:router: ERROR: Error sending message to provider: Error parsing message


German DiCasas

Aug 8, 2024, 4:29:13 PM
to Wazuh | Mailing List
Hi team,

I have an Ubuntu server with Wazuh 4.8.1 all-in-one, with one manager, indexer and dashboard. All is working fine, but I have this message in ossec.log:

:router: ERROR: Error sending message to provider: Error parsing message

This is the full related log:

2024/08/08 04:04:53 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 04:11:29 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 05:04:56 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 05:11:34 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 06:05:00 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 06:11:39 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 07:05:03 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 07:11:44 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 08:05:07 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 08:11:48 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 09:05:10 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 09:11:53 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 10:05:14 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 10:11:58 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 10:17:48 wazuh-integratord: WARNING: Overlong JSON alert read from 'logs/alerts/alerts.json'
2024/08/08 11:05:18 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 11:12:04 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 12:05:21 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 12:12:09 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 13:05:25 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 13:12:16 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 14:05:28 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 14:12:21 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 15:05:31 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 15:12:27 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 16:05:35 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 16:12:34 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 17:05:39 :router: ERROR: Error sending message to provider: Error parsing message, 1: 352: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 17:12:30 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::start: Failed to open RocksDB database. Reason: While opening a file for sequentially reading: queue/vd/event/MANIFEST-000005: No such file or directory
2024/08/08 17:12:40 :router: ERROR: Error sending message to provider: Error parsing message, 1: 354: error: Cannot assign token starting with 'float constant' to value of <long> type.
2024/08/08 17:19:19 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::start: Failed to open RocksDB database. Reason: While opening a file for sequentially reading: queue/vd/event/MANIFEST-000005: No such file or directory

Any idea what it can be? The health status of the indexer is green.

Regards

German

José Luis Cosentino

Aug 8, 2024, 5:45:30 PM
to Wazuh | Mailing List
Hi German,

Can you provide a brief description of your architecture (cluster? all-in-one?). Did you apply any changes to indices recently?
Could you provide the output of this command? grep -E 'Cannot|Error|WARN' /var/log/filebeat/filebeat

Regards!

German DiCasas

Aug 9, 2024, 2:54:29 PM
to Wazuh | Mailing List
Hi José,

I have Wazuh 4.8.1. The indexer, manager and dashboard services are on the same server; I mean that all the services are on the same VM. The only change was upgrading to 4.8 and then to 4.8.1 following the official documentation.

grep - E 'Cannot|Error|WARN' /var/log/filebeat/filebeat 
root@siem:/home/usuario# grep - E 'Cannot|Error|WARN' /var/log/filebeat/filebeat
grep: E: No such file or directory
grep: Cannot|Error|WARN: No such file or directory
/var/log/filebeat/filebeat:2024-08-09T15:44:15.035-0300 INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
/var/log/filebeat/filebeat:2024-08-09T15:44:15.049-0300 INFO    instance/beat.go:653    Beat ID: e25effab-11b6-4ede-80c6-a6ddf5bfd38e
/var/log/filebeat/filebeat:2024-08-09T15:44:15.049-0300 INFO    [index-management]      idxmgmt/std.go:184      Set output.elasticsearch.index to 'filebeat-7.10.2' as ILM is enabled.
/var/log/filebeat/filebeat:2024-08-09T15:44:15.053-0300 INFO    eslegclient/connection.go:99    elasticsearch url: https://127.0.0.1:9200
/var/log/filebeat/filebeat:2024-08-09T15:44:15.189-0300 INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.2
filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2


GET _cluster/health
{
  "cluster_name": "wazuh-cluster",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 202,
  "active_shards": 202,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100
}

Let me know ...

German

German DiCasas

Aug 12, 2024, 3:40:27 PM
to Wazuh | Mailing List
Jose,

Let me know if you need any other log or if you have any fix over this.

Regards

German

José Luis Cosentino

Aug 13, 2024, 7:42:16 AM
to Wazuh | Mailing List
Hi German,

My sincere apologies for the late response. It seems I have found some related known issues with this kind of error message. I'm checking internally with my dev team in order to come back to you with a proper answer that fits your case.

I will come back as soon as possible.

Regards!

German DiCasas

Aug 16, 2024, 4:17:13 PM
to Wazuh | Mailing List
Hi team,

Let me know if you need any other output. I still haven't found what it could be.

Regards,

German

Octavio Valle López

Aug 18, 2024, 11:54:56 PM
to German DiCasas, Wazuh | Mailing List
Hello German, what versions of agents do you have?


German DiCasas

Aug 19, 2024, 10:12:56 AM
to Wazuh | Mailing List
Hi,

The agents are also 4.8.1.

Regards

German DiCasas

Aug 26, 2024, 2:21:11 PM
to Wazuh | Mailing List
Hi there... any path?

José Luis Cosentino

Sep 13, 2024, 8:35:35 AM
to Wazuh | Mailing List
Hi German,

I'm sorry for not getting back to you sooner. Is this still an issue for you? If so, could you share the ossec.conf file, plus your manager version? I will try to reproduce and validate it in a lab in order to share a step-by-step solution, if you want.

Regards!

German DiCasas

Oct 18, 2024, 3:49:53 PM
to Wazuh | Mailing List
Jose,

Yes, I still have the issue. My ossec.conf file:

ii  wazuh-manager                          4.8.2-1

ossec.conf

<!--
  Wazuh - Manager - Default configuration for
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>


  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>



  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>0.0.0.0/0</allowed-ips>
    <local_ip>192.168.0.111</local_ip>
  </remote>
 
  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>
 
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
    </ssl>
  </indexer>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>127.0.0.53</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>




  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <list>etc/lists/admins</list>
    <list>etc/lists/gruposadmin</list>
    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>
  <localfile>
    <log_format>json</log_format>
    <location>/var/ossec/integrations/syscollector.json</location>
    <frequency>10</frequency>
   <!-- <ignore_binaries>yes</ignore_binaries> -->
  </localfile>

</ossec_config>
 
Thanks

German DiCasas

Oct 23, 2024, 4:33:41 PM
to Wazuh | Mailing List
Jose,

Do you have any idea what it could be, or a path? I still have the logs. I upgraded to 4.8.2 but it is the same.

Regards

German

German DiCasas

Oct 31, 2024, 4:05:59 PM
to Wazuh | Mailing List
Hi there,

Any update on this?

Regards.

German
