API error - 3099 - ERROR3099 - Some Wazuh daemons are not ready in node 'node01' (wazuh-modulesd->failed)

Afilsi commented 4 years ago

Hello, I have Wazuh installed in a server and he worked perfectly for somes day, but now I have this error:

I have try to restart all services, reboot the server, but the error is still present... I have no idea of what is the problem....

systemctl status wazuh-manager

● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/etc/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-04-13 14:35:00 BST; 1h 13min ago
  Process: 1219 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─1895 /var/ossec/bin/ossec-csyslogd
           ├─1936 /var/ossec/bin/wazuh-db
           ├─1953 /var/ossec/bin/ossec-execd
           ├─1962 /var/ossec/bin/ossec-maild
           ├─1969 /var/ossec/bin/ossec-analysisd
           ├─1974 /var/ossec/bin/ossec-syscheckd
           ├─1987 /var/ossec/bin/ossec-remoted
           ├─1992 /var/ossec/bin/ossec-logcollector
           └─1999 /var/ossec/bin/ossec-monitord

systemctl status wazuh-api

● wazuh-api.service - Wazuh API daemon
   Loaded: loaded (/etc/systemd/system/wazuh-api.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-04-13 14:34:47 BST; 1h 19min ago
     Docs: https://documentation.wazuh.com/current/user-manual/api/index.html
 Main PID: 1223 (node)
   CGroup: /system.slice/wazuh-api.service
           └─1223 /bin/node /var/ossec/api/app.js

Apr 13 14:34:47 wazuh.nomdomaine systemd[1]: Started Wazuh API daemon.

systemctl status elasticsearch

● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-04-13 14:35:52 BST; 1h 22min ago
     Docs: http://www.elastic.co
 Main PID: 1221 (java)
   CGroup: /system.slice/elasticsearch.service
           ├─1221 /usr/share/elasticsearch/jdk/bin/java -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitSta...
           └─2199 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Apr 13 14:34:47 wazuh.nomdomaine  systemd[1]: Starting Elasticsearch...
Apr 13 14:34:53 wazuh.nomdomaine  elasticsearch[1221]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Apr 13 14:35:52 wazuh.nomdomaine  systemd[1]: Started Elasticsearch.

systemctl status filebeat

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-04-13 14:34:47 BST; 1h 24min ago
     Docs: https://www.elastic.co/products/beats/filebeat
 Main PID: 1220 (filebeat)
   CGroup: /system.slice/filebeat.service
           └─1220 /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

Apr 13 15:58:20 wazuh.nomdomaine   filebeat[1220]: 2020-04-13T15:58:20.103+0100        INFO        [monitoring]        log/log.go:145        Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system...
Apr 13 15:58:50 wazuhnomdomaine   filebeat[1220]: 2020-04-13T15:58:50.104+0100        INFO        [monitoring]        log/log.go:145        Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system...
Apr 13 15:59:20 wazuh.nomdomaine   filebeat[1220]: 2020-04-13T15:59:20.103+0100        INFO        [monitoring]        log/log.go:145        Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system...

systemctl status kibana

● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-04-13 14:34:45 BST; 1h 27min ago
 Main PID: 845 (node)
   CGroup: /system.slice/kibana.service
           └─845 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml

Apr 13 15:30:57 wazuh.nomdomaine   kibana[845]: {"type":"response","@timestamp":"2020-04-13T14:30:57Z","tags":[],"pid":845,"method":"get","statusCode":200,"req":{"url":"/built_assets/dlls/icon.dot-js.bundle.dll.js","method":"get","headers":{"host":"localhost:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0","accept":"*/*","accept-language":"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://wazuh.nomdomaine/app/wazuh","dnt":"1","x-forwarded-for":"10.0.201.5","x-forwarded-host":"wazuh.nomdomaine","x-forwarded-server":"wazuh.nomdomaine","connection":"Keep-Alive"},"remoteAddress":"127.0.0.1","userAgent":"127.0.0.1","referer":"https://wazuh.nomdomaine/app/wazuh"},"res":{"statusCode":200,"responseTime":4,"contentLength":9},"message":"GET /built_assets/dlls/icon.dot-js.bundle.dll.js 200 4ms - 9.0B"}
Apr 13 15:30:57 wazuh.nomdomaine kibana[845]: {"type":"response","@timestamp":"2020-04-13T14:30:57Z","tags":[],"pid":845,"method":"get","statusCode":200,"req":{"url":"/built_assets/dlls/icon.question_in_circle-js.bundle.dll.js","method":"get","headers":{"host":"localhost:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0","accept":"*/*","accept-language":"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://wazuh.nomdomaine/app/wazuh","dnt":"1","x-forwarded-for":"10.0.201.5","x-forwarded-host":"wazuh.nomdomaine","x-forwarded-server":"wazuh.nomdomaine","connection":"Keep-Alive"},"remoteAddress":"127.0.0.1","userAgent":"127.0.0.1","referer":"https://wazuh.nomdomaine/app/wazuh"},"res":{"statusCode":200,"responseTime":3,"contentLength":9},"message":"GET /built_assets/dlls/icon.question_in_circle-js.bundle.dll.js 200 3ms - 9.0B"}
Apr 13 15:30:57 wazuh.nomdomaine kibana[845]: {"type":"response","@timestamp":"2020-04-13T14:30:57Z","tags":[],"pid":845,"method":"post","statusCode":500,"req":{"url":"/api/check-api","method":"post","headers":{"host":"localhost:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0","accept":"application/json, text/plain, */*","accept-language":"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://wazuh.nomdomaine/app/wazuh","content-type":"application/json","kbn-version":"7.5.1","dnt":"1","x-forwarded-for":"10.0.201.5","x-forwarded-host":"wazuh.nomdomaine","x-forwarded-server":"wazuh.nomdomaine","connection":"Keep-Alive","content-length":"103"},"remoteAddress":"127.0.0.1","userAgent":"127.0.0.1","referer":"https://nomdomaine/app/wazuh"},"res":{"statusCode":500,"responseTime":292,"contentLength":9},"message":"POST /api/check-api 500 292ms - 9.0B"}

cat /usr/share/kibana/plugins/wazuh/package.json

{
  "name": "wazuh",
  "version": "3.11.1",
  "revision": "0581",
  "code": "0581-0",
  "kibana": {
    "version": "7.5.1"
  },
  "description": "Wazuh app",
  "main": "index.js",
  "keywords": [
    "kibana",
    "wazuh",
    "ossec"
  ],
  "node_build": "8.14.0",
  "author": "Wazuh, Inc",
  "license": "GPL-2.0",
  "repository": {
    "type": "git",
    "url": "https://github.com/wazuh/wazuh-kibana-app.git"
  },
  "bugs": {
    "url": "https://github.com/wazuh/wazuh-kibana-app/issues"
  },
  "homepage": "https://www.wazuh.com/",
  "dependencies": {
    "angular-animate": "1.7.8",
    "angular-chart.js": "1.1.1",
    "angular-cookies": "1.6.5",
    "angular-material": "1.1.18",
    "babel-polyfill": "^6.13.0",
    "dom-to-image": "^2.6.0",
    "install": "^0.10.1",
    "js2xmlparser": "^3.0.0",
    "json2csv": "^4.1.2",
    "needle": "^2.0.1",
    "node-cron": "^1.1.2",
    "pdfmake": "^0.1.37",
    "pug-loader": "^2.4.0",
    "querystring-browser": "1.0.4",
    "simple-tail": "^1.1.0",
    "timsort": "^0.3.0",
    "winston": "3.0.0"
  },
  "build": {
    "git": {
      "count": "5723",
      "sha": "fd3f1db67",
      "date": "Fri, 3 Jan 2020 11:29:29 +0100"
    },
    "date": "Fri Jan 03 2020 12:34:14 GMT+0100 (Central European Standard Time)"
  }

curl -u "user:password" "localhost:55000/?pretty"

{
   "error": 0,
   "data": {
      "msg": "Welcome to Wazuh HIDS API",
      "api_version": "v3.11.1",
      "hostname": "wazuh.nomdomaine",
      "timestamp": "Mon Apr 13 2020 16:12:57 GMT+0100 (British Summer Time)"
   }
}

curl localhost:9200/

{
  "name" : "wazuh.nomdomaine",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "jMJfA50-S9CIGaUgnxeFwA",
  "version" : {
    "number" : "7.5.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_snapshot" : false,
    "lucene_version" : "8.3.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

cat /usr/share/kibana/plugins/wazuh/wazuh.yml

hosts:
  - default:
     url: http://localhost
     port: 55000
     user: user
     password: password

juankaromo commented 4 years ago

Hello @Afilsi ,

The problem may be related to a bug in vulnerability detector, the Redhat feed database made a change and that caused the error in our module.

If you can update your version of Wazuh, I recommend that you install the new version 3.12.2, where this problem is solved.

If this is not possible, try this workaround:

For your version, and Wazuh versions after 3.11, inside your vulnerability configuration do this for the RedHat feed:

<provider name="redhat">
<enabled>no</enabled>
</provider>

Then restart your Wazuh manager: systemctl restart wazuh-manager

Please make sure the manager is properly working afterwards.

In the future, we will use our own feed and we will not depend on any external resources, avoiding problems like this one. Also, we are working on increasing the resilience of the product.

Apologies for the inconvenience and do not hesitate to contact us if you have further problems.

Regards,

Afilsi commented 4 years ago

Hello @juankaromo , Thank you very much for your quick answer! Indeed, disabling the RedHat stream allows us to restart the systems. This was our priority, but we are trying to update the solution in the coming days. Thanks again.

Regards, Afilsi

juliansoc commented 3 years ago

hi my version of wazuh is 4.1 and i am still experiencing the same problem. I already turned off the vulnerability scan for redhat as advised but im still having error. here is my /var/ossec/logs if it helps

2021/05/10 08:06:22 ossec-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Re ceived. Exit Cleaning... 2021/05/10 08:06:22 ossec-analysisd[157625] sig_op.c:49 at HandleSIG(): INFO: (1 225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2021/05/10 08:06:22 ossec-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Receiv ed. Exit Cleaning... 2021/05/10 08:06:22 wazuh-db: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2021/05/10 08:06:23 ossec-authd: INFO: (1225): SIGNAL [(15)-(Terminated)] Receiv ed. Exit Cleaning...

Slmn-jpg commented 8 months ago

disabling Redhat Worked for me, but i needed it specifically for Redhat. anything I can do for this?

wazuh / wazuh-dashboard-plugins