Wazuh Manager Service Error

[Zulfikar Caglar]

Hello,

There are 4 wazuh manager servers working in my environment. 2 of these servers give the following error message every 3 days.;

 Active: active (running) since Wed 2021-01-13 16:47:43 +03; 1 day 20h ago
  Process: 1684 ExecStop=/usr/bin/env ${DIRECTORY}/bin/ossec-control stop (code=exited, status=1/FAILURE)
  Process: 1988 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─ 2090 /var/ossec/bin/ossec-analysisd
           ├─ 2150 /var/ossec/bin/ossec-syscheckd
           ├─ 2171 /var/ossec/bin/ossec-remoted
           ├─ 2300 /var/ossec/bin/wazuh-modulesd
           ├─24214 /var/ossec/bin/ossec-authd
           ├─24231 /var/ossec/bin/wazuh-db
           ├─24256 /var/ossec/bin/ossec-execd
           ├─24268 /var/ossec/bin/ossec-maild
           ├─24482 /var/ossec/bin/ossec-logcollector
           └─24504 /var/ossec/bin/ossec-monitord

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

The log records they collect are not transferred to elasticsearch. how can I find the root causes of this problem and how can I solve the problem.

Regards

[Alberto Rodriguez]

Hello 

  In order to find the cause, please provide the following information:

- What Wazuh manager version are you using? 

- What operating system?

- Are the 4 managers configured as cluster or single?

- Could you please check if the logs contain errors? `cat /var/ossec/logs/ossec.log | egrep -i "error|warning|critical"` for the current log. If it was another day, you can use zcat /var/ossec/logs/ossec/<YEAR>/<MONTH>/ossec-<DAY>.log.gz  | egrep -i "error|warning|critical"

If the error is every 3 days, we can check if something is running at this time. Did you check if you have any related cronjob?

Best regards, 
Alberto R