No events for SCA rule group


Daniel D'Angeli

Dec 22, 2021, 8:49:52 AM
to Wazuh mailing list
Hi,

Wazuh Server / Agent on 4.2.5

I have multiple agents running Windows and I correctly view the passed tests etc.

But when I go to the Events tab in the Wazuh App nothing shows up.

Looking in Discover for rule.groups: sca doesn't show me anything in either the alerts or the archives index.

Any tips?

Regards,
Daniel D.

Mercedes Fernández Argüelles

Dec 22, 2021, 9:46:02 AM
to Wazuh mailing list
Hi Daniel,

Are you able to see the SCA tab in the UI? You should go to Wazuh > Agents, select one of the agents that has SCA enabled and click on the SCA tab:
[Attached screenshot: sca-tab-wide.png]

Could you also share the following information to troubleshoot this?
  • The ossec.conf file of one of the agents
  • Custom SCA policies if you are using any
  • Output of grep -i -E "err|warn" /var/ossec/logs/ossec.log on the agent.

Best regards!
Mercedes.

Daniel D'Angeli

Dec 22, 2021, 9:56:28 AM
to Wazuh mailing list
Hi,

I'm able to see the SCA tab, and as you can see the tests are here with every detail needed.

[Attached screenshot: Screenshot 2021-12-22 at 15-50-54 Wazuh - Elastic.png]

But when I click on the Events tab, nothing shows up.

[Attached screenshot: Screenshot 2021-12-22 at 15-51-37 Wazuh - Elastic.png]

The output of the command you gave me is this:

[Attached screenshot: Screenshot 2021-12-22 155435.png]

You can find attached the ossec.conf of the agent.

Regards,
Daniel D.
[Attachment: ossec.conf]

Mercedes Fernández Argüelles

Dec 22, 2021, 12:38:04 PM
to Wazuh mailing list
Hi Daniel,

A few more questions to keep troubleshooting this:
  • Are the agents generating other alerts in your manager? You could check this with:
      grep 'agent":{"id":"001"' /var/ossec/logs/alerts/alerts.log
      grep <agent-name> /var/ossec/logs/archives/archives.log
  • Just to verify, these two commands return nothing, right?
      grep sca /var/ossec/logs/alerts/alerts.log
      grep sca /var/ossec/logs/archives/archives.log
  • What version of wazuh-manager, wazuh-agent, ODFE/Elasticsearch and Kibana are you using?
  • From the manager, output of:
      grep -i -E "err|warn" /var/ossec/logs/ossec.log
  • Content of the SCA rules in the Fail category from the SCA tab.
  • Your manager's ossec.conf file.
  • Output of:
      ll /var/ossec/ruleset/rules/0570-sca_rules.xml
  • And lastly, do you have any custom rules or decoders that are related to SCA?

I'll be waiting for your answer 🙂
Mercedes

Daniel D'Angeli

Dec 23, 2021, 3:46:21 AM
to Wazuh mailing list
Hi Mercedes,

Yes, the agent is correctly generating other alerts.

The commands return everything with the letters "sca" in it, so it's not a viable grep.

The grep for err/warn returns this:

2021/12/23 09:13:10 wazuh-analysisd: WARNING: Mitre Technique ID 'T1595' not found in database.
2021/12/23 09:13:11 wazuh-analysisd: WARNING: Mitre Technique ID 'T1595' not found in database.
2021/12/23 09:13:11 wazuh-analysisd: WARNING: Mitre Technique ID 'T1595' not found in database.
2021/12/23 09:13:14 wazuh-analysisd: WARNING: Mitre Technique ID 'T1595' not found in database.
2021/12/23 09:13:14 wazuh-analysisd: WARNING: Mitre Technique ID 'T1595' not found in database.

The output of ll /var/ossec/ruleset/rules/0570-sca_rules.xml returns this:

-rw-r-----. 1 root ossec 4288 Nov 12 20:50 /var/ossec/ruleset/rules/0570-sca_rules.xml

The content of the Fail tab in the SCA returns this:

[Attached screenshot: Screenshot 2021-12-23 at 09-40-00 Wazuh - Elastic.png]

I'm using Wazuh Manager / Agent 4.2.5 and ODFE 1.13.2.

We don't have any decoder or rules related to the SCA, only a custom decoder and rule for the Fortigate FW.

You can find attached the Fortigate decoder and the manager's ossec.conf.

Regards,
Daniel D.
[Attachments: ossec.conf, fortigate_decoder.xml, fortigate_rules.xml]

Mercedes Fernández Argüelles

Dec 24, 2021, 5:03:07 AM
to Wazuh mailing list
Hi Daniel,

We'll be setting modulesd debug mode to get further information on the agent and check the manager again. To do so, add the following line to your agent's /var/ossec/etc/local_internal_options.conf:
  modulesd.debug = 2

After that, restart the agent to apply the changes and trigger an SCA scan. Once that's done, please share the output of the following commands:
  • From the agent:
    grep -v scan /var/ossec/logs/ossec.log | grep sca
  • From the manager:
    grep "\->sca" /var/ossec/logs/archives/archives.log

Mercedes.
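Daniel notes above that a plain grep for "sca" on alerts.log matches every line containing that substring (for example "escalation"), which makes it a noisy way to confirm whether the manager is emitting SCA alerts at all. The following added example (not code from the thread or from Wazuh) does the stricter check behind the rule.groups: sca filter in Discover: it parses JSON lines in the shape of /var/ossec/logs/alerts/alerts.json (one alert object per line) and counts only alerts whose rule.groups actually contains "sca", per agent id; the sample alerts, rule ids and descriptions are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample lines shaped like Wazuh's alerts.json (one JSON object
# per line). Agent names, rule ids and descriptions are made up for this
# example; they are not data from the thread.
SAMPLE_ALERTS = [
    json.dumps({"agent": {"id": "001", "name": "win-host-1"},
                "rule": {"id": "19007", "groups": ["sca"],
                         "description": "SCA summary: policy scan finished"}}),
    json.dumps({"agent": {"id": "001", "name": "win-host-1"},
                "rule": {"id": "100100", "groups": ["fortigate", "firewall"],
                         "description": "Fortigate: privilege escalation attempt"}}),
    json.dumps({"agent": {"id": "002", "name": "win-host-2"},
                "rule": {"id": "19008", "groups": ["sca"],
                         "description": "SCA check failed: audit policy"}}),
    "not json at all",  # malformed line: must be skipped, not crash the scan
]


def iter_alerts(lines):
    """Yield parsed alert objects, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_sca_alert(alert):
    """True only when 'sca' is one of the rule's groups (exact group match)."""
    return "sca" in alert.get("rule", {}).get("groups", [])


def sca_alerts_by_agent(lines):
    """Count real SCA alerts per agent id, i.e. what rule.groups: sca selects."""
    counts = Counter()
    for alert in iter_alerts(lines):
        if is_sca_alert(alert):
            counts[alert.get("agent", {}).get("id", "?")] += 1
    return dict(counts)


def substring_hits(lines, needle="sca"):
    """How many raw lines a case-insensitive `grep -i sca` would match."""
    return sum(1 for line in lines if needle in line.lower())
```

On the constructed sample, substring_hits reports 3 lines (the Fortigate "escalation" alert included) while sca_alerts_by_agent reports one SCA alert each for agents 001 and 002; run it against the real alerts.json to see whether any agent produces SCA alerts at all.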