Wazuh API error


Kobrik Kobrikovic

Jun 6, 2024, 4:24:04 AM
to Wazuh | Mailing List
Hello,
I ran into a problem with saving when creating custom rules. When I try to save, I get the following error message:
[Screenshot 2024-06-05 130959.png]
[Screenshot 2024-06-05 130900.png]

The changes I tried to save in the custom rules are discarded and the last working configuration is loaded.

Occasionally, after these errors happen, the API drops out completely and the whole Wazuh manager is down for a while:
[Screenshot 2024-06-05 132536.png]
[Screenshot 2024-06-05 132548.png]
Have you ever encountered such limits when creating your own rules?

There are no errors in /var/ossec/logs/ossec.log.
I have some warnings in /var/log/filebeat/filebeat, but no ERROR-level entries.

The installed version of the manager and dashboard is 4.7.3. They are installed separately.

But I noticed that some of our Linux agents have updated to version 4.7.4. Apparently auto-update is not turned off on the endpoints. Can this cause such problems?

The Wazuh server has 8 CPUs and 8 GB RAM allocated.

Otherwise, I haven't noticed these problems anywhere other than when saving rules. For example, if I start a certain set of rules from an empty file, it's OK. As the number of rules in the file increases, saving slows down until it reaches this error stage. Basically, I can already tell that I'm approaching the ceiling and that maybe with the next rule there will be an error.

I've noticed that when I try to truncate the rules, one of the CPUs is at 100% usage:
[Screenshot 2024-06-06 094430.png]

If you do not manage to save the rules despite these problems, the same problems occur when you try to restart the manager.
[Screenshot 2024-06-06 094631.png]
[Screenshot 2024-06-06 094704.png]

Please, can someone help me?

Openime Oniagbi

Jun 6, 2024, 5:01:41 AM
to Wazuh | Mailing List
Hi,

You have encountered several errors and asked questions that may not be entirely related.

Starting with the agent/manager version, you must always ensure that your agent version is equal to or lower than the manager version. Auto-updates are why the last part of the agent installation guide provides steps to disable updates.

If the agent version is higher, it may lead to issues that are related to what you are facing.

Regarding the rule file, if there is an error in the file, then the Wazuh server rejects the changes and may restart, which means it might be unavailable for a while. The most important thing in that case is ensuring there are no errors in the rules configuration you upload. In your case, I'd suggest making the changes using a terminal editor like Vim and restarting the Wazuh manager service afterwards. If there is an error, the manager service will not start, and the full error message will indicate the line causing the error.

Additionally, it is advisable to break your rules into several files which aids management both for the server and for you. If you try to save a rule file with an error, then it is normal for the manager service to enter a failed state. In that case, you must correct the error and restart the manager.

If you have any more concerns, feel free to let me know.

Kobrik Kobrikovic

Jun 10, 2024, 3:54:34 AM
to Wazuh | Mailing List
Hello,
I've upgraded all Wazuh components to version 4.7.5. I understand what you are writing. Otherwise, yes, I will try it. I'll make the changes using the terminal editor, save the changes, and restart the manager. If an error occurs, where are the logs for these errors saved?

On Thursday, June 6, 2024 at 11:01:41 UTC+2, Openime Oniagbi wrote:

Openime Oniagbi

Jun 11, 2024, 4:39:29 AM
to Wazuh | Mailing List

The full error is always saved to /var/ossec/logs/ossec.log. There is also an error output to the terminal when you try to restart the Wazuh manager.

Kobrik Kobrikovic

Jul 29, 2024, 3:48:38 AM
to Wazuh | Mailing List
Hello. Thank you for trying to help. Finally resolved. The problem was in the if_group condition. I had used this condition at 3 levels, and apparently using it in this case is not appropriate; it is a lot of processing. After rewriting the rules using if_sid, everything is fine.

On Tuesday, June 11, 2024 at 10:39:29 UTC+2, Openime Oniagbi wrote:
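The resolution above (a three-level if_group chain replaced by if_sid) and the earlier advice to check a rules file before restarting the manager both come down to inspecting the rule graph statically. The following is an added example, not code from this thread or from the Wazuh project: a small Python lint that parses a custom rules file, measures how many if_group hops sit above each rule, flags chains deeper than a limit, reports which rule ids an equivalent if_sid would list, and checks that if_sid references in the custom id range resolve. The two embedded rule sets are constructed for illustration: the first has the three-level if_group shape described in the thread, the second is the same rules rewritten with if_sid. Rule ids 100100-100103, the group names, the JSON-field matching and the depth limit of 2 are all assumptions.

```python
"""Lint Wazuh custom rules for long if_group chains and dangling if_sid refs.
Added example, not Wazuh project code; rule ids and group names are hypothetical."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample 1: the pattern from the thread, each level hanging off the
# previous one with <if_group>. Only rule 100100 declares the "myapp" group; the
# file-level name="local," applies to every rule, so an if_group on "local"
# would match all of them.
RULES_IF_GROUP = """
<group name="local,">
  <rule id="100100" level="3"><decoded_as>json</decoded_as><field name="app">myapp</field>
    <description>myapp: event received</description><group>myapp,</group></rule>
  <rule id="100101" level="5"><if_group>myapp</if_group><field name="action">login</field>
    <description>myapp: login attempt</description><group>myapp_login,</group></rule>
  <rule id="100102" level="8"><if_group>myapp_login</if_group><field name="result">failure</field>
    <description>myapp: login failure</description><group>myapp_login_failure,</group></rule>
  <rule id="100103" level="10"><if_group>myapp_login_failure</if_group><field name="user">admin</field>
    <description>myapp: admin login failure</description></rule>
</group>
"""
# Constructed sample 2: the same chain rewritten with <if_sid>, as the poster did.
RULES_IF_SID = """
<group name="local,">
  <rule id="100100" level="3"><decoded_as>json</decoded_as><field name="app">myapp</field>
    <description>myapp: event received</description><group>myapp,</group></rule>
  <rule id="100101" level="5"><if_sid>100100</if_sid><field name="action">login</field>
    <description>myapp: login attempt</description><group>myapp_login,</group></rule>
  <rule id="100102" level="8"><if_sid>100101</if_sid><field name="result">failure</field>
    <description>myapp: login failure</description><group>myapp_login_failure,</group></rule>
  <rule id="100103" level="10"><if_sid>100102</if_sid><field name="user">admin</field>
    <description>myapp: admin login failure</description></rule>
</group>
"""


def _split(value):
    """Split a comma-separated Wazuh list such as "a,b," into its items."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def parse_rules(text):
    """One dict per <rule>: id, declared groups, if_sid and if_group references.
    A rules file may have several top-level <group> elements, hence the synthetic root."""
    rules = []
    for grp in ET.fromstring("<rules>" + text + "</rules>").findall("group"):
        file_groups = _split(grp.get("name"))
        for rule in grp.findall("rule"):
            own = [g for e in rule.findall("group") for g in _split(e.text)]
            rules.append({
                "id": rule.get("id"),
                "groups": set(file_groups) | set(own),
                "if_sid": [s for e in rule.findall("if_sid") for s in _split(e.text)],
                "if_group": [s for e in rule.findall("if_group") for s in _split(e.text)],
            })
    return rules


def _providers(rules):
    """group name -> ids of the rules that declare it."""
    prov = defaultdict(set)
    for r in rules:
        for g in r["groups"]:
            prov[g].add(r["id"])
    return prov


def if_group_depth(rules):
    """Longest chain of if_group hops above each rule, counted on declared groups only.
    Wazuh also carries a parent's groups onto the child match, so the real fan-out is >= this."""
    prov, by_id = _providers(rules), {r["id"]: r for r in rules}

    def depth(rid, path):
        if rid in path:  # cycle guard for mutual if_group references
            return 0
        parents = {p for g in by_id[rid]["if_group"] for p in prov.get(g, ()) if p != rid}
        return max((1 + depth(p, path | {rid}) for p in parents), default=0)

    return {rid: depth(rid, frozenset()) for rid in by_id}


def if_group_to_if_sid(rules):
    """For each rule using if_group, the ids an equivalent <if_sid> would list.
    An empty list means no rule in this file declares the group (other file, or a typo)."""
    prov = _providers(rules)
    return {r["id"]: sorted({p for g in r["if_group"] for p in prov.get(g, ()) if p != r["id"]})
            for r in rules if r["if_group"]}


def lint(text, max_if_group_depth=2):
    """Findings as strings; an empty list means nothing to report. if_sid references are
    checked only inside the custom id range 100000-120000; built-in rule ids live elsewhere."""
    rules = parse_rules(text)
    known = {r["id"] for r in rules}
    findings = [f"rule {rid}: if_group chain {d} levels deep (limit {max_if_group_depth})"
                for rid, d in sorted(if_group_depth(rules).items()) if d > max_if_group_depth]
    for r in rules:
        for sid in r["if_sid"]:
            if sid.isdigit() and 100000 <= int(sid) <= 120000 and sid not in known:
                findings.append(f"rule {r['id']}: if_sid {sid} is not defined in this file")
    return findings


if __name__ == "__main__":
    print("if_group version:", lint(RULES_IF_GROUP) or "ok")
    print("if_sid version:  ", lint(RULES_IF_SID) or "ok")
    print("if_sid equivalents:", if_group_to_if_sid(parse_rules(RULES_IF_GROUP)))
```

Point `lint()` at a file such as /var/ossec/etc/rules/local_rules.xml before restarting the manager. It is a static check on declared groups, so it complements rather than replaces watching /var/ossec/logs/ossec.log after the restart; the output of `if_group_to_if_sid()` is the list of ids to put into each replacement `<if_sid>` element.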