Issue - Integrations not show alert in integrations.log


Eric

May 24, 2021, 4:26:23 AM
to Wazuh mailing list
Hi everyone,

I have configured the integration with Telegram. Everything is working fine, as I can see the alerts in integrations.log. I have defined an alert level threshold of 7 to send the notifications to Telegram. It's working. But sometimes I don't receive any alerts until I restart the Wazuh Manager and Wazuh Worker.

My environment:
  • Wazuh Server version: 4.1.5 (App revision: 4101-3)
  • Wazuh agents: 4.1.4 (all affected)
  • ES 7.10.0 (Opendistro)
  • Server: Ubuntu 18.04 LTS, 4 vCPU, 18 GB RAM, all-in-one installation
  • 1 Wazuh Master, 1 Wazuh Worker, Elastic shards.
The attached screenshots and logs are as below.
1- Wazuh Worker.
wazuh-worker.png

2- Wazuh Master.

wazuh-master-01.png

wazuh master -02.png

Could you please explain in more detail how the Wazuh Master and Wazuh Worker behave when sending the alerts to Telegram? I have been researching the Wazuh documentation, but it is not clear to me. If you can help, I'll be glad to hear your thoughts and bits of advice.

Regards,

carlos...@wazuh.com

May 25, 2021, 2:51:20 AM
to Wazuh mailing list
Hi,

Taking a look at the attached logs it seems you are experiencing a known bug related to analysisd. I guess you have some Windows agents. Am I right?

The message "The new permissions could not be added to the JSON alert" appears when a monitored directory or file in a Windows agent has many ACLs configured. You can make sure that this is what is happening by restarting analysisd with debug level 1 logs in your Wazuh manager:

echo "analysisd.debug=1" >> /var/ossec/etc/local_internal_options.conf
systemctl restart wazuh-manager

Once restarted you should be able to find the following DEBUG message:

DEBUG: Uncontrolled condition when parsing a Windows permission from '...'.


If this is the case, don't worry. Fortunately, this known bug was recently fixed here. The fix was applied to Wazuh 4.2.0, which will be released soon. I recommend that you upgrade to this version if possible once available.


Sorry for the inconvenience.
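
As an added example (not from the thread or the Wazuh project), a small Python check that scans manager ossec.log lines for the two messages quoted above, so the bug signature can be confirmed, and its time window seen, before a restart clears it. The log line layout (`YYYY/MM/DD HH:MM:SS daemon: LEVEL: message`) and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Signatures of the analysisd ACL bug, as quoted in the reply above.
BUG_ERROR = "The new permissions could not be added to the JSON alert"
BUG_DEBUG = "Uncontrolled condition when parsing a Windows permission from"

# Assumed manager log layout: "YYYY/MM/DD HH:MM:SS daemon: LEVEL: message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>\S+): (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Constructed sample of /var/ossec/logs/ossec.log; not a real capture.
SAMPLE_LOG = """\
2021/05/24 09:58:01 wazuh-analysisd: INFO: Started (pid: 1234).
2021/05/24 10:02:14 wazuh-analysisd: DEBUG: Uncontrolled condition when parsing a Windows permission from '...'.
2021/05/24 10:02:14 wazuh-analysisd: ERROR: The new permissions could not be added to the JSON alert
2021/05/24 10:02:15 wazuh-integratord: INFO: Started (pid: 1240).
2021/05/24 10:05:30 wazuh-analysisd: ERROR: The new permissions could not be added to the JSON alert
2021/05/24 10:26:23 wazuh-analysisd: INFO: Started (pid: 1235).
"""


def parse_line(line):
    """Split one log line into ts/daemon/level/msg, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    return rec


def scan_for_acl_bug(log_text):
    """Count both signatures from analysisd and report the error's time window.
    'confirmed' needs the DEBUG line, which only appears with analysisd.debug=1."""
    counts, first, last = Counter(), None, None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["daemon"] != "wazuh-analysisd":
            continue
        if BUG_ERROR in rec["msg"]:
            counts["error"] += 1
            first = first or rec["ts"]
            last = rec["ts"]
        elif BUG_DEBUG in rec["msg"]:
            counts["debug"] += 1
    return {"error_count": counts["error"], "debug_count": counts["debug"],
            "first_seen": first, "last_seen": last,
            "suspected": counts["error"] > 0, "confirmed": counts["debug"] > 0}
```

Point it at the real file with `scan_for_acl_bug(open("/var/ossec/logs/ossec.log").read())`; a non-zero error count with no DEBUG hits means debug logging was not enabled when the condition fired.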

Eric

May 25, 2021, 3:21:44 AM
to carlos...@wazuh.com, Wazuh mailing list

Hi Carlos,

Thank you for the quick response. Could you please help me clarify how the Wazuh Master and Wazuh Worker behave when sending the alerts to Telegram or Slack? I have been researching the Wazuh documentation, but it is not clear to me.

Regards,

carlos...@wazuh.com

May 25, 2021, 5:11:07 AM
to Wazuh mailing list
Let me try to shed some light on this topic.

The worker nodes don't play a major role when using Slack, Telegram or any custom integration. These integrations are intended to be configured in the master node, and it will send a notification to the integrated service if the analysisd module determines an alert should be raised. Worker nodes are used to reduce the master's workload, allowing hundreds of agents in the same environment, but in the end it is the analysisd module in the master node that must determine if an alert should be raised and therefore if a notification should be sent to the integrated service.

You can find more information about the Wazuh cluster and the relationship between master and worker nodes here.

I hope this clarifies a bit how the custom integration and the Wazuh cluster works. Let me know if you have more questions related to this.

Regards.