Wazuh ERROR3099.


Souraj Chakraborty

Sep 16, 2024, 7:16:30 AM
to Wazuh | Mailing List
My dashboard is showing this issue after the logs were deleted from the alerts and archives directories. Any ideas how to resolve this? My Wazuh is hosted on AWS using the Wazuh AMI.

INFO: Current API id [default]
INFO: Checking current API id [default]...
INFO: Current API id [default] has some problem: 3002 - Request failed with status code 400
INFO: Getting API hosts...
INFO: API hosts found: 1
INFO: Checking API host id [default]...
INFO: Could not connect to API id [default]: 3099 - ERROR3099 - Some Wazuh daemons are not ready yet in node "node01" (wazuh-analysisd->stopped)
INFO: Removed [navigate] cookie
ERROR: No API available to connect

Federico Gustavo Galland

Sep 16, 2024, 8:17:08 AM
to Wazuh | Mailing List
Hey Souraj,

The error message you share seems to indicate the Wazuh Server's API is down. Can you double check that with the following commands:

systemctl status wazuh-manager
telnet localhost 55000

Please share the output of these as well so we can troubleshoot further.

Regards,
Fede

Souraj Chakraborty

Sep 16, 2024, 8:48:42 AM
to Wazuh | Mailing List

systemctl status wazuh-manager

wazuh-manager.service - Wazuh manager

   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)

   Active: active (running) since Mon 2024-09-16 10:04:28 UTC; 2h 40min ago

  Process: 3137 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)

  Process: 3272 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)

   CGroup: /system.slice/wazuh-manager.service

           ├─3333 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─3334 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─3337 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─3340 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─3364 /var/ossec/bin/wazuh-integratord

           ├─3385 /var/ossec/bin/wazuh-authd

           ├─3402 /var/ossec/bin/wazuh-db

           ├─3428 /var/ossec/bin/wazuh-execd

           ├─3450 /var/ossec/bin/wazuh-syscheckd

           ├─3472 /var/ossec/bin/wazuh-remoted

           ├─3508 /var/ossec/bin/wazuh-logcollector

           ├─3553 /var/ossec/bin/wazuh-monitord

           └─3563 /var/ossec/bin/wazuh-modulesd


Sep 16 10:04:22 wazuh-server env[3272]: Started wazuh-analysisd...

Sep 16 10:04:23 wazuh-server env[3272]: Started wazuh-syscheckd...

Sep 16 10:04:24 wazuh-server env[3272]: Started wazuh-remoted...

Sep 16 10:04:25 wazuh-server env[3272]: Started wazuh-logcollector...

Sep 16 10:04:25 wazuh-server env[3272]: Started wazuh-monitord...

Sep 16 10:04:25 wazuh-server env[3272]: 2024/09/16 10:04:25 wazuh-modulesd:router: INFO: Loaded router module.

Sep 16 10:04:25 wazuh-server env[3272]: 2024/09/16 10:04:25 wazuh-modulesd:content_manager: INFO: Loaded content_...odule.

Sep 16 10:04:26 wazuh-server env[3272]: Started wazuh-modulesd...

Sep 16 10:04:28 wazuh-server env[3272]: Completed.

Sep 16 10:04:28 wazuh-server systemd[1]: Started Wazuh manager.


telnet localhost 55000

Trying 127.0.0.1...

Connected to localhost.

Federico Gustavo Galland

Sep 16, 2024, 10:34:43 AM
to Souraj Chakraborty, Wazuh | Mailing List
Souraj,

What about:

systemctl status wazuh-indexer

and

telnet localhost 9200

This is in order to rule out the possibility of the API error being caused by a service being down.

Regards,
Fede


Souraj Chakraborty

Sep 16, 2024, 10:46:25 AM
to Wazuh | Mailing List

status wazuh-indexer

wazuh-indexer.service - Wazuh-indexer

   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)

   Active: active (running) since Mon 2024-09-16 07:09:49 UTC; 7h ago

     Docs: https://documentation.wazuh.com

 Main PID: 469 (java)

   CGroup: /system.slice/wazuh-indexer.service

           └─469 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensear...


Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.cluster.service.ClusterApplierService.apply...577)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.cluster.service.ClusterApplierService.runTa...484)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.cluster.service.ClusterApplierService$Updat...186)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.common.util.concurrent.ThreadContext$Contex...849)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearc...282)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearc...245)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorke...136)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.r...635)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at java.base/java.lang.Thread.run(Thread.java:833)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: For complete error details, refer to the log at /var/log/wazu....log

Hint: Some lines were ellipsized, use -l to show in full.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Full status

systemctl status -l wazuh-indexer

wazuh-indexer.service - Wazuh-indexer

   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)

   Active: active (running) since Mon 2024-09-16 07:09:49 UTC; 7h ago

     Docs: https://documentation.wazuh.com

 Main PID: 469 (java)

   CGroup: /system.slice/wazuh-indexer.service

           └─469 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3930m -Xmx3930m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-9188422357030888860 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2060451840 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet


Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.cluster.service.ClusterApplierService.applyChanges(ClusterApplierService.java:577)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.cluster.service.ClusterApplierService.runTask(ClusterApplierService.java:484)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.cluster.service.ClusterApplierService$UpdateTask.run(ClusterApplierService.java:186)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:849)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:282)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:245)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: at java.base/java.lang.Thread.run(Thread.java:833)

Sep 16 07:09:50 wazuh-server systemd-entrypoint[469]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

telnet localhost 9200

Trying 127.0.0.1...

Connected to localhost.



Federico Gustavo Galland

Sep 17, 2024, 7:28:57 AM
to Wazuh | Mailing List
Souraj,

Since we have confirmed the components are up and running let's move over to checking whether the Dashboard's API credentials are good.

In order to do that, we need to read the contents of the following file:
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

At the bottom of the file you should see a yaml block with the credentials your dashboard uses to authenticate against the Wazuh Server's API. In my case it looks as follows:

hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "5gAPmgR5kC+jQ4kVddaI4AtTZx8G*.78"
      run_as: false

With this information we are going to query the API:

root@manager:~# TOKEN=$(curl -u wazuh-wui:"5gAPmgR5kC+jQ4kVddaI4AtTZx8G*.78" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && curl -k -X GET "https://localhost:55000/?pretty=true"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   404  100   404    0     0   2880      0 --:--:-- --:--:-- --:--:--  2885
{
   "data": {
      "title": "Wazuh API REST",
      "api_version": "4.9.0",
      "revision": 40907,
      "license_name": "GPL 2.0",
      "license_url": "https://github.com/wazuh/wazuh/blob/v4.9.0/LICENSE",
      "hostname": "manager",
      "timestamp": "2024-09-17T11:26:18Z"
   },
   "error": 0
}

Please share the output of these commands. Do make sure to replace my password with your own as retrieved from the wazuh.yml file.

Regards,
Fede

Souraj Chakraborty

Sep 17, 2024, 7:38:14 AM
to Wazuh | Mailing List

hosts:

  - default:

      url: https://127.0.0.1

      port: 55000

      username: wazuh-wui

      password: *************

      run_as: false



hideManagerAlerts: false
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

[root@wazuh-server ~]# TOKEN=$(curl -u wazuh-wui:"***********" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && curl -k -X GET "https://localhost:55000/?pretty=true"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   260  100   260    0     0  44368      0 --:--:-- --:--:-- --:--:-- 52000

{"title": "Unauthorized", "detail": "No authorization token provided"}

Federico Gustavo Galland

Sep 17, 2024, 8:38:11 AM
to Souraj Chakraborty, Wazuh | Mailing List
Souraj,

The last part of my command was clipped, it should be:

TOKEN=$(curl -u wazuh-wui:"PASSWORD" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && curl -k -X GET "https://localhost:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"

Souraj Chakraborty

Sep 17, 2024, 8:41:59 AM
to Wazuh | Mailing List

TOKEN=$(curl -u wazuh-wui:"******** " -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && curl -k -X GET "https://localhost:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   260  100   260    0     0  43580      0 --:--:-- --:--:-- --:--:-- 52000

{"title": "Unauthorized", "detail": "Invalid token"}

Federico Gustavo Galland

Sep 17, 2024, 8:50:05 AM
to Souraj Chakraborty, Wazuh | Mailing List
Souraj,

What about:

echo $TOKEN

?

Federico Gustavo Galland

Sep 17, 2024, 8:51:32 AM
to Souraj Chakraborty, Wazuh | Mailing List
so the command as a whole should be:

TOKEN=$(curl -u wazuh-wui:"PASSWORD" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && echo $TOKEN

Souraj Chakraborty

Sep 17, 2024, 9:59:47 AM
to Wazuh | Mailing List

echo $TOKEN

{"title": "Bad Request", "detail": "Some Wazuh daemons are not ready yet in node \"node01\" (wazuh-analysisd->stopped)", "dapi_errors": {"node01": {"error": "Some Wazuh daemons are not ready yet in node \"node01\" (wazuh-analysisd->stopped)"}}, "error": 1017}
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

TOKEN=$(curl -u wazuh-wui:"*****************" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && echo $TOKEN

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   260  100   260    0     0  43837      0 --:--:-- --:--:-- --:--:-- 52000

{"title": "Bad Request", "detail": "Some Wazuh daemons are not ready yet in node \"node01\" (wazuh-analysisd->stopped)", "dapi_errors": {"node01": {"error": "Some Wazuh daemons are not ready yet in node \"node01\" (wazuh-analysisd->stopped)"}}, "error": 1017}

Federico Gustavo Galland

Sep 17, 2024, 10:02:47 AM
to Souraj Chakraborty, Wazuh | Mailing List
Souraj,

That's a curious error. Let's try:

/var/ossec/bin/wazuh-analysisd -t

This should test whether the overall syntax of the configuration files and rules is ok.

Souraj Chakraborty

Sep 17, 2024, 10:07:00 AM
to Wazuh | Mailing List

Federico

For this path, do you want me to open the file and check its contents? Can you clarify?

Federico Gustavo Galland

Sep 17, 2024, 10:12:47 AM
to Souraj Chakraborty, Wazuh | Mailing List
You can paste that line in a root terminal and it should run a test on your config files.

Souraj Chakraborty

Sep 17, 2024, 10:16:59 AM
to Wazuh | Mailing List

[root@wazuh-server ~]# /var/ossec/bin/wazuh-analysisd -t

[root@wazuh-server ~]# 

[root@wazuh-server ~]# cd /var/ossec/bin/

[root@wazuh-server bin]# ls

agent_control    manage_agents      wazuh-apid      wazuh-db           wazuh-logcollector    wazuh-monitord

agent_groups     rbac_control       wazuh-authd     wazuh-dbd          wazuh-logtest         wazuh-regex

agent_upgrade    verify-agent-conf  wazuh-clusterd  wazuh-execd        wazuh-logtest-legacy  wazuh-remoted

clear_stats      wazuh-agentlessd   wazuh-control   wazuh-integratord  wazuh-maild           wazuh-reportd

cluster_control  wazuh-analysisd    wazuh-csyslogd  wazuh-keystore     wazuh-modulesd        wazuh-syscheckd

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

[root@wazuh-server bin]# nano wazuh-analysisd

^?ELF^B^A^A^@^@^@^@^@^@^@^@^@^B^@>^@^A^@^@^@L^m@^@^@^@^@^@@^@^@^@^@^@^@^@ ... [binary contents of the wazuh-analysisd executable as displayed by nano; remainder omitted]

Federico Gustavo Galland

Sep 17, 2024, 11:21:03 AM
to Souraj Chakraborty, Wazuh | Mailing List
Souraj,

An empty reply (as in your first command's output) means your configuration is ok.

Can we try restarting the server:

systemctl restart wazuh-manager

and then try the curl commands again.

Souraj Chakraborty

Sep 17, 2024, 11:31:30 AM
to Wazuh | Mailing List

systemctl restart wazuh-manager

systemctl status wazuh-manager

wazuh-manager.service - Wazuh manager

   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)

   Active: active (running) since Tue 2024-09-17 15:28:29 UTC; 9s ago

  Process: 10781 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)

  Process: 10920 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)

   CGroup: /system.slice/wazuh-manager.service

           ├─10981 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─10982 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─10985 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─10988 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─11012 /var/ossec/bin/wazuh-integratord

           ├─11033 /var/ossec/bin/wazuh-authd

           ├─11043 /var/ossec/bin/wazuh-db

           ├─11073 /var/ossec/bin/wazuh-execd

           ├─11095 /var/ossec/bin/wazuh-syscheckd

           ├─11111 /var/ossec/bin/wazuh-remoted

           ├─11149 /var/ossec/bin/wazuh-logcollector

           ├─11161 /var/ossec/bin/wazuh-monitord

           └─11210 /var/ossec/bin/wazuh-modulesd


Sep 17 15:28:23 wazuh-server env[10920]: Started wazuh-analysisd...

Sep 17 15:28:23 wazuh-server env[10920]: Started wazuh-syscheckd...

Sep 17 15:28:24 wazuh-server env[10920]: Started wazuh-remoted...

Sep 17 15:28:25 wazuh-server env[10920]: Started wazuh-logcollector...

Sep 17 15:28:26 wazuh-server env[10920]: Started wazuh-monitord...

Sep 17 15:28:26 wazuh-server env[10920]: 2024/09/17 15:28:26 wazuh-modulesd:router: INFO: Loaded router module.

Sep 17 15:28:26 wazuh-server env[10920]: 2024/09/17 15:28:26 wazuh-modulesd:content_manager: INFO: Loaded content...dule.

Sep 17 15:28:27 wazuh-server env[10920]: Started wazuh-modulesd...

Sep 17 15:28:29 wazuh-server env[10920]: Completed.

Sep 17 15:28:29 wazuh-server systemd[1]: Started Wazuh manager.

Hint: Some lines were ellipsized, use -l to show in full.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

TOKEN=$(curl -u wazuh-wui:"**************" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && echo $TOKEN

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   260  100   260    0     0  20880      0 --:--:-- --:--:-- --:--:-- 21666

{"title": "Bad Request", "detail": "Some Wazuh daemons are not ready yet in node \"node01\" (wazuh-analysisd->stopped)", "dapi_errors": {"node01": {"error": "Some Wazuh daemons are not ready yet in node \"node01\" (wazuh-analysisd->stopped)"}}, "error": 1017}

Souraj Chakraborty

Sep 17, 2024, 11:42:30 AM
to Wazuh | Mailing List
Could it be from the agents from Kubernetes, hosted in the nodes so they will be deployed when the pods are active? Could that be the issue, as recently they have stopped the process in those nodes and moved on to new projects, but it was a while ago. Sadly my access to the infra is limited and restricted in that matter.
Will it be better to spin up a new instance of Wazuh and set it up, or can we kill the agents' connection from the manager?

Federico Gustavo Galland

Sep 18, 2024, 12:07:30 PM
to Wazuh | Mailing List
Souraj,

I'm not 100% sure I follow, but so long as the agents are hosted on separate pods (not sharing a filesystem) we should be ok in that regard.


In order to further investigate the issue we need to turn on debugging mode on the analysisd module by adding the following line to /var/ossec/etc/internal_options.conf:

analysisd.debug=2

After this, please reboot the manager:

systemctl restart wazuh-manager

Allow some time for the manager to come back up and issue the curl command from before:

TOKEN=$(curl -u wazuh-wui:"PASSWORD" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && curl -k -X GET "https://localhost:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"


Once this is done, please share the full output from /var/ossec/logs/ossec.log from the time of the restart to after issuing the curl command above.

Regards,
Fede

Souraj Chakraborty

Sep 18, 2024, 12:23:48 PM
to Wazuh | Mailing List

/var/ossec/etc/internal_options.conf:
analysisd.debug=2
--------------------------------------------------------------------------------------------------------------------------------------------------------

systemctl restart wazuh-manager

systemctl status  wazuh-manager

wazuh-manager.service - Wazuh manager

   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)

   Active: active (running) since Wed 2024-09-18 16:17:57 UTC; 15s ago

--------------------------------------------------------------------------------------------------------------------------------------------------------------

TOKEN=$(curl -u wazuh-wui:"**********" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && curl -k -X GET "https://localhost:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   260  100   260    0     0  16786      0 --:--:-- --:--:-- --:--:-- 17333

{"title": "Unauthorized", "detail": "Invalid token"}

--------------------------------------------------------------------------------------------------------------------------------------------------------------

2024/09/18 16:17:54 wazuh-modulesd:download: INFO: Module started.

2024/09/18 16:17:54 wazuh-modulesd:control: INFO: Starting control thread.

2024/09/18 16:17:54 wazuh-modulesd:database: INFO: Module started.

2024/09/18 16:17:54 wazuh-modulesd:content_manager: INFO: Starting content_manager module.

2024/09/18 16:17:54 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabi$

2024/09/18 16:17:54 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started

2024/09/18 16:18:22 wazuh-syscheckd: ERROR: socketerr (not available).

2024/09/18 16:18:22 rootcheck: ERROR: (1224): Error sending message to queue.

Federico Gustavo Galland

Sep 18, 2024, 12:29:56 PM
to Souraj Chakraborty, Wazuh | Mailing List
Souraj,

You should have a load of DEBUG level messages in your ossec.log, which is what we are looking for. Can you double check that's indeed the case?
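
The procedure in the two messages above (set `analysisd.debug=2`, restart, then read ossec.log from the restart onward) produces a long log in which the few lines that matter are easy to miss. The script below is an added example, not part of the thread and not Wazuh's own tooling, that triages such a log: it keeps only entries after the restart time shown by `systemctl status`, lists which daemons logged `Started (pid: N)`, counts DEBUG lines from wazuh-analysisd (the evidence that the debug setting took effect), and groups ERROR and CRITICAL lines by daemon. The line format it parses is the one visible in the pasted log; the sample excerpt is constructed here, modelled on those lines, and is not a real capture.

```python
"""Triage /var/ossec/logs/ossec.log after a wazuh-manager restart.

Given the log lines and the restart time shown by `systemctl status
wazuh-manager`, report which daemons logged "Started (pid: N)", whether
wazuh-analysisd wrote any DEBUG lines (the evidence that analysisd.debug=2
took effect), and every ERROR/CRITICAL line grouped by daemon, so the first
real failure is not buried under syscheck "Monitoring path" noise.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# "YYYY/MM/DD HH:MM:SS component: LEVEL: message"; the optional leading
# integer swallows line numbers from cat -n / less -N style pastes.
_LINE = re.compile(
    r"^(?:\d+\s+)?(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"([\w.-]+(?::[\w.-]+)*): (DEBUG|INFO|WARNING|ERROR|CRITICAL): (.*)$"
)
_STARTED = re.compile(r"Started \(pid: (\d+)\)")
_RANK = {"DEBUG": 0, "INFO": 1, "WARNING": 2, "ERROR": 3, "CRITICAL": 4}


@dataclass
class LogEntry:
    ts: datetime
    component: str  # e.g. "wazuh-modulesd:router"
    level: str
    message: str

    @property
    def daemon(self) -> str:
        """Process name without the module suffix: "wazuh-modulesd"."""
        return self.component.split(":", 1)[0]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


def parse_line(line: str) -> Optional[LogEntry]:
    m = _LINE.match(line.rstrip("\n"))
    if not m:
        return None  # continuation lines, blank lines, pasted separators
    return LogEntry(parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4))


def triage(lines: Iterable[str], since: datetime) -> Dict[str, object]:
    """Summarise the entries at or after `since` (the restart time)."""
    entries = [e for e in map(parse_line, lines) if e is not None and e.ts >= since]
    started: Dict[str, int] = {}
    problems: Dict[str, List[str]] = {}
    for e in entries:
        m = _STARTED.search(e.message)
        if m:
            started[e.daemon] = int(m.group(1))
        if _RANK[e.level] >= _RANK["ERROR"]:
            problems.setdefault(e.daemon, []).append(f"{e.ts:%H:%M:%S} {e.level}: {e.message}")
    return {
        "entries": len(entries),
        "started": started,
        "analysisd_started": "wazuh-analysisd" in started,
        "analysisd_debug_lines": sum(1 for e in entries if e.daemon == "wazuh-analysisd" and e.level == "DEBUG"),
        "problems": problems,
    }


# Constructed excerpt modelled on the lines pasted in this thread (not a real capture).
SAMPLE_OSSEC_LOG = """\
1112409 2024/09/18 16:18:22 wazuh-syscheckd: ERROR: socketerr (not available).
1112410 2024/09/18 16:18:22 rootcheck: ERROR: (1224): Error sending message to queue.
1112417 2024/09/18 16:58:13 wazuh-monitord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
1112429 2024/09/18 16:58:17 wazuh-modulesd:router: INFO: Loaded router module.
1112437 2024/09/18 16:58:18 wazuh-authd: INFO: Started (pid: 21015).
1112439 2024/09/18 16:58:18 wazuh-db: INFO: Started (pid: 21025).
1112441 2024/09/18 16:58:19 wazuh-execd: INFO: Started (pid: 21055).
1112442 2024/09/18 16:58:19 wazuh-syscheckd: INFO: Started (pid: 21077).
1112443 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions'.
1112460 2024/09/18 16:58:24 wazuh-syscheckd: ERROR: socketerr (not available).
1112461 2024/09/18 16:58:24 rootcheck: ERROR: (1224): Error sending message to queue.
"""

if __name__ == "__main__":
    report = triage(SAMPLE_OSSEC_LOG.splitlines(), parse_ts("2024/09/18 16:58:00"))
    print("analysisd started:", report["analysisd_started"])
    print("analysisd DEBUG lines:", report["analysisd_debug_lines"])
    for daemon, msgs in report["problems"].items():
        print(daemon, "->", msgs)
```

Run against the real file with `triage(open("/var/ossec/logs/ossec.log"), parse_ts("2024/09/18 16:58:25"))`, taking the timestamp from the `Active: active (running) since ...` line. What to look for is the combination this thread exhibits: no `Started (pid:` line from wazuh-analysisd after the restart (and, in every `systemctl status` listing pasted above, no wazuh-analysisd process in the cgroup even though `wazuh-control start` printed "Started wazuh-analysisd..."), together with "socketerr" and "Error sending message to queue" from syscheckd and rootcheck, which are clients of the local queue socket that analysisd serves. With the debug level raised, the analysisd lines between its start and its disappearance are the ones to read; if the script reports zero DEBUG lines from analysisd, the daemon never got far enough to log, and `/var/ossec/logs/ossec.log` should be checked for a CRITICAL line from it immediately after the restart.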

Souraj Chakraborty

Sep 18, 2024, 1:07:11 PM
to Wazuh | Mailing List

cat internal_options.conf:

analysisd.debug=2
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

systemctl status -l wazuh-manager

wazuh-manager.service - Wazuh manager

   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)

   Active: active (running) since Wed 2024-09-18 16:58:25 UTC; 1min 2s ago

  Process: 20762 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)

  Process: 20902 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)

   CGroup: /system.slice/wazuh-manager.service

           ├─20963 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─20964 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─20967 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─20970 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─20994 /var/ossec/bin/wazuh-integratord

           ├─21015 /var/ossec/bin/wazuh-authd

           ├─21025 /var/ossec/bin/wazuh-db

           ├─21055 /var/ossec/bin/wazuh-execd

           ├─21077 /var/ossec/bin/wazuh-syscheckd

           ├─21099 /var/ossec/bin/wazuh-remoted

           ├─21131 /var/ossec/bin/wazuh-logcollector

           ├─21180 /var/ossec/bin/wazuh-monitord

           └─21190 /var/ossec/bin/wazuh-modulesd


Sep 18 16:58:19 wazuh-server env[20902]: Started wazuh-analysisd...

Sep 18 16:58:20 wazuh-server env[20902]: Started wazuh-syscheckd...

Sep 18 16:58:21 wazuh-server env[20902]: Started wazuh-remoted...

Sep 18 16:58:22 wazuh-server env[20902]: Started wazuh-logcollector...

Sep 18 16:58:22 wazuh-server env[20902]: Started wazuh-monitord...

Sep 18 16:58:22 wazuh-server env[20902]: 2024/09/18 16:58:22 wazuh-modulesd:router: INFO: Loaded router module.

Sep 18 16:58:22 wazuh-server env[20902]: 2024/09/18 16:58:22 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.

Sep 18 16:58:23 wazuh-server env[20902]: Started wazuh-modulesd...

Sep 18 16:58:25 wazuh-server env[20902]: Completed.

Sep 18 16:58:25 wazuh-server systemd[1]: Started Wazuh manager.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

TOKEN=$(curl -u wazuh-wui:"*********" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && curl -k -X GET "https://localhost:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   260  100   260    0     0  42159      0 --:--:-- --:--:-- --:--:-- 43333

{"title": "Unauthorized", "detail": "Invalid token"}

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

1112402 2024/09/18 16:17:54 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.

1112403 2024/09/18 16:17:54 wazuh-modulesd:download: INFO: Module started.

1112404 2024/09/18 16:17:54 wazuh-modulesd:control: INFO: Starting control thread.

1112405 2024/09/18 16:17:54 wazuh-modulesd:database: INFO: Module started.

1112406 2024/09/18 16:17:54 wazuh-modulesd:content_manager: INFO: Starting content_manager module.

1112407 2024/09/18 16:17:54 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.

1112408 2024/09/18 16:17:54 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started

1112409 2024/09/18 16:18:22 wazuh-syscheckd: ERROR: socketerr (not available).

1112410 2024/09/18 16:18:22 rootcheck: ERROR: (1224): Error sending message to queue.

1112411 2024/09/18 16:55:02 wazuh-db: INFO: Created Global database backup "backup/db/global.db-backup-2024-09-18-16:55:02.gz"

1112412 2024/09/18 16:55:02 wazuh-db: INFO: Deleted Global database backup: "backup/db/global.db-backup-2024-09-15-16:55:02"

1112413 2024/09/18 16:58:13 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.

1112414 2024/09/18 16:58:13 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.

1112415 2024/09/18 16:58:13 wazuh-modulesd:router: INFO: Stopping router module.

1112416 2024/09/18 16:58:13 wazuh-modulesd:content_manager: INFO: Stopping content_manager module.

1112417 2024/09/18 16:58:13 wazuh-monitord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...

1112418 2024/09/18 16:58:13 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...

1112419 2024/09/18 16:58:14 wazuh-remoted: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...

1112420 2024/09/18 16:58:14 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources.

1112421 2024/09/18 16:58:14 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...

1112422 2024/09/18 16:58:14 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.

1112423 2024/09/18 16:58:14 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...

1112424 2024/09/18 16:58:14 wazuh-db: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...

1112425 2024/09/18 16:58:15 wazuh-db: INFO: Graceful process shutdown.

1112426 2024/09/18 16:58:15 wazuh-authd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...

1112427 2024/09/18 16:58:15 wazuh-authd: INFO: Exiting...

1112428 2024/09/18 16:58:16 wazuh-integratord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...

1112429 2024/09/18 16:58:17 wazuh-modulesd:router: INFO: Loaded router module.

1112430 2024/09/18 16:58:17 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.

1112431 2024/09/18 16:58:18 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit.

1112432 2024/09/18 16:58:18 wazuh-dbd: INFO: Database not configured. Clean exit.

1112433 2024/09/18 16:58:18 wazuh-integratord: INFO: Started (pid: 20994).

1112434 2024/09/18 16:58:18 wazuh-integratord: INFO: Enabling integration for: 'virustotal'.

1112435 2024/09/18 16:58:18 wazuh-integratord: INFO: Enabling integration for: 'slack'.

1112436 2024/09/18 16:58:18 wazuh-agentlessd: INFO: Not configured. Exiting.

1112437 2024/09/18 16:58:18 wazuh-authd: INFO: Started (pid: 21015).

1112438 2024/09/18 16:58:18 wazuh-authd: INFO: Accepting connections on port 1515. No password required.

1112439 2024/09/18 16:58:18 wazuh-db: INFO: Started (pid: 21025).

1112440 2024/09/18 16:58:18 wazuh-authd: INFO: Setting network timeout to 1.000000 sec.

1112441 2024/09/18 16:58:19 wazuh-execd: INFO: Started (pid: 21055).

1112442 2024/09/18 16:58:19 wazuh-syscheckd: INFO: Started (pid: 21077).

1112443 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

1112444 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

1112445 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

1112446 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

1112447 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

1112448 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

1112449 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'

1112450 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'

1112451 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'

1112452 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'

1112453 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'

1112454 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'

1112455 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'

1112456 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'

1112457 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'

1112458 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'

1112459 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'

1112460 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'

1112461 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'

1112462 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'

1112463 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6000): Starting daemon...

1112464 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds

1112465 2024/09/18 16:58:19 rootcheck: INFO: Starting rootcheck scan.

1112466 2024/09/18 16:58:19 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.

1112467 2024/09/18 16:58:20 wazuh-analysisd: INFO: Total rules enabled: '6787'

1112468 2024/09/18 16:58:20 wazuh-analysisd: INFO: Started (pid: 21067).

1112469 2024/09/18 16:58:20 wazuh-analysisd: CRITICAL: (1107): Could not create directory 'logs/archives/2024/Sep' due to [(13)-(Permission denied)].

1112470 2024/09/18 16:58:20 wazuh-remoted: INFO: Started (pid: 21099). Listening on port 1514/TCP (secure).

1112471 2024/09/18 16:58:21 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.

1112472 2024/09/18 16:58:21 wazuh-syscheckd: ERROR: socketerr (not available).

1112473 2024/09/18 16:58:21 wazuh-syscheckd: ERROR: (1224): Error sending message to queue.

1112474 2024/09/18 16:58:22 wazuh-monitord: INFO: Started (pid: 21180).

1112475 2024/09/18 16:58:22 wazuh-modulesd:router: INFO: Loaded router module.

1112476 2024/09/18 16:58:22 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.

1112477 2024/09/18 16:58:22 wazuh-modulesd: INFO: Started (pid: 21190).

1112478 2024/09/18 16:58:22 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.

1112479 2024/09/18 16:58:22 wazuh-modulesd:content_manager: INFO: Starting content_manager module.

1112480 2024/09/18 16:58:22 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.

1112481 2024/09/18 16:58:22 wazuh-modulesd:router: INFO: Starting router module.

1112482 2024/09/18 16:58:22 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...

1112483 2024/09/18 16:58:22 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...

1112484 2024/09/18 16:58:22 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.

1112485 2024/09/18 16:58:22 wazuh-modulesd:download: INFO: Module started.

1112486 2024/09/18 16:58:22 sca: INFO: Module started.

1112487 2024/09/18 16:58:22 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_amazon_linux_2.yml'

1112488 2024/09/18 16:58:22 wazuh-modulesd:database: INFO: Module started.

1112489 2024/09/18 16:58:22 wazuh-modulesd:control: INFO: Starting control thread.

1112490 2024/09/18 16:58:22 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.

1112491 2024/09/18 16:58:23 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started

1112492 2024/09/18 16:58:50 wazuh-syscheckd: ERROR: socketerr (not available).

1112493 2024/09/18 16:58:50 rootcheck: ERROR: (1224): Error sending message to queue.

Federico Gustavo Galland

unread,
Sep 19, 2024, 7:07:30 AM9/19/24
to Wazuh | Mailing List
Hey Souraj,

This output is still not what I was expecting. We can try adding the analysisd.debug=2 line to /var/ossec/etc/local_internal_options.conf and then rebooting.

Anyway, when checking your log I can see the following:

1112469 2024/09/18 16:58:20 wazuh-analysisd: CRITICAL: (1107): Could not create directory 'logs/archives/2024/Sep' due to [(13)-(Permission denied)].

Can you show me the output of:

ls -laR /var/ossec/logs

?

Souraj Chakraborty

unread,
Sep 19, 2024, 7:19:35 AM9/19/24
to Wazuh | Mailing List

ls -laR /var/ossec/logs

/var/ossec/logs:

total 167824

drwxrwx---  9 wazuh wazuh       258 Sep 19 00:00 .

drwxr-x--- 20 root  wazuh       259 Jun  6 17:33 ..

-rw-rw----  1 wazuh wazuh      6840 Sep 13 12:53 active-responses.log

drwxr-xr-x  2 root  root         43 Sep 16 07:07 alerts

-rw-r--r--  1 root  root          0 Sep 16 07:13 analysisd.log

drwxr-x---  3 wazuh wazuh        18 Sep 16 04:46 api

-rw-r--r--  1 wazuh wazuh      5940 Sep 19 11:00 api.log

-rw-rw----  1 wazuh wazuh     15643 Sep 18 23:45 api.log.2024-09-18

drwxr-xr-x  2 root  root          6 Sep 16 03:31 archieves

drwxr-xr-x  3 root  root         18 Sep 16 10:03 archives

drwxr-x---  3 wazuh wazuh        18 Jun 20 04:27 cluster

-rw-rw----  1 wazuh wazuh       105 Jun 20 04:27 cluster.log

drwxr-x---  3 wazuh wazuh        38 Sep 15 16:55 firewall

-rw-r-----  1 wazuh wazuh     10735 Sep 15 16:55 integrations.log

-rw-rw----  1 root  wazuh 171796176 Sep 18 18:59 ossec.log

drwxr-x---  3 wazuh wazuh        18 Jun 20 00:00 wazuh


/var/ossec/logs/alerts:

total 0

drwxr-xr-x 2 root  root   43 Sep 16 07:07 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..

-rw-r--r-- 1 root  root    0 Sep 16 05:32 alerts.json

-rw-r--r-- 1 root  root    0 Sep 16 07:07 alerts.log


/var/ossec/logs/api:

total 0

drwxr-x--- 3 wazuh wazuh  18 Sep 16 04:46 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..

drwxr-x--- 3 wazuh wazuh  17 Sep 16 04:46 2024


/var/ossec/logs/api/2024:

total 0

drwxr-x--- 3 wazuh wazuh 17 Sep 16 04:46 .

drwxr-x--- 3 wazuh wazuh 18 Sep 16 04:46 ..

drwxr-x--- 2 wazuh wazuh 90 Sep 19 00:00 Sep


/var/ossec/logs/api/2024/Sep:

total 16

drwxr-x--- 2 wazuh wazuh   90 Sep 19 00:00 .

drwxr-x--- 3 wazuh wazuh   17 Sep 16 04:46 ..

-rw-r----- 1 wazuh wazuh 1783 Sep 16 04:46 api.log-14.gz

-rw-r----- 1 wazuh wazuh 2727 Sep 17 00:00 api.log-15.gz

-rw-r----- 1 wazuh wazuh 1903 Sep 18 00:00 api.log-16.gz

-rw-r----- 1 wazuh wazuh  823 Sep 19 00:00 api.log-17.gz


/var/ossec/logs/archieves:

total 0

drwxr-xr-x 2 root  root    6 Sep 16 03:31 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..


/var/ossec/logs/archives:

total 0

drwxr-xr-x 3 root  root   18 Sep 16 10:03 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..

drwxr-xr-x 2 root  root    6 Sep 16 10:03 2024


/var/ossec/logs/archives/2024:

total 0

drwxr-xr-x 2 root root  6 Sep 16 10:03 .

drwxr-xr-x 3 root root 18 Sep 16 10:03 ..


/var/ossec/logs/cluster:

total 0

drwxr-x--- 3 wazuh wazuh  18 Jun 20 04:27 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..

drwxr-x--- 3 root  wazuh  17 Jun 20 04:27 2024


/var/ossec/logs/cluster/2024:

total 0

drwxr-x--- 3 root  wazuh 17 Jun 20 04:27 .

drwxr-x--- 3 wazuh wazuh 18 Jun 20 04:27 ..

drwxr-x--- 2 root  wazuh 31 Jun 20 04:27 Jun


/var/ossec/logs/cluster/2024/Jun:

total 4

drwxr-x--- 2 root wazuh 31 Jun 20 04:27 .

drwxr-x--- 3 root wazuh 17 Jun 20 04:27 ..

-rw-r----- 1 root wazuh 35 Jun 20 04:27 cluster.log-06.gz


/var/ossec/logs/firewall:

total 0

drwxr-x--- 3 wazuh wazuh  38 Sep 15 16:55 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..

drwxr-x--- 6 wazuh wazuh  50 Sep  1 00:00 2024

-rw-r----- 2 wazuh wazuh   0 Sep 15 00:00 firewall.log


/var/ossec/logs/firewall/2024:

total 16

drwxr-x--- 6 wazuh wazuh   50 Sep  1 00:00 .

drwxr-x--- 3 wazuh wazuh   38 Sep 15 16:55 ..

drwxr-x--- 2 wazuh wazuh 4096 Sep  1 00:00 Aug

drwxr-x--- 2 wazuh wazuh 4096 Aug  1 00:00 Jul

drwxr-x--- 2 wazuh wazuh 4096 Jul  1 00:00 Jun

drwxr-x--- 2 wazuh wazuh 4096 Sep 15 00:05 Sep


/var/ossec/logs/firewall/2024/Aug:

total 128

drwxr-x--- 2 wazuh wazuh 4096 Sep  1 00:00 .

drwxr-x--- 6 wazuh wazuh   50 Sep  1 00:00 ..

-rw-r----- 1 wazuh wazuh  520 Aug  2 00:00 ossec-firewall-01.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug  3 00:00 ossec-firewall-02.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug  4 00:00 ossec-firewall-03.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug  5 00:00 ossec-firewall-04.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug  6 00:00 ossec-firewall-05.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug  7 00:00 ossec-firewall-06.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug  8 00:00 ossec-firewall-07.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug  9 00:00 ossec-firewall-08.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 10 00:00 ossec-firewall-09.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 11 00:00 ossec-firewall-10.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 12 00:00 ossec-firewall-11.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 13 00:00 ossec-firewall-12.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 14 00:00 ossec-firewall-13.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 15 00:00 ossec-firewall-14.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 16 00:00 ossec-firewall-15.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 17 00:00 ossec-firewall-16.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 18 00:00 ossec-firewall-17.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 19 00:00 ossec-firewall-18.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 20 00:00 ossec-firewall-19.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 21 00:00 ossec-firewall-20.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 22 00:00 ossec-firewall-21.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 23 00:00 ossec-firewall-22.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 24 00:00 ossec-firewall-23.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 25 00:00 ossec-firewall-24.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 26 00:00 ossec-firewall-25.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 27 00:00 ossec-firewall-26.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 28 00:00 ossec-firewall-27.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 29 00:00 ossec-firewall-28.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 30 00:00 ossec-firewall-29.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug 31 00:00 ossec-firewall-30.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep  1 00:00 ossec-firewall-31.log.sum


/var/ossec/logs/firewall/2024/Jul:

total 128

drwxr-x--- 2 wazuh wazuh 4096 Aug  1 00:00 .

drwxr-x--- 6 wazuh wazuh   50 Sep  1 00:00 ..

-rw-r----- 1 wazuh wazuh  520 Jul  2 00:00 ossec-firewall-01.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul  3 00:00 ossec-firewall-02.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul  4 00:00 ossec-firewall-03.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul  5 00:00 ossec-firewall-04.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul  6 00:00 ossec-firewall-05.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul  7 00:00 ossec-firewall-06.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul  8 00:00 ossec-firewall-07.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul  9 00:00 ossec-firewall-08.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 10 00:01 ossec-firewall-09.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 11 00:06 ossec-firewall-10.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 12 00:04 ossec-firewall-11.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 13 00:03 ossec-firewall-12.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 14 00:03 ossec-firewall-13.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 15 00:03 ossec-firewall-14.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 16 00:01 ossec-firewall-15.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 17 00:00 ossec-firewall-16.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 18 00:00 ossec-firewall-17.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 19 00:00 ossec-firewall-18.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 20 00:00 ossec-firewall-19.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 21 00:00 ossec-firewall-20.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 22 00:00 ossec-firewall-21.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 23 00:00 ossec-firewall-22.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 24 00:00 ossec-firewall-23.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 25 00:00 ossec-firewall-24.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 26 00:00 ossec-firewall-25.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 27 00:00 ossec-firewall-26.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 28 00:00 ossec-firewall-27.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 29 00:00 ossec-firewall-28.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 30 00:00 ossec-firewall-29.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul 31 00:00 ossec-firewall-30.log.sum

-rw-r----- 1 wazuh wazuh  520 Aug  1 00:00 ossec-firewall-31.log.sum


/var/ossec/logs/firewall/2024/Jun:

total 52

drwxr-x--- 2 wazuh wazuh 4096 Jul  1 00:00 .

drwxr-x--- 6 wazuh wazuh   50 Sep  1 00:00 ..

-rw-r----- 1 wazuh wazuh    0 Jun  6 17:38 ossec-firewall-06.log

-rw-r----- 1 wazuh wazuh  396 Jun 20 00:00 ossec-firewall-19.log.sum

-rw-r----- 1 wazuh wazuh  520 Jun 21 00:00 ossec-firewall-20.log.sum

-rw-r----- 1 wazuh wazuh  520 Jun 22 00:00 ossec-firewall-21.log.sum

-rw-r----- 1 wazuh wazuh  520 Jun 23 00:00 ossec-firewall-22.log.sum

-rw-r----- 1 wazuh wazuh  520 Jun 24 00:00 ossec-firewall-23.log.sum

-rw-r----- 1 wazuh wazuh  520 Jun 25 00:00 ossec-firewall-24.log.sum

-rw-r----- 1 wazuh wazuh  520 Jun 26 00:00 ossec-firewall-25.log.sum

-rw-r----- 1 wazuh wazuh  520 Jun 27 00:00 ossec-firewall-26.log.sum

-rw-r----- 1 wazuh wazuh  520 Jun 28 00:00 ossec-firewall-27.log.sum

-rw-r----- 1 wazuh wazuh  520 Jun 29 00:00 ossec-firewall-28.log.sum

-rw-r----- 1 wazuh wazuh  520 Jun 30 00:00 ossec-firewall-29.log.sum

-rw-r----- 1 wazuh wazuh  520 Jul  1 00:00 ossec-firewall-30.log.sum


/var/ossec/logs/firewall/2024/Sep:

total 60

drwxr-x--- 2 wazuh wazuh 4096 Sep 15 00:05 .

drwxr-x--- 6 wazuh wazuh   50 Sep  1 00:00 ..

-rw-r----- 1 wazuh wazuh  520 Sep  2 00:00 ossec-firewall-01.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep  3 00:00 ossec-firewall-02.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep  4 00:00 ossec-firewall-03.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep  5 00:00 ossec-firewall-04.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep  6 00:00 ossec-firewall-05.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep  7 00:00 ossec-firewall-06.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep  8 00:00 ossec-firewall-07.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep  9 00:00 ossec-firewall-08.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep 10 00:00 ossec-firewall-09.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep 11 00:01 ossec-firewall-10.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep 12 00:01 ossec-firewall-11.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep 13 00:00 ossec-firewall-12.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep 14 00:18 ossec-firewall-13.log.sum

-rw-r----- 1 wazuh wazuh  520 Sep 15 00:05 ossec-firewall-14.log.sum

-rw-r----- 2 wazuh wazuh    0 Sep 15 00:00 ossec-firewall-15.log


/var/ossec/logs/wazuh:

total 0

drwxr-x--- 3 wazuh wazuh  18 Jun 20 00:00 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..

drwxr-x--- 6 wazuh wazuh  50 Sep  2 00:00 2024


/var/ossec/logs/wazuh/2024:

total 8

drwxr-x--- 6 wazuh wazuh   50 Sep  2 00:00 .

drwxr-x--- 3 wazuh wazuh   18 Jun 20 00:00 ..

drwxr-x--- 2 wazuh wazuh 4096 Sep 14 00:00 Aug

drwxr-x--- 2 wazuh wazuh    6 Sep  1 00:00 Jul

drwxr-x--- 2 wazuh wazuh    6 Aug  1 00:00 Jun

drwxr-x--- 2 wazuh wazuh 4096 Sep 15 00:00 Sep


/var/ossec/logs/wazuh/2024/Aug:

total 296

drwxr-x--- 2 wazuh wazuh  4096 Sep 14 00:00 .

drwxr-x--- 6 wazuh wazuh    50 Sep  2 00:00 ..

-rw-r----- 1 wazuh wazuh 15205 Aug 15 00:00 ossec-14.log.gz

-rw-r----- 1 wazuh wazuh 16011 Aug 16 00:00 ossec-15.log.gz

-rw-r----- 1 wazuh wazuh 14936 Aug 17 00:00 ossec-16.log.gz

-rw-r----- 1 wazuh wazuh 15176 Aug 18 00:00 ossec-17.log.gz

-rw-r----- 1 wazuh wazuh 14696 Aug 19 00:00 ossec-18.log.gz

-rw-r----- 1 wazuh wazuh 15123 Aug 20 00:00 ossec-19.log.gz

-rw-r----- 1 wazuh wazuh 15134 Aug 21 00:00 ossec-20.log.gz

-rw-r----- 1 wazuh wazuh 15612 Aug 22 00:00 ossec-21.log.gz

-rw-r----- 1 wazuh wazuh 15819 Aug 23 00:00 ossec-22.log.gz

-rw-r----- 1 wazuh wazuh 14864 Aug 24 00:00 ossec-23.log.gz

-rw-r----- 1 wazuh wazuh 14899 Aug 25 00:00 ossec-24.log.gz

-rw-r----- 1 wazuh wazuh 14885 Aug 26 00:00 ossec-25.log.gz

-rw-r----- 1 wazuh wazuh 15665 Aug 27 00:00 ossec-26.log.gz

-rw-r----- 1 wazuh wazuh 16781 Aug 28 00:00 ossec-27.log.gz

-rw-r----- 1 wazuh wazuh 14977 Aug 29 00:00 ossec-28.log.gz

-rw-r----- 1 wazuh wazuh 14743 Aug 30 00:00 ossec-29.log.gz

-rw-r----- 1 wazuh wazuh 15299 Aug 31 00:00 ossec-30.log.gz

-rw-r----- 1 wazuh wazuh 15502 Sep  1 00:00 ossec-31.log.gz


/var/ossec/logs/wazuh/2024/Jul:

total 0

drwxr-x--- 2 wazuh wazuh  6 Sep  1 00:00 .

drwxr-x--- 6 wazuh wazuh 50 Sep  2 00:00 ..


/var/ossec/logs/wazuh/2024/Jun:

total 0

drwxr-x--- 2 wazuh wazuh  6 Aug  1 00:00 .

drwxr-x--- 6 wazuh wazuh 50 Sep  2 00:00 ..


/var/ossec/logs/wazuh/2024/Sep:

total 22820

drwxr-x--- 2 wazuh wazuh    4096 Sep 15 00:00 .

drwxr-x--- 6 wazuh wazuh      50 Sep  2 00:00 ..

-rw-r----- 1 wazuh wazuh   17025 Sep  2 00:00 ossec-01.log.gz

-rw-r----- 1 wazuh wazuh   17206 Sep  3 00:00 ossec-02.log.gz

-rw-r----- 1 wazuh wazuh   18659 Sep  4 00:00 ossec-03.log.gz

-rw-r----- 1 wazuh wazuh   17152 Sep  5 00:00 ossec-04.log.gz

-rw-r----- 1 wazuh wazuh   18471 Sep  6 00:00 ossec-05.log.gz

-rw-r----- 1 wazuh wazuh   17836 Sep  7 00:00 ossec-06.log.gz

-rw-r----- 1 wazuh wazuh   15989 Sep  8 00:00 ossec-07.log.gz

-rw-r----- 1 wazuh wazuh   15301 Sep  9 00:00 ossec-08.log.gz

-rw-r----- 1 wazuh wazuh   17704 Sep 10 00:00 ossec-09.log.gz

-rw-r----- 1 wazuh wazuh   17521 Sep 11 00:00 ossec-10.log.gz

-rw-r----- 1 wazuh wazuh   17926 Sep 12 00:00 ossec-11.log.gz

-rw-r----- 1 wazuh wazuh   17843 Sep 13 00:00 ossec-12.log.gz

-rw-r----- 1 wazuh wazuh       0 Sep 14 00:00 ossec-13.log.gz

-rw-r----- 1 wazuh wazuh 2093454 Sep 14 04:22 ossec-14-001.log.gz

-rw-r----- 1 wazuh wazuh 2091380 Sep 14 04:32 ossec-14-002.log.gz

-rw-r----- 1 wazuh wazuh 2091337 Sep 14 04:42 ossec-14-003.log.gz

-rw-r----- 1 wazuh wazuh 2090075 Sep 14 04:51 ossec-14-004.log.gz

-rw-r----- 1 wazuh wazuh 2091456 Sep 14 05:01 ossec-14-005.log.gz

-rw-r----- 1 wazuh wazuh 2091529 Sep 14 05:11 ossec-14-006.log.gz

-rw-r----- 1 wazuh wazuh 2091454 Sep 14 05:20 ossec-14-007.log.gz

-rw-r----- 1 wazuh wazuh 2091529 Sep 14 05:30 ossec-14-008.log.gz

-rw-r----- 1 wazuh wazuh 2090908 Sep 14 05:40 ossec-14-009.log.gz

-rw-r----- 1 wazuh wazuh 2090811 Sep 14 05:50 ossec-14-010.log.gz

-rw-r----- 1 wazuh wazuh   98304 Sep 15 00:00 ossec-14-011.log.gz

-rw-r----- 1 wazuh wazuh 2090592 Sep 14 04:13 ossec-14.log.gz

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

local_internal_options.conf 

# local_internal_options.conf

#

# This file should be handled with care. It contains

# run time modifications that can affect the use

# of OSSEC. Only change it if you know what you

# are doing. Look first at ossec.conf

# for most of the things you want to change.

#

# This file will not be overwritten during upgrades.

analysisd.debug=2
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

TOKEN=$(curl -u wazuh-wui:"wazuh-wui" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && curl -k -X GET "https://localhost:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   260  100   260    0     0  44315      0 --:--:-- --:--:-- --:--:-- 52000

{"title": "Unauthorized", "detail": "Invalid token"}

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

1130585 2024/09/19 11:14:34 sca: INFO: Module started.

1130586 2024/09/19 11:14:34 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_amazon_linux_2.yml'

1130587 2024/09/19 11:14:34 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.

1130588 2024/09/19 11:14:34 wazuh-modulesd:router: INFO: Starting router module.

1130589 2024/09/19 11:14:34 wazuh-modulesd:content_manager: INFO: Starting content_manager module.

1130590 2024/09/19 11:14:34 wazuh-modulesd:download: INFO: Module started.

1130591 2024/09/19 11:14:34 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.

1130592 2024/09/19 11:14:34 wazuh-modulesd:control: INFO: Starting control thread.

1130593 2024/09/19 11:14:34 wazuh-modulesd:database: INFO: Module started.

1130594 2024/09/19 11:14:34 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.

1130595 2024/09/19 11:14:36 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started

1130596 2024/09/19 11:15:02 wazuh-syscheckd: ERROR: socketerr (not available).

1130597 2024/09/19 11:15:02 rootcheck: ERROR: (1224): Error sending message to queue.

Federico Gustavo Galland

unread,
Sep 19, 2024, 7:25:43 AM9/19/24
to Souraj Chakraborty, Wazuh | Mailing List
Souraj,

I can see various files under /var/ossec/logs are under root:root ownership. That could be one cause of this issue.

Let's correct that:

chown -R wazuh:wazuh /var/ossec/logs

After this, restart and check if the curl commands work.

Regards,
Fede

Souraj Chakraborty

unread,
Sep 19, 2024, 7:30:53 AM9/19/24
to Wazuh | Mailing List

[root@wazuh-server etc]# chown -R wazuh:wazuh /var/ossec/logs

[root@wazuh-server etc]# TOKEN=$(curl -u wazuh-wui:"********" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && curl -k -X GET "https://localhost:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   260  100   260    0     0  43896      0 --:--:-- --:--:-- --:--:-- 52000

{"title": "Unauthorized", "detail": "Invalid token"}

[root@wazuh-server etc]# ls -laR /var/ossec/logs/ossec.log

-rw-rw---- 1 wazuh wazuh 174010976 Sep 19 11:15 /var/ossec/logs/ossec.log

[root@wazuh-server etc]# ls -laR /var/ossec/logs

/var/ossec/logs:

total 169988

drwxrwx---  9 wazuh wazuh       258 Sep 19 00:00 .

drwxr-x--- 20 root  wazuh       259 Jun  6 17:33 ..

-rw-rw----  1 wazuh wazuh      6840 Sep 13 12:53 active-responses.log

drwxr-xr-x  2 wazuh wazuh        43 Sep 16 07:07 alerts

-rw-r--r--  1 wazuh wazuh         0 Sep 16 07:13 analysisd.log

drwxr-x---  3 wazuh wazuh        18 Sep 16 04:46 api

-rw-rw----  1 wazuh wazuh      7006 Sep 19 11:26 api.log

-rw-rw----  1 wazuh wazuh     15643 Sep 18 23:45 api.log.2024-09-18

drwxr-xr-x  2 wazuh wazuh         6 Sep 16 03:31 archieves

drwxr-xr-x  3 wazuh wazuh        18 Sep 16 10:03 archives

drwxr-x---  3 wazuh wazuh        18 Jun 20 04:27 cluster

-rw-rw----  1 wazuh wazuh       105 Jun 20 04:27 cluster.log

drwxr-x---  3 wazuh wazuh        38 Sep 15 16:55 firewall

-rw-r-----  1 wazuh wazuh     10735 Sep 15 16:55 integrations.log

-rw-rw----  1 wazuh wazuh 174010976 Sep 19 11:15 ossec.log

drwxr-x---  3 wazuh wazuh        18 Jun 20 00:00 wazuh


/var/ossec/logs/alerts:

total 0

drwxr-xr-x 2 wazuh wazuh  43 Sep 16 07:07 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..

-rw-r--r-- 1 wazuh wazuh   0 Sep 16 05:32 alerts.json

-rw-r--r-- 1 wazuh wazuh   0 Sep 16 07:07 alerts.log


/var/ossec/logs/api:

total 0

drwxr-x--- 3 wazuh wazuh  18 Sep 16 04:46 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..

drwxr-x--- 3 wazuh wazuh  17 Sep 16 04:46 2024


/var/ossec/logs/api/2024:

total 0

drwxr-x--- 3 wazuh wazuh 17 Sep 16 04:46 .

drwxr-x--- 3 wazuh wazuh 18 Sep 16 04:46 ..

drwxr-x--- 2 wazuh wazuh 90 Sep 19 00:00 Sep


/var/ossec/logs/api/2024/Sep:

total 16

drwxr-x--- 2 wazuh wazuh   90 Sep 19 00:00 .

drwxr-x--- 3 wazuh wazuh   17 Sep 16 04:46 ..

-rw-r----- 1 wazuh wazuh 1783 Sep 16 04:46 api.log-14.gz

-rw-r----- 1 wazuh wazuh 2727 Sep 17 00:00 api.log-15.gz

-rw-r----- 1 wazuh wazuh 1903 Sep 18 00:00 api.log-16.gz

-rw-r----- 1 wazuh wazuh  823 Sep 19 00:00 api.log-17.gz


/var/ossec/logs/archieves:

total 0

drwxr-xr-x 2 wazuh wazuh   6 Sep 16 03:31 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..


/var/ossec/logs/archives:

total 0

drwxr-xr-x 3 wazuh wazuh  18 Sep 16 10:03 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..

drwxr-xr-x 2 wazuh wazuh   6 Sep 16 10:03 2024


/var/ossec/logs/archives/2024:

total 0

drwxr-xr-x 2 wazuh wazuh  6 Sep 16 10:03 .

drwxr-xr-x 3 wazuh wazuh 18 Sep 16 10:03 ..


/var/ossec/logs/cluster:

total 0

drwxr-x--- 3 wazuh wazuh  18 Jun 20 04:27 .

drwxrwx--- 9 wazuh wazuh 258 Sep 19 00:00 ..

drwxr-x--- 3 wazuh wazuh  17 Jun 20 04:27 2024


/var/ossec/logs/cluster/2024:

total 0

drwxr-x--- 3 wazuh wazuh 17 Jun 20 04:27 .

drwxr-x--- 3 wazuh wazuh 18 Jun 20 04:27 ..

drwxr-x--- 2 wazuh wazuh 31 Jun 20 04:27 Jun


/var/ossec/logs/cluster/2024/Jun:

total 4

drwxr-x--- 2 wazuh wazuh 31 Jun 20 04:27 .

drwxr-x--- 3 wazuh wazuh 17 Jun 20 04:27 ..

-rw-r----- 1 wazuh wazuh 35 Jun 20 04:27 cluster.log-06.gz

Federico Gustavo Galland

unread,
Sep 19, 2024, 8:50:25 AM9/19/24
to Souraj Chakraborty, Wazuh | Mailing List
Souraj,

Can you restart the manager and try again?

Souraj Chakraborty

unread,
Sep 19, 2024, 9:02:21 AM9/19/24
to Wazuh | Mailing List

[root@wazuh-server ~]# systemctl restart wazuh-manager

[root@wazuh-server ~]# systemctl status wazuh-manager

wazuh-manager.service - Wazuh manager

   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)

   Active: active (running) since Thu 2024-09-19 12:55:11 UTC; 11s ago

  Process: 28037 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)

  Process: 28173 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)

   CGroup: /system.slice/wazuh-manager.service

           ├─28233 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─28234 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─28237 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─28240 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

           ├─28264 /var/ossec/bin/wazuh-integratord

           ├─28285 /var/ossec/bin/wazuh-authd

           ├─28295 /var/ossec/bin/wazuh-db

           ├─28325 /var/ossec/bin/wazuh-execd

           ├─28337 /var/ossec/bin/wazuh-analysisd

           ├─28347 /var/ossec/bin/wazuh-syscheckd

           ├─28415 /var/ossec/bin/wazuh-remoted

           ├─28458 /var/ossec/bin/wazuh-logcollector

           ├─28516 /var/ossec/bin/wazuh-monitord

           ├─28569 /var/ossec/bin/wazuh-modulesd

           ├─28588 /bin/sh wodles/aws/aws-s3 --bucket hot-production-monitoring-logs --aws_account_id 905418174391 --t...

           └─28596 /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws-s3.py --bucket hot-production-mon...


Sep 19 12:55:01 wazuh-server env[28173]: 2024/09/19 12:55:01 wazuh-analysisd[28200] rules.c:2483 at printRuleinfo...ut: 0

Sep 19 12:55:01 wazuh-server env[28173]: 2024/09/19 12:55:01 wazuh-analysisd[28200] rules.c:2483 at printRuleinfo...ut: 0

Sep 19 12:55:01 wazuh-server env[28173]: 2024/09/19 12:55:01 wazuh-analysisd[28200] rules.c:2483 at printRuleinfo...ut: 0

Sep 19 12:55:01 wazuh-server env[28173]: 2024/09/19 12:55:01 wazuh-analysisd[28200] rules.c:2483 at printRuleinfo...ut: 0

Sep 19 12:55:01 wazuh-server env[28173]: 2024/09/19 12:55:01 wazuh-analysisd[28200] rules.c:2483 at printRuleinfo...ut: 0

Sep 19 12:55:01 wazuh-server env[28173]: 2024/09/19 12:55:01 wazuh-analysisd[28200] rules.c:2483 at printRuleinfo...ut: 0

Sep 19 12:55:01 wazuh-server env[28173]: 2024/09/19 12:55:01 wazuh-analysisd[28200] rules.c:2483 at printRuleinfo...ut: 0

Sep 19 12:55:01 wazuh-server env[28173]: 2024/09/19 12:55:01 wazuh-analysisd[28200] rules.c:2483 at printRuleinfo...ut: 0

Sep 19 12:55:01 wazuh-server env[28173]: 2024/09/19 12:55:01 wazuh-analysisd[28200] rules.c:2483 at printRuleinfo...ut: 0

Sep 19 12:55:11 wazuh-server systemd[1]: Started Wazuh manager.

Hint: Some lines were ellipsized, use -l to show in full.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

[root@wazuh-server ~]# TOKEN=$(curl -u wazuh-wui:"************" -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && curl -k -X GET "https://localhost:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   404  100   404    0     0   1177      0 --:--:-- --:--:-- --:--:--  1177

{

   "data": {

      "title": "Wazuh API REST",

      "api_version": "4.8.0",

      "revision": 40812,

      "license_name": "GPL 2.0",

      "license_url": "https://github.com/wazuh/wazuh/blob/v4.8.0/LICENSE",

      "hostname": "wazuh-server",

      "timestamp": "2024-09-19T12:56:15Z"

   },

   "error": 0


I just checked Wazuh and it is working. I can log in and connect to the dashboard, and it is showing data. Can you explain how this worked?

Federico Gustavo Galland

unread,
Sep 19, 2024, 9:05:18 AM9/19/24
to Souraj Chakraborty, Wazuh | Mailing List
Souraj,

I'm glad we were able to sort it out!

It seems the analysisd daemon was not running due to not being able to write to its output files as the wazuh user. Giving ownership of the /var/ossec/logs folder back to the wazuh user and group restored it to working status.


Regards,
Fede
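The two checks behind that diagnosis, as an added example script (not part of the thread or of the Wazuh project): it greps ossec.log for the analysisd (1107) "Permission denied" CRITICAL that kept wazuh-analysisd stopped, and lists every entry under the log tree that is not owned by wazuh:wazuh. It assumes GNU coreutils (`stat -c`), as on the Amazon Linux 2 AMI used in the thread; when /var/ossec/logs is absent it runs against a constructed sample instead.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or the Wazuh project.
# Checks the two preconditions behind ERROR3099 as diagnosed above:
#   1. analysisd's (1107) "Could not create directory ... Permission denied"
#      CRITICAL in ossec.log, which is what actually stopped wazuh-analysisd;
#   2. anything under the log tree not owned by the wazuh user and group.
# Assumes GNU coreutils (stat -c), as on the Amazon Linux 2 AMI in the thread.
set -u

WAZUH_USER="${WAZUH_USER:-wazuh}"
WAZUH_GROUP="${WAZUH_GROUP:-wazuh}"
LOG_ROOT="${LOG_ROOT:-/var/ossec/logs}"
OSSEC_LOG="${OSSEC_LOG:-$LOG_ROOT/ossec.log}"

# Print "<timestamp> <directory>" for every (1107) permission CRITICAL from
# wazuh-analysisd in the given log. An optional leading line number (as in a
# `cat -n` paste like the one in the thread) is tolerated and stripped.
# Returns 0 if at least one such line was found, 1 otherwise.
find_1107_errors() {
    local logfile="$1"
    sed -nE "s|^([0-9]+[[:space:]]+)?([0-9/]+ [0-9:]+) wazuh-analysisd: CRITICAL: \(1107\): Could not create directory '([^']+)' due to \[\(13\)-\(Permission denied\)\].*|\2 \3|p" "$logfile" \
        | grep .
}

# Print "owner:group path" for every entry under $1 not owned by $2:$3.
# Returns 0 when the whole tree is correctly owned, 1 when anything is not.
find_misowned() {
    local root="$1" want="$2:$3" bad
    bad=$(find "$root" -exec stat -c '%U:%G %n' {} + | awk -v want="$want" '$1 != want')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Run both checks and, if ownership is wrong, print the remediation used in the thread.
run_checks() {
    local root="$1" logfile="$2"
    echo "== analysisd (1107) permission errors in $logfile =="
    find_1107_errors "$logfile" || echo "(none)"
    echo "== entries under $root not owned by $WAZUH_USER:$WAZUH_GROUP =="
    if find_misowned "$root" "$WAZUH_USER" "$WAZUH_GROUP"; then
        echo "(none)"
    else
        echo "Remediation used in the thread (as root), then restart the manager:"
        echo "  chown -R $WAZUH_USER:$WAZUH_GROUP $root && systemctl restart wazuh-manager"
    fi
}

# Constructed sample log (not a real capture); the 1107 line mirrors the one
# quoted in the thread so the script demonstrates itself without a Wazuh install.
make_sample_log() {
    cat > "$1" <<'EOF'
1112468 2024/09/18 16:58:20 wazuh-analysisd: INFO: Started (pid: 21067).
1112469 2024/09/18 16:58:20 wazuh-analysisd: CRITICAL: (1107): Could not create directory 'logs/archives/2024/Sep' due to [(13)-(Permission denied)].
1112473 2024/09/18 16:58:21 wazuh-syscheckd: ERROR: (1224): Error sending message to queue.
EOF
}

if [ -d "$LOG_ROOT" ]; then
    run_checks "$LOG_ROOT" "$OSSEC_LOG"
else
    demo=$(mktemp -d)
    make_sample_log "$demo/ossec.log"
    mkdir -p "$demo/archives/2024"
    run_checks "$demo" "$demo/ossec.log"
    rm -rf "$demo"
fi
```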

Souraj Chakraborty

unread,
Sep 19, 2024, 9:18:05 AM9/19/24
to Wazuh | Mailing List
Thank you for working on this, I appreciate the help.

This part is generating the debug messages. Can I remove the analysisd.debug=2 line so that the debug messages stop being generated?
local_internal_options.conf 

# local_internal_options.conf

#

# This file should be handled with care. It contains

# run time modifications that can affect the use

# of OSSEC. Only change it if you know what you

# are doing. Look first at ossec.conf

# for most of the things you want to change.

#

# This file will not be overwritten during upgrades.

analysisd.debug=2

Also, I want to clear old logs and any old data to get some storage back. Can I do that from the dashboard or the manager, and is there a safe, recommended way to do it? Could you tell me the steps?

Federico Gustavo Galland

unread,
Sep 19, 2024, 9:21:34 AM9/19/24
to Souraj Chakraborty, Wazuh | Mailing List
Sure, you can set it to 0 to disable it.
