wazuh / wazuh-kubernetes

Wazuh - Wazuh Kubernetes
https://wazuh.com/
GNU General Public License v2.0

Invalid element in the configuration: 'Indexer' #659

Closed crlsgms closed 4 months ago

crlsgms commented 5 months ago

I'm using version 4.7.3, following the info from here - kubernetes local deployment

    2024-04-29T02:34:03.237712535Z 2024/04/29 02:34:03 wazuh-csyslogd: ERROR: (1230): Invalid element in the configuration: 'Indexer'.
    2024/04/29 02:34:03 wazuh-csyslogd: ERROR: (1202): Configuration error at 'etc/ossec.conf'.
    2024/04/29 02:34:03 wazuh-csyslogd: CRITICAL: (1202): Configuration error at 'etc/ossec.conf'

I had too many errors on 4.7.4, so I got the last stable version, but comparing both master.conf and worker.conf in wazuh-kubernetes/wazuh/wazuh_managers/wazuh_conf I noticed that the fixed version #20581 for 4.7.8 has some conflicts with the available package on wazuh-kubernetes.git, which could be fixed in the current instructions for deployment, or by updating the docs/versions in the .git package.

One is easy to solve: just replace the values for the old element in both .conf files:

    cd wazuh/wazuh_managers/wazuh_conf
    sed -i 's/vulnerability-detection/vulnerability-detector/g' worker.conf master.conf

but the Indexer element issue still happens, as the .git package has the and 4.7.3 cannot interpret the element, blocking the wazuh-manager service from starting.
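A preflight check for the situation described in this comment, as an added example that is not part of the issue or of the wazuh-kubernetes repository: it parses an ossec.conf, reports top-level elements that the thread shows 4.7.3 rejects (`indexer`, `vulnerability-detection`), and applies the same tag rename the sed line does, so the manager's config can be validated before the pod is rolled out rather than discovered from a crash loop. The list of 4.8-only elements and the sample config are assumptions built from this thread, not an authoritative schema.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Top-level ossec.conf elements that only exist from Wazuh 4.8 on.
# Assumption: taken from the errors reported in this thread, not a full list.
ELEMENTS_4_8_ONLY = {"indexer", "vulnerability-detection"}

# Renames that keep 4.7.x starting (what the sed in the thread does).
# Only the tag name is swapped; the 4.8 body may still carry children
# that 4.7.x rejects, so rerun the check after renaming.
RENAME_TO_4_7 = {"vulnerability-detection": "vulnerability-detector"}

# Constructed sample config in the shape of the 4.8 files; not copied from the repo.
SAMPLE_CONF = """\
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
  </global>
  <vulnerability-detection>
    <enabled>yes</enabled>
  </vulnerability-detection>
</ossec_config>

<ossec_config>
  <!-- constructed: shape of the 4.8 indexer block -->
  <indexer>
    <enabled>yes</enabled>
  </indexer>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf normally holds several <ossec_config> roots, which is not
    well-formed XML on its own, so wrap them in one synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")


def find_unsupported(text):
    """Return the 4.8-only top-level tags found, in document order."""
    hits = []
    for cfg in parse_ossec_conf(text).findall("ossec_config"):
        for child in cfg:
            if child.tag in ELEMENTS_4_8_ONLY:
                hits.append(child.tag)
    return hits


def rename_tags(text):
    """Rewrite opening and closing tags per RENAME_TO_4_7, leaving the body intact."""
    out = text
    for new, old in RENAME_TO_4_7.items():
        out = re.sub(rf"<(/?){re.escape(new)}\b", rf"<\1{old}", out)
    return out


if __name__ == "__main__":
    # Usage: python check_conf.py [path/to/master.conf]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    before = find_unsupported(text)
    after = find_unsupported(rename_tags(text))
    print("unsupported on 4.7.x:", before)
    print("still unsupported after rename:", after)
    sys.exit(1 if after else 0)
```

The exit status makes it usable as a gate in a CI job or an init container: a non-zero exit means the file still carries an element the manager would refuse, which is exactly the `(1230)` error from the log above. It does not make the renamed block functional, only parseable, which is the distinction vcerenu draws later in this thread.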

crlsgms commented 5 months ago

What I have done for now to mitigate this and continue the deployment was to get the older .conf files from the v4.7.3 zip file, as they have the old configs without the indexer block and with the old vulnerability-detector element.

That leads to another error, but the wazuh-manager service is running.

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

It claims when it goes up that the update_from_year is not valid.

vcerenu commented 5 months ago

Hello @crlsgms

For 4.8 we have implemented the new Vulnerability Detection functionality, which replaces the current Vulnerability Detector in the Wazuh manager. The steps to upgrade from 4.7.x to 4.8.0 will be added to our documentation at the time of release.

Regarding the change you mention, that is only the Vulnerability Detection usage tag; in addition to that it is necessary to add several additional parameters, which are necessary for Vulnerability Detection to work correctly, so that change alone would not make Vulnerability Detection work, it would only correct the error that occurs when starting the Wazuh manager and finding a tag not supported by the version.

crlsgms commented 5 months ago

Does that mean that 4.7.3 will not work, and only 4.8.x will?

Is there a way to fix this anyhow for the current deployment to get the manager service working properly?

vcerenu commented 4 months ago

The Vulnerability Detector configuration belongs to v4.7.3 and the Vulnerability Detection configuration belongs to v4.8.0. Until you update to v4.8.0 you should not change the configuration that v4.7.3 brings; you should reconfigure the Vulnerability Detector configuration in your Wazuh manager.