Unable to view CIS Benchmark


Bill Justesen

Oct 3, 2022, 3:52:41 PM
to Wazuh mailing list
We're slowly rolling out Wazuh to our workstations, after having successfully done so with our servers. For some reason, though, when I go to view the CIS Benchmark for Windows 11, it has usually timed out, resulting in the error of:

For the first time, it now just pulled up the page, but as you can see when I choose the result of failed, it is only showing one item. Any ideas as to what is going on?

benchmark.PNG

Nicolas Zapata

Oct 3, 2022, 4:10:29 PM
to Wazuh mailing list
Hello, Thanks for using Wazuh!
Let's check some logs and see if we have any more information.
Can you attach the output of the following commands for me, to see if there is something erratic?

  1. The Wazuh API log
     cat /var/ossec/logs/api.log

  2. The Wazuh UI log
     cat /usr/share/kibana/optimize/wazuh-logs/wazuhapp.log

Regards

Bill Justesen

Oct 4, 2022, 7:34:02 AM
to Wazuh mailing list
Hello, both logs are attached. I pulled the Wazuh UI log from the /usr/share/wazuh-dashboard/data/wazuh/logs/ folder.
api.log
wazuhapp.log

Nicolas Zapata

Oct 4, 2022, 8:50:09 AM
to Wazuh mailing list
Thanks!

In order to help you, I need more information:
- What version of Wazuh are you running on the manager node and on the Windows agents?
- Do you have Wazuh cluster enabled?


Finally, it is possible that this endpoint is returning a Timeout as an error due to the amount of information. I share here the reference of the API endpoint:

In this reference you can notice that the endpoint accepts the wait_for_complete parameter. This parameter is False by default, so if the requested information is not returned after 10 seconds, the API will return a Timeout. One of the tests that we can do is, from the DevTools of Kibana (https://www.elastic.co/guide/en/kibana/current/console-kibana.html), to execute the endpoint with the parameter wait_for_complete=true.

You can test this API request to check if the problem is really the Timeout or, on the contrary, there is some other error. To be able to make calls to the API, the first thing we have to do is to follow this part of the documentation: https://documentation.wazuh.com/current/user-manual/api/getting-started.html#logging-into-the-wazuh-api

TOKEN=$(curl -u <user>:<password> -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")

By default, the user and password are wazuh. Once logged in, we will execute the CIS-CAT request from the terminal, as we did with the login to the API:

curl -k -X GET "https://localhost:55000/ciscat/{agent_id}/results?wait_for_complete=true" -H "Authorization: Bearer $TOKEN"

Here we will replace agent_id with the ID of the agent in question. Finally, we will check the API log with the following command:

tail -n30 /var/ossec/logs/api.log

Do not hesitate to ask if you have any questions. Regards

Bill Justesen

Oct 4, 2022, 1:05:22 PM
to Wazuh mailing list
Hello again Nicolas. Thank you for your help so far.

I am running Wazuh 4.3.8 on the Windows agent and on the manager node, also 4.3.8 revision 40321. I tried reading the first link you sent, and I'm getting a 'Failed to fetch' error. I'll have to wait for it to come back up.

I did run the commands, though. I received a token from the first command, but I am not pasting it since it isn't necessary.

After the curl, I got: {"data": {"affected_items": [], "total_affected_items": 0, "total_failed_items": 0, "failed_items": []}, "message": "No CISCAT results were returned", "error": 0}

And here are the results from the api.log.
2022/10/04 11:58:34 INFO: wazuh 192.168.100.71 "GET /ciscat/013/results" with parameters {"wait_for_complete": "true"} and body {} done in 0.032s: 200
2022/10/04 11:58:55 INFO: wazuh-wui 127.0.0.1 "GET /agents" with parameters {"agents_list": "013"} and body {} done in 0.031s: 200
2022/10/04 11:58:55 INFO: wazuh-wui 127.0.0.1 "GET /groups" with parameters {} and body {} done in 0.030s: 200
2022/10/04 11:58:55 INFO: wazuh-wui 127.0.0.1 "GET /" with parameters {} and body {} done in 0.021s: 200
2022/10/04 11:58:55 INFO: wazuh-wui 127.0.0.1 "GET /sca/013" with parameters {"sort": "-end_scan", "limit": "1"} and body {} done in 0.044s: 200
2022/10/04 11:59:00 INFO: wazuh-wui 127.0.0.1 "GET /agents/summary/status" with parameters {} and body {} done in 0.027s: 200
2022/10/04 11:59:00 INFO: wazuh-wui 127.0.0.1 "GET /agents/summary/status" with parameters {} and body {} done in 0.028s: 200
2022/10/04 11:59:00 INFO: wazuh-wui 127.0.0.1 "GET /sca/013" with parameters {} and body {} done in 0.030s: 200
2022/10/04 11:59:00 INFO: wazuh-wui 127.0.0.1 "GET /sca/013" with parameters {} and body {"q": "policy_id=sca_win_audit"} done in 0.032s: 200
2022/10/04 11:59:03 INFO: wazuh-wui 127.0.0.1 "GET /sca/013" with parameters {"q": "policy_id=cis_win11_enterprise_21H2"} and body {} done in 0.030s: 200
2022/10/04 11:59:13 ERROR: Timeout executing API request
2022/10/04 11:59:13 INFO: wazuh-wui 127.0.0.1 "GET /sca/013/checks/cis_win11_enterprise_21H2" with parameters {} and body {} done in 10.052s: 500
2022/10/04 11:59:14 INFO: wazuh-wui 127.0.0.1 "GET /security/user/authenticate" with parameters {} and body {} done in 0.836s: 200
2022/10/04 11:59:14 INFO: wazuh 192.168.100.71 "GET /ciscat/013/results" with parameters {"wait_for_complete": "true"} and body {} done in 9.454s: 200
2022/10/04 11:59:14 INFO: wazuh-wui 127.0.0.1 "GET /manager/info" with parameters {} and body {} done in 0.658s: 200
2022/10/04 11:59:15 INFO: wazuh-wui 127.0.0.1 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.033s: 200
2022/10/04 11:59:15 INFO: wazuh-wui 127.0.0.1 "GET /cluster/status" with parameters {} and body {} done in 0.033s: 200
2022/10/04 12:00:00 INFO: wazuh-wui 127.0.0.1 "GET /manager/stats/analysisd" with parameters {"pretty": ""} and body {} done in 0.066s: 200
2022/10/04 12:00:00 INFO: wazuh-wui 127.0.0.1 "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.049s: 200
2022/10/04 12:00:00 INFO: wazuh-wui 127.0.0.1 "GET /cluster/status" with parameters {} and body {} done in 0.037s: 200
2022/10/04 12:00:00 INFO: wazuh-wui 127.0.0.1 "GET /agents" with parameters {"offset": "0", "limit": "1", "q": "id!=000"} and body {} done in 0.037s: 200
2022/10/04 12:00:00 INFO: wazuh-wui 127.0.0.1 "GET /agents" with parameters {"offset": "0", "limit": "500", "q": "id!=000"} and body {} done in 0.032s: 200
2022/10/04 12:00:19 INFO: wazuh-wui 127.0.0.1 "GET /sca/013" with parameters {"q": "policy_id=cis_win11_enterprise_21H2"} and body {} done in 0.036s: 200
2022/10/04 12:00:29 ERROR: Timeout executing API request
2022/10/04 12:00:29 INFO: wazuh-wui 127.0.0.1 "GET /sca/013/checks/cis_win11_enterprise_21H2" with parameters {} and body {} done in 10.059s: 500
2022/10/04 12:00:30 INFO: wazuh-wui 127.0.0.1 "GET /security/user/authenticate" with parameters {} and body {} done in 0.812s: 200
2022/10/04 12:00:30 INFO: wazuh 192.168.100.71 "GET /ciscat/013/results" with parameters {"wait_for_complete": "true"} and body {} done in 10.688s: 200
2022/10/04 12:00:30 INFO: wazuh-wui 127.0.0.1 "GET /manager/info" with parameters {} and body {} done in 0.593s: 200
2022/10/04 12:00:30 INFO: wazuh-wui 127.0.0.1 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.024s: 200
2022/10/04 12:00:30 INFO: wazuh-wui 127.0.0.1 "GET /cluster/status" with parameters {} and body {} done in 0.037s: 200


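The api.log excerpt posted above, together with the curl test described earlier in the thread (authenticate, call /ciscat/{agent_id}/results with wait_for_complete=true, then read api.log), can be triaged mechanically rather than by eye. The following Python is an added example for this page, not code from the thread or from the Wazuh project. It parses api.log request lines in the 4.x format shown above, pairs each "Timeout executing API request" ERROR line with the request logged immediately after it, groups calls per endpoint with the agent ID collapsed, and interprets the JSON that a /ciscat/{agent_id}/results call returns. The sample log is constructed from the lines posted in the thread; the assumption that a Wazuh API error document carries a non-zero "error" code and a "detail" string, and the assumption that parameters and body are flat JSON objects, should be checked against your own api.log.

```python
"""Triage a Wazuh api.log for requests that hit the API's default 10-second
timeout, and interpret a /ciscat/{agent_id}/results response.
Added example for this thread; not code from the thread or from Wazuh."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Wazuh 4.x api.log request line, as posted in the thread:
# 2022/10/04 11:59:13 INFO: wazuh-wui 127.0.0.1 "GET /sca/013/checks/p" with parameters {} and body {} done in 10.052s: 500
# Assumption: parameters and body are flat JSON objects (no nested braces).
REQUEST_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) INFO: '
    r'(?P<user>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'with parameters (?P<params>\{.*?\}) and body (?P<body>\{.*?\}) '
    r'done in (?P<secs>[\d.]+)s: (?P<status>\d{3})$')
TIMEOUT_RE = re.compile(r'^\S+ \S+ ERROR: Timeout executing API request$')
DEFAULT_TIMEOUT_S = 10.0  # API timeout when wait_for_complete is not set


@dataclass
class Request:
    ts: str
    user: str
    src: str
    method: str
    path: str
    params: str
    secs: float
    status: int
    timed_out: bool = False  # the API gave up; the endpoint itself did not fail


def parse_api_log(lines):
    """Yield Request records; a Timeout ERROR line is attributed to the
    request line logged right after it (the order seen in the thread)."""
    pending_timeout = False
    for line in lines:
        line = line.rstrip("\n")
        if TIMEOUT_RE.match(line):
            pending_timeout = True
            continue
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request record (other INFO/WARNING lines)
        req = Request(m["ts"], m["user"], m["src"], m["method"], m["path"],
                      m["params"], float(m["secs"]), int(m["status"]))
        req.timed_out = (pending_timeout and req.status == 500
                         and req.secs >= DEFAULT_TIMEOUT_S)
        pending_timeout = False
        yield req


def endpoint_key(path):
    """Collapse numeric agent IDs so calls for different agents group."""
    return re.sub(r"/\d{3,}(?=/|$)", "/{agent_id}", path)


def summarize(requests):
    """Per endpoint: call count, timeouts, slowest call, and whether any
    call was made with wait_for_complete=true."""
    stats = defaultdict(lambda: {"count": 0, "timeouts": 0,
                                 "max_secs": 0.0, "wait_for_complete": False})
    for r in requests:
        s = stats[endpoint_key(r.path)]
        s["count"] += 1
        s["timeouts"] += int(r.timed_out)
        s["max_secs"] = max(s["max_secs"], r.secs)
        if '"wait_for_complete": "true"' in r.params:
            s["wait_for_complete"] = True
    return dict(stats)


def timed_out_endpoints(log_text):
    """Endpoints that hit the default timeout, slowest first."""
    stats = summarize(parse_api_log(log_text.splitlines()))
    return sorted((k for k, v in stats.items() if v["timeouts"]),
                  key=lambda k: -stats[k]["max_secs"])


def classify_ciscat_response(body):
    """'empty': successful call with no stored CIS-CAT results (the case in
    the thread); 'results': data present; 'timeout'/'error': the API returned
    an error document. Assumption: error documents carry a non-zero "error"
    code and a "detail" (or "message") string."""
    doc = json.loads(body)
    if doc.get("error", 0) != 0:
        detail = str(doc.get("detail", doc.get("message", "")))
        return "timeout" if "Timeout" in detail else "error"
    return "results" if doc.get("data", {}).get("total_affected_items", 0) > 0 else "empty"


# Constructed from the api.log lines posted in the thread.
SAMPLE_API_LOG = """\
2022/10/04 11:59:03 INFO: wazuh-wui 127.0.0.1 "GET /sca/013" with parameters {"q": "policy_id=cis_win11_enterprise_21H2"} and body {} done in 0.030s: 200
2022/10/04 11:59:13 ERROR: Timeout executing API request
2022/10/04 11:59:13 INFO: wazuh-wui 127.0.0.1 "GET /sca/013/checks/cis_win11_enterprise_21H2" with parameters {} and body {} done in 10.052s: 500
2022/10/04 11:59:14 INFO: wazuh 192.168.100.71 "GET /ciscat/013/results" with parameters {"wait_for_complete": "true"} and body {} done in 9.454s: 200
2022/10/04 12:00:29 ERROR: Timeout executing API request
2022/10/04 12:00:29 INFO: wazuh-wui 127.0.0.1 "GET /sca/013/checks/cis_win11_enterprise_21H2" with parameters {} and body {} done in 10.059s: 500
2022/10/04 12:00:30 INFO: wazuh 192.168.100.71 "GET /ciscat/013/results" with parameters {"wait_for_complete": "true"} and body {} done in 10.688s: 200
"""

if __name__ == "__main__":
    for endpoint, s in summarize(parse_api_log(SAMPLE_API_LOG.splitlines())).items():
        print(endpoint, s)
    print("timed out:", timed_out_endpoints(SAMPLE_API_LOG))
```

To run it on a live manager, pass `open("/var/ossec/logs/api.log")` to `parse_api_log` instead of the sample. On the posted excerpt it reports the timeouts on `/sca/{agent_id}/checks/cis_win11_enterprise_21H2`, while every `/ciscat/{agent_id}/results` call, which was made with wait_for_complete=true, finishes with a 200 even when it takes longer than 10 seconds; the empty-but-successful CIS-CAT response quoted above classifies as "empty", not as a timeout.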
Bill Justesen

Oct 4, 2022, 1:06:06 PM
to Wazuh mailing list
I forgot to mention I do not have a cluster. This is a single server.