wazuh-analysisd configuration error. exiting
355 views
Skip to first unread message
Dinh Van Thai
Feb 2, 2023, 3:57:55 AM2/2/23
to Wazuh mailing list
Hello,
I'm trying add custom-rule to wazuh-manager. when i add rule using dashboard, save and restart everything is OK. However, problem occurs when i restart wazuh-manager by command. I'm using Wazuh with Docker running in multi-node.
I couldn't find anything relatable regarding these error,
I hope you could help me in resolving this situation.
Best regards.
Damian Alfredo Mangold
Feb 2, 2023, 4:36:59 AM2/2/23
to Wazuh mailing list
Hi, thanks for using Wazuh!
Could you give me more information about the context to better understand the error and maybe try to recreate it?
- Version of wazuh (manager)
- Operating system (manager)
I understood that the problem starts when you add a new rule, so: - Could you remove the rule and check if the reset is successful?
- Could you share the rule with me?
Dinh Van Thai
Feb 2, 2023, 10:47:20 AM2/2/23
to Wazuh mailing list
I'm using wazuh-manager version 4.3.10
docker 20.10 on Ubuntu 20.04
when i remove the rule and restart everything run OK.
sorry i can't share the rule for now.
I hope you could help me in resolving this situation.
Regards
Damian Alfredo Mangold
Feb 2, 2023, 4:11:40 PM2/2/23
to Dinh Van Thai, Wazuh mailing list
I need the rule that is causing the error to run some tests and identify the problem.
As a test, I created a generic rule from the dashboard and then restarted the manager from the dashboard and terminal and had no problems.
Everything indicates that your rule has some peculiarity that causes the problem.
As a test, I created a generic rule from the dashboard and then restarted the manager from the dashboard and terminal and had no problems.
Everything indicates that your rule has some peculiarity that causes the problem.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/642b09e1-98fb-4c83-89b3-604673d7c100n%40googlegroups.com.
 | Damian Mangold Software Developer | Team leader |
Damian Alfredo Mangold
Feb 13, 2023, 11:57:39 AM2/13/23
to Dinh Van Thai, Wazuh mailing list
Hi, we were able to identify the reason why "analysisd" fails on reboot.
wazuh-analysisd breaks due to excessive memory consumption
The rules you design share <group> and <if_groups>, that has quadratic growth in rule creation and memory consumption!
The explanation for this behavior is that <if_group> is a kind of shortcut that instantiates a rule of type <if_sid> under each rule of the specified group. Since the child rules also belong to the same <group> if we create a series of rules with <if_group>, the memory efficiency is O(n²).
The solution to the problem is to either redraw the rule tree or create a parent rule and then create the child rules using the <if_sid> option. Something like that:
wazuh-analysisd breaks due to excessive memory consumption
The rules you design share <group> and <if_groups>, that has quadratic growth in rule creation and memory consumption!
One rule:
2023/02/08 08:11:42 wazuh-analysisd: INFO: Total rules enabled: '6773'
10 rules:
2023/02/08 08:12:20 wazuh-analysisd: INFO: Total rules enabled: '42587'
19 rules:
2023/02/08 08:14:01 wazuh-analysisd: INFO: Total rules enabled: '36968795'
29 rules:
Killed
The explanation for this behavior is that <if_group> is a kind of shortcut that instantiates a rule of type <if_sid> under each rule of the specified group. Since the child rules also belong to the same <group> if we create a series of rules with <if_group>, the memory efficiency is O(n²).
The solution to the problem is to either redraw the rule tree or create a parent rule and then create the child rules using the <if_sid> option. Something like that:
<group name="custom,">
<rule id="100020" level="0">
<description>MSSQL XPCmdshell Rules</description>
<if_group>windows,</if_group>
</rule>
<rule id="100021" level="13">
<description>MSSQL XPCmdshell Suspicious Execution</description>
<group>windows,application,</group>
<if_sid>100020</if_sid>
<field name="win.system.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
<field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:33205)$</field>
<field name="win.evendata.data" negate="no" type="pcre2">(?i)(object_name:xp_cmdshell)</field>
<field name="win.evendata.data" negate="no" type="pcre2">(?i)(statement:EXEC)</field>
</rule>
<rule id="100023" level="13">
<description>MSSQL XPCmdshell Option Change</description>
<group>windows,application,</group>
<if_sid>100020</if_sid>
<field name="win.system.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
<field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:15457)$</field>
<field name="win.evendata.data" negate="no" type="pcre2">(?i)(xp_cmdshell)</field>
</rule>
</group>
Regarding why the reboot from the dashboard does not fail, we are analyzing the problem and will inform you when we have news.
Regards !
<rule id="100020" level="0">
<description>MSSQL XPCmdshell Rules</description>
<if_group>windows,</if_group>
</rule>
<rule id="100021" level="13">
<description>MSSQL XPCmdshell Suspicious Execution</description>
<group>windows,application,</group>
<if_sid>100020</if_sid>
<field name="win.system.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
<field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:33205)$</field>
<field name="win.evendata.data" negate="no" type="pcre2">(?i)(object_name:xp_cmdshell)</field>
<field name="win.evendata.data" negate="no" type="pcre2">(?i)(statement:EXEC)</field>
</rule>
<rule id="100023" level="13">
<description>MSSQL XPCmdshell Option Change</description>
<group>windows,application,</group>
<if_sid>100020</if_sid>
<field name="win.system.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
<field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:15457)$</field>
<field name="win.evendata.data" negate="no" type="pcre2">(?i)(xp_cmdshell)</field>
</rule>
</group>
Regarding why the reboot from the dashboard does not fail, we are analyzing the problem and will inform you when we have news.
Regards !
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4a859fa2-c949-4fef-a886-976de272e3c5n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages