syscollector

[OrenYa]

Hi all,

I've added the following syscollector wodle to the windows agent conf file:

<wodle name="syscollector">

  <disabled>no</disabled>

  <interval>1h</interval>

  <scan_on_start>yes</scan_on_start>

  <hardware>no</hardware>

  <os>yes</os>

  <network>yes</network>

  <packages>yes</packages>

  <ports all="no">yes</ports>

  <processes>yes</processes>

</wodle>

Also added the following to ossec.conf on Wazuh server:

<wodle name="syscollector">

  <disabled>no</disabled>

  <interval>1h</interval>

  <scan_on_start>yes</scan_on_start>

  <os>yes</os>

  <packages>yes</packages>

</wodle>

After restating both agent and server I still get "Inventory (syscollector) is disabled for this agent. Visit the documentation on this link to learn about how to enable it" when accessing the inventory tab.

What am I doing wrong here? 

Thanks!

[Juanjo Jiménez]

Hello OrenYa,

Sorry for the inconveniences.

The Inventory tab on the Wazuh app requires the hardware scan to be enabled so it can display all the information.

I recommend you add the <hardware>yes</hardware> option on both manager and agent and restart them, and try again to open the tab.

Let me know if this helps.

Regards,
Juanjo

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/30bffbe8-efbe-402e-8dde-6c4eed24c8d3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[OrenYa]

Thanks for the quick response Juanjo.

I've added the hardware option as "yes" on both agent and server, restarted but still the inventory tab displays the same message. 

BTW, the wazuh-modulesd is up and running on the server side. 

What can be the issue here? 

On Monday, August 20, 2018 at 11:34:02 AM UTC+3, Juanjo Jiménez wrote:

Hello OrenYa,

Sorry for the inconveniences.

The Inventory tab on the Wazuh app requires the hardware scan to be enabled so it can display all the information.

I recommend you add the <hardware>yes</hardware> option on both manager and agent and restart them, and try again to open the tab.

Let me know if this helps.

Regards,
Juanjo

[Juanjo Jiménez]

Hello again,

We could try to see the logs and the API calls so we can check if the Syscollector module is working properly.

1. On the Wazuh app, you can open the Management tab (on the top navbar), and then go to Logs. Filter by the wazuh-modulesd:syscollector daemon. This will show the manager logs.
2. To see the agent logs, you’ll have to open the logs file (ossec.log on the Windows agent installation path) and find by the term “syscollector”.
3. Execute the following API calls on the manager:

   curl -u <API_USER>:<API_PASSWORD> "http(s)://<API_IP>:55000/syscollector/<AGENT_ID>/os?pretty"
   curl -u <API_USER>:<API_PASSWORD> "http(s)://<API_IP>:55000/syscollector/<AGENT_ID>/hardware?pretty"
   

Paste here all the outputs so we can see more information to troubleshoot your problem.

Thanks for your patience.

Regards,
Juanjo

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3c94c9e0-623a-47c9-9985-81ea70819161%40googlegroups.com.

[OrenYa]

1. Logs from the Wazuh interface: Seems to be OK

2018/08/20 08:58:47	wazuh-modulesd:syscollector	INFO	Evaluation finished.
2018/08/20 08:58:46	wazuh-modulesd:syscollector	INFO	Starting evaluation.
2018/08/20 08:58:45	wazuh-modulesd:syscollector	INFO	Module started.
2018/08/20 08:58:43	wazuh-modulesd:syscollector	INFO	Module finished.

2. Windows agent logs does not contain the term syscollector. (Maybe this is the root cause?)

3. API query output:

OS: 

{

   "error": 0,

   "data": {}

}

Hardware:

{

   "error": 0,

   "data": {}

}

On Monday, August 20, 2018 at 12:08:32 PM UTC+3, Juanjo Jiménez wrote:

Hello again,

We could try to see the logs and the API calls so we can check if the Syscollector module is working properly.

1. On the Wazuh app, you can open the Management tab (on the top navbar), and then go to Logs. Filter by the wazuh-modulesd:syscollector daemon. This will show the manager logs.
2. To see the agent logs, you’ll have to open the logs file (ossec.log on the Windows agent installation path) and find by the term “syscollector”.
3. Execute the following API calls on the manager:

   curl -u <API_USER>:<API_PASSWORD> "http(s)://<API_IP>:55000/syscollector/<AGENT_ID>/os?pretty"
   curl -u <API_USER>:<API_PASSWORD> "http(s)://<API_IP>:55000/syscollector/<AGENT_ID>/hardware?pretty"
   

Paste here all the outputs so we can see more information to troubleshoot your problem.

Thanks for your patience.

Regards,
Juanjo

[OrenYa]

Hey Juanjo,

I've managed to solve the issue by disabling specific unknown wodle syscollector parameters on agent.conf due to errors generated as follows:

- ERROR: No such tag 'processes' at module 'syscollector'

- ERROR: No such tag 'ports' at module 'syscollector'

- ERROR: No such tag 'network' at module 'syscollector'

Once disabled from agent conf the syscollector started working and the inventory tab display the actual info.

Why the agent is not aware of this wodle parameters? They are certainly needed .. 

I'm using Wazuh Agent Manager 3.3.1

Thanks,

O.

[Juanjo Jiménez]

Hello again OrenYa,

I’m glad you managed to solve the issue.

The problem you’re having with the Syscollector configuration is because you need to upgrade your agent to the latest version of Wazuh (v3.5.0) to use the new Syscollector scans (processes, ports and network).

You can follow this guide to learn how to upgrade your Wazuh agent for Windows.

Make sure that your manager is previously updated to v3.5.0 before upgrading the agents, according to this compatibility matrix.

Let us know if you have more problems.

Regards,
Juanjo

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/be337ef4-e3e8-4861-892a-4bd776544269%40googlegroups.com.

[OrenYa]

Hey Juanjo, 

Finished upgrading to the latest version including the agents and everything works now.

Thanks you for your prompt responses and guidance!

[Juanjo Jiménez]

You're welcome!

Glad to help you with everything we can.

Regards,

Juanjo

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/579a67f8-bb51-4f3f-b66d-09f557957f5b%40googlegroups.com.

[OrenYa]

Sorry to open this thread again Juanjo but somehow the Wazuh dashboard doesn't display any logs, but for some strange reason I do get alerts. 

I've upgraded without any issues and now I'm stuck ..

On Monday, August 20, 2018 at 3:15:02 PM UTC+3, Juanjo Jiménez wrote:

You're welcome!

Glad to help you with everything we can.

Regards,

Juanjo

[Juanjo Jiménez]

Hello again OrenYa,

If you aren’t seeing the logs coming to the Wazuh app, then let’s check out the data flow:

• If you are using a single-host architecture, check if Logstash is reading the alerts.json file:

lsof /var/ossec/logs/alerts/alerts.json

There should be two processes reading the alerts.json file: ossec-analysisd and java. If that’s not the case, then execute the following command to grant Logstash access to the alerts.json file:

usermod -a -G ossec logstash

• If you are using a distributed architecture, check if Filebeat is reading the alerts.json file:

lsof /var/ossec/logs/alerts/alerts.json

There should be two processes reading the alerts.json file: ossec-analysisd and filebeat. If that’s not the case, make sure that the Logstash service is running using systemctl status filebeat and you have properly set up the Filebeat configuration file (RPM and DEB guides).

Let me know if this helps.

Regards,
Juanjo

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d68e6251-7cf5-4702-bbce-ca6b54c34856%40googlegroups.com.

[OrenYa]

Sorry for the late response. I've managed to fix the issue yesterday by performing the upgrade steps again. I think in the first upgrade process I've mistakenly used the remote logstash command instead of the local which probably cause this issue.

Thanks again,

O.

On Monday, August 20, 2018 at 11:22:19 AM UTC+3, OrenYa wrote:

[Juanjo Jiménez]

Glad to hear that you managed to solve the issue OrenYa!

Let us know if you have any questions or problems.

Regards,

Juanjo

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/1cec3e0e-cdac-4ac9-aa30-fc51d9f3c8ba%40googlegroups.com.