Incorrect last scan dates.


Marcio Costa

May 3, 2017, 8:50:34 AM
to Wazuh mailing list

Hello team:

In Kibana -> Wazuh App dashboard, all clients and manager are active, but when I click in some client or in the manager, the last rootcheck and syscheck dates are not correct.
Thank you for any help.

Below is the log on the client:

2017/05/03 09:02:28 ossec-logcollector: INFO: Started (pid: 19316).
2017/05/03 09:03:28 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/05/03 09:03:28 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2017/05/03 09:04:39 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/ossec/logs/active-responses.log'.
2017/05/03 09:14:44 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2017/05/03 09:14:56 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2017/05/03 09:15:16 rootcheck: INFO: Starting rootcheck scan.
2017/05/03 09:33:05 rootcheck: INFO: Ending rootcheck scan.

The Kibana screen for this client:

Santiago Bassett

May 3, 2017, 5:30:13 PM
to Marcio Costa, Wazuh mailing list
Hi Marcio,

what version of the App are you using? I believe we don't keep track of those times anymore, as the server doesn't really have a good way of providing that information.

Here is how my dashboard for an agent looks:

Inline image 1

And here is the App version:

Inline image 2

I hope that helps,

Santiago.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/523e7a71-1444-45b2-b975-b66febb90d0d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Santiago Bassett

May 3, 2017, 5:45:10 PM
to Marcio Costa, Wazuh mailing list
Actually it looks like a later version adds the scan times. Mine is not the latest, so I would need to look more into the issue.

Marcio Costa

May 4, 2017, 9:18:40 AM
to Wazuh mailing list, marc...@gmail.com

Version:
App version 2.0.0
Install date 2017-05-02T18:40:16.571Z
Revision 0333

The dates were updated only when the agent was added. After that, only the last keep-alive date/time is still updated.


All agents and the server have port 1514/udp open.


Below is the ossec.log on an agent; I conclude that the checks are still running correctly every day.


2017/05/03 09:03:28 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/05/03 09:03:28 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2017/05/03 09:04:39 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/ossec/logs/active-responses.log'.
2017/05/03 09:14:44 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2017/05/03 09:14:56 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2017/05/03 09:15:16 rootcheck: INFO: Starting rootcheck scan.
2017/05/03 09:33:05 rootcheck: INFO: Ending rootcheck scan.

2017/05/03 20:18:05 ossec-syscheckd: INFO: Starting syscheck scan.
2017/05/03 20:30:19 ossec-syscheckd: INFO: Ending syscheck scan.
2017/05/04 05:35:19 rootcheck: INFO: Starting rootcheck scan.
2017/05/04 05:55:44 rootcheck: INFO: Ending rootcheck scan.
2017/05/04 07:30:44 ossec-syscheckd: INFO: Starting syscheck scan.
2017/05/04 07:42:59 ossec-syscheckd: INFO: Ending syscheck scan.


Best regards.

Jesus Linares

May 4, 2017, 1:12:04 PM
to Wazuh mailing list, marc...@gmail.com
Hi Marcio,

we found the issue. The API is getting the wrong date. It is fixed here: https://github.com/wazuh/wazuh-api/commit/c3d7a49b5a571c74b46d3b5d0d7cbd4f8240f8aa.

The fix will be available in the next release. Meanwhile, you can edit the file /var/ossec/api/framework/wazuh/syscheck.py and change:
  • Line 124: date_last instead of date_first.
  • Line 130: date_last instead of date_first.
Thanks.
Regards.

Marcio Costa

May 5, 2017, 7:35:46 AM
to Wazuh mailing list, marc...@gmail.com

Hi Team.
Working again.
Thank you.

Marcio Costa

May 8, 2017, 10:14:45 AM
to Wazuh mailing list, marc...@gmail.com
Hi team.

I believe that the file /var/ossec/api/framework/wazuh/rootcheck.py, lines 340 and 346 must be changed from date_first to date_last to show the correct date too.

SELECT max(date_last)

Regards.
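An added example (not code from the thread or from the Wazuh project) that reproduces the date_first/date_last mix-up discussed in Jesus's syscheck.py fix and Marcio's rootcheck.py note: it replays the scan end times from the ossec.log excerpt above into a simplified in-memory table and runs the API-style `max()` query both ways. The `event` table, the `ITEMS` list and the `last_scan` helper are assumptions for this illustration, not Wazuh's actual schema or API code.

```python
import re
import sqlite3
from datetime import datetime

# Constructed from the ossec.log lines posted earlier in the thread.
AGENT_LOG = """\
2017/05/03 09:03:28 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/05/03 09:14:56 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2017/05/03 09:15:16 rootcheck: INFO: Starting rootcheck scan.
2017/05/03 09:33:05 rootcheck: INFO: Ending rootcheck scan.
2017/05/03 20:18:05 ossec-syscheckd: INFO: Starting syscheck scan.
2017/05/03 20:30:19 ossec-syscheckd: INFO: Ending syscheck scan.
2017/05/04 05:35:19 rootcheck: INFO: Starting rootcheck scan.
2017/05/04 05:55:44 rootcheck: INFO: Ending rootcheck scan.
2017/05/04 07:30:44 ossec-syscheckd: INFO: Starting syscheck scan.
2017/05/04 07:42:59 ossec-syscheckd: INFO: Ending syscheck scan.
"""
SCAN_END = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \S+: INFO: Ending (syscheck|rootcheck) scan")
# Constructed stand-in for the objects each module checks (real agents have many more).
ITEMS = {"syscheck": ["/etc/passwd", "/etc/hosts"], "rootcheck": ["cis:1.1", "cis:2.3"]}

def scan_ends(log):
    """Completed scans in log order: [(module, 'YYYY-MM-DD HH:MM:SS'), ...]."""
    out = []
    for line in log.splitlines():
        m = SCAN_END.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            out.append((m.group(2), ts.strftime("%Y-%m-%d %H:%M:%S")))
    return out

def build_agent_db(log):
    """Assumed, simplified agent database: each checked item records the first time it
    was seen and the last time it was checked. Replaying the scans from the log fills
    it the way a steady, unchanging agent would."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (module TEXT, item TEXT, date_first TEXT, "
                "date_last TEXT, PRIMARY KEY (module, item))")
    for module, ts in scan_ends(log):
        for item in ITEMS[module]:
            con.execute("INSERT OR IGNORE INTO event VALUES (?, ?, ?, ?)", (module, item, ts, ts))
            con.execute("UPDATE event SET date_last = ? WHERE module = ? AND item = ?", (ts, module, item))
    return con

def last_scan(con, module, column):
    """API-style query. column='date_first' reproduces the bug (the value freezes at the
    scan that added the agent); the fix in the linked commits uses 'date_last'."""
    if column not in ("date_first", "date_last"):  # whitelist before interpolating
        raise ValueError(column)
    return con.execute(f"SELECT max({column}) FROM event WHERE module = ?", (module,)).fetchone()[0]
```

Comparing `last_scan(con, module, "date_last")` with the last "Ending ... scan" line in the agent's ossec.log is a quick way to confirm the dashboard value after applying the patch.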

Victor Fernandez

May 8, 2017, 10:23:53 AM
to Marcio Costa, Wazuh mailing list
Hi Marcio,

we also detected the problem and it has already been fixed: https://github.com/wazuh/wazuh-api/commit/df52d82cebf1d0848d3bffa391aeb01d1fd0a55f

Thank you very much for your feedback and notifying us.

Best regards.
Victor.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.

Alex

Jun 19, 2017, 5:54:54 AM
to Wazuh mailing list
Hello team,

I am running wazuh in docker and I am using your wazuh/wazuh image.
I have noticed that the bug described above is not solved in this image because the image pulls the master branch of wazuh-api. The fixes are for now only pushed to the master branch. When do you plan to update the stable one?

Greetings!

Jesus Linares

Jun 19, 2017, 6:39:16 AM
to Wazuh mailing list
Hi Alex,

We are running the latest tests for v2.0.1, so it will be released soon. I can't give you an exact date.

Regards.