Re: Deploy Wazuh agent on Window endpoint


Daniel Sappa

Oct 8, 2023, 11:28:53 PM
to Wazuh | Mailing List
Hi Xuân Bách Lê!
Could you share some more information?
If the agent returns some error, you can share the ossec.log file so we can analyze it.
Also, what version of Windows do you have and what version of the agent have you installed?
On Monday, October 9, 2023 at 12:07:52 AM UTC-3 Xuân Bách Lê wrote:
Hi everyone,
I am deploying the Wazuh agent to the Windows server according to the instructions at https://documentation.wazuh.com/4.4/installation-guide/wazuh-agent/wazuh-agent-package-windows.html
But the Wazuh server reported an error: Could not fetch data for this agent
Has anyone ever had this? And how do I solve the problem?
Please help me, many thanks.

Daniel Sappa

Oct 9, 2023, 8:00:11 AM
to Wazuh | Mailing List
I understand that you have verified some important points.
However, I may need to see the log files with some more context.
I can also tell you that a good test would be:
1. Stop the Windows agent
2. Delete the enrollment of said agent in the manager and try to do the enrollment process again.

Tell me how it went with this,

On Monday, October 9, 2023 at 5:10:23 AM UTC-3 Lê Xuân Bách wrote:
Hi Daniel Sappa

I am adding some information below:
- Wazuh version: wazuh-agent-4.4.5-1.msi
- Windows version: Microsoft Windows Server 2016

I tried to test communication with the Wazuh manager:
PS C:\> (new-object Net.Sockets.TcpClient).Connect("192.168.10.174", 1515)

After that I checked the log on the Wazuh server => Client timeout on port 1515 (I checked my firewall => it doesn't deny this port)
# tail -f /var/ossec/logs/ossec.log
2023/10/08 22:24:09 wazuh-authd: INFO: New connection from 192.168.10.192
2023/10/08 22:24:10 wazuh-authd: INFO: Client timeout from 192.168.10.192

Then I checked ossec.log (I enabled windows.debug=2)
2023/10/08 19:49:24 wazuh-agent[1404] syscheck_op.c:1094 at get_registry_group(): DEBUG: Group not found for registry key
2023/10/08 19:49:24 wazuh-agent[1404] syscheck_op.c:853 at process_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2023/10/08 19:49:25 wazuh-agent[1404] registry.c:186 at fim_registry_validate_ignore(): DEBUG: (6259): Ignoring 'registry' '[x32] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tunnel\Enum' due to sregex '\Enum$'

I also checked other statuses of the agent => I didn't see any problems.

Check Agent Local Status => also connected
C:\> Select-String -Path 'C:\Program Files (x86)\ossec-agent\wazuh-agent.state' -Pattern "^status"
wazuh-agent.state:7:status='connected'

Checking network communication => also Established
C:\> Get-NetTCPConnection -RemotePort 1514
LocalAddress       LocalPort RemoteAddress   RemotePort State       AppliedSetting OwningProcess
------------       --------- -------------   ---------- -----       -------------- -------------
192.168.10.218     53374     192.168.10.174  1514       Established Internet       5472

Thanks & regards

Lê Xuân Bách
HP: 0982879010
Skype: hoangbach784


On Mon, 9 Oct 2023 at 10:28, 'Daniel Sappa' via Wazuh | Mailing List <wa...@googlegroups.com> wrote:
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9ef85641-fbb1-4536-a58e-774f5ef08eedn%40googlegroups.com.
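A small triage helper for the ossec.log lines exchanged in this thread, added here as an example; it is not part of the thread and not Wazuh code. It parses the log format shown above (manager-side wazuh-authd lines and agent-side wazuh-agent lines, including the debug lines that carry file:line and function) and summarises where enrollment and the 1514 connection stand. The sample lines are copied from this thread; the Triage fields and verdict wording are my own.

```python
"""Triage Wazuh agent enrollment/connection state from ossec.log lines (agent or manager side)."""
import re
from dataclasses import dataclass, field

# ossec.log line shapes seen in this thread:
#   2023/10/08 22:24:10 wazuh-authd: INFO: Client timeout from 192.168.10.192
#   2023/10/19 09:56:41 wazuh-agent: INFO: (4102): Connected to the server ([10.10.10.74]:1514/tcp).
#   2023/10/08 19:49:24 wazuh-agent[1404] syscheck_op.c:1094 at get_registry_group(): DEBUG: Group not found ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<module>[\w:-]+?)(?:\[\d+\])?(?: [\w.]+:\d+ at \w+\(\))?: "   # optional [pid] and file:line (debug)
    r"(?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL): "
    r"(?:\((?P<code>\d+)\): )?(?P<msg>.*)$"                           # optional numeric message code
)
KEY_RE = re.compile(r"Agent key generated for '([^']+)'")
CONN_RE = re.compile(r"Connected to the server \(\[([^\]]+)\]:(\d+)/(\w+)\)")


def parse_line(line):
    """Return a dict (ts, module, level, code, msg) or None if the line is not an ossec.log record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"]) if rec["code"] else None
    return rec


@dataclass
class Triage:
    authd_connections: int = 0                                 # manager: "New connection from"
    authd_timeouts: int = 0                                    # manager: "Client timeout from"
    keys_generated: list = field(default_factory=list)         # manager: agent names that got a key
    key_received: bool = False                                 # agent: "Valid key received"
    connected_servers: list = field(default_factory=list)      # agent: (4102) (host, port, proto)
    restarts: int = 0                                          # agent: restart on shared config change
    problems: list = field(default_factory=list)               # WARNING/ERROR/CRITICAL messages
    unparsed: int = 0                                          # non-empty lines that did not parse


def triage(lines):
    """Walk log lines from either side and fold them into a Triage summary."""
    t = Triage()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                t.unparsed += 1
            continue
        msg = rec["msg"]
        if rec["level"] in ("WARNING", "ERROR", "CRITICAL"):
            t.problems.append(f"{rec['module']}: {msg}")
        if rec["module"] == "wazuh-authd":
            if msg.startswith("New connection from"):
                t.authd_connections += 1
            elif msg.startswith("Client timeout from"):
                t.authd_timeouts += 1
            km = KEY_RE.search(msg)
            if km:
                t.keys_generated.append(km.group(1))
        elif rec["module"] == "wazuh-agent":
            if msg == "Valid key received":
                t.key_received = True
            elif rec["code"] == 4102:
                cm = CONN_RE.search(msg)
                if cm:
                    t.connected_servers.append((cm.group(1), int(cm.group(2)), cm.group(3)))
            elif "restarting due to shared configuration" in msg:
                t.restarts += 1
    return t


def verdict(t):
    """One-line reading of the summary, in the order a troubleshooter would check things."""
    if t.problems:
        return "errors logged; fix these first"
    if t.authd_timeouts and not t.keys_generated and not t.key_received:
        return ("enrollment incomplete: authd accepted TCP connections on 1515 "
                "but no enrollment request completed before its timeout")
    if t.key_received and t.connected_servers:
        return ("agent enrolled and connected to the manager; if no events show up, "
                "check the manager's archives.log and the agent's log collection config")
    if t.keys_generated and not t.connected_servers:
        return "key issued by authd but no 1514 connection seen yet"
    return "inconclusive: supply more log lines"


# Sample input copied from this thread (manager side, the 1515 probe that timed out).
TIMEOUT_LINES = [
    "2023/10/08 22:24:09 wazuh-authd: INFO: New connection from 192.168.10.192",
    "2023/10/08 22:24:10 wazuh-authd: INFO: Client timeout from 192.168.10.192",
]

# Sample input copied from this thread (manager lines, then agent lines of the successful enrollment).
GOOD_LINES = [
    "2023/10/19 09:50:22 wazuh-authd: INFO: New connection from 10.10.10.192",
    "2023/10/19 09:50:22 wazuh-authd: INFO: Received request for a new agent (ProdTest_Web) from: 10.10.10.192",
    "2023/10/19 09:50:22 wazuh-authd: INFO: Agent key generated for 'ProdTest_Web' (requested by any)",
    "2023/10/19 09:50:30 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.",
    "2023/10/19 09:56:21 wazuh-agent: INFO: Requesting a key from server: 10.10.10.74",
    "2023/10/19 09:56:21 wazuh-agent: INFO: Valid key received",
    "2023/10/19 09:56:41 wazuh-agent: INFO: Trying to connect to server ([10.10.10.74]:1514/tcp).",
    "2023/10/19 09:56:41 wazuh-agent: INFO: (4102): Connected to the server ([10.10.10.74]:1514/tcp).",
    "2023/10/19 09:56:41 wazuh-agent: INFO: Agent is restarting due to shared configuration changes.",
]

if __name__ == "__main__":
    for name, lines in (("1515 probe", TIMEOUT_LINES), ("re-enrollment", GOOD_LINES)):
        print(f"{name}: {verdict(triage(lines))}")
```

Feed it the concatenation of the manager's and the agent's ossec.log for the same time window; lines the regex does not recognise are counted in `unparsed` rather than dropped silently.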

Daniel Sappa

Oct 17, 2023, 11:27:12 AM
to Wazuh | Mailing List
Hi,
have you fixed this or not?

On Monday, October 9, 2023 at 11:00:04 PM UTC-3 Lê Xuân Bách wrote:
Hi Daniel Sappa

I have done the steps below:
1. Stop the Windows agent
PS C:\Program Files (x86)\ossec-agent> NET STOP wazuh

The Wazuh service was stopped successfully.


2. Delete the enrollment of said agent in the manager and try to do the enrollment process again.
Check Agent status on Manager
# /var/ossec/bin/agent_control -l | grep SQLServer-212
   ID: 311, Name: SQLServer-212, IP: any, Disconnected

Remove Agent from Manager
# /var/ossec/bin/manage_agents -r 311

Start the agent so it enrolls again
PS C:\Program Files (x86)\ossec-agent> NET START wazuh

Re-Check Status on Manager
# /var/ossec/bin/agent_control -l | grep SQLServer-212
   ID: 313, Name: SQLServer-212, IP: any, Active

Finally: the agent is active, but the manager still can't receive logs.


Thanks & regards

Lê Xuân Bách
HP: 0982879010
Skype: hoangbach784


On Mon, 9 Oct 2023 at 19:00, 'Daniel Sappa' via Wazuh | Mailing List <wa...@googlegroups.com> wrote:

Daniel Sappa

Oct 18, 2023, 8:19:41 AM
to Wazuh | Mailing List

I'll try to help you.
Can you share the ossec.log files of the agent and the manager?
On Tuesday, October 17, 2023 at 11:38:48 PM UTC-3 Lê Xuân Bách wrote:
Still not.
Do you have any way to help me?


Thanks & regards

Lê Xuân Bách
HP: 0982879010
Skype: hoangbach784


On Tue, 17 Oct 2023 at 22:27, 'Daniel Sappa' via Wazuh | Mailing List <wa...@googlegroups.com> wrote:

Daniel Sappa

Oct 19, 2023, 2:44:53 PM
to Wazuh | Mailing List
No errors are seen, and the agent connects without problems.
Specifically, what type of log do you expect to see from the manager?

Send me some screenshots of the dashboard where you can see how it is connected and so on.

Check the archives.log file in /var/ossec/logs; that is where the logs coming from the agents are saved.

Maybe you should follow this guide related to sending logs; take a look at the example for Windows.

Please tell me how this went for you!

I'll try to help you.
On Thursday, October 19, 2023 at 12:41:52 AM UTC-3 Lê Xuân Bách wrote:
Hi Daniel Sappa,

On Manager

# /var/ossec/bin/agent_control -l
ID: 315, Name: ProdTest_Web, IP: any, Active

# tail -f /var/ossec/logs/ossec.log
2023/10/19 09:50:22 wazuh-authd: INFO: New connection from 10.10.10.192
2023/10/19 09:50:22 wazuh-authd: INFO: Received request for a new agent (ProdTest_Web) from: 10.10.10.192
2023/10/19 09:50:22 wazuh-authd: INFO: Agent key generated for 'ProdTest_Web' (requested by any)
2023/10/19 09:50:30 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2023/10/19 09:50:30 wazuh-remoted: INFO: (1410): Reading authentication keys file.

On Agent
> Get-Content .\ossec.log
2023/10/19 09:56:21 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2023/10/19 09:56:21 wazuh-agent: INFO: (1410): Reading authentication keys file.
2023/10/19 09:56:21 wazuh-agent: INFO: Started (pid: 24208).
2023/10/19 09:56:21 wazuh-agent: INFO: Requesting a key from server: 10.10.10.74
2023/10/19 09:56:21 wazuh-agent: INFO: No authentication password provided
2023/10/19 09:56:21 wazuh-agent: INFO: Using agent name as: ProdTest_Web
2023/10/19 09:56:21 wazuh-agent: INFO: Waiting for server reply
2023/10/19 09:56:21 wazuh-agent: INFO: Valid key received
2023/10/19 09:56:21 wazuh-agent: INFO: Waiting 20 seconds before server connection
2023/10/19 09:56:21 rootcheck: INFO: Started (pid: 24208).
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:21 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2023/10/19 09:56:21 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:21 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:21 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:21 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:21 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:21 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:21 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:21 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:21 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2023/10/19 09:56:21 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2023/10/19 09:56:21 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2023/10/19 09:56:21 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2023/10/19 09:56:21 wazuh-agent: INFO: Started (pid: 24208).
2023/10/19 09:56:41 wazuh-agent: INFO: (1410): Reading authentication keys file.
2023/10/19 09:56:41 wazuh-agent: INFO: Using AES as encryption method.
2023/10/19 09:56:41 wazuh-agent: INFO: Trying to connect to server ([10.10.10.74]:1514/tcp).
2023/10/19 09:56:41 wazuh-agent: INFO: (4102): Connected to the server ([10.10.10.74]:1514/tcp).
2023/10/19 09:56:41 sca: INFO: Module started.
2023/10/19 09:56:41 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2023/10/19 09:56:41 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2016 Datacenter [Ver: 10.0.14393.2724] - Wazuh v4.4.5).
2023/10/19 09:56:41 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2023/10/19 09:56:41 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2016.yml'
2023/10/19 09:56:41 sca: INFO: Starting Security Configuration Assessment scan.
2023/10/19 09:56:41 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2023/10/19 09:56:41 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2023/10/19 09:56:41 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2023/10/19 09:56:41 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2023/10/19 09:56:41 wazuh-agent: INFO: (6000): Starting daemon...
2023/10/19 09:56:41 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2023/10/19 09:56:41 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2023/10/19 09:56:41 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2016.yml'
2023/10/19 09:56:41 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2023/10/19 09:56:41 rootcheck: INFO: Starting rootcheck scan.
2023/10/19 09:56:41 wazuh-modulesd:syscollector: INFO: Module started.
2023/10/19 09:56:41 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/10/19 09:56:41 wazuh-agent: INFO: Started (pid: 24208).
2023/10/19 09:56:41 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/10/19 09:56:41 wazuh-agent: INFO: Agent is restarting due to shared configuration changes.
2023/10/19 09:56:41 wazuh-agent: INFO: Received exit signal. Starting exit process.
2023/10/19 09:56:41 wazuh-agent: INFO: Set pending exit signal.
2023/10/19 09:56:41 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2023/10/19 09:56:41 wazuh-modulesd:syscollector: INFO: Module finished.
2023/10/19 09:56:41 wazuh-agent: INFO: Exit completed successfully.
2023/10/19 09:56:41 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.
2023/10/19 09:56:42 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2023/10/19 09:56:42 wazuh-agent: INFO: (1410): Reading authentication keys file.
2023/10/19 09:56:42 wazuh-agent: INFO: Started (pid: 23352).
2023/10/19 09:56:42 wazuh-agent: INFO: Using AES as encryption method.
2023/10/19 09:56:42 wazuh-agent: INFO: Trying to connect to server ([10.10.10.74]:1514/tcp).
2023/10/19 09:56:42 rootcheck: INFO: Started (pid: 23352).
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (4102): Connected to the server ([10.10.10.74]:1514/tcp).
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2023/10/19 09:56:42 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2023/10/19 09:56:42 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2023/10/19 09:56:42 sca: INFO: Module started.
2023/10/19 09:56:42 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2023/10/19 09:56:42 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2023/10/19 09:56:42 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2016 Datacenter [Ver: 10.0.14393.2724] - Wazuh v4.4.5).
2023/10/19 09:56:42 wazuh-agent: INFO: Started (pid: 23352).
2023/10/19 09:56:42 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2016.yml'
2023/10/19 09:56:42 sca: INFO: Starting Security Configuration Assessment scan.
2023/10/19 09:56:42 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2023/10/19 09:56:42 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2023/10/19 09:56:42 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2023/10/19 09:56:42 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2023/10/19 09:56:42 wazuh-agent: INFO: (6000): Starting daemon...
2023/10/19 09:56:42 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2023/10/19 09:56:42 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2023/10/19 09:56:42 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2016.yml'
2023/10/19 09:56:42 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2023/10/19 09:56:42 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2023/10/19 09:56:42 wazuh-modulesd:syscollector: INFO: Module started.
2023/10/19 09:56:42 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/10/19 09:56:42 rootcheck: INFO: Starting rootcheck scan.
2023/10/19 09:56:42 wazuh-agent: INFO: Started (pid: 23352).
2023/10/19 09:56:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/10/19 09:56:45 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2016.yml'
2023/10/19 09:56:45 sca: INFO: Security Configuration Assessment scan finished. Duration: 3 seconds.
2023/10/19 09:56:47 rootcheck: INFO: Ending rootcheck scan.
2023/10/19 09:57:02 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2023/10/19 09:57:02 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.
`
Please help.
Thanks & regards

Lê Xuân Bách
HP: 0982879010
Skype: hoangbach784
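To make a pasted ossec.log like the one above easier to triage, here is an added Python helper (not part of this thread or of Wazuh) that parses the line format shown, collects the FIM paths and registry keys with their check options, and flags the startup milestones. The sample lines are constructed from the format above; the "connected to the server" wording it looks for is an assumption to verify against your agent version.

```python
import re
from collections import Counter

# Constructed sample in the ossec.log format pasted in this thread (not the poster's full log).
SAMPLE_LOG = r"""
2023/10/19 09:56:42 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2023/10/19 09:56:42 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/10/19 09:56:42 sca: INFO: Module started.
2023/10/19 09:56:42 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2023/10/19 09:56:42 wazuh-agent: INFO: Started (pid: 23352).
2023/10/19 09:56:42 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2023/10/19 09:57:02 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<module>[\w.:-]+)(?:\[\d+\].*?)?: "  # module plus optional [pid] source location (debug lines)
    r"(?P<level>[A-Z]+): "
    r"(?:\((?P<code>\d+)\): )?"              # optional numeric message id such as (6003)
    r"(?P<msg>.*)$")
MON_RE = re.compile(r"Monitoring (path|registry entry): '(.+?)', with options '(.+?)'")

def parse_line(line):
    """Split one ossec.log line into its fields; None for lines that are not log records."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def summarize(records):
    """Triage view: per-module counts, FIM targets with their options, startup milestones."""
    out = {"modules": Counter(r["module"] for r in records), "fim_paths": {}, "fim_registry": {},
           "agent_started": False, "fim_scan_complete": False, "connected": False, "problems": []}
    codes = set()
    for r in records:
        m = MON_RE.search(r["msg"])
        if m:  # record what FIM watches and with which checks (hashes, perms, owner...)
            kind, target, opts = m.groups()
            out["fim_paths" if kind == "path" else "fim_registry"][target] = opts.split(" | ")
        codes.add(r["code"])
        out["agent_started"] |= r["msg"].startswith("Started (pid:")
        # Assumed wording of the manager-connection message; verify against your agent version.
        out["connected"] |= "connected to the server" in r["msg"].lower()
        if r["level"] in ("WARNING", "ERROR", "CRITICAL"):
            out["problems"].append(f"{r['module']}: {r['msg']}")
    out["fim_scan_complete"] = {"6008", "6009"} <= codes  # scan started and ended
    return out
```

A log that shows every module starting and the FIM scan completing, but no connection message and no WARNING/ERROR lines, points at the enrollment/network path (port 1515 to the manager) rather than at the agent's local modules.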


On Wed, Oct 18, 2023 at 19:19 'Daniel Sappa' via Wazuh | Mailing List <wa...@googlegroups.com> wrote: