wazuh-analysisd ERROR dbsync: Bad response from database: Cannot save Syscheck


Wahyu Kurniawan

Apr 18, 2024, 7:58:50 PM
to Wazuh | Mailing List
Hi there,

I never receive the daily report from Wazuh anymore. I checked the logs and this is what is happening:

Apr 19, 2024 @ 09:46:52.000 wazuh-analysisd ERROR dbsync: Bad response from database: Cannot save Syscheck
Apr 19, 2024 @ 09:46:52.000 wazuh-analysisd ERROR dbsync: Bad response from database: Cannot save Syscheck
Apr 19, 2024 @ 09:46:53.000 wazuh-analysisd ERROR dbsync: Bad response from database: Cannot save Syscheck
Apr 19, 2024 @ 09:46:53.000 wazuh-analysisd ERROR dbsync: Bad response from database: Cannot save Syscheck
Apr 19, 2024 @ 09:46:53.000 wazuh-analysisd ERROR dbsync: Bad response from database: Cannot save Syscheck
Apr 19, 2024 @ 09:46:53.000 wazuh-analysisd ERROR dbsync: Bad response from database: Cannot save Syscheck

and it never stops.
How do I solve this problem?

Best Regards,
Wahyu

Isaac Yusuf

Apr 21, 2024, 5:12:07 PM
to Wazuh | Mailing List

Hello Wahyu,

What version of Wazuh do you have installed?
What version of Wazuh are you using for agents?
You have to keep in mind that the compatibility between the Wazuh agent and the Wazuh manager is guaranteed when the Wazuh manager version is later than or equal to that of the Wazuh agent, as indicated here: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html.

If you have a Wazuh agent version later than a Wazuh manager, this could be the cause of your problem.
If that’s ok, please enable debug=2 for wazuh_db by putting this: wazuh_db.debug=2, in your /var/ossec/etc/local_internal_options.conf and restart your manager.

Once that’s done, go back to the logs in the ossec.log file and send us the results again so we can analyze the problem.

I hope this helps with your concern.

Wahyu Kurniawan

Apr 21, 2024, 11:53:21 PM
to Wazuh | Mailing List
Hi Isaac,

Thanks for the reply. I never noticed this. I ran this command on the Wazuh Manager server: /var/ossec/bin/wazuh-control -j info

This is what it shows: {"error":0,"data":[{"WAZUH_VERSION":"v4.3.6"},{"WAZUH_REVISION":"40318"},{"WAZUH_TYPE":"server"}]}

Then I checked my agent versions; most of them are version v4.3.9.

I will downgrade them all then and come back to you.

I have also enabled wazuh_db.debug=2 in /var/ossec/etc/local_internal_options.conf:

  GNU nano 4.8                                      /var/ossec/etc/local_internal_options.conf
# local_internal_options.conf
#
# This file should be handled with care. It contains
# run time modifications that can affect the use
# of OSSEC. Only change it if you know what you
# are doing. Look first at ossec.conf
# for most of the things you want to change.
#
# This file will not be overwritten during upgrades.
wazuh_db.debug=2

After I downgrade the agent, will I be able to receive the daily update again?

Best Regards,
Wahyu
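
The compatibility rule from this exchange (the manager version must be later than or equal to every agent version), as an added example that is not part of the original thread. The manager JSON is the output posted above; the agent inventory and its host names are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag agents whose version is later than the manager's.

# Extract "4.3.6" from the JSON printed by `wazuh-control -j info` (stdin).
manager_version() {
  sed -n 's/.*"WAZUH_VERSION":"v\{0,1\}\([0-9][0-9.]*\)".*/\1/p'
}

# Succeeds when version $1 is strictly later than version $2.
# sort -V compares numerically per field, so 4.10.0 sorts after 4.3.6.
version_gt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Read "name version" lines on stdin; print agents newer than manager $1.
incompatible_agents() {
  mgr="$1"
  while read -r name ver; do
    [ -n "$name" ] || continue
    ver="${ver#v}"                      # accept both "v4.3.9" and "4.3.9"
    if version_gt "$ver" "$mgr"; then
      echo "$name $ver"
    fi
  done
}

# Manager output exactly as posted in the thread.
MANAGER_JSON='{"error":0,"data":[{"WAZUH_VERSION":"v4.3.6"},{"WAZUH_REVISION":"40318"},{"WAZUH_TYPE":"server"}]}'

# Constructed agent inventory (hypothetical host names).
AGENTS='web-01 v4.3.9
db-01 v4.3.6
legacy-01 v4.2.7
edge-01 v4.10.0'

# Print every agent that is newer than the manager.
check() {
  m="$(printf '%s\n' "$MANAGER_JSON" | manager_version)"
  printf '%s\n' "$AGENTS" | incompatible_agents "$m"
}

check
```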

Isaac Yusuf

Apr 22, 2024, 4:56:14 AM
to Wazuh | Mailing List
Hello Wahyu,

Instead of downgrading, I would recommend upgrading all your components and agents to the latest stable version, 4.7.3.

Regards,

Wahyu Kurniawan

Apr 22, 2024, 5:36:29 AM
to Wazuh | Mailing List
Hi Isaac,

Thank you, but I'm afraid to do so. Is there any alternative way? How about the log I sent you before?

Best Regards,
Wahyu

Isaac Yusuf

Apr 22, 2024, 5:53:14 AM
to Wazuh | Mailing List
Hello,

For preparation before the upgrade, you should back up the following directories:

Wazuh Manager

  • /var/ossec/api/configuration
  • /var/ossec/etc
  • /var/ossec/logs
  • /var/ossec/queue/rootcheck
  • /var/ossec/queue/agent-groups
  • /var/ossec/queue/agent-info
  • /var/ossec/queue/agents-timestamp
  • /var/ossec/queue/agentless
  • /var/ossec/queue/cluster
  • /var/ossec/queue/rids
  • /var/ossec/queue/fts
  • /var/ossec/var/multigroups
  • The next two folders must be copied with the manager service stopped:
      • /var/ossec/var/db/global.db
      • /var/ossec/queue/db

Wazuh-Indexer

  • /etc/wazuh-indexer/opensearch.yml
  • /etc/systemd/system/wazuh-indexer.service
  • /etc/wazuh-indexer/jvm.options

Wazuh-Dashboard

  • /etc/wazuh-dashboard/opensearch_dashboards.yml
  • /usr/share/wazuh-dashboard/plugins/wazuh/wazuh.yml
  • You can also export dashboards from Management > Saved Objects. Dashboards are stored in the .kibana index.

If it is deployed on a VM, when possible the ideal would be to take a complete snapshot of the system.

You can then proceed to follow step by step our upgrade guide: https://documentation.wazuh.com/current/upgrade-guide/index.html


Regards,
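
The manager part of the backup list above as a script, added here as an example and not part of the original message or of Wazuh's tooling. It assumes a systemd host for the stop/start commands, covers only the Wazuh Manager paths, and restricts the archive permissions because /var/ossec/etc contains the agent keys (client.keys).

```sh
#!/bin/sh
# Added example: back up the Wazuh manager paths listed in the message above.
# Paths copied while the manager is running.
LIVE_PATHS='/var/ossec/api/configuration
/var/ossec/etc
/var/ossec/logs
/var/ossec/queue/rootcheck
/var/ossec/queue/agent-groups
/var/ossec/queue/agent-info
/var/ossec/queue/agents-timestamp
/var/ossec/queue/agentless
/var/ossec/queue/cluster
/var/ossec/queue/rids
/var/ossec/queue/fts
/var/ossec/var/multigroups'
# Paths that must be copied with the manager service stopped.
OFFLINE_PATHS='/var/ossec/var/db/global.db
/var/ossec/queue/db'
# Service control (assumption: systemd host); override both for a dry run.
STOP_CMD="${STOP_CMD:-systemctl stop wazuh-manager}"
START_CMD="${START_CMD:-systemctl start wazuh-manager}"

# archive_existing ROOT OUT LIST: tar the LIST entries that exist under ROOT.
archive_existing() {
  root="$1"; out="$2"; present=""
  for p in $3; do
    if [ -e "$root$p" ]; then present="$present .$p"
    else echo "skipped (not present): $p" >&2; fi
  done
  [ -n "$present" ] || return 1
  # $present is split on purpose; none of the listed paths contain spaces.
  tar -C "${root:-/}" -czf "$out" $present
}

# backup_manager ROOT DEST: ROOT is "" on a real manager, a sandbox dir in tests.
backup_manager() {
  dest="$2"
  umask 077                      # /var/ossec/etc holds client.keys (agent keys)
  mkdir -p "$dest" || return 1
  archive_existing "$1" "$dest/manager-live.tar.gz" "$LIVE_PATHS" || return 1
  $STOP_CMD || return 1
  archive_existing "$1" "$dest/manager-db.tar.gz" "$OFFLINE_PATHS"; rc=$?
  $START_CMD || return 1         # restart even if the second archive failed
  return "$rc"
}

# Run for real only when asked: sh backup.sh --run /root/wazuh-backup
if [ "${1:-}" = "--run" ]; then backup_manager "" "${2:?destination directory}"; fi
```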

Wahyu Kurniawan

Apr 22, 2024, 6:56:16 AM
to Wazuh | Mailing List
Hi Isaac,

Thank you for this. I might need to schedule for this.

Another question: why is the time different when I execute this command: tail -f /var/ossec/logs/ossec.log

2024/04/22 10:50:15 wazuh-analysisd: ERROR: dbsync: Bad response from database: Cannot save Syscheck

It shows a different time; it is 10 hours late.

Best Regards,
Wahyu

Wahyu Kurniawan

Apr 22, 2024, 6:57:24 AM
to Isaac Yusuf, Wazuh | Mailing List
I’m afraid to do so. What is the risk? Are there any steps for this, such as what I need to back up first? Because this server already has lots of data.


Isaac Yusuf

Apr 22, 2024, 8:21:51 AM
to Wazuh | Mailing List

Hello Wahyu,

That time is synonymous with your local host server. You can check it using date.


Regards,

Wahyu Kurniawan

Apr 22, 2024, 9:51:55 AM
to Wazuh | Mailing List
Hi Isaac,

That can't be right. How come it is different?

[Attachment: error.png]

Regards,
Wahyu
