Wazuh manager get failed
325 views
Skip to first unread message
Umair .3632
Nov 20, 2024, 8:59:12 AM11/20/24
to Wazuh | Mailing List
root@siem-cydeatech:/home/cydeatech# systemctl start wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details.
------------------------------------------------
journalctl -xeu wazuh-manager.service
░░ The job identifier is 610.
Nov 20 18:53:59 siem-cydeatech env[3505]: 2024/11/20 13:53:59 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/os>
Nov 20 18:53:59 siem-cydeatech env[3402]: wazuh-analysisd: Configuration error. Exiting
Nov 20 18:53:59 siem-cydeatech systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit wazuh-manager.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Nov 20 18:53:59 siem-cydeatech systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service has entered the 'failed' state with result 'exit-code'.
Nov 20 18:53:59 siem-cydeatech systemd[1]: Failed to start Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished with a failure.
░░
░░ The job identifier is 610 and the job result is failed.
Nov 20 18:53:59 siem-cydeatech systemd[1]: wazuh-manager.service: Consumed 1.248s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service completed and consumed the indicated resources.
---------------------------------
systemctl start wazuh-dashboard
root@siem-cydeatech:/home/cydeatech# tail -n 50 /var/ossec/logs/ossec.log
2024/11/20 17:08:19 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:19 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:19 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:19 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 37 information.
2024/11/20 17:08:19 wazuh-authd: WARNING: Duplicate name 'IPAMSGL-2020', rejecting enrollment. Failed to get agent-info for agent '037'
2024/11/20 17:08:19 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:08:19 wazuh-authd: INFO: Received request for a new agent (CRM-test) from: 10.6.236.36
2024/11/20 17:08:19 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:08:20 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:08:22 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:08:25 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:25 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:25 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:25 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 28 information.
2024/11/20 17:08:25 wazuh-authd: WARNING: Duplicate name 'CRM-test', rejecting enrollment. Failed to get agent-info for agent '028'
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details.
------------------------------------------------
journalctl -xeu wazuh-manager.service
░░ The job identifier is 610.
Nov 20 18:53:59 siem-cydeatech env[3505]: 2024/11/20 13:53:59 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/os>
Nov 20 18:53:59 siem-cydeatech env[3402]: wazuh-analysisd: Configuration error. Exiting
Nov 20 18:53:59 siem-cydeatech systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit wazuh-manager.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Nov 20 18:53:59 siem-cydeatech systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service has entered the 'failed' state with result 'exit-code'.
Nov 20 18:53:59 siem-cydeatech systemd[1]: Failed to start Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished with a failure.
░░
░░ The job identifier is 610 and the job result is failed.
Nov 20 18:53:59 siem-cydeatech systemd[1]: wazuh-manager.service: Consumed 1.248s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service completed and consumed the indicated resources.
---------------------------------
systemctl start wazuh-dashboard
root@siem-cydeatech:/home/cydeatech# tail -n 50 /var/ossec/logs/ossec.log
2024/11/20 17:08:19 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:19 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:19 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:19 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 37 information.
2024/11/20 17:08:19 wazuh-authd: WARNING: Duplicate name 'IPAMSGL-2020', rejecting enrollment. Failed to get agent-info for agent '037'
2024/11/20 17:08:19 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:08:19 wazuh-authd: INFO: Received request for a new agent (CRM-test) from: 10.6.236.36
2024/11/20 17:08:19 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:08:20 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:08:22 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:08:25 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:25 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:25 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:25 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 28 information.
2024/11/20 17:08:25 wazuh-authd: WARNING: Duplicate name 'CRM-test', rejecting enrollment. Failed to get agent-info for agent '028'
Santiago Padilla Alvarez
Nov 20, 2024, 9:30:22 AM11/20/24
to Wazuh | Mailing List
Hi!
Several things:
- The manager cannot read its main configuration file because of an XML parsing error.
- wazuh-authd is falling because it depends on wazuh-db, which is not running because the manager is not up.
- The logs also show warnings about duplicate agent names. You can solve it by listing registered agents with /var/ossec/bin/agent_control -l and remove duplicate agents with /var/ossec/bin/manage_agents
Regarding the manager error, you can solve it in several ways, first look for any unclosed tags, typos, or malformed XML structures.
You can help yourself with an online web page that verifies XML or with the xmllint tool.
You can use the following command: xmllint /var/ossec/etc/ossec.conf --noout
If there are errors, xmllint will display them, indicating the line and column numbers where the problems are.
If the syntax is correct, it will return nothing.
Remember to restart once the configuration has been changed.
I hope you find it helpful,
best regards!
Several things:
- The manager cannot read its main configuration file because of an XML parsing error.
- wazuh-authd is falling because it depends on wazuh-db, which is not running because the manager is not up.
- The logs also show warnings about duplicate agent names. You can solve it by listing registered agents with /var/ossec/bin/agent_control -l and remove duplicate agents with /var/ossec/bin/manage_agents
Regarding the manager error, you can solve it in several ways, first look for any unclosed tags, typos, or malformed XML structures.
You can help yourself with an online web page that verifies XML or with the xmllint tool.
You can use the following command: xmllint /var/ossec/etc/ossec.conf --noout
If there are errors, xmllint will display them, indicating the line and column numbers where the problems are.
If the syntax is correct, it will return nothing.
Remember to restart once the configuration has been changed.
I hope you find it helpful,
best regards!
Umair .3632
Nov 20, 2024, 9:43:06 AM11/20/24
to Santiago Padilla Alvarez, Wazuh | Mailing List
Hi team,
I checked the conf file there is no error in it.
I also try to list the wazuh agent it not listed as mentioned that manager services failed.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/dk5C2DROnnw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/87944975-a626-4acd-aeae-8ab6206dbaf5n%40googlegroups.com.
Santiago Padilla Alvarez
Nov 20, 2024, 10:38:59 AM11/20/24
to Wazuh | Mailing List
Hi!
Reviewing your logs, apparently in the logs you have passed, this line is incomplete “ERROR: (1226): Error reading XML file 'etc/os”
The full path to the file that has the error does not appear.
Can you check and pass me that complete log? The XML error is from that file.
Any news let us know,
Thanks!
Umair .3632
Nov 21, 2024, 6:04:25 AM11/21/24
to Wazuh | Mailing List
please find the detail below
/home/cydeatech# journalctl -xeu wazuh-manager.service | tail -n 50
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service has entered the 'failed' state with result 'exit-code'.
Nov 21 12:30:43 siem-cydeatech systemd[1]: Failed to start Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished with a failure.
░░
░░ The job identifier is 2632 and the job result is failed.
Nov 21 15:53:55 siem-cydeatech systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution░░ A start job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 2784.
Nov 21 15:53:57 siem-cydeatech env[138470]: 2024/11/21 10:53:57 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/ossec.conf': (line 0).
Nov 21 15:53:57 siem-cydeatech env[138432]: wazuh-analysisd: Configuration error. Exiting
Nov 21 15:53:57 siem-cydeatech systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit wazuh-manager.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Nov 21 15:53:57 siem-cydeatech systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service has entered the 'failed' state with result 'exit-code'.
Nov 21 15:53:57 siem-cydeatech systemd[1]: Failed to start Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished with a failure.
░░
░░ The job identifier is 2784 and the job result is failed.
Nov 21 15:53:57 siem-cydeatech systemd[1]: wazuh-manager.service: Consumed 1.001s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service completed and consumed the indicated resources.
root@siem-cydeatech:/home/cydeatech#
/home/cydeatech# journalctl -xeu wazuh-manager.service | tail -n 50
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service has entered the 'failed' state with result 'exit-code'.
░░ Subject: A start job for unit wazuh-manager.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished with a failure.
░░
Nov 21 15:53:55 siem-cydeatech systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution░░ A start job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 2784.
Nov 21 15:53:57 siem-cydeatech env[138470]: 2024/11/21 10:53:57 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/ossec.conf': (line 0).
Nov 21 15:53:57 siem-cydeatech env[138432]: wazuh-analysisd: Configuration error. Exiting
Nov 21 15:53:57 siem-cydeatech systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit wazuh-manager.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service has entered the 'failed' state with result 'exit-code'.
░░ Subject: A start job for unit wazuh-manager.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished with a failure.
░░
Nov 21 15:53:57 siem-cydeatech systemd[1]: wazuh-manager.service: Consumed 1.001s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service completed and consumed the indicated resources.
Santiago Padilla Alvarez
Nov 21, 2024, 7:53:15 AM11/21/24
to Wazuh | Mailing List
Hi!
can you please pass me the following information?
1.- The output of this command: ls -l /var/ossec/etc/ossec.conf
2.- The complete file (hides sensitive information like ips addresses)
I am waiting for any news to follow up on this help,
Best regards!
can you please pass me the following information?
1.- The output of this command: ls -l /var/ossec/etc/ossec.conf
2.- The complete file (hides sensitive information like ips addresses)
I am waiting for any news to follow up on this help,
Best regards!
Umair .3632
Nov 21, 2024, 11:37:37 PM11/21/24
to Wazuh | Mailing List
home/cydeatech# ls -l /var/ossec/etc/ossec.conf
-rw-r--r-- 1 root root 6950 Nov 21 16:38 /var/ossec/etc/ossec.conf
/home/cydeatech# cat /var/ossec/etc/ossec.conf
<!-- Wazuh - Manager - Default configuration for ubuntu 22.04 -->
<!-- More info at: https://documentation.wazuh.com -->
<!-- Mailing list: https://groups.google.com/forum/#!forum/wazuh -->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wa...@example.wazuh.com</email_from>
<email_to>reci...@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>0.0.0.0/24</allowed-ips>
<local_ip>0.0.0.0</local_ip>
</remote>
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<wodle name="osquery">
<disabled>no</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<provider name="canonical">
<enabled>yes</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<os>jammy</os>
<update_interval>1h</update_interval>
</provider>
<provider name="debian">
<enabled>yes</enabled>
<os>buster</os>
<os>bullseye</os>
<os>bookworm</os>
<update_interval>1h</update_interval>
</provider>
<provider name="redhat">
<enabled>yes</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<os>9</os>
<update_interval>1h</update_interval>
</provider>
<provider name="alas">
<enabled>yes</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<os>amazon-linux-2022</os>
<os>amazon-linux-2023</os>
<update_interval>1h</update_interval>
</provider>
<provider name="suse">
<enabled>yes</enabled>
<os>11-server</os>
<os>11-desktop</os>
<os>12-server</os>
<os>12-desktop</os>
<os>15-server</os>
<os>15-desktop</os>
<update_interval>1h</update_interval>
</provider>
<provider name="arch">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<provider name="almalinux">
<enabled>yes</enabled>
<os>8</os>
<os>9</os>
<update_interval>1h</update_interval>
</provider>
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<provider name="nvd">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<syscheck>
<disabled>no</disabled>
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<alert_new_files>yes</alert_new_files>
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore type="sregex">.log$|.swp$</ignore>
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<process_priority>10</process_priority>
<max_eps>50</max_eps>
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>127.0.0.53</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>log-alert</name>
<executable>log-alert</executable>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>run-shell</name>
<executable>run-shell</executable>
<timeout_allowed>no</timeout_allowed>
</command>
</ossec_config>
/home/cydeatech#
/home/cydeatech# xmllint /var/ossec/etc/ossec.conf --noout
:/home/cydeatech#
as my storage has getting full so i use this command is it possible it is due to this command
Truncate or delete the oversized log file. Use the following command to truncate it without removing the file
> /var/lib/docker/containers/9b7c3c84962f508146a5473c42af11e656141327c4f691428c63a8adac3dda03/9b7c3c84962f508146a5473c42af11e656141327c4f691428c63a8adac3dda03-json.log
-rw-r--r-- 1 root root 6950 Nov 21 16:38 /var/ossec/etc/ossec.conf
/home/cydeatech# cat /var/ossec/etc/ossec.conf
<!-- Wazuh - Manager - Default configuration for ubuntu 22.04 -->
<!-- More info at: https://documentation.wazuh.com -->
<!-- Mailing list: https://groups.google.com/forum/#!forum/wazuh -->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wa...@example.wazuh.com</email_from>
<email_to>reci...@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>0.0.0.0/24</allowed-ips>
<local_ip>0.0.0.0</local_ip>
</remote>
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<wodle name="osquery">
<disabled>no</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<provider name="canonical">
<enabled>yes</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<os>jammy</os>
<update_interval>1h</update_interval>
</provider>
<provider name="debian">
<enabled>yes</enabled>
<os>buster</os>
<os>bullseye</os>
<os>bookworm</os>
<update_interval>1h</update_interval>
</provider>
<provider name="redhat">
<enabled>yes</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<os>9</os>
<update_interval>1h</update_interval>
</provider>
<provider name="alas">
<enabled>yes</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<os>amazon-linux-2022</os>
<os>amazon-linux-2023</os>
<update_interval>1h</update_interval>
</provider>
<provider name="suse">
<enabled>yes</enabled>
<os>11-server</os>
<os>11-desktop</os>
<os>12-server</os>
<os>12-desktop</os>
<os>15-server</os>
<os>15-desktop</os>
<update_interval>1h</update_interval>
</provider>
<provider name="arch">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<provider name="almalinux">
<enabled>yes</enabled>
<os>8</os>
<os>9</os>
<update_interval>1h</update_interval>
</provider>
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<provider name="nvd">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<syscheck>
<disabled>no</disabled>
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<alert_new_files>yes</alert_new_files>
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore type="sregex">.log$|.swp$</ignore>
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<process_priority>10</process_priority>
<max_eps>50</max_eps>
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>127.0.0.53</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>log-alert</name>
<executable>log-alert</executable>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>run-shell</name>
<executable>run-shell</executable>
<timeout_allowed>no</timeout_allowed>
</command>
</ossec_config>
/home/cydeatech#
/home/cydeatech# xmllint /var/ossec/etc/ossec.conf --noout
:/home/cydeatech#
as my storage has getting full so i use this command is it possible it is due to this command
Truncate or delete the oversized log file. Use the following command to truncate it without removing the file
> /var/lib/docker/containers/9b7c3c84962f508146a5473c42af11e656141327c4f691428c63a8adac3dda03/9b7c3c84962f508146a5473c42af11e656141327c4f691428c63a8adac3dda03-json.log
Santiago Padilla Alvarez
Nov 22, 2024, 7:55:41 AM11/22/24
to Wazuh | Mailing List
Hi!
You need to change ownership of ossec.conf file. Set the owner to root and the group to wazuh.
sudo chown root:wazuh /var/ossec/etc/ossec.conf
Also, set permissions to 660. This gives read and writes permissions to the owner (root) and the group (wazuh)
sudo chmod 660 /var/ossec/etc/ossec.conf
Verify the changes again with: ls -l /var/ossec/etc/ossec.conf
You should see something like that: -rw-rw---- 1 root wazuh ... ossec.conf
Finally, remember to restart the manager with sudo systemctl restart wazuh-manager
I hope you find it helpful!
Best regards!
You need to change ownership of ossec.conf file. Set the owner to root and the group to wazuh.
sudo chown root:wazuh /var/ossec/etc/ossec.conf
Also, set permissions to 660. This gives read and writes permissions to the owner (root) and the group (wazuh)
sudo chmod 660 /var/ossec/etc/ossec.conf
Verify the changes again with: ls -l /var/ossec/etc/ossec.conf
You should see something like that: -rw-rw---- 1 root wazuh ... ossec.conf
Finally, remember to restart the manager with sudo systemctl restart wazuh-manager
I hope you find it helpful!
Best regards!
Umair .3632
Nov 24, 2024, 11:54:38 PM11/24/24
to Wazuh | Mailing List
Dear Team,
Still there, issue still persist.
root@# sudo chown root:wazuh /var/ossec/etc/ossec.conf
root@# sudo chmod 660 /var/ossec/etc/ossec.conf
root@# ls -l /var/ossec/etc/ossec.conf
-rw-rw---- 1 root wazuh 6950 Nov 21 16:38 /var/ossec/etc/ossec.conf
root@# sudo systemctl restart wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details.
root@#
Still there, issue still persist.
root@# sudo chown root:wazuh /var/ossec/etc/ossec.conf
root@# sudo chmod 660 /var/ossec/etc/ossec.conf
root@# ls -l /var/ossec/etc/ossec.conf
-rw-rw---- 1 root wazuh 6950 Nov 21 16:38 /var/ossec/etc/ossec.conf
root@# sudo systemctl restart wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details.
Santiago Padilla Alvarez
Nov 25, 2024, 6:43:41 AM11/25/24
to Wazuh | Mailing List
Hi!
After the permissions change and after the restart, can you please pass me the following information again (but after the restart).
Regards!
After the permissions change and after the restart, can you please pass me the following information again (but after the restart).
- sudo systemctl status wazuh-manager.service
- sudo journalctl -xeu wazuh-manager.service
- sudo tail -n 50 /var/ossec/logs/ossec.log
Regards!
Umair .3632
Nov 26, 2024, 12:01:59 AM11/26/24
to Wazuh | Mailing List
/home/cydeatech# systemctl start wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details.
/home/cydeatech# systemctl status wazuh-manager.serviceJob for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details.
× wazuh-manager.service - Wazuh manager
Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2024-11-26 09:57:46 PKT; 16s ago
Process: 267330 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=1/FAILURE)
CPU: 995ms
Nov 26 09:57:43 siem-cydeatech systemd[1]: Starting Wazuh manager...
Nov 26 09:57:46 siem-cydeatech env[267373]: 2024/11/26 04:57:46 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/>
Nov 26 09:57:46 siem-cydeatech env[267330]: wazuh-analysisd: Configuration error. Exiting
Nov 26 09:57:46 siem-cydeatech systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
Nov 26 09:57:46 siem-cydeatech systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
Nov 26 09:57:46 siem-cydeatech systemd[1]: Failed to start Wazuh manager.
...skipping...
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
× wazuh-manager.service - Wazuh manager
Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2024-11-26 09:57:46 PKT; 16s ago
Process: 267330 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=1/FAILURE)
CPU: 995ms
Nov 26 09:57:43 siem-cydeatech systemd[1]: Starting Wazuh manager...
Nov 26 09:57:46 siem-cydeatech env[267373]: 2024/11/26 04:57:46 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/>
Nov 26 09:57:46 siem-cydeatech env[267330]: wazuh-analysisd: Configuration error. Exiting
Nov 26 09:57:46 siem-cydeatech systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
Nov 26 09:57:46 siem-cydeatech systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
Nov 26 09:57:46 siem-cydeatech systemd[1]: Failed to start Wazuh manager.
/home/cydeatech# journalctl -xeu wazuh-manager.service
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has begun execution.
░░
Nov 26 09:57:46 siem-cydeatech env[267373]: 2024/11/26 04:57:46 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/>
Nov 26 09:57:46 siem-cydeatech env[267330]: wazuh-analysisd: Configuration error. Exiting
Nov 26 09:57:46 siem-cydeatech systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit wazuh-manager.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service has entered the 'failed' state with result 'exit-code'.
░░ Subject: A start job for unit wazuh-manager.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished with a failure.
░░
/home/cydeatech# tail -n 50 /var/ossec/logs/ossec.log
2024/11/20 17:08:19 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:19 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:19 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 37 information.
2024/11/20 17:08:19 wazuh-authd: WARNING: Duplicate name 'IPAMSGL-2020', rejecting enrollment. Failed to get agent-info for agent '037'
2024/11/20 17:08:19 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:08:19 wazuh-authd: INFO: Received request for a new agent (CRM-test) from: 10..0.0.02024/11/20 17:08:19 wazuh-authd: WARNING: Duplicate name 'IPAMSGL-2020', rejecting enrollment. Failed to get agent-info for agent '037'
2024/11/20 17:08:19 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:08:19 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:08:20 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:08:22 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:08:25 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:25 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:25 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:25 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 28 information.
2024/11/20 17:08:25 wazuh-authd: WARNING: Duplicate name 'CRM-test', rejecting enrollment. Failed to get agent-info for agent '028'
2024/11/20 17:08:25 wazuh-authd: INFO: Received request for a new agent (Staging-Server2) from: 10.0.0.0
2024/11/20 17:08:25 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:08:26 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:08:28 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:08:31 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:31 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:31 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:31 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 12 information.
2024/11/20 17:08:31 wazuh-authd: WARNING: Duplicate name 'Staging-Server2', rejecting enrollment. Failed to get agent-info for agent '012'
2024/11/20 17:08:31 wazuh-authd: INFO: New connection from 10.0.0.0.0
2024/11/20 17:08:31 wazuh-authd: INFO: Received request for a new agent (WIN-6UAVTM8LKND) from: 10.0.0.0.0
2024/11/20 17:08:31 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:08:32 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:08:34 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:08:37 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:37 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:37 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:37 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 33 information.
2024/11/20 17:08:37 wazuh-authd: WARNING: Duplicate name 'WIN-6UAVTM8LKND', rejecting enrollment. Failed to get agent-info for agent '033'
2024/11/20 17:08:37 wazuh-authd: INFO: New connection from 10.0.0.0.0
2024/11/20 17:08:37 wazuh-authd: INFO: Received request for a new agent (UAT-Members) from: 10.0.0.0.0
2024/11/20 17:08:37 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:08:38 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:08:40 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:08:43 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:43 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:43 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:43 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 29 information.
2024/11/20 17:08:43 wazuh-authd: WARNING: Duplicate name 'UAT-Members', rejecting enrollment. Failed to get agent-info for agent '029'
2024/11/20 17:08:43 wazuh-authd: INFO: New connection from 10.0.0.0.0
2024/11/20 17:08:43 wazuh-authd: INFO: Received request for a new agent (IVR-live-srv) from: 10.0.0.0.0
2024/11/20 17:08:43 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:08:44 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:08:46 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/21 16:37:12 wazuh-csyslogd: ERROR: (1226): Error reading XML file 'etc/ossec.conf': (line 0).
/home/cydeatech#
Santiago Padilla Alvarez
Nov 26, 2024, 6:23:28 AM11/26/24
to Wazuh | Mailing List
Hi!
Several things:
1) What version of the manager are you using? I have seen that you have in the configuration file (/var/ossec/etc/ossec.conf) <vulnerability-detector> that changed from 4.8.0 to <vulnerability-detection>.
In case you are using a version 4.8.0 or higher I leave here the documentation so you can change it.
2) To get more information in the logs about what exactly is happening we can activate debug mode.
You must execute the following command in the manager: echo 'wazuh_modules.debug=2' >> /var/ossec/etc/local_internal_options.conf
This command puts this line wazuh_modules.debug=2 in the file /var/ossec/etc/local_internal_options.conf, so if you ever want to remove the debug mode you only have to delete this line from the file.
After executing the command, restart the manager again with sudo systemctl restart wazuh-manager. And once restarted, please check and pass me the logs located in /var/ossec/logs/ossec.log
Please let us know if you have any news,
Thank you!
Several things:
1) What version of the manager are you using? I have seen that you have in the configuration file (/var/ossec/etc/ossec.conf) <vulnerability-detector> that changed from 4.8.0 to <vulnerability-detection>.
In case you are using a version 4.8.0 or higher I leave here the documentation so you can change it.
2) To get more information in the logs about what exactly is happening we can activate debug mode.
You must execute the following command in the manager: echo 'wazuh_modules.debug=2' >> /var/ossec/etc/local_internal_options.conf
This command puts this line wazuh_modules.debug=2 in the file /var/ossec/etc/local_internal_options.conf, so if you ever want to remove the debug mode you only have to delete this line from the file.
After executing the command, restart the manager again with sudo systemctl restart wazuh-manager. And once restarted, please check and pass me the logs located in /var/ossec/logs/ossec.log
Please let us know if you have any news,
Thank you!
Umair .3632
Nov 27, 2024, 3:30:19 AM11/27/24
to Wazuh | Mailing List
/home/cydeatech# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.3"
WAZUH_REVISION="40714"
WAZUH_TYPE="server"
/home/cydeatech# echo 'wazuh_modules.debug=2' >> /var/ossec/etc/local_internal_options.conf
----------------------------------------------------
/home/cydeatech# sudo systemctl restart wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details.
-------------------------------------------------------
/home/cydeatech# tail -n 200 /var/ossec/logs/ossec.log
2024/11/20 17:06:48 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:06:48 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:06:48 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 45 information.
2024/11/20 17:06:48 wazuh-authd: WARNING: Duplicate name 'myhcm', rejecting enrollment. Failed to get agent-info for agent '045'
2024/11/20 17:06:48 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:06:48 wazuh-authd: INFO: Received request for a new agent (ALLIED-2021) from: 10.0.0.0
2024/11/20 17:06:48 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:06:49 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:06:51 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:06:54 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:06:54 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:06:54 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:06:54 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 3 information.
2024/11/20 17:06:54 wazuh-authd: WARNING: Duplicate name 'ALLIED-2021', rejecting enrollment. Failed to get agent-info for agent '003'
2024/11/20 17:06:54 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:06:54 wazuh-authd: INFO: Received request for a new agent (MSCRM-Adfs) from: 10.0.0.0
2024/11/20 17:06:54 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:06:55 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:06:57 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:07:00 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:00 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:00 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:07:00 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 32 information.
2024/11/20 17:07:00 wazuh-authd: WARNING: Duplicate name 'MSCRM-Adfs', rejecting enrollment. Failed to get agent-info for agent '032'
2024/11/20 17:07:00 wazuh-authd: INFO: New connection from10.0.0.0
2024/11/20 17:07:00 wazuh-authd: INFO: Received request for a new agent (FMR) from: 10.0.0.0
2024/11/20 17:07:00 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:07:01 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:07:03 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:07:06 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:06 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:06 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:07:06 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 10 information.
2024/11/20 17:07:06 wazuh-authd: WARNING: Duplicate name 'FMR', rejecting enrollment. Failed to get agent-info for agent '010'
2024/11/20 17:07:06 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:07:06 wazuh-authd: INFO: Received request for a new agent (Dev-Server1) from: 10.0.0.0
2024/11/20 17:07:06 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:07:07 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:07:09 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:07:12 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:12 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:12 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:07:12 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 35 information.
2024/11/20 17:07:12 wazuh-authd: WARNING: Duplicate name 'Dev-Server1', rejecting enrollment. Failed to get agent-info for agent '035'
2024/11/20 17:07:12 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:07:12 wazuh-authd: INFO: Received request for a new agent (MSCRM-App) from: 10.0.0.0
2024/11/20 17:07:12 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:07:13 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:07:15 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:07:18 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:18 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:18 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:07:18 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 43 information.
2024/11/20 17:07:18 wazuh-authd: WARNING: Duplicate name 'MSCRM-App', rejecting enrollment. Failed to get agent-info for agent '043'
2024/11/20 17:07:18 wazuh-authd: INFO: New connection from 10.0.0.0
WAZUH_VERSION="v4.7.3"
WAZUH_REVISION="40714"
WAZUH_TYPE="server"
/home/cydeatech# echo 'wazuh_modules.debug=2' >> /var/ossec/etc/local_internal_options.conf
----------------------------------------------------
/home/cydeatech# sudo systemctl restart wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details.
/home/cydeatech# tail -n 200 /var/ossec/logs/ossec.log
2024/11/20 17:06:48 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:06:48 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:06:48 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 45 information.
2024/11/20 17:06:48 wazuh-authd: WARNING: Duplicate name 'myhcm', rejecting enrollment. Failed to get agent-info for agent '045'
2024/11/20 17:06:48 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:06:48 wazuh-authd: INFO: Received request for a new agent (ALLIED-2021) from: 10.0.0.0
2024/11/20 17:06:48 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:06:49 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:06:51 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:06:54 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:06:54 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:06:54 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:06:54 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 3 information.
2024/11/20 17:06:54 wazuh-authd: WARNING: Duplicate name 'ALLIED-2021', rejecting enrollment. Failed to get agent-info for agent '003'
2024/11/20 17:06:54 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:06:54 wazuh-authd: INFO: Received request for a new agent (MSCRM-Adfs) from: 10.0.0.0
2024/11/20 17:06:54 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:06:55 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:06:57 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:07:00 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:00 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:00 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:07:00 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 32 information.
2024/11/20 17:07:00 wazuh-authd: WARNING: Duplicate name 'MSCRM-Adfs', rejecting enrollment. Failed to get agent-info for agent '032'
2024/11/20 17:07:00 wazuh-authd: INFO: New connection from10.0.0.0
2024/11/20 17:07:00 wazuh-authd: INFO: Received request for a new agent (FMR) from: 10.0.0.0
2024/11/20 17:07:00 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:07:01 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:07:03 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:07:06 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:06 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:06 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:07:06 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 10 information.
2024/11/20 17:07:06 wazuh-authd: WARNING: Duplicate name 'FMR', rejecting enrollment. Failed to get agent-info for agent '010'
2024/11/20 17:07:06 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:07:06 wazuh-authd: INFO: Received request for a new agent (Dev-Server1) from: 10.0.0.0
2024/11/20 17:07:06 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:07:07 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:07:09 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:07:12 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:12 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:12 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:07:12 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 35 information.
2024/11/20 17:07:12 wazuh-authd: WARNING: Duplicate name 'Dev-Server1', rejecting enrollment. Failed to get agent-info for agent '035'
2024/11/20 17:07:12 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:07:12 wazuh-authd: INFO: Received request for a new agent (MSCRM-App) from: 10.0.0.0
2024/11/20 17:07:12 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:07:13 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:07:15 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/20 17:07:18 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:18 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:07:18 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:07:18 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 43 information.
2024/11/20 17:07:18 wazuh-authd: WARNING: Duplicate name 'MSCRM-App', rejecting enrollment. Failed to get agent-info for agent '043'
2024/11/20 17:07:18 wazuh-authd: INFO: New connection from 10.0.0.0
Santiago Padilla Alvarez
Nov 27, 2024, 8:50:42 AM11/27/24
to Wazuh | Mailing List
Hi!
There seems to have been a confusion in the logs you have passed me as the date shown is from last week 2024/11/20.
I have replicated the error by modifying the configuration file ossec.conf. And when I restart the manager, today's date appears in the logs, as I show you here:
- Restart the manager with error
root@AIOwazuh:/home/vagrant# sudo systemctl restart wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details.
- Logs with the error and today's date
2024/11/27 12:51:14 wazuh-csyslogd: ERROR: (1226): Error reading XML file 'etc/ossec.conf': (line 0).
- Date
root@AIOwazuh:/home/vagrant# date
Wed Nov 27 12:52:06 PM UTC 2024
So something strange has happened with your logs, check if you have passed me the correct logs from today (27/11) after the manager restart.
And I understand that the date of your local environment is up to date. You can check it with the ‘date’ command as I have shown above.
Any news please let us know!
Best regards!
There seems to have been a confusion in the logs you have passed me as the date shown is from last week 2024/11/20.
I have replicated the error by modifying the configuration file ossec.conf. And when I restart the manager, today's date appears in the logs, as I show you here:
- Restart the manager with error
root@AIOwazuh:/home/vagrant# sudo systemctl restart wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xeu wazuh-manager.service" for details.
2024/11/27 12:51:14 wazuh-csyslogd: ERROR: (1226): Error reading XML file 'etc/ossec.conf': (line 0).
- Date
root@AIOwazuh:/home/vagrant# date
Wed Nov 27 12:52:06 PM UTC 2024
So something strange has happened with your logs, check if you have passed me the correct logs from today (27/11) after the manager restart.
And I understand that the date of your local environment is up to date. You can check it with the ‘date’ command as I have shown above.
Any news please let us know!
Best regards!
Umair .3632
Nov 27, 2024, 9:02:24 AM11/27/24
to Wazuh | Mailing List
Hi team,
It is also strange for me to as in the ossec.log we have only these logs.
It is also strange for me to as in the ossec.log we have only these logs.
Umair .3632
Nov 27, 2024, 9:17:27 AM11/27/24
to Wazuh | Mailing List
hi,
Even with tail -f we have logs the same logs of date 20/11
/home/cydeatech# tail -f /var/ossec/logs/ossec.log
2024/11/20 17:08:43 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:43 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:43 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 29 information.
2024/11/20 17:08:43 wazuh-authd: WARNING: Duplicate name 'UAT-Members', rejecting enrollment. Failed to get agent-info for agent '029'
2024/11/20 17:08:43 wazuh-authd: INFO: New connection from 10.0.0.0
:/home/cydeatech# date
Wed Nov 27 07:15:46 PM PKT 2024
/home/cydeatech# timedate ctl
:/home/cydeatech# timedatectl
Local time: Wed 2024-11-27 19:15:58 PKT
Universal time: Wed 2024-11-27 14:15:58 UTC
RTC time: Wed 2024-11-27 14:15:58
Time zone: Asia/Karachi (PKT, +0500)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
/home/cydeatech#
is it possible to have a remote session to resolve this issue
Even with tail -f we have logs the same logs of date 20/11
/home/cydeatech# tail -f /var/ossec/logs/ossec.log
2024/11/20 17:08:43 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'.
2024/11/20 17:08:43 wazuh-authd: ERROR: Unable to connect to socket 'queue/db/wdb'
2024/11/20 17:08:43 wazuh-authd: ERROR: Error querying Wazuh DB to get the agent's 29 information.
2024/11/20 17:08:43 wazuh-authd: WARNING: Duplicate name 'UAT-Members', rejecting enrollment. Failed to get agent-info for agent '029'
2024/11/20 17:08:43 wazuh-authd: INFO: New connection from 10.0.0.0
2024/11/20 17:08:43 wazuh-authd: INFO: Received request for a new agent (IVR-live-srv) from: 10.0.0.0
2024/11/20 17:08:43 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 1 seconds to reconnect.
2024/11/20 17:08:44 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:08:46 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/21 16:37:12 wazuh-csyslogd: ERROR: (1226): Error reading XML file 'etc/ossec.conf': (line 0).
---------------------------------------------------------------------2024/11/20 17:08:44 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 2 seconds to reconnect.
2024/11/20 17:08:46 wazuh-authd: INFO: Cannot find 'queue/db/wdb'. Waiting 3 seconds to reconnect.
2024/11/21 16:37:12 wazuh-csyslogd: ERROR: (1226): Error reading XML file 'etc/ossec.conf': (line 0).
:/home/cydeatech# date
Wed Nov 27 07:15:46 PM PKT 2024
/home/cydeatech# timedate ctl
:/home/cydeatech# timedatectl
Local time: Wed 2024-11-27 19:15:58 PKT
Universal time: Wed 2024-11-27 14:15:58 UTC
RTC time: Wed 2024-11-27 14:15:58
Time zone: Asia/Karachi (PKT, +0500)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
/home/cydeatech#
is it possible to have a remote session to resolve this issue
Santiago Padilla Alvarez
Nov 27, 2024, 11:28:56 AM11/27/24
to Wazuh | Mailing List
Hi!
In another message you told me that you were full of storage and that you had truncated some files. So, can you pass me the following information?
- Can you please verify that the /var/ossec/etc/ossec.conf file is not empty or corrupt: ls -l /var/ossec/etc/ossec.conf
- Attempt to view the content: cat /var/ossec/etc/ossec.conf
- Check database permissions: ls -lh /var/ossec/queue/db
- This will list any zero-length files in the configuration directory: find /var/ossec/etc/ -type f -size 0
- Check storage space: df -h
If critical configuration files like ossec.conf have been truncated, the manager cannot start, and no new logs will be generated.
Please let us know if you have any news,
Best regards!
In another message you told me that you were full of storage and that you had truncated some files. So, can you pass me the following information?
- Can you please verify that the /var/ossec/etc/ossec.conf file is not empty or corrupt: ls -l /var/ossec/etc/ossec.conf
- Attempt to view the content: cat /var/ossec/etc/ossec.conf
- Check database permissions: ls -lh /var/ossec/queue/db
- This will list any zero-length files in the configuration directory: find /var/ossec/etc/ -type f -size 0
- Check storage space: df -h
If critical configuration files like ossec.conf have been truncated, the manager cannot start, and no new logs will be generated.
Please let us know if you have any news,
Umair .3632
Nov 27, 2024, 12:07:10 PM11/27/24
to Wazuh | Mailing List
:~# ls -l /var/ossec/queue/db
total 0
-rw-rw---- 1 ossec ossec 0 Nov 21 16:23 wdb
-----------------------------------------------------------------------------------------------------
:~# ls -l /var/ossec/etc/ossec.conf
-rw-rw---- 1 root wazuh 6950 Nov 21 16:38 /var/ossec/etc/ossec.conf
--------------------------------------------------------------------------------------------------------------------------
root@siem-cydeatech:~# cat /var/ossec/etc/ossec.conf <allowed-ips>10.0.0.0/24</allowed-ips>
<local_ip>10.0.0.0</local_ip> <white_list>127.0.0.0/white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>127.0.0.0</white_list>--------------------------------------------------------------------------------------
:~# ls -lh /var/ossec/queue/db
total 0
-rw-rw---- 1 ossec ossec 0 Nov 21 16:23 wdb
------------------------------------------------------------------------------
:~# find /var/ossec/etc/ -type f -size 0
:~# find /var/ossec/etc/ -type f -size 0
------------------------------------------------------------------------------
:~# df -h
Filesystem Size Used Avail Use% Mounted on
tmpfs 3.2G 1.5M 3.2G 1% /run
/dev/sda2 738G 450G 251G 65% /
tmpfs 16G 3.6M 16G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
overlay 738G 450G 251G 65% /var/lib/docker/overlay2/4718250bbb62c03664ce81d0d73ad2255076c45d61707fd5e9a5b9788e95156f/merged
overlay 738G 450G 251G 65% /var/lib/docker/overlay2/6c47b108a2514ddcf922e1d44f34ba73ec0c972c5c972ffe481b9ecff522e2b3/merged
tmpfs 3.2G 4.0K 3.2G 1% /run/user/1000
:~#
-----------------------------------------------------------------
total 0
-rw-rw---- 1 ossec ossec 0 Nov 21 16:23 wdb
-----------------------------------------------------------------------------------------------------
:~# ls -l /var/ossec/etc/ossec.conf
-rw-rw---- 1 root wazuh 6950 Nov 21 16:38 /var/ossec/etc/ossec.conf
root@siem-cydeatech:~# cat /var/ossec/etc/ossec.conf
<local_ip>10.0.0.0</local_ip>
<white_list>^localhost.localdomain$</white_list>
<white_list>127.0.0.0</white_list>
:~# ls -lh /var/ossec/queue/db
total 0
-rw-rw---- 1 ossec ossec 0 Nov 21 16:23 wdb
------------------------------------------------------------------------------
:~# find /var/ossec/etc/ -type f -size 0
:~# find /var/ossec/etc/ -type f -size 0
------------------------------------------------------------------------------
:~# df -h
Filesystem Size Used Avail Use% Mounted on
tmpfs 3.2G 1.5M 3.2G 1% /run
/dev/sda2 738G 450G 251G 65% /
tmpfs 16G 3.6M 16G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
overlay 738G 450G 251G 65% /var/lib/docker/overlay2/4718250bbb62c03664ce81d0d73ad2255076c45d61707fd5e9a5b9788e95156f/merged
overlay 738G 450G 251G 65% /var/lib/docker/overlay2/6c47b108a2514ddcf922e1d44f34ba73ec0c972c5c972ffe481b9ecff522e2b3/merged
tmpfs 3.2G 4.0K 3.2G 1% /run/user/1000
:~#
-----------------------------------------------------------------
Santiago Padilla Alvarez
Nov 28, 2024, 7:25:46 AM11/28/24
to Wazuh | Mailing List
Hi!
You have passed me the following:
~# ls -l /var/ossec/queue/db
total 0
-rw-rw---- 1 ossec ossec 0 Nov 21 16:23 wdb
Please follow the steps below in order to solve it:
- Delete the incorrect regular file: sudo rm /var/ossec/queue/db/wdb
- Set the correct ownership for the db directory: sudo chown -R wazuh:wazuh /var/ossec/queue/db
- Set the correct permissions: sudo chmod 750 /var/ossec/queue/db
- Restart the manager: sudo systemctl restart wazuh-manager
- Verify the wdb socket has been recreated: ls -l /var/ossec/queue/db
- The wdb file should now be a socket, indicated by an s at the beginning of the permissions: srw-rw---- 1 wazuh wazuh 0 Nov 28 11:34 wdb
I hope you find it helpful,
Regards!Reply all
Reply to author
Forward
0 new messages