Hi Ramiz
Please share the steps you follow on the wazuh-agent side. Can you please confirm that you performed the following steps:
Perform the following steps to install an Apache web server and monitor its logs with the Wazuh agent.
Update local packages and install the Apache web server:
sudo apt update
sudo apt install apache2
If the firewall is enabled, modify the firewall to allow external access to web ports. Skip this step if the firewall is disabled:
sudo ufw status
sudo ufw app list
sudo ufw allow 'Apache'
Check the status of the Apache service to verify that the web server is running:
sudo systemctl status apache2
Use the curl command or open http://<UBUNTU_IP> in a browser to view the Apache landing page and verify the installation:
curl http://<UBUNTU_IP>
Add the following to the /var/ossec/etc/ossec.conf file to configure the Wazuh agent and monitor the Apache access logs:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>
Add the active response block to the Wazuh server /var/ossec/etc/ossec.conf file:
The firewall-drop command integrates with the Ubuntu local iptables firewall and drops incoming network connections from the attacker endpoint for 60 seconds:
<ossec_config>
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>100100</rules_id>
<timeout>60</timeout>
</active-response>
</ossec_config>
Restart the Wazuh agent to apply the changes:
sudo systemctl restart wazuh-agent
Refer to:
https://documentation.wazuh.com/current/proof-of-concept-guide/block-malicious-actor-ip-reputation.html
If you performed the same steps then please share the ossec.conf and /var/ossec/logs/ossec.log
Hope to hear from you soon
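As an added example, not part of this reply or of Wazuh's own tooling, a small Python check that parses an ossec.conf and confirms the two blocks above are present: the agent-side <localfile> for the Apache access log and the server-side firewall-drop active response bound to rule 100100. It assumes the file may contain several top-level <ossec_config> elements (common in real ossec.conf files, and not well-formed XML on its own) and uses constructed sample configs, not files from this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread). The agent file has two
# top-level <ossec_config> blocks, as real ossec.conf files often do.
AGENT_CONF = """
<ossec_config>
  <client><server><address>10.0.0.1</address></server></client>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>
"""

SERVER_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>
"""


def parse_ossec_conf(text):
    # Several root <ossec_config> elements are not well-formed XML, so wrap the
    # whole file in a synthetic root before handing it to ElementTree.
    return ET.fromstring("<root>" + text + "</root>")


def has_apache_localfile(text, location="/var/log/apache2/access.log", log_format="syslog"):
    """True if some <localfile> block monitors `location` with the given log_format."""
    for lf in parse_ossec_conf(text).iter("localfile"):
        if (lf.findtext("location", "").strip() == location
                and lf.findtext("log_format", "").strip() == log_format):
            return True
    return False


def find_active_response(text, rule_id="100100"):
    """Return (command, location, timeout) of the active-response bound to rule_id, else None."""
    for ar in parse_ossec_conf(text).iter("active-response"):
        # <rules_id> may carry a comma-separated list of rule ids.
        ids = [r.strip() for r in ar.findtext("rules_id", "").split(",")]
        if rule_id in ids:
            return (ar.findtext("command", "").strip(),
                    ar.findtext("location", "").strip(),
                    ar.findtext("timeout", "").strip())
    return None
```

Run it against the real files with `has_apache_localfile(open("/var/ossec/etc/ossec.conf").read())` on the agent and `find_active_response(...)` on the server; a missing block returns False or None before you go digging in ossec.log.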