Closed by TomasTurina 2 weeks ago
Multiple corrections made. Evidence still needs to be uploaded.
Deployment was made using the following docker files: https://github.com/wazuh/wazuh-tools/tree/test/24305-comms-api-env/framework/environments/dev
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7da153dbf57c dev-wazuh-manager "/scripts/entrypoint…" 7 days ago Up 2 hours (unhealthy) 0.0.0.0:55052->55000/tcp, [::]:55052->55000/tcp dev-wazuh-worker2-1
0992b91f6793 dev-wazuh-manager "/scripts/entrypoint…" 7 days ago Up 2 hours (unhealthy) 0.0.0.0:55051->55000/tcp, [::]:55051->55000/tcp dev-wazuh-worker1-1
b04fe3007339 dev-wazuh-manager "/scripts/entrypoint…" 7 days ago Up 2 hours (unhealthy) 0.0.0.0:27000->27000/tcp, :::27000->27000/tcp, 0.0.0.0:55050->55000/tcp, [::]:55050->55000/tcp dev-wazuh-master-1
87c55d1bd692 dev-wazuh-agent "/scripts/entrypoint…" 8 days ago Up 2 hours (healthy) dev-wazuh-agent-1
4ee505ab3f69 dev-nginx-lb "/scripts/entrypoint…" 8 days ago Up 2 hours 80/tcp dev-nginx-lb-1
1ffa85397506 opensearchproject/opensearch:2.6.0 "./opensearch-docker…" 8 days ago Up 2 hours 9300/tcp, 9600/tcp, 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp, 9650/tcp dev-indexer-1
# cat wazuh.conf
[agent]
server_mgmt_api_port = "55000"
agent_comms_api_port = "27000"
manager_ip = "wazuh-master"
Agent logs:
# ./wazuh-agent --register --user wazuh --password wazuh --key 12345
[2024-09-20 18:39:02.105] [wazuh-agent] [info] [INFO] [main.cpp:13] [main] Starting Wazuh Agent.
[2024-09-20 18:39:02.106] [wazuh-agent] [info] [INFO] [main.cpp:21] [main] Starting registration process
[2024-09-20 18:39:02.358] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:187] [PerformHttpRequest] Response code: 200.
[2024-09-20 18:39:02.358] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:188] [PerformHttpRequest] Response body: {"data": {"token": "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNzI2ODU3NTQyLCJleHAiOjE3MjY4NTg0NDIsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.ALy_OAaoSnm3LyJn_YM1bpl8p1taVXWSObEoLS8KcYP82Qy4sZAZYSjLkSSq2is_5mNlUYgL6OmcPSZIZejyOJXqAb2q1BNF8mnDOLDHbIXBPLNxZaPlSbh3_zInMvYECr1y6BY73QRNzY3CaCKvQfKisxH4tmDC-flIPDeJWq5sk_EA"}, "error": 0}.
[2024-09-20 18:39:02.586] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:187] [PerformHttpRequest] Response code: 200.
[2024-09-20 18:39:02.586] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:188] [PerformHttpRequest] Response body: {"data": {"id": "621e066f-8d33-4912-a845-25404f4f351e", "key": "q\u00b2J\u0014\u009a\u00a7\u00dd\u00fftO\u00d2\u00abx\u0099\u00ade\u00ed\u00aa\u00f6\u00a8\u00ea*h\u00be\u0002\u0081\u008c\u00a1\u00ab\u00c6-\u00b0 \u00ad\u0005\u00c5\u0093\u0092\u0089\u00f3\u00b5!?\u0015\u00b8\u00eb \u0005"}, "error": 0}.
[2024-09-20 18:39:02.587] [wazuh-agent] [info] [INFO] [main.cpp:46] [main] Agent registered.
[2024-09-20 18:39:02.587] [wazuh-agent] [info] [INFO] [main.cpp:58] [main] Exiting ...
Agent DB:
# sqlite3 agent_info.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .tables
agent_info
sqlite> .headers on
sqlite> select * from agent_info;
name|key|uuid
87c55d1bd692|12345|621e066f-8d33-4912-a845-25404f4f351e
Server logs:
2024/09/20 18:39:02 INFO: wazuh 172.20.0.7 "POST /security/user/authenticate" with parameters {} and body {} done in 0.227s: 200
2024/09/20 18:39:02 INFO: wazuh 172.20.0.7 "POST /agents" with parameters {} and body {"id": "621e066f-8d33-4912-a845-25404f4f351e", "key": "****", "name": "87c55d1bd692"} done in 0.225s: 200
Post command:
# curl -X POST -H "Content-Type: application/json" -ku admin:SecretPassword1% http://wazuh-indexer:9200/commands/_doc -d '{"args": ["fim","execute","param1","param2",12345], "agent": {"id": "621e066f-8d33-4912-a845-25404f4f351e"}, "status": "pending", "info": "string"}'
{"_index":"commands","_id":"CSrCEJIB9AvAKZcRFUKG","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":33,"_primary_term":4}
Agent logs:
# ./wazuh-agent
[2024-09-20 18:45:28.812] [wazuh-agent] [info] [INFO] [main.cpp:13] [main] Starting Wazuh Agent.
[2024-09-20 18:45:28.896] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:185] [PerformHttpRequest] Response code: 200.
[2024-09-20 18:45:28.896] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:186] [PerformHttpRequest] Response body: {"token":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIENvbW11bmljYXRpb25zIEFQSSIsImlhdCI6MTcyNjg1NzkyOCwiZXhwIjoxNzI2ODU4ODI4LCJ1dWlkIjoiNjIxZTA2NmYtOGQzMy00OTEyLWE4NDUtMjU0MDRmNGYzNTFlIn0.ADH-AEAVrKGzUAP8ihiNyK2DbESMVYYE1xs7OzugcOOi4cI8HPvMZ0WFj6VVMP_-0daxXXlNGjYx1LndZHImiWs5AXTWaZ7AqlGuPI6msDoxoKAGc7sA0YSrkow_qRax0al7E6gIMwJnuT-s_XLuSaZbkMzfs2PzrQV2PVfkpAb6a6jX"}.
[2024-09-20 18:45:59.890] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:154] [Co_PerformHttpRequest] Response code: 408.
[2024-09-20 18:45:59.890] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:155] [Co_PerformHttpRequest] Response body: {"message":"Request exceeded the processing time limit","code":408}.
[2024-09-20 18:46:30.898] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:154] [Co_PerformHttpRequest] Response code: 408.
[2024-09-20 18:46:30.898] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:155] [Co_PerformHttpRequest] Response body: {"message":"Request exceeded the processing time limit","code":408}.
[2024-09-20 18:46:51.981] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:154] [Co_PerformHttpRequest] Response code: 200.
[2024-09-20 18:46:51.981] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:155] [Co_PerformHttpRequest] Response body: {"commands":[{"id":"CSrCEJIB9AvAKZcRFUKG","status":"sent","info":"string","args":["fim","execute","param1","param2",12345],"agent":{"id":"621e066f-8d33-4912-a845-25404f4f351e"}}]}.
[2024-09-20 18:46:52.943] [wazuh-agent] [info] [INFO] [command_handler_utils.cpp:7] [DispatchCommand] Dispatching command execute(fim)
[2024-09-20 18:46:52.945] [wazuh-agent] [info] [INFO] [command_handler.hpp:44] [ProcessCommandsFromQueue] Done processing command: execute(fim)
Agent DB:
# sqlite3 command_store.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .tables
COMMAND
sqlite> .headers on
sqlite> select * from COMMAND;
id|module|command|parameters|result|status|time
CSrCEJIB9AvAKZcRFUKG|fim|execute|param1 param2 12345|Successfully executed|0|1726858012.937
Server logs:
2024/09/20 18:44:27 INFO: "POST /api/v1/authentication" with parameters {} and body {"uuid": "621e066f-8d33-4912-a845-25404f4f351e", "key": "***"} done in 0.098s: 200
2024/09/20 18:44:58 ERROR: Timeout executing API request
2024/09/20 18:44:58 INFO: (621e066f-8d33-4912-a845-25404f4f351e) "GET /api/v1/commands" with parameters {} and body {} done in 30.006s: 408
2024/09/20 18:45:28 INFO: "GET /api/v1/commands" with parameters {} and body {} done in 0.006s: 403
2024/09/20 18:45:28 INFO: "POST /api/v1/authentication" with parameters {} and body {"uuid": "621e066f-8d33-4912-a845-25404f4f351e", "key": "***"} done in 0.073s: 200
2024/09/20 18:45:59 ERROR: Timeout executing API request
2024/09/20 18:45:59 INFO: (621e066f-8d33-4912-a845-25404f4f351e) "GET /api/v1/commands" with parameters {} and body {} done in 30.009s: 408
2024/09/20 18:46:30 ERROR: Timeout executing API request
2024/09/20 18:46:30 INFO: (621e066f-8d33-4912-a845-25404f4f351e) "GET /api/v1/commands" with parameters {} and body {} done in 30.005s: 408
2024/09/20 18:46:51 INFO: (621e066f-8d33-4912-a845-25404f4f351e) "GET /api/v1/commands" with parameters {} and body {} done in 20.079s: 200
Generate event:
Since the inventory module is not ready yet, an event will be inserted directly in the queue for testing purposes:
# sqlite3 queue.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .tables
COMMAND STATEFUL STATELESS
sqlite> insert into STATEFUL (module, message) values ('inventory', '{"data":{"data":{"board_serial":" ","checksum":"51ee4bfdf4dd6179f792c57b94339053067cd2e7","cpu_cores":16,"cpu_mhz":4846.0,"cpu_name":"AMD Ryzen 7 5800X 8-Core Processor","ram_free":23144424,"ram_total":32799344,"ram_usage":30,"scan_time":"2024/08/30 21:22:31"},"operation":"INSERTED","type":"dbsync_hwinfo"},"module":"inventory"}');
sqlite> insert into STATELESS (module, message) values ('inventory', '{"data":{"data":{"board_serial":" ","checksum":"51ee4bfdf4dd6179f792c57b94339053067cd2e7","cpu_cores":16,"cpu_mhz":4846.0,"cpu_name":"AMD Ryzen 7 5800X 8-Core Processor","ram_free":23144424,"ram_total":32799344,"ram_usage":30,"scan_time":"2024/08/30 21:22:31"},"operation":"INSERTED","type":"dbsync_hwinfo"},"module":"inventory"}');
sqlite> .headers on
sqlite> select * from STATEFUL;
module|message
inventory|{"data":{"data":{"board_serial":" ","checksum":"51ee4bfdf4dd6179f792c57b94339053067cd2e7","cpu_cores":16,"cpu_mhz":4846.0,"cpu_name":"AMD Ryzen 7 5800X 8-Core Processor","ram_free":23144424,"ram_total":32799344,"ram_usage":30,"scan_time":"2024/08/30 21:22:31"},"operation":"INSERTED","type":"dbsync_hwinfo"},"module":"inventory"}
sqlite> select * from STATELESS;
module|message
inventory|{"data":{"data":{"board_serial":" ","checksum":"51ee4bfdf4dd6179f792c57b94339053067cd2e7","cpu_cores":16,"cpu_mhz":4846.0,"cpu_name":"AMD Ryzen 7 5800X 8-Core Processor","ram_free":23144424,"ram_total":32799344,"ram_usage":30,"scan_time":"2024/08/30 21:22:31"},"operation":"INSERTED","type":"dbsync_hwinfo"},"module":"inventory"}
Agent logs:
# ./wazuh-agent
[2024-09-20 18:54:49.375] [wazuh-agent] [info] [INFO] [main.cpp:13] [main] Starting Wazuh Agent.
[2024-09-20 18:54:49.479] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:185] [PerformHttpRequest] Response code: 200.
[2024-09-20 18:54:49.479] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:186] [PerformHttpRequest] Response body: {"token":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIENvbW11bmljYXRpb25zIEFQSSIsImlhdCI6MTcyNjg1ODQ4OSwiZXhwIjoxNzI2ODU5Mzg5LCJ1dWlkIjoiNjIxZTA2NmYtOGQzMy00OTEyLWE4NDUtMjU0MDRmNGYzNTFlIn0.AdIq0q5AtbLGQgBRKEFbTru-PMY8JJosEoyau4CB2acxfOQaJIB_R324duRgksY1AUjJqrrRH1L6vR_NXxDOvNVtAVNFA2XvcmtUF0Ns6A2Y7czhfDzJK86_B884YRccffYLjNQFU8iMdbpk_KwkITTehwZg9fFF_BQoZlyA4U78DIAv"}.
[2024-09-20 18:54:50.417] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:154] [Co_PerformHttpRequest] Response code: 500.
[2024-09-20 18:54:50.417] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:155] [Co_PerformHttpRequest] Response body: {"message":"AsyncOpenSearch.create() missing 1 required positional argument: 'id'","code":500}.
[2024-09-20 18:54:50.460] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:154] [Co_PerformHttpRequest] Response code: 200.
[2024-09-20 18:54:50.460] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:155] [Co_PerformHttpRequest] Response body: .
[2024-09-20 18:54:51.445] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:154] [Co_PerformHttpRequest] Response code: 500.
[2024-09-20 18:54:51.445] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:155] [Co_PerformHttpRequest] Response body: {"message":"AsyncOpenSearch.create() missing 1 required positional argument: 'id'","code":500}.
[2024-09-20 18:54:52.454] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:154] [Co_PerformHttpRequest] Response code: 500.
[2024-09-20 18:54:52.454] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:155] [Co_PerformHttpRequest] Response body: {"message":"AsyncOpenSearch.create() missing 1 required positional argument: 'id'","code":500}.
[2024-09-20 18:54:53.477] [wazuh-agent] [debug] [DEBUG] [http_client.cpp:154] [Co_PerformHttpRequest] Response code: 500.
Note: Sending the stateful event failed because the API is missing some implementation, but we can see that the agent keeps retrying the send because of this.
Agent DB:
# sqlite3 queue.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .tables
COMMAND STATEFUL STATELESS
sqlite> .headers on
sqlite> select * from STATEFUL;
module|message
inventory|{"data":{"data":{"board_serial":" ","checksum":"51ee4bfdf4dd6179f792c57b94339053067cd2e7","cpu_cores":16,"cpu_mhz":4846.0,"cpu_name":"AMD Ryzen 7 5800X 8-Core Processor","ram_free":23144424,"ram_total":32799344,"ram_usage":30,"scan_time":"2024/08/30 21:22:31"},"operation":"INSERTED","type":"dbsync_hwinfo"},"module":"inventory"}
sqlite> select * from STATELESS;
sqlite>
Note: The stateful event was not deleted because it has not been successfully sent yet.
Server logs:
2024/09/20 18:54:49 INFO: "POST /api/v1/authentication" with parameters {} and body {"uuid": "621e066f-8d33-4912-a845-25404f4f351e", "key": "***"} done in 0.094s: 200
2024/09/20 18:54:50 ERROR: Exception in ASGI application
...
2024/09/20 18:54:50 INFO: (621e066f-8d33-4912-a845-25404f4f351e) "POST /api/v1/events/stateless" with parameters {} and body {"events": [{"data": {"data": {"data": {"board_serial": " ", "checksum": "51ee4bfdf4dd6179f792c57b94339053067cd2e7", "cpu_cores": 16, "cpu_mhz": 4846.0, "cpu_name": "AMD Ryzen 7 5800X 8-Core Processor", "ram_free": 23144424, "ram_total": 32799344, "ram_usage": 30, "scan_time": "2024/08/30 21:22:31"}, "operation": "INSERTED", "type": "dbsync_hwinfo"}, "module": "inventory"}, "module": "inventory"}]} done in 0.055s: 200
Note: An exception occurs in the stateful event; this will be fixed in the future (cc @wazuh/devel-pyserver).
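The agent-side behaviour evidenced above (long-poll 408 handled by polling again, 403 answered with a fresh authentication, a 200 dispatched and recorded in the COMMAND table, and queued events deleted only after a successful send) as an added simulation; this is not code from wazuh-agent or the Comms API. `ScriptedCommsApi`, `poll_until_command` and `drain_queue` are assumed names, and the server stub just replays the status codes from the logs.

```python
import sqlite3
import time

UUID = "621e066f-8d33-4912-a845-25404f4f351e"  # agent uuid from the evidence above
COMMAND = {"id": "CSrCEJIB9AvAKZcRFUKG", "status": "sent",
           "args": ["fim", "execute", "param1", "param2", 12345], "agent": {"id": UUID}}

class ScriptedCommsApi:
    """Constructed stand-in for the Comms API: replays the status codes seen in the log."""
    def __init__(self, poll_codes, event_codes):
        self.poll_codes = list(poll_codes)
        self.event_codes = {k: list(v) for k, v in event_codes.items()}
        self.auths = 0
    def authenticate(self, uuid, key):            # POST /api/v1/authentication
        self.auths += 1
        return 200, {"token": f"tok{self.auths}"}
    def commands(self, token):                    # GET /api/v1/commands (long poll)
        code = self.poll_codes.pop(0)
        return code, ({"commands": [COMMAND]} if code == 200 else {"code": code})
    def events(self, kind, token, events):        # POST /api/v1/events/{kind}
        return self.event_codes[kind].pop(0), {}

def poll_until_command(api, key, max_attempts=10):
    """Mirror the agent: 408 -> poll again, 403 -> re-authenticate, 200 -> dispatch and store."""
    token = api.authenticate(UUID, key)[1]["token"]
    store = sqlite3.connect(":memory:")              # stands in for command_store.db
    store.execute("create table COMMAND(id,module,command,parameters,result,status,time)")
    for _ in range(max_attempts):
        code, body = api.commands(token)
        if code == 408:                           # long-poll timeout, nothing pending: poll again
            continue
        if code == 403:                           # token rejected: fetch a fresh one, then poll
            token = api.authenticate(UUID, key)[1]["token"]
            continue
        if code == 200:
            for cmd in body["commands"]:
                module, command, *params = cmd["args"]
                store.execute("insert into COMMAND values (?,?,?,?,?,?,?)", (cmd["id"], module,
                              command, " ".join(map(str, params)), "Successfully executed", 0, time.time()))
            rows = store.execute("select id,module,command,parameters,status from COMMAND").fetchall()
            return rows, api.auths
    return [], api.auths

def drain_queue(api, token, queue):
    """Send each queue table; rows are removed only after a 2xx, otherwise they stay for retry."""
    for kind in ("stateful", "stateless"):
        code, _ = api.events(kind, token, queue[kind])
        if 200 <= code < 300:
            queue[kind] = []
    return queue
```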
Description
After the implementation of the agent MVP (https://github.com/wazuh/wazuh-agent/issues/14), it is necessary to verify that everything is working as expected. For this, the real implementation of the API will be used, in order to validate that communication flows between them.
Things to do: