Can we downgrade wazuh?

[Luke Lee]

Hi all, have anyone tried to downgrade wazuh before? Plan to downgrade from 3.10.x to 3.9.3. 

Thanks 

[Daniel Melgarejo]

Hi Luke,

Yes, it is possible to downgrade Wazuh. Can you tell me the OS you are using and the host type (Manager or Agent)?

Regards,

               Daniel

[Daniel Melgarejo]

Hi Luke,

I found different methods in order to downgrade Wazuh.

1) In this link there is a method to downgrade an agent: https://documentation.wazuh.com/3.10/user-manual/reference/tools/agent_upgrade.html

    You have to open a terminal in Manager Host and introduce this command:

    # /var/ossec/bin/agent_upgrade -l

   This command shows ID, name and version of all agents you have already registered. Choose the agent to downgrade and use it ID for the next command:

   # /var/ossec/bin/agent_upgrade -a [ID] -dF -v v3.9.3

   In that way, you will downgrade an agent.

2) You can downgrade Manager or Agent by package:

    DEB packages

    -------------------

     Manager: # wget https://packages.wazuh.com/3.x/apt/pool/main/w/wazuh-manager/wazuh-manager_3.9.3-1_amd64.deb

     Agent:  # wget https://packages.wazuh.com/3.x/apt/pool/main/w/wazuh-agent/wazuh-agent_3.9.3-1_amd64.deb

    Then, use this command:

    # dpkg -i wazuh-manager_3.9.3-1_amd64.deb

    or 

    # dpkg -i wazuh-agent_3.9.3-1_amd64.deb

    RPM packages

    ---------------------

    Manager: # wget https://packages.wazuh.com/3.x/yum/wazuh-manager-3.9.3-1.x86_64.rpm

    Agent: # wget https://packages.wazuh.com/3.x/yum/wazuh-agent-3.9.3-1.x86_64.rpm

    Then, use this command:

    # rpm -i wazuh-manager-3.9.3-1.x86_64.rpm

    or

 

    # rpm -i wazuh-agent-3.9.3-1.x86_64.rpm

    

    You can download Windows and macOS packages from here:

    Windows: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.9.3-1.msi

    macOS: https://packages.wazuh.com/3.x/osx/wazuh-agent-3.9.3-1.pkg

I hope these methods can be useful. Please do not hesitate to contact me to share more questions.

Regards,

               Daniel.

[Luke Lee]

Hi Daniel,

I am currently having the following setup:

Elasticsearch 7.3.2

Kibana 7.1.1

Wazuh-manager 3.9.3 

Wazuh-api unsure 

In the API log, I discover this error : ERROR: Wazuh manager v3.9.3 found. Wazuh manager v2.1.x expected." 

To downgrade the API wazuh, I did the following: 

- service kibana stop

- curl -u elastic -XDELETE 10.0.106.144:9200/.kibana

- curl -u elastic -XDELETE 10.0.106.144:9200/.wazuh

- curl -u elastic -XDELETE 10.0.106.144:9200/.wazuh-version

- rm -rf /usr/share/kibana/optimize/bundles

- /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.3_7.2.0.zip

Besides that, when I try to login to the wazuh-API using KIBANA, it shows me wrong port was used. 

Please advise what should I do? 

[Luke Lee]

After I try to downgrade the agent using your method, it shows me a list of conflicting files : 

        file /var/ossec/packages_files/agent_installation_scripts/src/init/adduser.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/packages_files/agent_installation_scripts/src/init/darwin-init.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/packages_files/agent_installation_scripts/src/init/dist-detect.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/packages_files/agent_installation_scripts/src/init/functions.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/packages_files/agent_installation_scripts/src/init/init.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/packages_files/agent_installation_scripts/src/init/inst-functions.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/packages_files/agent_installation_scripts/src/init/ossec-server.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/packages_files/agent_installation_scripts/src/init/register_configure_agent.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/packages_files/agent_installation_scripts/src/init/replace_manager_ip.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/packages_files/agent_installation_scripts/src/init/template-select.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/packages_files/agent_installation_scripts/src/init/update.sh from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/wodles/aws/aws-s3 from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

        file /var/ossec/wodles/docker/DockerListener from install of wazuh-agent-3.9.3-1.x86_64 conflicts with file from package wazuh-agent-3.10.2-1.x86_64

Is this the correct way? or do I need to remove the previous version first. Thanks 

[Daniel Melgarejo]

Hi Luke, 

Thank you for all the information you have given.

I would like to know why you want to downgrade Wazuh. The most recent Wazuh version is 3.10.2. Because if you want API and Kibana to be compatible with Wazuh, perhaps the easiest way to do it is by upgrading API and/or other services. 

If you have other reasons, we would like to know in order to improve Wazuh. Maybe other users have the same problems or reasons and we will be very glad to help you.

While I wait your answer, you can check Wazuh compatibility: https://documentation.wazuh.com/3.10/installation-guide/compatibility_matrix/index.html

And you will find here how to install the most recent Wazuh version, API, Kibana, etc. Only choose the OS and then package installation or source installation: https://documentation.wazuh.com/3.10/installation-guide/installing-wazuh-manager/index.html

Regards,

               Daniel

[Luke Lee]

Hi Daniel, 

Thanks for your detailed reply. 

The reason that I choose to downgrade is because the uptime (Heartbeat) module unable to display correctly due to a bug found on the newer version. That has caused us to downgrade the entire ELKS from 7.3.2 to a more stable version 7.1.1. 

[Daniel Melgarejo]

Hi Luke,

Thanks for your answer. 

My workmate, Pablo Torres, replied to you in the another email you sent. The first solution he proposed is the best for you. I copy it: Downgrade Elasticsearch to 7.1.1 (same version as your Kibana) and install the Wazuh App 3.9.3-7.1.1 ( Link of Wazuh App 3.9.3-7.1.1: https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.3_7.1.1.zip).

Now, moving on to the another question, I downgraded an agent from 3.10.2 to 3.9.3 following the first method that I proposed. I recommend you try this method first.

Manager Host's terminal:

 

# /var/ossec/bin/agent_upgrade -l (to watch the agent ID (e.g. 001) )
# /var/ossec/bin/agent_upgrade -a [agent_ID] -dF -v v3.9.3

I think you tried the second method. If you prefer the second one and if you don't mind uninstalling the agent, you can try this:

# yum remove wazuh-agent

# wget https://packages.wazuh.com/3.x/yum/wazuh-agent-3.9.3-1.x86_64.rpm

# rpm -i wazuh-agent-3.9.3-1.x86_64.rpm

I hope you find this information useful.

Please do not hesitate to contact me to share more questions.

Regards,

               Daniel.

[Luke Lee]

Hi, thanks. Somehow I manage to downgrade but all my previous data and agents went missing. 

[Daniel Melgarejo]

Hi Luke,

I am sorry to hear that. I hope you can build your setup again soon.

Regards,

               Daniel.

[Luke Lee]

Dear Daniel, 

I notice after I downgrade, my "wazuh-alerts" are not receiving data and also there are no email alerts. Can you guide me on that. Thanks 

[Daniel Melgarejo]

Dear Luke,

I am sorry for responding to your mail late.

1) Wazuh-Manager and Wazuh-api have to have the same version:

# systemctl restart wazuh-api

# systemctl status wazuh-api

Expected output:

● wazuh-api.service - Wazuh API daemon
Loaded: loaded (/etc/systemd/system/wazuh-api.service; enabled; vendor preset: disabled)
Active: active (running) since lun 2019-11-04 07:38:44 UTC; 5s ago
Docs: https://documentation.wazuh.com/current/user-manual/api/index.html
Main PID: 7669 (node)
Tasks: 10
Memory: 44.6M
CGroup: /system.slice/wazuh-api.service
└─7669 /bin/node /var/ossec/api/app.js

# curl -u foo:bar "http://localhost:55000?pretty"

Expected output:

{

   "error": 0,

   "data": {

      "msg": "Welcome to Wazuh HIDS API",

      "api_version": "v3.9.3",

      "hostname": "centos7-manager1",

      "timestamp": "Mon Nov 04 2019 07:42:58 GMT+0000 (UTC)"

   }

}

If you have different outputs, it is very possible they have different versions. In that case:

# yum remove wazuh-api

sudo npm config set user 0

# curl -s -o install_api.sh https://raw.githubusercontent.com/wazuh/wazuh-api/v3.9.3/install_api.sh && bash ./install_api.sh download

# systemctl status wazuh-api

2) Check if there is an issue with Filebeat:

# systemctl status filebeat
# filebeat test config
# filebeat test output

If the output shows an error, check Filebeat or Elasticsearch installation: https://documentation.wazuh.com/3.9/installation-guide/installing-wazuh-manager/linux/centos/wazuh_server_packages_centos.html#installing-filebeat

Note: Filebeat 7.3.0 is compatible with ElasticSearch 7.1.1 -> https://www.elastic.co/support/matrix#matrix_compatibility

If you don't mind to remove filebeat:

# yum remove filebeat

And then follow the steps: https://documentation.wazuh.com/3.9/installation-guide/installing-wazuh-manager/linux/centos/wazuh_server_packages_centos.html#installing-filebeat

Note:

In step 3 use:

# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.9.3/extensions/filebeat/7.x/filebeat.yml 

# chmod go+r /etc/filebeat/filebeat.yml

In step 4 use:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.9.3/extensions/elasticsearch/7.x/wazuh-template.json 

# chmod go+r /etc/filebeat/wazuh-template.json

In addition, check Elastic Server IP is correct in filebeat yml file and elasticsearch yml file.

3) Check Elasticsearch and Kibana configuration.

The Elasticsearch service listens on the default port 9200. You can make a simple check by making the following request:

# curl http://<elasticsearch_ip>:9200

If error, check configuration in this link: https://documentation.wazuh.com/3.9/installation-guide/installing-elastic-stack/elastic_server_rpm.html#install-elastic-stack-with-rpm-packages

I hope you find this information useful.

Please do not hesitate to contact me to share more questions or outputs that are different to expected.

Regards,

               Daniel

[Luke Lee]

Hi dear Daniel, 

Thanks for your detailed guide. I think my wazuh already up by following your instructions. 

Currently, my Logstash seems not working. It prompt me with the following errors: 

[2019-11-04T16:01:50,501][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-11-04T16:01:50,520][FATAL][logstash.runner          ] Logstash could not be started because there is already another instance using the configured data directory.  If you wish to run multiple instances, you must change the "path.data" setting.

And for now my Wazuh-alerts does not shows any logs on Kibana. I am suspecting filebeat or logstash fails to collect data from it's log file. 

Looks like there are logs recorded on these files. 

-rw-r----- 1 ossec  ossec    20838 Nov  5 11:15 api.log
-rw-rw---- 1 ossecr ossec 55987670 Nov  5 11:25 ossec.log

[Luke Lee]

Hi Daniel, I notice there is error loading the template when I execute this command "filebeat -e" 

ERROR   instance/beat.go:802    Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /usr/share/filebeat/kibana: Failed to import dashboard: Failed to load directory /usr/share/filebeat/kibana/7/dashboard.

Please advise what could went wrong?

[Daniel Melgarejo]

Hi dear Luke,

I am glad that my instructions were useful.

Are you using Logstash for any specific reason? If you only need to read and send logs we strongly recommend using only filebeat. You can change filebeat configuration so that it can send logs to Elasticsearch and remove/unistall Logstash because it will no be necessary.

If you need Logstash, configuration can be more difficult. There are some steps you can follow to configure Flibeat, ElasticSearch and Kibana with Logstash: https://documentation.wazuh.com/3.9/learning-wazuh/build-lab/install-elastic-stack.html?highlight=logstash

However, some users have problem with those instructions, so we recommend you follow Javier Castro's instructions in this post: https://groups.google.com/forum/#!searchin/wazuh/15k$20%7Csort:date/wazuh/13_fqghZJ0M/dwrtQKS1BQAJ

I hope you find this information useful.

Regads,

              Daniel

[Daniel Melgarejo]

Hi Luke,

Regarding this last email you sent, I think I need more information. If you can get more error messages, can you show me? In addition, can you show or send me your filebeat.yml? (/etc/filebeat/filebeat.yml)

Regards,

               Daniel.

[Luke Lee]

Hi Daniel. Below is my file. 

  3 filebeat.inputs:
  4 - type: log
  5   paths:
  6     - '/var/ossec/logs/alerts/alerts.json'
  7     - '10.0.106.154/var/log/nginx/error.log-*'
  8     - '10.0.106.154/var/log/nginx/access.log-*'
  9     - '10.0.106.154/etc/nginx/logs/*.access'
 10     - '10.0.106.154/etc/nginx/logs/*.error'
 11   scan_frequency: 10s
 12
 13 # - type: log
 14     # - '10.0.106.154/var/log/nginx/error.log-*'
 15     # scan_frequency: 10s
 16
 17 - type: log
 18   paths:
 19     - '/var/log/nginx/*.json'
 20     - '10.0.106.154/var/log/nginx/*.json'
 21   tags: ["nginx", "json"]
 22   json:
 23     keys_under_root: true
 24     add_error_key: true
 25     fields_under_root: true
 26
 27 filebeat.config.modules:
 28   path: ${path.config}/modules.d/*.yml
 29   reload.enabled: true
 30   reload.period: 10s
 31
 32 # filebeat.registry.path: ${path.data}/registry
 33 filebeat.registry.path: /var/lib/registry
 34 # filebeat.registry.file_permissions: 0664
 35 filebeat.registry.file_permissions: 0640
 36
 37 filebeatt.modules:
 38   - module: nginx
 39   - module: auditd
 40   - module: system
 41
 42 filebeat.modules:
 43   - module: elasticsearch
 44     server:
 45       enabled: true
 46
 47     gc:
 48       enabled: true
 49
 50     audit:
 51       enabled: true
 52
 53     slowlog:
 54       enabled: true
 55
 56     deprecation:
 57       enabled: true
 58
 59 # ---------------------------- Haproxy Module ---------------------------------------
 60   - module: haproxy
 61     log:
 62       enabled: true
 63 # ---------------------------- Kibana Module ---------------------------------------
 64   - module: kibana
 65     log:
 66       enabled: true
 67 # ---------------------------- Osquery Module --------------------------------------
 68   - module: osquery
 69     result:
 70       enabled: true
 71
 72
 73 # To allow data collection from other servers
 74 http.enabled: true
 75 http.port: 5067
 76 monitoring.enabled: true
 77
 78 filebeat.config:
 79   - modules:
 80       enabled: true
 81       path: ${path.config}/modules.d/*.yml
 82       reload.enabled: false
 83
 84 #========================Elasticsearch template setting ===========
 85 setup.template.json.enabled: true
 86 setup.template.json.path: "/etc/filebeat/wazuh-template.json"
 87 setup.template.json.name: "wazuh"
 88 setup.template.overwrite: true
 89
 90 #setup.template.json.path: "/etc/filebeat/filebeat-index-template.json"
 91 #setup.template.json.name: "filebeat"
 92
 93 setup.template.enabled: true
 94 setup.template.name: "filebeat"
 95 setup.template.pattern: "filebeat-*"
 96 setup.template.fields: "fields.yml"
 97 setup.template.overwrite: true
 98 setup.template.settings:
 99   index.number_of_shards: 1
100   index.number_of_replicas: 0
101
102
103 #========================Elasticsearch template setting ===========
104 #setup.template.json.enabled: true
118 setup.dashboards.enabled: true
119
120 # Send events directly to Elasticsearch
121 output.elasticsearch:
122   hosts: ['http://IP']
123   username: "ID"
124   password: "PW"
125   indices:
126     - index: "wazuh-alerts-3.x-%{+yyyy.MM.dd}"
127     - index: "wazuh-monitoring-3.x-%{+yyyy.MM.dd}"
128 #    - index: "filebeat-7.3.0-%{+yyyy.MM.dd}"
129 #    - index: "nginx-filebeat-%"
130     - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
131       when.contains:
132         message: "WARN"
133     - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
134       when.contains:
135         message: "ERR"
136 #  ilm.enabled: true
137
138 #  pipeline: "logstash_main"
139 #  pipeline: "geoip-info"
140
141 # output.file:
142 #  enabled: true
143 #  rotation_every_kb: 10000
144 #  number_of_files: 7
145
146 setup.kibana:
147   host: "http://IP"
148   username: "ID"
149   password: "*PW*"
150
151
152 #=============================== Processors ==================================
153 processors:
154   - decode_json_fields:
155       fields: ['message']
156       process_array: true
157       max_depth: 200
158       target: ''
159       overwrite_keys: true
160   - drop_fields:
161       fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
162   - rename:
163       fields:
164         - from: "data.aws.sourceIPAddress"
165           to: "@src_ip"
166       ignore_missing: true
167       fail_on_error: false
168       when:
169         regexp:
170           data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
171   - rename:
172       fields:
173         - from: "data.srcip"
174           to: "@src_ip"
175       ignore_missing: true
176       fail_on_error: false
177       when:
178         regexp:
179           data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
180   - rename:
181       fields:
182         - from: "data.win.eventdata.ipAddress"
183           to: "@src_ip"
184       ignore_missing: true
185       fail_on_error: false
186       when:
187         regexp:
188           data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
189
190 logging.level: debug
191 logging.to_files: true
192 logging.files:
193   path: /var/log/filebeat
194   name: filebeaterr
195   keepfiles: 5
196   permissions: 0644
197
198
199 xpack.monitoring:
200   enabled: true

[Daniel Melgarejo]

Hi Luke,

I am not very sure about the solution for that error.

It is possible you have a permission error. A coworker showed me the permissions he uses:

[Ubuntu]

# namei -l /usr/share/filebeat/kibana/7/dashboard/

Output:

f: /usr/share/filebeat/kibana/7/dashboard/

drwxr-xr-x root root /

drwxr-xr-x root root usr

drwxr-xr-x root root share

drwxr-xr-x root root filebeat

drwxr-xr-x root root kibana

drwxr-xr-x root root 7

drwxr-xr-x root root dashboard

In addition, it is possible the user you have configurated in filebeat.yml (output.elasticsearch.username and/or output.kibana.username) does not have necessary privileges. More information: https://discuss.elastic.co/t/failed-to-import-dashboard-7-2-0/187804/11

If you have access to 'elastic' user, you can try that user in filebeat.yml in order to be sure about that.

I hope you find this information useful.

Regads,

              Daniel

[Luke Lee]

Hi, Daniel the "elastic" user which we are using to connect to all areas including Elasticsearch, kibana user login etc. This has been used in the filebeat configuration too. 

[Luke Lee]

Hi Daniel, 

Many thanks, the problem seems resolved. 

[Daniel Melgarejo]

Hi Luke,

I am sorry for responding to your mail so late. I was finding out other possible solutions.

I am glad that your problem has been resolved.

Please do not hesitate to contact us to share more questions.

Regards,

                Daniel