 AM
to Wazuh | Mailing List
This is sort of random, which is making it hard to troubleshoot. The Syscollector - Inventory isn't working for all the agents, even though I'm using centralized configs. All of our servers are Rocky Linux 8 VMs, patched to the latest updates, and I'm running the latest Wazuh version (RPMs).

On the Wazuh server:
sudo vim -c 'set filetype=xml' /var/ossec/etc/shared/default/agent.conf

<agent_config profile="TEST">
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>
</agent_config>
sudo systemctl restart wazuh-manager.service

On the agents:
sudo systemctl restart wazuh-agent
...and made sure /var/ossec/etc/shared/agent.conf was updated properly. Watched the logs and I see:
2024/05/30 20:08:25 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/05/30 20:08:28 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Wait an hour or so, and then check the API, but most of the agents keep coming back with:
            "scan": {
               "id": 0,
               "time": "2023-10-18T11:40:47+00:00"
            },

Some, very few though, are working correctly, and come back with:
            "scan": {
               "id": 0,
               "time": "2024-05-30T14:45:08+00:00"
            },

Not sure what else to check. Any suggestions?


Danny

Jun 4, 2024, 5:31:32 AM
to Wazuh | Mailing List
OK, a little more troubleshooting, and it would appear this is strictly an API issue. If I check the local.db file:
sudo sqlite3 /var/ossec/queue/syscollector/db/local.db
...and then install a new package (for example, sqlite3), I see that file show up in local.db.

So then I checked the agent ID database on the Wazuh server, and sure enough, the new package is there as well, with an updated scan time:
sudo sqlite3 /var/ossec/queue/db/291.db "SELECT scan_time,DATETIME(install_time,'unixepoch') as install_time,name,version FROM sys_programs WHERE name LIKE 'sqlite%' LIMIT 2"
2024/05/30 14:44:42|2024-04-12 12:59:39|sqlite-libs|3.26.0-19.el8_9
2024/06/03 13:52:37|2024-06-03 13:35:36|sqlite|3.26.0-19.el8_9

Interesting to note, the original file sqlite-libs did not change the "scan time", only the newer package has the updated scan_time. Why isn't the scan_time being updated?

Also, why is the API not showing the sqlite package getting installed?
curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/$PROPERTY?pretty=true" -H "Authorization: Bearer $TOKEN"  | grep -e '"name":' | grep sqlite
            "name": "sqlite-libs",
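
A health check along the lines of the two checks above, as an added example (not Wazuh code and not from this thread): it reads the newest scan_time from a sys_programs table and compares it with the scan time the API reports, flagging agents whose inventory has gone stale or whose API view lags behind the manager DB. The table layout, the assumption that DB scan times are UTC, and the sample rows are constructed from the values quoted in the thread.

```python
"""Staleness check for Wazuh syscollector inventory (added example, not Wazuh code).
Compares the newest scan_time in an agent's sys_programs table with the scan.time
value the API returns for that agent."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample rows mirroring the two values quoted in the thread.
SAMPLE_ROWS = [
    ("2024/05/30 14:44:42", 1712926779, "sqlite-libs", "3.26.0-19.el8_9"),
    ("2024/06/03 13:52:37", 1717421736, "sqlite", "3.26.0-19.el8_9"),
]


def build_sample_db():
    """In-memory stand-in for /var/ossec/queue/db/<agent_id>.db; the column set is an
    assumption based only on the columns the thread queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_programs "
                 "(scan_time TEXT, install_time INTEGER, name TEXT, version TEXT)")
    conn.executemany("INSERT INTO sys_programs VALUES (?,?,?,?)", SAMPLE_ROWS)
    return conn


def latest_db_scan(conn):
    """Newest scan_time in sys_programs. The 'YYYY/MM/DD HH:MM:SS' layout sorts
    lexicographically, so MAX() on the text column is safe. UTC is assumed."""
    (value,) = conn.execute("SELECT MAX(scan_time) FROM sys_programs").fetchone()
    return datetime.strptime(value, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check_agent(conn, api_scan_time, now_iso, max_age=timedelta(hours=2)):
    """Return findings for one agent.
    api_scan_time / now_iso are ISO 8601 with offset, e.g. 2024-05-30T14:45:08+00:00.
    'db_stale'      : manager DB has not seen a scan within max_age.
    'api_behind_db' : API reports an older scan than the DB actually holds."""
    db_time = latest_db_scan(conn)
    api_time = datetime.fromisoformat(api_scan_time)
    now = datetime.fromisoformat(now_iso)
    findings = []
    if now - db_time > max_age:
        findings.append("db_stale")
    if api_time < db_time:
        findings.append("api_behind_db")
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    print(check_agent(db, "2023-10-18T11:40:47+00:00", "2024-06-03T14:30:00+00:00"))
```

Run against a real deployment, the two inputs come from `sqlite3 /var/ossec/queue/db/<id>.db` and the `/syscollector/<id>/os` API response respectively, one agent at a time.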

Gonzalo Membrillo Solbes

Jun 14, 2024, 3:22:31 AM
to Wazuh | Mailing List
Hello Danny,

As you mention, it appears that it is an API problem, since it should be able to get these changes from the local DB when performing the query. Just to clarify a few things, are you able to see the correct agent inventory from the Dashboard UI?
If the correct information is being displayed there, then the API is also obtaining the correct information. In which case, we would have to see why it's not able to get the updated information from the DB when being queried directly. In order to do so, it would be interesting to see the /var/ossec/logs/api.log file immediately after making such a request.

Regards,
Gonzalo