wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0

Indexer stops working after reboot #1962

Closed juliamagan closed 1 year ago

juliamagan commented 1 year ago
| Wazuh version | Install type | Platform |
|---|---|---|
| 4.4.0-40401 | Indexer | Amazon Linux 2 |

Environment info

| Component | OS | AMI | Instance | Installation |
|---|---|---|---|---|
| Wazuh dashboard | Amazon Linux 2 | ami-06cfe42abdba039eb | c5.xlarge | Installation assistant |
| Wazuh indexer | Amazon Linux 2 | ami-06cfe42abdba039eb | c5.xlarge | Installation assistant |
| Wazuh server | Amazon Linux 2 | ami-06cfe42abdba039eb | c5.xlarge | Installation assistant |
| Wazuh agent | Windows | ami-0270e15cf87054f5a | t3.small | Wazuh WUI one-liner deploy IP GROUP (created beforehand) |

Description

After the testing performed here, we could see that when we reboot our environment, wazuh-indexer can't start:

```
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2022-12-02 13:59:10 UTC; 2min 2s ago
     Docs: https://documentation.wazuh.com
  Process: 2456 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, status=1/FAILURE)
 Main PID: 2456 (code=exited, status=1/FAILURE)

Dec 02 13:59:10 ip-172-31-29-235.ec2.internal systemd-entrypoint[2456]: at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Dec 02 13:59:10 ip-172-31-29-235.ec2.internal systemd-entrypoint[2456]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Dec 02 13:59:10 ip-172-31-29-235.ec2.internal systemd-entrypoint[2456]: at org.opensearch.cli.Command.main(Command.java:101)
Dec 02 13:59:10 ip-172-31-29-235.ec2.internal systemd-entrypoint[2456]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
Dec 02 13:59:10 ip-172-31-29-235.ec2.internal systemd-entrypoint[2456]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
Dec 02 13:59:10 ip-172-31-29-235.ec2.internal systemd-entrypoint[2456]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-indexer-cluster.log
Dec 02 13:59:10 ip-172-31-29-235.ec2.internal systemd[1]: wazuh-indexer.service: main process exited, code=exited, status=1/FAILURE
Dec 02 13:59:10 ip-172-31-29-235.ec2.internal systemd[1]: Failed to start Wazuh-indexer.
Dec 02 13:59:10 ip-172-31-29-235.ec2.internal systemd[1]: Unit wazuh-indexer.service entered failed state.
Dec 02 13:59:10 ip-172-31-29-235.ec2.internal systemd[1]: wazuh-indexer.service failed.
```

We have to reinstall it to get it working again.

In addition, when we tested some Sysmon events here, alerts stopped being indexed.

When we tried to investigate what was going on, we found that the indexer logs did not exist:

```
[root@ip-172-31-27-190 qa]# ls /var/log/ | grep wazuh
wazuh-install.log
```

And the only information we get from the dashboard is the following:

```json
{"date":"2022-12-02T11:20:00.926Z","level":"info","location":"Cron-scheduler","data":{"message":"mapper_parsing_exception: [mapper_parsing_exception] Reason: failed to parse","stack":"ResponseError: mapper_parsing_exception: [mapper_parsing_exception] Reason: failed to parse\n    at onBody (/usr/share/wazuh-dashboard/node_modules/@opensearch-project/opensearch/lib/Transport.js:374:23)\n    at IncomingMessage.onEnd (/usr/share/wazuh-dashboard/node_modules/@opensearch-project/opensearch/lib/Transport.js:293:11)\n    at IncomingMessage.emit (events.js:412:35)\n    at endReadableNT (internal/streams/readable.js:1333:12)\n    at processTicksAndRejections (internal/process/task_queues.js:82:21)"}}
```

Attached logs - Before reinstall

Attached logs - After reinstall

Logs are deleted after reinstalling wazuh-dashboard

```
[root@ip-172-31-29-235 qa]# ls /var/log | grep wazuh
wazuh-install.log
```
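A post-reboot triage script for the failure described in this comment, added here as an example and not code from the wazuh-packages project: it parses `systemctl status wazuh-indexer` output, reports whether the unit is running and, when it is not, extracts the log file systemd-entrypoint refers to and checks whether that file exists, which separates the situation above (no /var/log/wazuh-indexer at all, only the journal) from an ordinary startup error. The two sample outputs are constructed from the status lines in this issue with the hostname shortened; the injectable `exists` hook is an assumption so the check can also run against output captured on another host.

```python
"""Post-reboot triage for the wazuh-indexer unit (added example, not project code).

Parses the text of `systemctl status wazuh-indexer` (unit state plus journal
tail), decides whether the unit survived the reboot and, if not, finds the log
file that systemd-entrypoint points to and checks whether it exists.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# "Active: failed (Result: exit-code) since ..." / "Active: active (running) since ..."
ACTIVE_RE = re.compile(r"^\s*Active:\s+(\S+)\s+\(([^)]*)\)", re.M)
# systemd's summary of how the ExecStart process ended
EXIT_RE = re.compile(r"code=exited, status=(\d+)")
# pointer OpenSearch prints after the truncated stack trace
LOG_HINT_RE = re.compile(r"refer to the log at (\S+)")
# "at org.opensearch.cli.Command.main(Command.java:101)" -> frame name
FRAME_RE = re.compile(r"\bat (org\.opensearch\.[^\s(]+)\(")


@dataclass
class IndexerStatus:
    active: str                   # active / failed / inactive ...
    detail: str                   # running / "Result: exit-code" ...
    exit_status: Optional[int]    # exit status of the ExecStart process, if any
    log_hint: Optional[str]       # log file named in the journal, if any
    log_present: Optional[bool]   # whether that file exists (None without a hint)
    frames: List[str] = field(default_factory=list)

    @property
    def healthy(self) -> bool:
        return self.active == "active" and self.detail == "running"


def parse_status(text: str,
                 exists: Callable[[str], bool] = os.path.exists) -> IndexerStatus:
    """Parse `systemctl status wazuh-indexer` output; `exists` is injectable
    (assumed hook) so captured output from another host can be checked."""
    m = ACTIVE_RE.search(text)
    if m is None:
        raise ValueError("no 'Active:' line; expected systemctl status output")
    exit_m = EXIT_RE.search(text)
    hint_m = LOG_HINT_RE.search(text)
    log_hint = hint_m.group(1) if hint_m else None
    return IndexerStatus(
        active=m.group(1),
        detail=m.group(2),
        exit_status=int(exit_m.group(1)) if exit_m else None,
        log_hint=log_hint,
        log_present=exists(log_hint) if log_hint else None,
        frames=FRAME_RE.findall(text),
    )


def triage(status: IndexerStatus) -> str:
    """Verdict plus the next place to look."""
    if status.healthy:
        return "ok: wazuh-indexer is active (running)"
    lines = [f"wazuh-indexer is {status.active} ({status.detail})"]
    if status.exit_status is not None:
        lines.append(f"systemd-entrypoint exited with status {status.exit_status}")
    if status.log_hint and status.log_present:
        lines.append(f"read {status.log_hint} for the cause")
    elif status.log_hint:
        lines.append(f"{status.log_hint} does not exist: only "
                     "journalctl -u wazuh-indexer holds the stack trace")
    if status.frames:
        lines.append("first frame shown in journal: " + status.frames[0])
    return "\n".join(lines)


# Constructed samples modelled on the outputs in this issue (hostname shortened).
FAILED_SAMPLE = """\
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2022-12-02 13:59:10 UTC; 2min 2s ago
  Process: 2456 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, status=1/FAILURE)
 Main PID: 2456 (code=exited, status=1/FAILURE)

Dec 02 13:59:10 host systemd-entrypoint[2456]: at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Dec 02 13:59:10 host systemd-entrypoint[2456]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
Dec 02 13:59:10 host systemd-entrypoint[2456]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-indexer-cluster.log
Dec 02 13:59:10 host systemd[1]: Failed to start Wazuh-indexer.
"""

RUNNING_SAMPLE = """\
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-01-09 10:26:23 UTC; 2min 50s ago
 Main PID: 2475 (java)

Jan 09 10:26:08 host systemd[1]: Starting Wazuh-indexer...
Jan 09 10:26:23 host systemd[1]: Started Wazuh-indexer.
"""

if __name__ == "__main__":
    # Offline demo: pretend the log directory is missing, as in this issue.
    print(triage(parse_status(FAILED_SAMPLE, exists=lambda _p: False)))
    print(triage(parse_status(RUNNING_SAMPLE)))
```

On a live host, `parse_status(subprocess.run(["systemctl", "status", "wazuh-indexer"], capture_output=True, text=True).stdout)` feeds it real output.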

verdx commented 1 year ago

Some tests have been done and with a reboot the Wazuh Indexer has worked fine, but the logs have been lost because of networking problems with the AWS machines, the tests need to be repeated.

verdx commented 1 year ago

A test has been performed and the error has not been replicated:

Test

Config file:

```yaml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: indexer-1
      ip: 172.31.32.33

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: server-1
      ip: 172.31.34.245

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: 172.31.42.160
```

Wazuh Indexer installation:

```
[ec2-user@ip-172-31-32-33 ~]$ sudo bash wazuh-install.sh --generate-config-files
09/01/2023 10:10:48 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
09/01/2023 10:10:48 INFO: Verbose logging redirected to /var/log/wazuh-install.log
09/01/2023 10:10:50 INFO: --- Configuration files ---
09/01/2023 10:10:50 INFO: Generating configuration files.
09/01/2023 10:10:50 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
[ec2-user@ip-172-31-32-33 ~]$ sudo chmod a+rw wazuh-install-files.tar
[ec2-user@ip-172-31-32-33 ~]$ sudo bash wazuh-install.sh --wazuh-indexer indexer-1
09/01/2023 10:14:41 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
09/01/2023 10:14:41 INFO: Verbose logging redirected to /var/log/wazuh-install.log
09/01/2023 10:14:46 INFO: Wazuh development repository added.
09/01/2023 10:14:46 INFO: --- Wazuh indexer ---
09/01/2023 10:14:46 INFO: Starting Wazuh indexer installation.
09/01/2023 10:15:40 INFO: Wazuh indexer installation finished.
09/01/2023 10:15:40 INFO: Wazuh indexer post-install configuration finished.
09/01/2023 10:15:40 INFO: Starting service wazuh-indexer.
09/01/2023 10:15:52 INFO: wazuh-indexer service started.
09/01/2023 10:15:52 INFO: Initializing Wazuh indexer cluster security settings.
09/01/2023 10:15:54 INFO: Wazuh indexer cluster initialized.
09/01/2023 10:15:54 INFO: Installation finished.
[ec2-user@ip-172-31-32-33 ~]$ sudo su
[root@ip-172-31-32-33 ec2-user]# bash wazuh-install.sh  --start-cluster
09/01/2023 10:17:24 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
09/01/2023 10:17:24 INFO: Verbose logging redirected to /var/log/wazuh-install.log
09/01/2023 10:17:33 INFO: Wazuh indexer cluster security configuration initialized.
09/01/2023 10:17:41 INFO: Wazuh indexer cluster started.
[root@ip-172-31-32-33 ec2-user]# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
  indexer_username: 'admin'
  indexer_password: 'ICzyV*i4tpAo*NdZpGjpk9NCFkhbf8aH'
[root@ip-172-31-32-33 ec2-user]# curl -k -u admin:ICzyV*i4tpAo*NdZpGjpk9NCFkhbf8aH https://172.31.32.33:9200
{
  "name" : "indexer-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "BURnJ4NPSDaaVUukE84KRQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
```

:green_circle: Reboot test 1, before installation of the rest of components

#### Before reboot

```
[root@ip-172-31-32-33 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-01-09 10:15:52 UTC; 7min ago
     Docs: https://documentation.wazuh.com
 Main PID: 4036 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─4036 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cach...

Jan 09 10:15:41 ip-172-31-32-33.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 09 10:15:43 ip-172-31-32-33.ec2.internal systemd-entrypoint[4036]: WARNING: A terminally depreca...d
Jan 09 10:15:43 ip-172-31-32-33.ec2.internal systemd-entrypoint[4036]: WARNING: System::setSecurityM...)
Jan 09 10:15:43 ip-172-31-32-33.ec2.internal systemd-entrypoint[4036]: WARNING: Please consider repo...h
Jan 09 10:15:43 ip-172-31-32-33.ec2.internal systemd-entrypoint[4036]: WARNING: System::setSecurityM...e
Jan 09 10:15:44 ip-172-31-32-33.ec2.internal systemd-entrypoint[4036]: WARNING: A terminally depreca...d
Jan 09 10:15:44 ip-172-31-32-33.ec2.internal systemd-entrypoint[4036]: WARNING: System::setSecurityM...)
Jan 09 10:15:44 ip-172-31-32-33.ec2.internal systemd-entrypoint[4036]: WARNING: Please consider repo...y
Jan 09 10:15:44 ip-172-31-32-33.ec2.internal systemd-entrypoint[4036]: WARNING: System::setSecurityM...e
Jan 09 10:15:52 ip-172-31-32-33.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

#### After reboot:

```
[root@ip-172-31-32-33 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-01-09 10:26:23 UTC; 2min 50s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2475 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2475 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cach...

Jan 09 10:26:08 ip-172-31-32-33.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 09 10:26:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: A terminally depreca...d
Jan 09 10:26:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityM...)
Jan 09 10:26:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: Please consider repo...h
Jan 09 10:26:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityM...e
Jan 09 10:26:13 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: A terminally depreca...d
Jan 09 10:26:13 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityM...)
Jan 09 10:26:13 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: Please consider repo...y
Jan 09 10:26:13 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityM...e
Jan 09 10:26:23 ip-172-31-32-33.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

Wazuh Server installation:

```
[root@ip-172-31-34-245 ec2-user]# bash wazuh-install.sh --wazuh-server server-1
bash: wazuh-install.sh: No such file or directory
[root@ip-172-31-34-245 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.4/wazuh-install.sh
[root@ip-172-31-34-245 ec2-user]# bash wazuh-install.sh --wazuh-server server-1
09/01/2023 10:30:21 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
09/01/2023 10:30:21 INFO: Verbose logging redirected to /var/log/wazuh-install.log
09/01/2023 10:30:25 INFO: Wazuh development repository added.
09/01/2023 10:30:25 INFO: --- Wazuh server ---
09/01/2023 10:30:25 INFO: Starting the Wazuh manager installation.
09/01/2023 10:30:41 INFO: Wazuh manager installation finished.
09/01/2023 10:30:41 INFO: Starting service wazuh-manager.
09/01/2023 10:30:53 INFO: wazuh-manager service started.
09/01/2023 10:30:53 INFO: Starting Filebeat installation.
09/01/2023 10:31:05 INFO: Filebeat installation finished.
09/01/2023 10:31:05 INFO: Filebeat post-install configuration finished.
09/01/2023 10:31:09 INFO: Starting service filebeat.
09/01/2023 10:31:10 INFO: filebeat service started.
09/01/2023 10:31:10 INFO: Installation finished.
[root@ip-172-31-34-245 ec2-user]# filebeat test output
elasticsearch: https://172.31.32.33:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.31.32.33
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

Wazuh Dashboard installation:

```
[root@ip-172-31-42-160 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.4/wazuh-install.sh
[root@ip-172-31-42-160 ec2-user]# bash wazuh-install.sh --wazuh-dashboard dashboard
09/01/2023 10:32:29 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
09/01/2023 10:32:29 INFO: Verbose logging redirected to /var/log/wazuh-install.log
09/01/2023 10:32:33 INFO: Wazuh development repository added.
dashboard
09/01/2023 10:32:33 INFO: --- Wazuh dashboard ----
09/01/2023 10:32:33 INFO: Starting Wazuh dashboard installation.
09/01/2023 10:33:36 INFO: Wazuh dashboard installation finished.
09/01/2023 10:33:36 INFO: Wazuh dashboard post-install configuration finished.
09/01/2023 10:33:36 INFO: Starting service wazuh-dashboard.
09/01/2023 10:33:36 INFO: wazuh-dashboard service started.
09/01/2023 10:33:53 INFO: Initializing Wazuh dashboard web application.
09/01/2023 10:33:53 INFO: Wazuh dashboard web application initialized.
09/01/2023 10:33:53 INFO: --- Summary ---
09/01/2023 10:33:53 INFO: You can access the web interface https://172.31.42.160
    User: admin
    Password: ICzyV*i4tpAo*NdZpGjpk9NCFkhbf8aH
09/01/2023 10:33:53 INFO: Installation finished.
```

:green_circle: Reboot test 2, after full installation, no agents

#### Before reboot:

```
[root@ip-172-31-32-33 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-01-09 10:26:23 UTC; 17min ago
     Docs: https://documentation.wazuh.com
 Main PID: 2475 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2475 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cach...

Jan 09 10:26:08 ip-172-31-32-33.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 09 10:26:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: A terminally depreca...d
Jan 09 10:26:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityM...)
Jan 09 10:26:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: Please consider repo...h
Jan 09 10:26:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityM...e
Jan 09 10:26:13 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: A terminally depreca...d
Jan 09 10:26:13 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityM...)
Jan 09 10:26:13 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: Please consider repo...y
Jan 09 10:26:13 ip-172-31-32-33.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityM...e
Jan 09 10:26:23 ip-172-31-32-33.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

#### After reboot:

```
[root@ip-172-31-32-33 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-01-09 10:45:50 UTC; 11s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2483 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2483 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cach...

Jan 09 10:45:36 ip-172-31-32-33.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 09 10:45:39 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: A terminally depreca...d
Jan 09 10:45:39 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: System::setSecurityM...)
Jan 09 10:45:39 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: Please consider repo...h
Jan 09 10:45:39 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: System::setSecurityM...e
Jan 09 10:45:41 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: A terminally depreca...d
Jan 09 10:45:41 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: System::setSecurityM...)
Jan 09 10:45:41 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: Please consider repo...y
Jan 09 10:45:41 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: System::setSecurityM...e
Jan 09 10:45:50 ip-172-31-32-33.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

Installation of Windows agent:

```powershell
Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.4.0-1.msi -OutFile ${env:tmp}\wazuh-agent-4.4.0.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.4.0.msi /q WAZUH_MANAGER='172.31.34.245' WAZUH_AGENT_GROUP='windows' WAZUH_AGENT_NAME='windows-agent'
NET Start WazuhSvc
```

Enrolled-agent

:green_circle: Reboot test 3, after agent installation and enrollment

#### Before reboot:

```
[root@ip-172-31-32-33 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-01-09 10:45:50 UTC; 1h 41min ago
     Docs: https://documentation.wazuh.com
 Main PID: 2483 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2483 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cach...

Jan 09 10:45:36 ip-172-31-32-33.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 09 10:45:39 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: A terminally depreca...d
Jan 09 10:45:39 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: System::setSecurityM...)
Jan 09 10:45:39 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: Please consider repo...h
Jan 09 10:45:39 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: System::setSecurityM...e
Jan 09 10:45:41 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: A terminally depreca...d
Jan 09 10:45:41 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: System::setSecurityM...)
Jan 09 10:45:41 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: Please consider repo...y
Jan 09 10:45:41 ip-172-31-32-33.ec2.internal systemd-entrypoint[2483]: WARNING: System::setSecurityM...e
Jan 09 10:45:50 ip-172-31-32-33.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

#### After reboot:

```
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-01-09 12:28:37 UTC; 12s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2461 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2461 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cach...

Jan 09 12:28:22 ip-172-31-32-33.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 09 12:28:25 ip-172-31-32-33.ec2.internal systemd-entrypoint[2461]: WARNING: A terminally depreca...d
Jan 09 12:28:25 ip-172-31-32-33.ec2.internal systemd-entrypoint[2461]: WARNING: System::setSecurityM...)
Jan 09 12:28:25 ip-172-31-32-33.ec2.internal systemd-entrypoint[2461]: WARNING: Please consider repo...h
Jan 09 12:28:25 ip-172-31-32-33.ec2.internal systemd-entrypoint[2461]: WARNING: System::setSecurityM...e
Jan 09 12:28:27 ip-172-31-32-33.ec2.internal systemd-entrypoint[2461]: WARNING: A terminally depreca...d
Jan 09 12:28:27 ip-172-31-32-33.ec2.internal systemd-entrypoint[2461]: WARNING: System::setSecurityM...)
Jan 09 12:28:27 ip-172-31-32-33.ec2.internal systemd-entrypoint[2461]: WARNING: Please consider repo...y
Jan 09 12:28:27 ip-172-31-32-33.ec2.internal systemd-entrypoint[2461]: WARNING: System::setSecurityM...e
Jan 09 12:28:37 ip-172-31-32-33.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```
verdx commented 1 year ago

On hold, waiting for new information from @juliamagan

verdx commented 1 year ago

In progress again after a new test by @juliamagan has managed to replicate the error in an AIO installation.

| Component | OS | Type of instance |
|---|---|---|
| AIO installation | Amazon Linux 2 | c5.xlarge |
| Agent | Windows | t3.small |

Steps to reproduce:

```
Jan 10 08:55:30 ip-172-31-30-232.ec2.internal systemd-entrypoint[2472]: at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jan 10 08:55:30 ip-172-31-30-232.ec2.internal systemd-entrypoint[2472]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jan 10 08:55:30 ip-172-31-30-232.ec2.internal systemd-entrypoint[2472]: at org.opensearch.cli.Command.main(Command.java:101)
Jan 10 08:55:30 ip-172-31-30-232.ec2.internal systemd-entrypoint[2472]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
Jan 10 08:55:30 ip-172-31-30-232.ec2.internal systemd-entrypoint[2472]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
Jan 10 08:55:30 ip-172-31-30-232.ec2.internal systemd-entrypoint[2472]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-indexer-cluster.log
Jan 10 08:55:30 ip-172-31-30-232.ec2.internal systemd[1]: wazuh-indexer.service: main process exited, code=exited, status=1/FAILURE
Jan 10 08:55:30 ip-172-31-30-232.ec2.internal systemd[1]: Failed to start Wazuh-indexer.
Jan 10 08:55:30 ip-172-31-30-232.ec2.internal systemd[1]: Unit wazuh-indexer.service entered failed state.
Jan 10 08:55:30 ip-172-31-30-232.ec2.internal systemd[1]: wazuh-indexer.service failed.
```

<details>
  <summary>`config.yml` used</summary>

```yaml
nodes:
  # Wazuh indexer nodes
  indexer:
```

verdx commented 1 year ago

:green_circle: Test without agent and using -a to install

On the same instance as @juliamagan, and using the same config.yml, another test has been done. Steps:

Installation

- Remove previous installation:

```
[qa@ip-172-31-30-232 ~]$ sudo bash wazuh-install.sh -u
10/01/2023 09:37:02 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 09:37:02 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/01/2023 09:37:05 INFO: Removing Wazuh manager.
10/01/2023 09:37:10 INFO: Wazuh manager removed.
10/01/2023 09:37:10 INFO: Removing Wazuh indexer.
10/01/2023 09:37:11 INFO: Wazuh indexer removed.
10/01/2023 09:37:11 INFO: Removing Filebeat.
10/01/2023 09:37:13 INFO: Filebeat removed.
10/01/2023 09:37:13 INFO: Removing Wazuh dashboard.
10/01/2023 09:37:21 INFO: Wazuh dashboard removed.
```

- Install AIO

```
[qa@ip-172-31-30-232 ~]$ sudo bash wazuh-install.sh -a
10/01/2023 09:43:57 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 09:43:57 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/01/2023 09:44:02 INFO: Wazuh development repository added.
10/01/2023 09:44:02 INFO: --- Configuration files ---
10/01/2023 09:44:02 INFO: Generating configuration files.
10/01/2023 09:44:03 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
10/01/2023 09:44:03 INFO: --- Wazuh indexer ---
10/01/2023 09:44:03 INFO: Starting Wazuh indexer installation.
10/01/2023 09:44:52 INFO: Wazuh indexer installation finished.
10/01/2023 09:44:52 INFO: Wazuh indexer post-install configuration finished.
10/01/2023 09:44:52 INFO: Starting service wazuh-indexer.
10/01/2023 09:45:03 INFO: wazuh-indexer service started.
10/01/2023 09:45:03 INFO: Initializing Wazuh indexer cluster security settings.
10/01/2023 09:45:13 INFO: Wazuh indexer cluster initialized.
10/01/2023 09:45:13 INFO: --- Wazuh server ---
10/01/2023 09:45:13 INFO: Starting the Wazuh manager installation.
10/01/2023 09:45:27 INFO: Wazuh manager installation finished.
10/01/2023 09:45:27 INFO: Starting service wazuh-manager.
10/01/2023 09:45:38 INFO: wazuh-manager service started.
10/01/2023 09:45:38 INFO: Starting Filebeat installation.
10/01/2023 09:45:49 INFO: Filebeat installation finished.
10/01/2023 09:45:50 INFO: Filebeat post-install configuration finished.
10/01/2023 09:45:50 INFO: Starting service filebeat.
10/01/2023 09:45:50 INFO: filebeat service started.
10/01/2023 09:45:50 INFO: --- Wazuh dashboard ---
10/01/2023 09:45:50 INFO: Starting Wazuh dashboard installation.
10/01/2023 09:46:58 INFO: Wazuh dashboard installation finished.
10/01/2023 09:46:58 INFO: Wazuh dashboard post-install configuration finished.
10/01/2023 09:46:58 INFO: Starting service wazuh-dashboard.
10/01/2023 09:46:58 INFO: wazuh-dashboard service started.
10/01/2023 09:47:16 INFO: Initializing Wazuh dashboard web application.
10/01/2023 09:47:17 INFO: Wazuh dashboard web application initialized.
10/01/2023 09:47:17 INFO: --- Summary ---
10/01/2023 09:47:17 INFO: You can access the web interface https://
    User: admin
    Password: xqJb+5OWuvF2.0gSoRGGeucjnczf2tWn
10/01/2023 09:47:17 INFO: Installation finished.
```
Test

- Reboot system
- Check indexer:

```
[ec2-user@ip-172-31-30-232 ~]$ sudo systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-01-10 09:48:46 UTC; 11s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2454 (java)
    Tasks: 71
   Memory: 4.2G
   CGroup: /system.slice/wazuh-indexer.service
           └─2454 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

Jan 10 09:48:24 ip-172-31-30-232.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 10 09:48:29 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 09:48:29 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib...-2.4.1.jar)
Jan 10 09:48:29 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 10 09:48:29 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 09:48:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 09:48:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/o...-2.4.1.jar)
Jan 10 09:48:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 10 09:48:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 09:48:46 ip-172-31-30-232.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

Conclusion

As can be seen, when only installing the components and rebooting the system, the Wazuh Indexer does not give any error. This means the problem may have to do with the agent deployment.

verdx commented 1 year ago

:green_circle: Test with agent and using -a to install

Using the same installation and instance as in the previous test, we now add an agent.

Adding agent

- Add a new group `windows` using the Wazuh Dashboard
- Download the installer

```
PS C:\Users\qa> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.4.0-1.msi -OutFile .\wazuh-agent-4.4.0-1.msi
```

- Install using deployment variables

```
PS C:\Users\qa> msiexec.exe /i wazuh-agent-4.4.0-1.msi /q WAZUH_MANAGER='172.31.30.232' WAZUH_REGISTRATION_SERVER='172.31.30.232' WAZUH_AGENT_GROUP='windows' WAZUH_AGENT_NAME='windows-agent'
```

- Start the agent

```
PS C:\Users\qa> NET START WazuhSvc
The Wazuh service is starting.
The Wazuh service was started successfully.
```

- Check the agent is connected

```
[root@ip-172-31-30-232 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-30-232.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: windows-agent, IP: any, Active

List of agentless devices:
```
Test

- Check the Wazuh Indexer is running before reboot

```
[root@ip-172-31-30-232 ec2-user]# sudo systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-01-10 09:48:46 UTC; 46min ago
     Docs: https://documentation.wazuh.com
 Main PID: 2454 (java)
    Tasks: 84
   Memory: 4.3G
   CGroup: /system.slice/wazuh-indexer.service
           └─2454 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

Jan 10 09:48:24 ip-172-31-30-232.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 10 09:48:29 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 09:48:29 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib...-2.4.1.jar)
Jan 10 09:48:29 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 10 09:48:29 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 09:48:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 09:48:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/o...-2.4.1.jar)
Jan 10 09:48:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 10 09:48:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2454]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 09:48:46 ip-172-31-30-232.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

- Reboot the instance
- Check the Wazuh Indexer after reboot

```
[qa@ip-172-31-30-232 ~]$ sudo systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-01-10 10:35:35 UTC; 3min 53s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2460 (java)
    Tasks: 77
   Memory: 4.3G
   CGroup: /system.slice/wazuh-indexer.service
           └─2460 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

Jan 10 10:35:12 ip-172-31-30-232.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 10 10:35:16 ip-172-31-30-232.ec2.internal systemd-entrypoint[2460]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 10:35:16 ip-172-31-30-232.ec2.internal systemd-entrypoint[2460]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib...-2.4.1.jar)
Jan 10 10:35:16 ip-172-31-30-232.ec2.internal systemd-entrypoint[2460]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 10 10:35:16 ip-172-31-30-232.ec2.internal systemd-entrypoint[2460]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 10:35:19 ip-172-31-30-232.ec2.internal systemd-entrypoint[2460]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 10:35:19 ip-172-31-30-232.ec2.internal systemd-entrypoint[2460]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/o...-2.4.1.jar)
Jan 10 10:35:19 ip-172-31-30-232.ec2.internal systemd-entrypoint[2460]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 10 10:35:19 ip-172-31-30-232.ec2.internal systemd-entrypoint[2460]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 10:35:35 ip-172-31-30-232.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

Conclusion

After installing Wazuh All-in-one and connecting the agent using the same instances, configurations and commands, the error has not been replicated.

verdx commented 1 year ago

:red_circle: Test installing the AIO as per the documentation

Finally, installing the components as shown in the documentation instead of with argument -a of wazuh-install.sh has permitted the error to be replicated.

Installation
- Remove the previous installation
```
[qa@ip-172-31-30-232 ~]$ sudo bash wazuh-install.sh -u
10/01/2023 10:53:28 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 10:53:28 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/01/2023 10:53:31 INFO: Removing Wazuh manager.
10/01/2023 10:53:36 INFO: Wazuh manager removed.
10/01/2023 10:53:36 INFO: Removing Wazuh indexer.
10/01/2023 10:53:38 INFO: Wazuh indexer removed.
10/01/2023 10:53:38 INFO: Removing Filebeat.
10/01/2023 10:53:39 INFO: Filebeat removed.
10/01/2023 10:53:39 INFO: Removing Wazuh dashboard.
10/01/2023 10:53:47 INFO: Wazuh dashboard removed.
```
- Generation of configuration files
```
[root@ip-172-31-30-232 qa]# bash wazuh-install.sh --generate-config-files
10/01/2023 10:58:33 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 10:58:33 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/01/2023 10:58:36 INFO: --- Configuration files ---
10/01/2023 10:58:36 INFO: Generating configuration files.
10/01/2023 10:58:36 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
```
- Installation of Wazuh Indexer
```
[root@ip-172-31-30-232 qa]# bash wazuh-install.sh --wazuh-indexer node-1
10/01/2023 10:58:57 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 10:58:57 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/01/2023 10:59:02 INFO: Wazuh development repository added.
10/01/2023 10:59:02 INFO: --- Wazuh indexer ---
10/01/2023 10:59:02 INFO: Starting Wazuh indexer installation.
10/01/2023 10:59:52 INFO: Wazuh indexer installation finished.
10/01/2023 10:59:52 INFO: Wazuh indexer post-install configuration finished.
10/01/2023 10:59:52 INFO: Starting service wazuh-indexer.
10/01/2023 11:00:05 INFO: wazuh-indexer service started.
10/01/2023 11:00:05 INFO: Initializing Wazuh indexer cluster security settings.
10/01/2023 11:00:07 INFO: Wazuh indexer cluster initialized.
10/01/2023 11:00:07 INFO: Installation finished.
[root@ip-172-31-30-232 qa]# bash wazuh-install.sh --start-cluster
10/01/2023 11:01:05 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 11:01:05 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/01/2023 11:01:20 INFO: Wazuh indexer cluster security configuration initialized.
10/01/2023 11:01:28 INFO: Wazuh indexer cluster started.
[root@ip-172-31-30-232 qa]# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
  indexer_username: 'admin'
  indexer_password: 'lE*Wk+FAkXbTVCZhuN9KjfqusyGnh3rP'
[root@ip-172-31-30-232 qa]# curl -k -u admin:lE*Wk+FAkXbTVCZhuN9KjfqusyGnh3rP https://172.31.30.232:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "bWVLwUbGTX6kWFRDvYj9sA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@ip-172-31-30-232 qa]# curl -k -u admin:lE*Wk+FAkXbTVCZhuN9KjfqusyGnh3rP https://172.31.30.232:9200/_cat/nodes?v
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                               cluster_manager name
172.31.30.232            6          88   3    0.03    0.20     0.15 dimmr     cluster_manager,data,ingest,master,remote_cluster_client *               node-1
```
- Installation of Wazuh Server
```
[root@ip-172-31-30-232 qa]# bash wazuh-install.sh --wazuh-server wazuh-1
10/01/2023 11:06:16 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 11:06:16 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/01/2023 11:06:21 INFO: Wazuh development repository added.
10/01/2023 11:06:21 INFO: --- Wazuh server ---
10/01/2023 11:06:21 INFO: Starting the Wazuh manager installation.
10/01/2023 11:06:37 INFO: Wazuh manager installation finished.
10/01/2023 11:06:37 INFO: Starting service wazuh-manager.
10/01/2023 11:06:50 INFO: wazuh-manager service started.
10/01/2023 11:06:50 INFO: Starting Filebeat installation.
10/01/2023 11:07:01 INFO: Filebeat installation finished.
10/01/2023 11:07:02 INFO: Filebeat post-install configuration finished.
10/01/2023 11:07:07 INFO: Starting service filebeat.
10/01/2023 11:07:07 INFO: filebeat service started.
10/01/2023 11:07:07 INFO: Installation finished.
[root@ip-172-31-30-232 qa]# filebeat test output
elasticsearch: https://172.31.30.232:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.31.30.232
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
```
- Installation of Wazuh Dashboard
```
[root@ip-172-31-30-232 qa]# bash wazuh-install.sh --wazuh-dashboard dashboard
10/01/2023 11:08:18 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 11:08:18 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/01/2023 11:08:24 INFO: Wazuh development repository added.
dashboard
10/01/2023 11:08:24 INFO: --- Wazuh dashboard ----
10/01/2023 11:08:24 INFO: Starting Wazuh dashboard installation.
10/01/2023 11:09:34 INFO: Wazuh dashboard installation finished.
10/01/2023 11:09:34 INFO: Wazuh dashboard post-install configuration finished.
10/01/2023 11:09:34 INFO: Starting service wazuh-dashboard.
10/01/2023 11:09:35 INFO: wazuh-dashboard service started.
10/01/2023 11:09:49 INFO: Initializing Wazuh dashboard web application.
10/01/2023 11:09:49 INFO: Wazuh dashboard web application initialized.
10/01/2023 11:09:49 INFO: --- Summary ---
10/01/2023 11:09:49 INFO: You can access the web interface https://172.31.30.232
    User: admin
    Password: lE*Wk+FAkXbTVCZhuN9KjfqusyGnh3rP
10/01/2023 11:09:49 INFO: Installation finished.
```
Test
- Check the Wazuh Indexer before reboot
```
[root@ip-172-31-30-232 qa]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-01-10 11:00:05 UTC; 12min ago
     Docs: https://documentation.wazuh.com
 Main PID: 6623 (java)
    Tasks: 76
   Memory: 4.2G
   CGroup: /system.slice/wazuh-indexer.service
           └─6623 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

Jan 10 10:59:52 ip-172-31-30-232.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 10 10:59:55 ip-172-31-30-232.ec2.internal systemd-entrypoint[6623]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 10:59:55 ip-172-31-30-232.ec2.internal systemd-entrypoint[6623]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib...-2.4.1.jar)
Jan 10 10:59:55 ip-172-31-30-232.ec2.internal systemd-entrypoint[6623]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 10 10:59:55 ip-172-31-30-232.ec2.internal systemd-entrypoint[6623]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 10:59:56 ip-172-31-30-232.ec2.internal systemd-entrypoint[6623]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 10:59:56 ip-172-31-30-232.ec2.internal systemd-entrypoint[6623]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/o...-2.4.1.jar)
Jan 10 10:59:56 ip-172-31-30-232.ec2.internal systemd-entrypoint[6623]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 10 10:59:56 ip-172-31-30-232.ec2.internal systemd-entrypoint[6623]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 11:00:05 ip-172-31-30-232.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```
- Reboot system
```
[root@ip-172-31-30-232 qa]# reboot
```
- Check the Wazuh Indexer after the reboot
```
[qa@ip-172-31-30-232 ~]$ sudo systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2023-01-10 11:13:31 UTC; 27s ago
     Docs: https://documentation.wazuh.com
  Process: 2475 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, status=1/FAILURE)
 Main PID: 2475 (code=exited, status=1/FAILURE)

Jan 10 11:13:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2475]: at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jan 10 11:13:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2475]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jan 10 11:13:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2475]: at org.opensearch.cli.Command.main(Command.java:101)
Jan 10 11:13:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2475]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
Jan 10 11:13:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2475]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
Jan 10 11:13:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2475]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-indexer-cluster.log
Jan 10 11:13:31 ip-172-31-30-232.ec2.internal systemd[1]: wazuh-indexer.service: main process exited, code=exited, status=1/FAILURE
Jan 10 11:13:31 ip-172-31-30-232.ec2.internal systemd[1]: Failed to start Wazuh-indexer.
Jan 10 11:13:31 ip-172-31-30-232.ec2.internal systemd[1]: Unit wazuh-indexer.service entered failed state.
Jan 10 11:13:31 ip-172-31-30-232.ec2.internal systemd[1]: wazuh-indexer.service failed.
[qa@ip-172-31-30-232 ~]$
```

Conclusion

The error is replicated when all components are installed in the same host using the Installation Assistant to install them separately, as seen in the documentation. The agent deployment is not necessary for the error to appear. As per this test, it appears it is only replicated when using one host only.

verdx commented 1 year ago

:red_circle: Test after the installation of each component

Another test was done, where the reboot was tested after the installation of each component.

Installation of Wazuh Indexer
```
[qa@ip-172-31-30-232 ~]$ sudo bash wazuh-install.sh --wazuh-indexer wazuh-indexer
10/01/2023 13:58:15 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 13:58:15 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/01/2023 13:58:20 INFO: Wazuh development repository added.
10/01/2023 13:58:21 INFO: --- Wazuh indexer ---
10/01/2023 13:58:21 INFO: Starting Wazuh indexer installation.
10/01/2023 13:59:06 INFO: Wazuh indexer installation finished.
10/01/2023 13:59:06 INFO: Wazuh indexer post-install configuration finished.
10/01/2023 13:59:06 INFO: Starting service wazuh-indexer.
10/01/2023 13:59:17 INFO: wazuh-indexer service started.
10/01/2023 13:59:17 INFO: Initializing Wazuh indexer cluster security settings.
10/01/2023 13:59:20 INFO: Wazuh indexer cluster initialized.
10/01/2023 13:59:20 INFO: Installation finished.
[qa@ip-172-31-30-232 ~]$ sudo bash wazuh-install.sh --start-cluster
10/01/2023 14:01:47 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 14:01:47 INFO: Verbose logging redirected to /var/log/wazuh-install.log
++ cat /etc/wazuh-indexer/opensearch.yml
++ sed 's/network.host:\s//'
++ grep network.host
+ eval 'wazuh_indexer_ip=( 127.0.0.1 )'
++ wazuh_indexer_ip=(127.0.0.1)
+ eval 'sudo -u wazuh-indexer JAVA_HOME=/usr/share/wazuh-indexer/jdk/ OPENSEARCH_CONF_DIR=/etc/wazuh-indexer /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /etc/wazuh-indexer/opensearch-security -icl -p 9200 -nhnv -cacert /etc/wazuh-indexer/certs/root-ca.pem -cert /etc/wazuh-indexer/certs/admin.pem -key /etc/wazuh-indexer/certs/admin-key.pem -h 127.0.0.1 >> /var/log/wazuh-install.log 2>&1'
++ sudo -u wazuh-indexer JAVA_HOME=/usr/share/wazuh-indexer/jdk/ OPENSEARCH_CONF_DIR=/etc/wazuh-indexer /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /etc/wazuh-indexer/opensearch-security -icl -p 9200 -nhnv -cacert /etc/wazuh-indexer/certs/root-ca.pem -cert /etc/wazuh-indexer/certs/admin.pem -key /etc/wazuh-indexer/certs/admin-key.pem -h 127.0.0.1
+ set +x
10/01/2023 14:01:52 INFO: Wazuh indexer cluster security configuration initialized.
10/01/2023 14:02:00 INFO: Wazuh indexer cluster started.
```

:green_circle: Test 1 - Only Wazuh Indexer installation

Test 1 log
```
[root@ip-172-31-30-232 qa]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-01-10 13:59:17 UTC; 3min 1s ago
     Docs: https://documentation.wazuh.com
 Main PID: 6427 (java)
    Tasks: 61
   Memory: 4.1G
   CGroup: /system.slice/wazuh-indexer.service
           └─6427 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

Jan 10 13:59:06 ip-172-31-30-232.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 10 13:59:08 ip-172-31-30-232.ec2.internal systemd-entrypoint[6427]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 13:59:08 ip-172-31-30-232.ec2.internal systemd-entrypoint[6427]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib...-2.4.1.jar)
Jan 10 13:59:08 ip-172-31-30-232.ec2.internal systemd-entrypoint[6427]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 10 13:59:08 ip-172-31-30-232.ec2.internal systemd-entrypoint[6427]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 13:59:09 ip-172-31-30-232.ec2.internal systemd-entrypoint[6427]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 13:59:09 ip-172-31-30-232.ec2.internal systemd-entrypoint[6427]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/o...-2.4.1.jar)
Jan 10 13:59:09 ip-172-31-30-232.ec2.internal systemd-entrypoint[6427]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 10 13:59:09 ip-172-31-30-232.ec2.internal systemd-entrypoint[6427]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 13:59:17 ip-172-31-30-232.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```
```
[root@ip-172-31-30-232 qa]# reboot
```
```
[root@ip-172-31-30-232 qa]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-01-10 14:05:21 UTC; 3min 7s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2457 (java)
    Tasks: 62
   Memory: 4.2G
   CGroup: /system.slice/wazuh-indexer.service
           └─2457 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

Jan 10 14:05:06 ip-172-31-30-232.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 10 14:05:09 ip-172-31-30-232.ec2.internal systemd-entrypoint[2457]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 14:05:09 ip-172-31-30-232.ec2.internal systemd-entrypoint[2457]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib...-2.4.1.jar)
Jan 10 14:05:09 ip-172-31-30-232.ec2.internal systemd-entrypoint[2457]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 10 14:05:09 ip-172-31-30-232.ec2.internal systemd-entrypoint[2457]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 14:05:10 ip-172-31-30-232.ec2.internal systemd-entrypoint[2457]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 14:05:10 ip-172-31-30-232.ec2.internal systemd-entrypoint[2457]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/o...-2.4.1.jar)
Jan 10 14:05:10 ip-172-31-30-232.ec2.internal systemd-entrypoint[2457]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 10 14:05:10 ip-172-31-30-232.ec2.internal systemd-entrypoint[2457]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 14:05:21 ip-172-31-30-232.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```
Installation of Wazuh Server
```
[root@ip-172-31-30-232 qa]# bash wazuh-install.sh --wazuh-server wazuh-server
10/01/2023 14:10:08 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/01/2023 14:10:08 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/01/2023 14:10:13 INFO: Wazuh development repository added.
10/01/2023 14:10:13 INFO: --- Wazuh server ---
10/01/2023 14:10:13 INFO: Starting the Wazuh manager installation.
10/01/2023 14:10:29 INFO: Wazuh manager installation finished.
10/01/2023 14:10:29 INFO: Starting service wazuh-manager.
10/01/2023 14:10:40 INFO: wazuh-manager service started.
10/01/2023 14:10:40 INFO: Starting Filebeat installation.
10/01/2023 14:10:55 INFO: Filebeat installation finished.
10/01/2023 14:10:55 INFO: Filebeat post-install configuration finished.
10/01/2023 14:11:00 INFO: Starting service filebeat.
10/01/2023 14:11:00 INFO: filebeat service started.
10/01/2023 14:11:00 INFO: Installation finished.
[root@ip-172-31-30-232 qa]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

:red_circle: Test 2: Installation of Wazuh Server

Test 2 log
```
[root@ip-172-31-30-232 qa]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-01-10 14:09:41 UTC; 1min 37s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2450 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2450 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

Jan 10 14:09:28 ip-172-31-30-232.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 10 14:09:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2450]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 14:09:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2450]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib...-2.4.1.jar)
Jan 10 14:09:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2450]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 10 14:09:31 ip-172-31-30-232.ec2.internal systemd-entrypoint[2450]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 14:09:32 ip-172-31-30-232.ec2.internal systemd-entrypoint[2450]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 10 14:09:32 ip-172-31-30-232.ec2.internal systemd-entrypoint[2450]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/o...-2.4.1.jar)
Jan 10 14:09:32 ip-172-31-30-232.ec2.internal systemd-entrypoint[2450]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 10 14:09:32 ip-172-31-30-232.ec2.internal systemd-entrypoint[2450]: WARNING: System::setSecurityManager will be removed in a future release
Jan 10 14:09:41 ip-172-31-30-232.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```
```
[root@ip-172-31-30-232 qa]# reboot
```
```
[root@ip-172-31-30-232 qa]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... ERROR dial tcp 127.0.0.1:9200: connect: connection refused
[root@ip-172-31-30-232 qa]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2023-01-10 14:11:45 UTC; 8s ago
     Docs: https://documentation.wazuh.com
  Process: 2447 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, status=1/FAILURE)
 Main PID: 2447 (code=exited, status=1/FAILURE)

Jan 10 14:11:45 ip-172-31-30-232.ec2.internal systemd-entrypoint[2447]: at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jan 10 14:11:45 ip-172-31-30-232.ec2.internal systemd-entrypoint[2447]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jan 10 14:11:45 ip-172-31-30-232.ec2.internal systemd-entrypoint[2447]: at org.opensearch.cli.Command.main(Command.java:101)
Jan 10 14:11:45 ip-172-31-30-232.ec2.internal systemd-entrypoint[2447]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
Jan 10 14:11:45 ip-172-31-30-232.ec2.internal systemd-entrypoint[2447]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
Jan 10 14:11:45 ip-172-31-30-232.ec2.internal systemd-entrypoint[2447]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-indexer-cluster.log
Jan 10 14:11:45 ip-172-31-30-232.ec2.internal systemd[1]: wazuh-indexer.service: main process exited, code=exited, status=1/FAILURE
Jan 10 14:11:45 ip-172-31-30-232.ec2.internal systemd[1]: Failed to start Wazuh-indexer.
Jan 10 14:11:45 ip-172-31-30-232.ec2.internal systemd[1]: Unit wazuh-indexer.service entered failed state.
Jan 10 14:11:45 ip-172-31-30-232.ec2.internal systemd[1]: wazuh-indexer.service failed.
```

Conclusion

Even though the error is clearly related to the Wazuh Indexer, it seems it is triggered by the installation of the Wazuh Server, which would explain why doing a distributed installation doesn't replicate it.

verdx commented 1 year ago

Error found

After more investigation, the problem has been reduced to a permissions error coming from a file /etc/wazuh-indexer/backup, with owner root:root. This file is created in function passwords_changePassword() and removed in function passwords_runSecurityAdmin().

The script tries to create it every time passwords_changePassword() is called:

On the other hand, function passwords_runSecurityAdmin(), which removes the file is only called in two of those occasions:

The problem in this Issue came from the fact that when the last function called from the two of them was passwords_changePassword(), file /etc/wazuh-indexer/backup with incorrect permissions was left created, and when the service for the Wazuh Indexer was restarted, it had a permissions problem with it. That explains why the error didn't appear either when using argument -a or when just installing one node, where the last use of the script was starting the cluster.

Logs

- Code creating the file in `passwords_changePassword()`:
```
function passwords_changePassword() {
    eval "mkdir /etc/wazuh-indexer/backup/ 2>/dev/null"
    eval "cp /etc/wazuh-indexer/opensearch-security/* /etc/wazuh-indexer/backup/ 2>/dev/null"
```
- Installation of Wazuh Indexer
```
[root@ip-172-31-32-33 ec2-user]# bash wazuh-install.sh --wazuh-indexer indexer-1 -o
11/01/2023 11:01:45 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 11:01:45 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 11:01:46 INFO: --- Removing existing Wazuh installation ---
11/01/2023 11:01:46 INFO: Wazuh GPG key not found in the system
11/01/2023 11:01:46 INFO: Installation cleaned.
11/01/2023 11:01:49 INFO: Wazuh development repository added.
11/01/2023 11:01:49 INFO: --- Wazuh indexer ---
11/01/2023 11:01:49 INFO: Starting Wazuh indexer installation.
11/01/2023 11:02:35 INFO: Wazuh indexer installation finished.
11/01/2023 11:02:35 INFO: Wazuh indexer post-install configuration finished.
11/01/2023 11:02:35 INFO: Starting service wazuh-indexer.
11/01/2023 11:02:46 INFO: wazuh-indexer service started.
11/01/2023 11:02:46 INFO: Initializing Wazuh indexer cluster security settings.
11/01/2023 11:02:48 INFO: Wazuh indexer cluster initialized.
11/01/2023 11:02:48 INFO: Installation finished.
```
- File `/etc/wazuh-indexer/backup` is created
```
[root@ip-172-31-32-33 ec2-user]# ls -la /etc/wazuh-indexer/
total 48
drwxr-x--- 11 wazuh-indexer wazuh-indexer  4096 Jan 11 11:02 .
drwxr-xr-x 82 root          root           8192 Jan 11 11:01 ..
drw-------  2 root          root            245 Jan 11 11:02 backup
dr-x------  2 wazuh-indexer wazuh-indexer   109 Jan 11 11:02 certs
-rw-rw----  1 wazuh-indexer wazuh-indexer  2735 Jan 11 11:02 jvm.options
drwxr-x---  2 wazuh-indexer wazuh-indexer     6 Dec 23 12:07 jvm.options.d
-rw-rw----  1 wazuh-indexer wazuh-indexer 14808 Dec 23 12:07 log4j2.properties
-rw-rw----  1 wazuh-indexer wazuh-indexer   196 Jan 11 11:02 opensearch.keystore
-rw-------  1 wazuh-indexer wazuh-indexer    73 Jan 11 11:02 .opensearch.keystore.initial_md5sum
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:01 opensearch-notifications
drwxr-x---  2 wazuh-indexer wazuh-indexer    36 Jan 11 11:01 opensearch-notifications-core
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:01 opensearch-observability
drwxr-x---  2 wazuh-indexer wazuh-indexer   263 Jan 11 11:01 opensearch-performance-analyzer
drwxr-x---  2 wazuh-indexer wazuh-indexer    35 Jan 11 11:01 opensearch-reports-scheduler
drwxr-x---  2 wazuh-indexer wazuh-indexer   245 Jan 11 11:01 opensearch-security
-rw-rw----  1 wazuh-indexer wazuh-indexer  2259 Jan 11 11:02 opensearch.yml
```
- Wazuh Indexer service is active
```
[root@ip-172-31-32-33 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-01-11 11:02:46 UTC; 2min 14s ago
     Docs: https://documentation.wazuh.com
 Main PID: 6706 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─6706 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

Jan 11 11:02:35 ip-172-31-32-33.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 11 11:02:37 ip-172-31-32-33.ec2.internal systemd-entrypoint[6706]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 11:02:37 ip-172-31-32-33.ec2.internal systemd-entrypoint[6706]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/...-2.4.1.jar)
Jan 11 11:02:37 ip-172-31-32-33.ec2.internal systemd-entrypoint[6706]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 11:02:37 ip-172-31-32-33.ec2.internal systemd-entrypoint[6706]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 11:02:38 ip-172-31-32-33.ec2.internal systemd-entrypoint[6706]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 11:02:38 ip-172-31-32-33.ec2.internal systemd-entrypoint[6706]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/op...-2.4.1.jar)
Jan 11 11:02:38 ip-172-31-32-33.ec2.internal systemd-entrypoint[6706]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 11:02:38 ip-172-31-32-33.ec2.internal systemd-entrypoint[6706]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 11:02:46 ip-172-31-32-33.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```
- Restart of Wazuh Indexer service failed and `journalctl`
```
[root@ip-172-31-32-33 ec2-user]# systemctl restart wazuh-indexer
Job for wazuh-indexer.service failed because the control process exited with error code. See "systemctl status wazuh-indexer.service" and "journalctl -xe" for details.
[root@ip-172-31-32-33 ec2-user]# journalctl -xeu wazuh-indexer
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Jan 11 11:05:10 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 11:05:10 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4
Jan 11 11:05:10 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 11:05:10 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: Exception in thread "main" org.opensearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: Likely root cause: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:440)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at java.base/java.nio.file.Files.newDirectoryStream(Files.java:482)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:301)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:374)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at java.base/java.nio.file.Files.walkFileTree(Files.java:2845)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:237)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:147)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:373)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at org.opensearch.cli.Command.main(Command.java:101)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd-entrypoint[7059]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-indexer-cluster.log
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd[1]: wazuh-indexer.service: main process exited, code=exited, status=1/FAILURE
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd[1]: Failed to start Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has failed.
--
-- The result is failed.
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd[1]: Unit wazuh-indexer.service entered failed state.
Jan 11 11:05:11 ip-172-31-32-33.ec2.internal systemd[1]: wazuh-indexer.service failed.
[root@ip-172-31-32-33 ec2-user]#
```
- Error regarding permissions in previous log is:
```
"main" org.opensearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
```
- If the file is removed, the service can be started again
```
[root@ip-172-31-32-33 ec2-user]# rm -rf /etc/wazuh-indexer/backup/
[root@ip-172-31-32-33 ec2-user]# systemctl restart wazuh-indexer
[root@ip-172-31-32-33 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-01-11 11:08:58 UTC; 1min 28s ago
     Docs: https://documentation.wazuh.com
 Main PID: 7299 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─7299 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

Jan 11 11:08:47 ip-172-31-32-33.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 11 11:08:49 ip-172-31-32-33.ec2.internal systemd-entrypoint[7299]: WARNING: A terminally deprecated method in java.lang.System has been called Jan 11 11:08:49 ip-172-31-32-33.ec2.internal systemd-entrypoint[7299]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/...-2.4.1.jar) Jan 11 11:08:49 ip-172-31-32-33.ec2.internal systemd-entrypoint[7299]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jan 11 11:08:49 ip-172-31-32-33.ec2.internal systemd-entrypoint[7299]: WARNING: System::setSecurityManager will be removed in a future release Jan 11 11:08:50 ip-172-31-32-33.ec2.internal systemd-entrypoint[7299]: WARNING: A terminally deprecated method in java.lang.System has been called Jan 11 11:08:50 ip-172-31-32-33.ec2.internal systemd-entrypoint[7299]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/op...-2.4.1.jar) Jan 11 11:08:50 ip-172-31-32-33.ec2.internal systemd-entrypoint[7299]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jan 11 11:08:50 ip-172-31-32-33.ec2.internal systemd-entrypoint[7299]: WARNING: System::setSecurityManager will be removed in a future release Jan 11 11:08:58 ip-172-31-32-33.ec2.internal systemd[1]: Started Wazuh-indexer. Hint: Some lines were ellipsized, use -l to show in full. [root@ip-172-31-32-33 ec2-user]# ``` - Wazuh Indexer Cluster started ``` [root@ip-172-31-32-33 ec2-user]# bash wazuh-install.sh --start-cluster 11/01/2023 11:11:05 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 11/01/2023 11:11:05 INFO: Verbose logging redirected to /var/log/wazuh-install.log 11/01/2023 11:11:18 INFO: Wazuh indexer cluster security configuration initialized. 11/01/2023 11:11:26 INFO: Wazuh indexer cluster started. 
``` - The file is not created and the Indexer restarts without error ``` [root@ip-172-31-32-33 ec2-user]# ls -la /etc/wazuh-indexer/ total 48 drwxr-x--- 10 wazuh-indexer wazuh-indexer 4096 Jan 11 11:11 . drwxr-xr-x 82 root root 8192 Jan 11 11:01 .. dr-x------ 2 wazuh-indexer wazuh-indexer 109 Jan 11 11:02 certs -rw-rw---- 1 wazuh-indexer wazuh-indexer 2735 Jan 11 11:02 jvm.options drwxr-x--- 2 wazuh-indexer wazuh-indexer 6 Dec 23 12:07 jvm.options.d -rw-rw---- 1 wazuh-indexer wazuh-indexer 14808 Dec 23 12:07 log4j2.properties -rw-rw---- 1 wazuh-indexer wazuh-indexer 196 Jan 11 11:02 opensearch.keystore -rw------- 1 wazuh-indexer wazuh-indexer 73 Jan 11 11:02 .opensearch.keystore.initial_md5sum drwxr-x--- 2 wazuh-indexer wazuh-indexer 31 Jan 11 11:01 opensearch-notifications drwxr-x--- 2 wazuh-indexer wazuh-indexer 36 Jan 11 11:01 opensearch-notifications-core drwxr-x--- 2 wazuh-indexer wazuh-indexer 31 Jan 11 11:01 opensearch-observability drwxr-x--- 2 wazuh-indexer wazuh-indexer 263 Jan 11 11:01 opensearch-performance-analyzer drwxr-x--- 2 wazuh-indexer wazuh-indexer 35 Jan 11 11:01 opensearch-reports-scheduler drwxr-x--- 2 wazuh-indexer wazuh-indexer 245 Jan 11 11:01 opensearch-security -rw-rw---- 1 wazuh-indexer wazuh-indexer 2259 Jan 11 11:02 opensearch.yml [root@ip-172-31-32-33 ec2-user]# systemctl restart wazuh-indexer [root@ip-172-31-32-33 ec2-user]# ``` - Installing the Wazuh Server creates the file again ``` [root@ip-172-31-32-33 ec2-user]# bash wazuh-install.sh --wazuh-server server-1 11/01/2023 11:13:09 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 11/01/2023 11:13:09 INFO: Verbose logging redirected to /var/log/wazuh-install.log 11/01/2023 11:13:13 INFO: Wazuh development repository added. 11/01/2023 11:13:13 INFO: --- Wazuh server --- 11/01/2023 11:13:13 INFO: Starting the Wazuh manager installation. 11/01/2023 11:13:26 INFO: Wazuh manager installation finished. 11/01/2023 11:13:26 INFO: Starting service wazuh-manager. 
11/01/2023 11:13:37 INFO: wazuh-manager service started. 11/01/2023 11:13:37 INFO: Starting Filebeat installation. 11/01/2023 11:13:44 INFO: Filebeat installation finished. 11/01/2023 11:13:45 INFO: Filebeat post-install configuration finished. 11/01/2023 11:13:53 INFO: Starting service filebeat. 11/01/2023 11:13:53 INFO: filebeat service started. 11/01/2023 11:13:53 INFO: Installation finished. [root@ip-172-31-32-33 ec2-user]# ls -la /etc/wazuh-indexer/ total 48 drwxr-x--- 11 wazuh-indexer wazuh-indexer 4096 Jan 11 11:13 . drwxr-xr-x 83 root root 8192 Jan 11 11:13 .. drw------- 2 root root 245 Jan 11 11:13 backup dr-x------ 2 wazuh-indexer wazuh-indexer 109 Jan 11 11:02 certs -rw-rw---- 1 wazuh-indexer wazuh-indexer 2735 Jan 11 11:02 jvm.options drwxr-x--- 2 wazuh-indexer wazuh-indexer 6 Dec 23 12:07 jvm.options.d -rw-rw---- 1 wazuh-indexer wazuh-indexer 14808 Dec 23 12:07 log4j2.properties -rw-rw---- 1 wazuh-indexer wazuh-indexer 196 Jan 11 11:02 opensearch.keystore -rw------- 1 wazuh-indexer wazuh-indexer 73 Jan 11 11:02 .opensearch.keystore.initial_md5sum drwxr-x--- 2 wazuh-indexer wazuh-indexer 31 Jan 11 11:01 opensearch-notifications drwxr-x--- 2 wazuh-indexer wazuh-indexer 36 Jan 11 11:01 opensearch-notifications-core drwxr-x--- 2 wazuh-indexer wazuh-indexer 31 Jan 11 11:01 opensearch-observability drwxr-x--- 2 wazuh-indexer wazuh-indexer 263 Jan 11 11:01 opensearch-performance-analyzer drwxr-x--- 2 wazuh-indexer wazuh-indexer 35 Jan 11 11:01 opensearch-reports-scheduler drwxr-x--- 2 wazuh-indexer wazuh-indexer 245 Jan 11 11:01 opensearch-security -rw-rw---- 1 wazuh-indexer wazuh-indexer 2259 Jan 11 11:02 opensearch.yml [root@ip-172-31-32-33 ec2-user]# ``` - Same with the Wazuh Dashboard ``` [root@ip-172-31-32-33 ec2-user]# rm -rf /etc/wazuh-indexer/backup/ [root@ip-172-31-32-33 ec2-user]# bash wazuh-install.sh --wazuh-dashboard dashboard 11/01/2023 11:15:07 INFO: Starting Wazuh installation assistant. 
Wazuh version: 4.4.0 11/01/2023 11:15:07 INFO: Verbose logging redirected to /var/log/wazuh-install.log 11/01/2023 11:15:11 INFO: Wazuh development repository added. dashboard 11/01/2023 11:15:11 INFO: --- Wazuh dashboard ---- 11/01/2023 11:15:11 INFO: Starting Wazuh dashboard installation. 11/01/2023 11:16:14 INFO: Wazuh dashboard installation finished. 11/01/2023 11:16:14 INFO: Wazuh dashboard post-install configuration finished. 11/01/2023 11:16:14 INFO: Starting service wazuh-dashboard. 11/01/2023 11:16:14 INFO: wazuh-dashboard service started. 11/01/2023 11:16:31 INFO: Initializing Wazuh dashboard web application. 11/01/2023 11:16:32 INFO: Wazuh dashboard web application initialized. 11/01/2023 11:16:32 INFO: --- Summary --- 11/01/2023 11:16:32 INFO: You can access the web interface https:// User: admin Password: E+odfkh1b*x83Ip03BT6O8Zl*fYVuDzE 11/01/2023 11:16:32 INFO: Installation finished. [root@ip-172-31-32-33 ec2-user]# ls -la /etc/wazuh-indexer/ total 48 drwxr-x--- 11 wazuh-indexer wazuh-indexer 4096 Jan 11 11:16 . drwxr-xr-x 84 root root 8192 Jan 11 11:15 .. 
drw------- 2 root root 245 Jan 11 11:16 backup dr-x------ 2 wazuh-indexer wazuh-indexer 109 Jan 11 11:02 certs -rw-rw---- 1 wazuh-indexer wazuh-indexer 2735 Jan 11 11:02 jvm.options drwxr-x--- 2 wazuh-indexer wazuh-indexer 6 Dec 23 12:07 jvm.options.d -rw-rw---- 1 wazuh-indexer wazuh-indexer 14808 Dec 23 12:07 log4j2.properties -rw-rw---- 1 wazuh-indexer wazuh-indexer 196 Jan 11 11:02 opensearch.keystore -rw------- 1 wazuh-indexer wazuh-indexer 73 Jan 11 11:02 .opensearch.keystore.initial_md5sum drwxr-x--- 2 wazuh-indexer wazuh-indexer 31 Jan 11 11:01 opensearch-notifications drwxr-x--- 2 wazuh-indexer wazuh-indexer 36 Jan 11 11:01 opensearch-notifications-core drwxr-x--- 2 wazuh-indexer wazuh-indexer 31 Jan 11 11:01 opensearch-observability drwxr-x--- 2 wazuh-indexer wazuh-indexer 263 Jan 11 11:01 opensearch-performance-analyzer drwxr-x--- 2 wazuh-indexer wazuh-indexer 35 Jan 11 11:01 opensearch-reports-scheduler drwxr-x--- 2 wazuh-indexer wazuh-indexer 245 Jan 11 11:01 opensearch-security -rw-rw---- 1 wazuh-indexer wazuh-indexer 2259 Jan 11 11:02 opensearch.yml [root@ip-172-31-32-33 ec2-user]# ``` - When installing the AIO using `-a` the file is not left after the installation ``` [root@ip-172-31-32-33 ec2-user]# bash wazuh-install.sh -a 11/01/2023 11:20:55 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 11/01/2023 11:20:55 INFO: Verbose logging redirected to /var/log/wazuh-install.log 11/01/2023 11:20:59 INFO: Wazuh development repository added. 11/01/2023 11:20:59 INFO: --- Configuration files --- 11/01/2023 11:20:59 INFO: Generating configuration files. 11/01/2023 11:21:00 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation. 11/01/2023 11:21:00 INFO: --- Wazuh indexer --- 11/01/2023 11:21:00 INFO: Starting Wazuh indexer installation. 11/01/2023 11:21:47 INFO: Wazuh indexer installation finished. 
11/01/2023 11:21:47 INFO: Wazuh indexer post-install configuration finished. 11/01/2023 11:21:47 INFO: Starting service wazuh-indexer. 11/01/2023 11:21:57 INFO: wazuh-indexer service started. 11/01/2023 11:21:57 INFO: Initializing Wazuh indexer cluster security settings. 11/01/2023 11:22:07 INFO: Wazuh indexer cluster initialized. 11/01/2023 11:22:07 INFO: --- Wazuh server --- 11/01/2023 11:22:07 INFO: Starting the Wazuh manager installation. 11/01/2023 11:22:20 INFO: Wazuh manager installation finished. 11/01/2023 11:22:20 INFO: Starting service wazuh-manager. 11/01/2023 11:22:31 INFO: wazuh-manager service started. 11/01/2023 11:22:31 INFO: Starting Filebeat installation. 11/01/2023 11:22:37 INFO: Filebeat installation finished. 11/01/2023 11:22:38 INFO: Filebeat post-install configuration finished. 11/01/2023 11:22:38 INFO: Starting service filebeat. 11/01/2023 11:22:38 INFO: filebeat service started. 11/01/2023 11:22:38 INFO: --- Wazuh dashboard --- 11/01/2023 11:22:38 INFO: Starting Wazuh dashboard installation. 11/01/2023 11:23:39 INFO: Wazuh dashboard installation finished. 11/01/2023 11:23:39 INFO: Wazuh dashboard post-install configuration finished. 11/01/2023 11:23:39 INFO: Starting service wazuh-dashboard. 11/01/2023 11:23:39 INFO: wazuh-dashboard service started. 11/01/2023 11:24:00 INFO: Initializing Wazuh dashboard web application. 11/01/2023 11:24:01 INFO: Wazuh dashboard web application initialized. 11/01/2023 11:24:01 INFO: --- Summary --- 11/01/2023 11:24:01 INFO: You can access the web interface https:// User: admin Password: QuStx0?NK4Y1nMGeGKQcLG21ZK*rlSxZ 11/01/2023 11:24:01 INFO: Installation finished. 
[root@ip-172-31-32-33 ec2-user]# ls -la /etc/wazuh-indexer/ certs/ log4j2.properties opensearch-notifications/ opensearch-performance-analyzer/ opensearch.yml jvm.options opensearch.keystore opensearch-notifications-core/ opensearch-reports-scheduler/ jvm.options.d/ .opensearch.keystore.initial_md5sum opensearch-observability/ opensearch-security/ [root@ip-172-31-32-33 ec2-user]# ls -la /etc/wazuh-indexer/ total 48 drwxr-x--- 10 wazuh-indexer wazuh-indexer 4096 Jan 11 11:23 . drwxr-xr-x 84 root root 8192 Jan 11 11:23 .. dr-x------ 2 wazuh-indexer wazuh-indexer 117 Jan 11 11:21 certs -rw-rw---- 1 wazuh-indexer wazuh-indexer 2735 Jan 11 11:21 jvm.options drwxr-x--- 2 wazuh-indexer wazuh-indexer 6 Dec 23 12:07 jvm.options.d -rw-rw---- 1 wazuh-indexer wazuh-indexer 14808 Dec 23 12:07 log4j2.properties -rw-rw---- 1 wazuh-indexer wazuh-indexer 196 Jan 11 11:21 opensearch.keystore -rw------- 1 wazuh-indexer wazuh-indexer 73 Jan 11 11:21 .opensearch.keystore.initial_md5sum drwxr-x--- 2 wazuh-indexer wazuh-indexer 31 Jan 11 11:21 opensearch-notifications drwxr-x--- 2 wazuh-indexer wazuh-indexer 36 Jan 11 11:21 opensearch-notifications-core drwxr-x--- 2 wazuh-indexer wazuh-indexer 31 Jan 11 11:21 opensearch-observability drwxr-x--- 2 wazuh-indexer wazuh-indexer 263 Jan 11 11:21 opensearch-performance-analyzer drwxr-x--- 2 wazuh-indexer wazuh-indexer 35 Jan 11 11:21 opensearch-reports-scheduler drwxr-x--- 2 wazuh-indexer wazuh-indexer 245 Jan 11 11:21 opensearch-security -rw-rw---- 1 wazuh-indexer wazuh-indexer 2152 Jan 11 11:21 opensearch.yml [root@ip-172-31-32-33 ec2-user]# ```
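The listings above show the whole failure in one line: a `backup` directory owned by `root` with mode `drw-------` inside `/etc/wazuh-indexer`, which the indexer (running as `wazuh-indexer`) cannot open while `LogConfigurator` walks its configuration tree at startup. The following check automates that inspection for a config directory and a service account. It is an added example, not code from the Wazuh installation assistant or from this issue; it assumes GNU `find` (for `-mindepth`) and the usual `ls -ld` field order (`mode links owner group ...`), and the directory and account names are the ones from the listings.

```shell
#!/bin/sh
# Added example, not code from the Wazuh project or this issue.
# Flags entries under a service's configuration directory that the service
# account does not own, and directories that nobody can traverse (no owner
# execute bit). The failing entry in this issue was
#   drw------- 2 root root ... /etc/wazuh-indexer/backup
# which the indexer (running as wazuh-indexer) hit while walking its config
# tree at startup, failing with java.nio.file.AccessDeniedException.

# audit_config_dir DIR USER
# Prints one line per finding: "<reason> <mode> <owner> <path>".
# Prints nothing when the tree is clean.
audit_config_dir() {
    _dir=$1
    _user=$2
    # Walk the whole tree, as OpenSearch's LogConfigurator does. An entry
    # find cannot enter is still listed; only its contents are skipped.
    find "$_dir" -mindepth 1 2>/dev/null | while IFS= read -r _path; do
        # ls -ld fields: mode, link count, owner, group, size, date..., name
        set -- $(ls -ld "$_path")
        _mode=$1
        _owner=$3
        if [ "$_owner" != "$_user" ]; then
            echo "not-owned-by-$_user $_mode $_owner $_path"
        fi
        # The 4th character of the mode string is the owner execute bit; a
        # directory without it cannot be opened even by its owner.
        case $_mode in
            d??-*) echo "dir-not-traversable $_mode $_owner $_path" ;;
        esac
    done
}

# count_config_dir_issues DIR USER
# Echoes the number of findings and exits 0 only when that number is zero,
# so it can gate a service restart in a post-install step.
count_config_dir_issues() {
    _n=$(audit_config_dir "$1" "$2" | wc -l | tr -d ' ')
    echo "$_n"
    [ "$_n" -eq 0 ]
}
```

On a real host the call is `audit_config_dir /etc/wazuh-indexer wazuh-indexer`; run after each installation-assistant step, it would have reported the `backup` directory twice (`not-owned-by-wazuh-indexer` and `dir-not-traversable`) before the next `systemctl restart wazuh-indexer` failed.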
DFolchA commented 1 year ago

Update

Testing

Install AIO

```
[root@amazon2 vagrant]# bash ./wazuh-install.sh -a
11/01/2023 11:17:07 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 11:17:07 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 11:17:10 INFO: Wazuh development repository added.
11/01/2023 11:17:10 INFO: --- Configuration files ---
11/01/2023 11:17:10 INFO: Generating configuration files.
11/01/2023 11:17:11 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
11/01/2023 11:17:12 INFO: --- Wazuh indexer ---
11/01/2023 11:17:12 INFO: Starting Wazuh indexer installation.
11/01/2023 11:18:30 INFO: Wazuh indexer installation finished.
11/01/2023 11:18:30 INFO: Wazuh indexer post-install configuration finished.
11/01/2023 11:18:30 INFO: Starting service wazuh-indexer.
11/01/2023 11:18:41 INFO: wazuh-indexer service started.
11/01/2023 11:18:41 INFO: Initializing Wazuh indexer cluster security settings.
11/01/2023 11:18:51 INFO: Wazuh indexer cluster initialized.
11/01/2023 11:18:51 INFO: --- Wazuh server ---
11/01/2023 11:18:51 INFO: Starting the Wazuh manager installation.
11/01/2023 11:19:18 INFO: Wazuh manager installation finished.
11/01/2023 11:19:18 INFO: Starting service wazuh-manager.
11/01/2023 11:19:30 INFO: wazuh-manager service started.
11/01/2023 11:19:30 INFO: Starting Filebeat installation.
11/01/2023 11:19:42 INFO: Filebeat installation finished.
11/01/2023 11:19:43 INFO: Filebeat post-install configuration finished.
11/01/2023 11:19:43 INFO: Starting service filebeat.
11/01/2023 11:19:43 INFO: filebeat service started.
11/01/2023 11:19:43 INFO: --- Wazuh dashboard ---
11/01/2023 11:19:43 INFO: Starting Wazuh dashboard installation.
11/01/2023 11:21:04 INFO: Wazuh dashboard installation finished.
11/01/2023 11:21:04 INFO: Wazuh dashboard post-install configuration finished.
11/01/2023 11:21:04 INFO: Starting service wazuh-dashboard.
11/01/2023 11:21:04 INFO: wazuh-dashboard service started.
11/01/2023 11:21:24 INFO: Initializing Wazuh dashboard web application.
11/01/2023 11:21:26 INFO: Wazuh dashboard web application initialized.
11/01/2023 11:21:26 INFO: --- Summary ---
11/01/2023 11:21:26 INFO: You can access the web interface https://
    User: admin
    Password: zu617v0mw3hdiNGms8iYOTgr.XzvhK9V
11/01/2023 11:21:26 INFO: Installation finished.
```

![image](https://user-images.githubusercontent.com/19505384/211794740-58ef6e33-3862-4026-9e85-3d0a7de2811a.png)

Passwords tool: Change All

```
[root@amazon2 vagrant]# ./wazuh-passwords-tool.sh -a
11/01/2023 11:39:39 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
11/01/2023 11:39:47 INFO: The password for user admin is j5.IM*qkTqU4xMF8KAhpxk35ONVlwij3
11/01/2023 11:39:47 INFO: The password for user kibanaserver is cH1y9of?8IVsm90BhyUH?d++yh3HbQFm
11/01/2023 11:39:47 INFO: The password for user kibanaro is OaSXddObvV+HkuVPZ7rMCOg.5O6aWgIh
11/01/2023 11:39:47 INFO: The password for user logstash is ZB3f?d.YGyC9Rkdln7Fz9xAkzaBQJu0F
11/01/2023 11:39:47 INFO: The password for user readall is dviqV2Ayj2a+nB38l4pXjkycqL+pdwAD
11/01/2023 11:39:47 INFO: The password for user snapshotrestore is AvxvRG561e4Tm2UEAGWhHX88DKzt++zj
11/01/2023 11:39:47 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
```

Passwords tool: Change All with API

```
[root@amazon2 vagrant]# ./wazuh-passwords-tool.sh -a -au wazuh -ap gYD?AML7s.DmC3J2?RzbQxMr8dj1zzMw
11/01/2023 11:40:31 INFO: The password for user admin is nCx3HGsg8G.QIgDcFjoMtjL0sF*Jc.6N
11/01/2023 11:40:31 INFO: The password for user kibanaserver is ulYlKc3VpLdT6?GZ3IXzmGO?U7ehQ6.m
11/01/2023 11:40:31 INFO: The password for user kibanaro is QrP3MZKwdoax0gIb+Ej?ltEHzX3tP1t9
11/01/2023 11:40:31 INFO: The password for user logstash is Yz?zLND8wAsZ6lTHCA+P1YSNwm6aD+kK
11/01/2023 11:40:31 INFO: The password for user readall is TSyWk.Z.0Bo5DZ5gGb6fk*XcMZl9Tq8X
11/01/2023 11:40:31 INFO: The password for user snapshotrestore is SBgP?ZA*Fs0F*drz*IHx8KMJ+Zcg4hkj
11/01/2023 11:40:31 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
11/01/2023 11:40:32 INFO: The password for Wazuh API user wazuh is Iv1nn2C1oiVC6ubA+YqoOf2m82DpHcwU
11/01/2023 11:40:33 INFO: The password for Wazuh API user wazuh-wui is u1Dt63NE28A1whH3*Dda0xb.pg2L?jIl
11/01/2023 11:40:33 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.
```

Passwords tool: API

```
[root@amazon2 vagrant]# ./wazuh-passwords-tool.sh -A -au wazuh -ap Iv1nn2C1oiVC6ubA+YqoOf2m82DpHcwU -u wazuh -p vXSUxApNy7*3i0vOoGIrwH7BDDVmq4?L
11/01/2023 11:42:37 INFO: The password for Wazuh API user wazuh is vXSUxApNy7*3i0vOoGIrwH7BDDVmq4?L
[root@amazon2 vagrant]# ./wazuh-passwords-tool.sh -A -au wazuh -ap vXSUxApNy7*3i0vOoGIrwH7BDDVmq4?L -u wazuh-wui -p vXSUxApNy7*3i0vOoGIrwH7BDDVmq4?L
11/01/2023 11:45:09 INFO: The password for Wazuh API user wazuh-wui is vXSUxApNy7*3i0vOoGIrwH7BDDVmq4?L
11/01/2023 11:45:09 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.
```

Passwords tool: Change one user

```
[root@amazon2 vagrant]# ./wazuh-passwords-tool.sh -u admin
11/01/2023 11:48:58 INFO: Generating password hash
11/01/2023 11:49:01 INFO: The password for user admin is ur.XNv2e?JfvpaO7nc033?n4ehqIcmG+
11/01/2023 11:49:01 WARNING: Password changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
```

Passwords tool: File no API

```
[root@amazon2 vagrant]# ./wazuh-passwords-tool.sh -f wazuh-passwords.txt
11/01/2023 11:52:25 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
11/01/2023 11:52:33 INFO: The password for user admin is zu617v0mw3hdiNGms8iYOTgr.XzvhK9V
11/01/2023 11:52:33 INFO: The password for user kibanaserver is 22y8dkuV948CG.3d4*n+1KnOFxDE2AYx
11/01/2023 11:52:33 INFO: The password for user kibanaro is SiOwKAo3J5bkFf8AwxB3LhKpewjqOxK+
11/01/2023 11:52:33 INFO: The password for user logstash is kAZ7s7+YBknNuFY3VJ6HP7JOz8F+B0VA
11/01/2023 11:52:33 INFO: The password for user readall is P+qY.8MWQnfCKMOQMgaJWdqxxjPuHCvo
11/01/2023 11:52:33 INFO: The password for user snapshotrestore is l1R2+m1vC.e1xoc?wOVJoREs4RkU?xBy
11/01/2023 11:52:33 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
```

Passwords tool: File with API

```
[root@amazon2 vagrant]# ./wazuh-passwords-tool.sh -f wazuh-passwords.txt -au wazuh -ap vXSUxApNy7*3i0vOoGIrwH7BDDVmq4?L
11/01/2023 11:54:13 INFO: The password for user admin is zu617v0mw3hdiNGms8iYOTgr.XzvhK9V
11/01/2023 11:54:13 INFO: The password for user kibanaserver is 22y8dkuV948CG.3d4*n+1KnOFxDE2AYx
11/01/2023 11:54:13 INFO: The password for user kibanaro is SiOwKAo3J5bkFf8AwxB3LhKpewjqOxK+
11/01/2023 11:54:13 INFO: The password for user logstash is kAZ7s7+YBknNuFY3VJ6HP7JOz8F+B0VA
11/01/2023 11:54:13 INFO: The password for user readall is P+qY.8MWQnfCKMOQMgaJWdqxxjPuHCvo
11/01/2023 11:54:13 INFO: The password for user snapshotrestore is l1R2+m1vC.e1xoc?wOVJoREs4RkU?xBy
11/01/2023 11:54:13 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
11/01/2023 11:54:15 INFO: The password for Wazuh API user wazuh is vXSUxApNy7*3i0vOoGIrwH7BDDVmq4?L
11/01/2023 11:54:15 INFO: The password for Wazuh API user wazuh-wui is ?uIt5jpOWaf64YG0XukJ3wazDDuxojHH
11/01/2023 11:54:15 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.
```
verdx commented 1 year ago

Testing

:green_circle: AIO with -a Installation (Amazon Linux 2)

```
[root@ip-172-31-36-228 ec2-user]# bash wazuh-install.sh -a
11/01/2023 11:47:07 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 11:47:07 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 11:47:11 INFO: Wazuh development repository added.
11/01/2023 11:47:11 INFO: --- Configuration files ---
11/01/2023 11:47:11 INFO: Generating configuration files.
11/01/2023 11:47:12 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
11/01/2023 11:47:12 INFO: --- Wazuh indexer ---
11/01/2023 11:47:12 INFO: Starting Wazuh indexer installation.
11/01/2023 11:47:55 INFO: Wazuh indexer installation finished.
11/01/2023 11:47:55 INFO: Wazuh indexer post-install configuration finished.
11/01/2023 11:47:55 INFO: Starting service wazuh-indexer.
11/01/2023 11:48:07 INFO: wazuh-indexer service started.
11/01/2023 11:48:07 INFO: Initializing Wazuh indexer cluster security settings.
11/01/2023 11:48:17 INFO: Wazuh indexer cluster initialized.
11/01/2023 11:48:17 INFO: --- Wazuh server ---
11/01/2023 11:48:17 INFO: Starting the Wazuh manager installation.
11/01/2023 11:48:34 INFO: Wazuh manager installation finished.
11/01/2023 11:48:34 INFO: Starting service wazuh-manager.
11/01/2023 11:48:45 INFO: wazuh-manager service started.
11/01/2023 11:48:45 INFO: Starting Filebeat installation.
11/01/2023 11:48:55 INFO: Filebeat installation finished.
11/01/2023 11:48:56 INFO: Filebeat post-install configuration finished.
11/01/2023 11:48:56 INFO: Starting service filebeat.
11/01/2023 11:48:56 INFO: filebeat service started.
11/01/2023 11:48:56 INFO: --- Wazuh dashboard ---
11/01/2023 11:48:56 INFO: Starting Wazuh dashboard installation.
11/01/2023 11:49:54 INFO: Wazuh dashboard installation finished.
11/01/2023 11:49:54 INFO: Wazuh dashboard post-install configuration finished.
11/01/2023 11:49:54 INFO: Starting service wazuh-dashboard.
11/01/2023 11:49:54 INFO: wazuh-dashboard service started.
11/01/2023 11:50:15 INFO: Initializing Wazuh dashboard web application.
11/01/2023 11:50:16 INFO: Wazuh dashboard web application initialized.
11/01/2023 11:50:16 INFO: --- Summary ---
11/01/2023 11:50:16 INFO: You can access the web interface https://
    User: admin
    Password: UPtQ.kepJM8W.?b2IY9ORTkpFgl9t+rr
11/01/2023 11:50:16 INFO: Installation finished.
[root@ip-172-31-36-228 ec2-user]# ls -la /etc/wazuh-indexer/
total 48
drwxr-x--- 10 wazuh-indexer wazuh-indexer  4096 Jan 11 11:50 .
drwxr-xr-x 84 root          root           8192 Jan 11 11:49 ..
dr-x------  2 wazuh-indexer wazuh-indexer   117 Jan 11 11:47 certs
-rw-rw----  1 wazuh-indexer wazuh-indexer  2735 Jan 11 11:47 jvm.options
drwxr-x---  2 wazuh-indexer wazuh-indexer     6 Dec 23 12:07 jvm.options.d
-rw-rw----  1 wazuh-indexer wazuh-indexer 14808 Dec 23 12:07 log4j2.properties
-rw-rw----  1 wazuh-indexer wazuh-indexer   196 Jan 11 11:47 opensearch.keystore
-rw-------  1 wazuh-indexer wazuh-indexer    73 Jan 11 11:47 .opensearch.keystore.initial_md5sum
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:47 opensearch-notifications
drwxr-x---  2 wazuh-indexer wazuh-indexer    36 Jan 11 11:47 opensearch-notifications-core
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:47 opensearch-observability
drwxr-x---  2 wazuh-indexer wazuh-indexer   263 Jan 11 11:47 opensearch-performance-analyzer
drwxr-x---  2 wazuh-indexer wazuh-indexer    35 Jan 11 11:47 opensearch-reports-scheduler
drwxr-x---  2 wazuh-indexer wazuh-indexer   245 Jan 11 11:47 opensearch-security
-rw-rw----  1 wazuh-indexer wazuh-indexer  2152 Jan 11 11:47 opensearch.yml
```

:green_circle: AIO step-by-step installation (Amazon Linux 2)

On each step, the tests performed check whether the directory /etc/wazuh-indexer/backup exists, restart the Wazuh Indexer service and check that it doesn't stop. Normal tests for the cluster and Filebeat are also performed.

Wazuh Indexer installation and checks

```
[root@ip-172-31-36-228 ec2-user]# bash wazuh-install.sh --wazuh-indexer wazuh-indexer -o
11/01/2023 11:57:16 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 11:57:16 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 11:57:18 INFO: --- Removing existing Wazuh installation ---
11/01/2023 11:57:18 INFO: Removing Wazuh indexer.
11/01/2023 11:57:18 INFO: Wazuh indexer removed.
11/01/2023 11:57:18 INFO: Wazuh GPG key was not found in the system.
11/01/2023 11:57:18 INFO: Installation cleaned.
11/01/2023 11:57:21 INFO: Wazuh development repository added.
11/01/2023 11:57:21 INFO: --- Wazuh indexer ---
11/01/2023 11:57:21 INFO: Starting Wazuh indexer installation.
11/01/2023 11:58:04 INFO: Wazuh indexer installation finished.
11/01/2023 11:58:04 INFO: Wazuh indexer post-install configuration finished.
11/01/2023 11:58:04 INFO: Starting service wazuh-indexer.
11/01/2023 11:58:15 INFO: wazuh-indexer service started.
11/01/2023 11:58:15 INFO: Initializing Wazuh indexer cluster security settings.
11/01/2023 11:58:17 INFO: Wazuh indexer cluster initialized.
11/01/2023 11:58:18 INFO: Installation finished.
[root@ip-172-31-36-228 ec2-user]# ls -la /etc/wazuh-indexer/
total 56
drwxr-x--- 10 wazuh-indexer wazuh-indexer  4096 Jan 11 11:58 .
drwxr-xr-x 82 root          root           8192 Jan 11 11:57 ..
dr-x------  2 wazuh-indexer wazuh-indexer   117 Jan 11 11:58 certs
-rw-rw----  1 wazuh-indexer wazuh-indexer  2735 Jan 11 11:58 jvm.options
drwxr-x---  2 wazuh-indexer wazuh-indexer     6 Dec 23 12:07 jvm.options.d
-rw-rw----  1 wazuh-indexer wazuh-indexer  2735 Jan 11 11:47 jvm.options.rpmsave
-rw-rw----  1 wazuh-indexer wazuh-indexer 14808 Dec 23 12:07 log4j2.properties
-rw-rw----  1 wazuh-indexer wazuh-indexer   196 Jan 11 11:47 opensearch.keystore
-rw-------  1 wazuh-indexer wazuh-indexer    73 Jan 11 11:47 .opensearch.keystore.initial_md5sum
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:57 opensearch-notifications
drwxr-x---  2 wazuh-indexer wazuh-indexer    36 Jan 11 11:57 opensearch-notifications-core
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:57 opensearch-observability
drwxr-x---  2 wazuh-indexer wazuh-indexer   263 Jan 11 11:57 opensearch-performance-analyzer
drwxr-x---  2 wazuh-indexer wazuh-indexer    35 Jan 11 11:57 opensearch-reports-scheduler
drwxr-x---  2 wazuh-indexer wazuh-indexer   245 Jan 11 11:57 opensearch-security
-rw-rw----  1 wazuh-indexer wazuh-indexer  2287 Jan 11 11:58 opensearch.yml
-rw-rw----  1 wazuh-indexer wazuh-indexer  2152 Jan 11 11:47 opensearch.yml.rpmsave
[root@ip-172-31-36-228 ec2-user]# systemctl restart wazuh-indexer
[root@ip-172-31-36-228 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-01-11 12:00:58 UTC; 7s ago
     Docs: https://documentation.wazuh.com
 Main PID: 11162 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─11162 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=...

Jan 11 12:00:47 ip-172-31-36-228.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 11 12:00:49 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 12:00:49 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/li...-2.4.1.jar)
Jan 11 12:00:49 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 12:00:49 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 12:00:50 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 12:00:50 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/...-2.4.1.jar)
Jan 11 12:00:50 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 12:00:50 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 12:00:58 ip-172-31-36-228.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-36-228 ec2-user]# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
indexer_username: 'admin'
indexer_password: 'UPtQ.kepJM8W.?b2IY9ORTkpFgl9t+rr'
[root@ip-172-31-36-228 ec2-user]# curl -k -u admin:UPtQ.kepJM8W.?b2IY9ORTkpFgl9t+rr https://127.0.0.1:9200
{
  "name" : "wazuh-indexer",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "ccAorEZyS-6HSFGq7A_VDQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@ip-172-31-36-228 ec2-user]# curl -k -u admin:UPtQ.kepJM8W.?b2IY9ORTkpFgl9t+rr https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                               cluster_manager name
127.0.0.1            6          85   1    0.01    0.21     0.24 dimmr     cluster_manager,data,ingest,master,remote_cluster_client *               wazuh-indexer
```

Wazuh Indexer start cluster and tests

```
[root@ip-172-31-36-228 ec2-user]# bash wazuh-install.sh --start-cluster
11/01/2023 12:06:42 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 12:06:42 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 12:06:47 INFO: Wazuh indexer cluster security configuration initialized.
11/01/2023 12:06:54 INFO: Wazuh indexer cluster started.
[root@ip-172-31-36-228 ec2-user]# ls -la /etc/wazuh-indexer/
total 56
drwxr-x--- 10 wazuh-indexer wazuh-indexer  4096 Jan 11 12:06 .
drwxr-xr-x 82 root          root           8192 Jan 11 11:57 ..
dr-x------  2 wazuh-indexer wazuh-indexer   117 Jan 11 11:58 certs
-rw-rw----  1 wazuh-indexer wazuh-indexer  2735 Jan 11 11:58 jvm.options
drwxr-x---  2 wazuh-indexer wazuh-indexer     6 Dec 23 12:07 jvm.options.d
-rw-rw----  1 wazuh-indexer wazuh-indexer  2735 Jan 11 11:47 jvm.options.rpmsave
-rw-rw----  1 wazuh-indexer wazuh-indexer 14808 Dec 23 12:07 log4j2.properties
-rw-rw----  1 wazuh-indexer wazuh-indexer   196 Jan 11 11:47 opensearch.keystore
-rw-------  1 wazuh-indexer wazuh-indexer    73 Jan 11 11:47 .opensearch.keystore.initial_md5sum
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:57 opensearch-notifications
drwxr-x---  2 wazuh-indexer wazuh-indexer    36 Jan 11 11:57 opensearch-notifications-core
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:57 opensearch-observability
drwxr-x---  2 wazuh-indexer wazuh-indexer   263 Jan 11 11:57 opensearch-performance-analyzer
drwxr-x---  2 wazuh-indexer wazuh-indexer    35 Jan 11 11:57 opensearch-reports-scheduler
drwxr-x---  2 wazuh-indexer wazuh-indexer   245 Jan 11 11:57 opensearch-security
-rw-rw----  1 wazuh-indexer wazuh-indexer  2287 Jan 11 11:58 opensearch.yml
-rw-rw----  1 wazuh-indexer wazuh-indexer  2152 Jan 11 11:47 opensearch.yml.rpmsave
[root@ip-172-31-36-228 ec2-user]# systemctl restart wazuh-indexer
[root@ip-172-31-36-228 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-01-11 12:00:58 UTC; 6min ago
     Docs: https://documentation.wazuh.com
 Main PID: 11162 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─11162 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=...

Jan 11 12:00:47 ip-172-31-36-228.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 11 12:00:49 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 12:00:49 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/li...-2.4.1.jar)
Jan 11 12:00:49 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 12:00:49 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 12:00:50 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 12:00:50 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/...-2.4.1.jar)
Jan 11 12:00:50 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 12:00:50 ip-172-31-36-228.ec2.internal systemd-entrypoint[11162]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 12:00:58 ip-172-31-36-228.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

Wazuh server installation and tests

```
[root@ip-172-31-36-228 ec2-user]# bash wazuh-install.sh --wazuh-server wazuh-server
11/01/2023 12:08:30 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 12:08:30 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 12:08:34 INFO: Wazuh development repository added.
11/01/2023 12:08:34 INFO: --- Wazuh server ---
11/01/2023 12:08:34 INFO: Starting the Wazuh manager installation.
11/01/2023 12:08:48 INFO: Wazuh manager installation finished.
11/01/2023 12:08:48 INFO: Starting service wazuh-manager.
11/01/2023 12:08:59 INFO: wazuh-manager service started.
11/01/2023 12:08:59 INFO: Starting Filebeat installation.
11/01/2023 12:09:10 INFO: Filebeat installation finished.
11/01/2023 12:09:10 INFO: Filebeat post-install configuration finished.
11/01/2023 12:09:15 INFO: Starting service filebeat.
11/01/2023 12:09:15 INFO: filebeat service started.
11/01/2023 12:09:15 INFO: Installation finished.
[root@ip-172-31-36-228 ec2-user]# ls -la /etc/wazuh-indexer/
total 56
drwxr-x--- 10 wazuh-indexer wazuh-indexer  4096 Jan 11 12:06 .
drwxr-xr-x 83 root          root           8192 Jan 11 12:09 ..
dr-x------  2 wazuh-indexer wazuh-indexer   117 Jan 11 11:58 certs
-rw-rw----  1 wazuh-indexer wazuh-indexer  2735 Jan 11 11:58 jvm.options
drwxr-x---  2 wazuh-indexer wazuh-indexer     6 Dec 23 12:07 jvm.options.d
-rw-rw----  1 wazuh-indexer wazuh-indexer  2735 Jan 11 11:47 jvm.options.rpmsave
-rw-rw----  1 wazuh-indexer wazuh-indexer 14808 Dec 23 12:07 log4j2.properties
-rw-rw----  1 wazuh-indexer wazuh-indexer   196 Jan 11 11:47 opensearch.keystore
-rw-------  1 wazuh-indexer wazuh-indexer    73 Jan 11 11:47 .opensearch.keystore.initial_md5sum
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:57 opensearch-notifications
drwxr-x---  2 wazuh-indexer wazuh-indexer    36 Jan 11 11:57 opensearch-notifications-core
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:57 opensearch-observability
drwxr-x---  2 wazuh-indexer wazuh-indexer   263 Jan 11 11:57 opensearch-performance-analyzer
drwxr-x---  2 wazuh-indexer wazuh-indexer    35 Jan 11 11:57 opensearch-reports-scheduler
drwxr-x---  2 wazuh-indexer wazuh-indexer   245 Jan 11 11:57 opensearch-security
-rw-rw----  1 wazuh-indexer wazuh-indexer  2287 Jan 11 11:58 opensearch.yml
-rw-rw----  1 wazuh-indexer wazuh-indexer  2152 Jan 11 11:47 opensearch.yml.rpmsave
[root@ip-172-31-36-228 ec2-user]# systemctl restart wazuh-indexer
[root@ip-172-31-36-228 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-01-11 12:10:11 UTC; 14s ago
     Docs: https://documentation.wazuh.com
 Main PID: 15398 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─15398 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=...

Jan 11 12:10:01 ip-172-31-36-228.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 11 12:10:03 ip-172-31-36-228.ec2.internal systemd-entrypoint[15398]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 12:10:03 ip-172-31-36-228.ec2.internal systemd-entrypoint[15398]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/li...-2.4.1.jar)
Jan 11 12:10:03 ip-172-31-36-228.ec2.internal systemd-entrypoint[15398]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 12:10:03 ip-172-31-36-228.ec2.internal systemd-entrypoint[15398]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 12:10:04 ip-172-31-36-228.ec2.internal systemd-entrypoint[15398]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 12:10:04 ip-172-31-36-228.ec2.internal systemd-entrypoint[15398]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/...-2.4.1.jar)
Jan 11 12:10:04 ip-172-31-36-228.ec2.internal systemd-entrypoint[15398]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 12:10:04 ip-172-31-36-228.ec2.internal systemd-entrypoint[15398]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 12:10:11 ip-172-31-36-228.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-36-228 ec2-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@ip-172-31-36-228 ec2-user]#
```

Wazuh Dashboard installation and tests

```
[root@ip-172-31-36-228 ec2-user]# bash wazuh-install.sh --wazuh-dashboard wazuh-dashboard
11/01/2023 12:15:50 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 12:15:50 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 12:15:55 INFO: Wazuh development repository added.
wazuh-dashboard
11/01/2023 12:15:55 INFO: --- Wazuh dashboard ----
11/01/2023 12:15:55 INFO: Starting Wazuh dashboard installation.
11/01/2023 12:16:54 INFO: Wazuh dashboard installation finished.
11/01/2023 12:16:54 INFO: Wazuh dashboard post-install configuration finished.
11/01/2023 12:16:54 INFO: Starting service wazuh-dashboard.
11/01/2023 12:16:54 INFO: wazuh-dashboard service started.
11/01/2023 12:17:11 INFO: Initializing Wazuh dashboard web application.
11/01/2023 12:17:11 INFO: Wazuh dashboard web application initialized.
11/01/2023 12:17:11 INFO: --- Summary ---
11/01/2023 12:17:11 INFO: You can access the web interface https://
    User: admin
    Password: UPtQ.kepJM8W.?b2IY9ORTkpFgl9t+rr
11/01/2023 12:17:11 INFO: Installation finished.
[root@ip-172-31-36-228 ec2-user]# ls -la /etc/wazuh-indexer/
total 56
drwxr-x--- 10 wazuh-indexer wazuh-indexer  4096 Jan 11 12:06 .
drwxr-xr-x 84 root          root           8192 Jan 11 12:16 ..
dr-x------  2 wazuh-indexer wazuh-indexer   117 Jan 11 11:58 certs
-rw-rw----  1 wazuh-indexer wazuh-indexer  2735 Jan 11 11:58 jvm.options
drwxr-x---  2 wazuh-indexer wazuh-indexer     6 Dec 23 12:07 jvm.options.d
-rw-rw----  1 wazuh-indexer wazuh-indexer  2735 Jan 11 11:47 jvm.options.rpmsave
-rw-rw----  1 wazuh-indexer wazuh-indexer 14808 Dec 23 12:07 log4j2.properties
-rw-rw----  1 wazuh-indexer wazuh-indexer   196 Jan 11 11:47 opensearch.keystore
-rw-------  1 wazuh-indexer wazuh-indexer    73 Jan 11 11:47 .opensearch.keystore.initial_md5sum
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:57 opensearch-notifications
drwxr-x---  2 wazuh-indexer wazuh-indexer    36 Jan 11 11:57 opensearch-notifications-core
drwxr-x---  2 wazuh-indexer wazuh-indexer    31 Jan 11 11:57 opensearch-observability
drwxr-x---  2 wazuh-indexer wazuh-indexer   263 Jan 11 11:57 opensearch-performance-analyzer
drwxr-x---  2 wazuh-indexer wazuh-indexer    35 Jan 11 11:57 opensearch-reports-scheduler
drwxr-x---  2 wazuh-indexer wazuh-indexer   245 Jan 11 11:57 opensearch-security
-rw-rw----  1 wazuh-indexer wazuh-indexer  2287 Jan 11 11:58 opensearch.yml
-rw-rw----  1 wazuh-indexer wazuh-indexer  2152 Jan 11 11:47 opensearch.yml.rpmsave
[root@ip-172-31-36-228 ec2-user]# systemctl restart wazuh-indexer
[root@ip-172-31-36-228 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-01-11 12:18:16 UTC; 6s ago
     Docs: https://documentation.wazuh.com
 Main PID: 16557 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─16557 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=...

Jan 11 12:18:06 ip-172-31-36-228.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 11 12:18:08 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 12:18:08 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/li...-2.4.1.jar)
Jan 11 12:18:08 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 12:18:08 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 12:18:09 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 12:18:09 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/...-2.4.1.jar)
Jan 11 12:18:09 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 12:18:09 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 12:18:16 ip-172-31-36-228.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

![image](https://user-images.githubusercontent.com/61122643/211805270-a363a054-a989-47e5-9090-3f3ce706cf17.png)

Reboot test

```
[root@ip-172-31-36-228 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-01-11 12:18:16 UTC; 55min ago
     Docs: https://documentation.wazuh.com
 Main PID: 16557 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─16557 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=...

Jan 11 12:18:06 ip-172-31-36-228.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 11 12:18:08 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 12:18:08 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/li...-2.4.1.jar)
Jan 11 12:18:08 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 12:18:08 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 12:18:09 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 12:18:09 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/...-2.4.1.jar)
Jan 11 12:18:09 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 12:18:09 ip-172-31-36-228.ec2.internal systemd-entrypoint[16557]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 12:18:16 ip-172-31-36-228.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-36-228 ec2-user]# reboot
```

```
Last login: Wed Jan 11 13:13:06 2023 from 47.62.20.200

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-172-31-36-228 ~]$ sudo su
[root@ip-172-31-36-228 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-01-11 13:14:33 UTC; 3s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2475 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2475 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

Jan 11 13:14:14 ip-172-31-36-228.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 11 13:14:17 ip-172-31-36-228.ec2.internal systemd-entrypoint[2475]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 13:14:17 ip-172-31-36-228.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib...-2.4.1.jar)
Jan 11 13:14:17 ip-172-31-36-228.ec2.internal systemd-entrypoint[2475]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 13:14:17 ip-172-31-36-228.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 13:14:19 ip-172-31-36-228.ec2.internal systemd-entrypoint[2475]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 13:14:19 ip-172-31-36-228.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/o...-2.4.1.jar)
Jan 11 13:14:19 ip-172-31-36-228.ec2.internal systemd-entrypoint[2475]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 13:14:19 ip-172-31-36-228.ec2.internal systemd-entrypoint[2475]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 13:14:33 ip-172-31-36-228.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-36-228 ec2-user]#
```

:green_circle: Distributed Installation

| Component | OS |
|---|---|
| Wazuh Indexer | CentOS 7 |
| Wazuh server | RHEL 9 |
| Wazuh Dashboard | Debian 10 |
| Agent | Windows XP |

On each step, the tests performed check whether the directory /etc/wazuh-indexer/backup exists, restart the Wazuh Indexer service and check that it doesn't stop. Normal tests for the cluster and Filebeat are also performed.

:green_circle: Wazuh Indexer installation and tests

```
[vagrant@centos7 ~]$ sudo bash wazuh-install.sh --wazuh-indexer wazuh-indexer
11/01/2023 13:20:22 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 13:20:22 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 13:20:31 INFO: Wazuh development repository added.
11/01/2023 13:20:31 INFO: --- Wazuh indexer ---
11/01/2023 13:20:31 INFO: Starting Wazuh indexer installation.
11/01/2023 13:25:18 INFO: Wazuh indexer installation finished.
11/01/2023 13:25:18 INFO: Wazuh indexer post-install configuration finished.
11/01/2023 13:25:18 INFO: Starting service wazuh-indexer.
11/01/2023 13:25:35 INFO: wazuh-indexer service started.
11/01/2023 13:25:35 INFO: Initializing Wazuh indexer cluster security settings.
11/01/2023 13:25:40 INFO: Wazuh indexer cluster initialized.
11/01/2023 13:25:40 INFO: Installation finished.
[vagrant@centos7 ~]$ systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-01-11 13:25:35 UTC; 5min ago
     Docs: https://documentation.wazuh.com
 Main PID: 3723 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─3723 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...
[vagrant@centos7 ~]$ bash wazuh-install.sh --start-cluster
wazuh-install.sh: line 2535: /var/log/wazuh-install.log: Permission denied
This script must be run as root.
[vagrant@centos7 ~]$ sudo bash wazuh-install.sh --start-cluster
11/01/2023 13:32:27 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 13:32:27 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 13:32:42 INFO: Wazuh indexer cluster security configuration initialized.
11/01/2023 13:32:55 INFO: Wazuh indexer cluster started.
[vagrant@centos7 ~]$ sudo su
[root@centos7 vagrant]# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
indexer_username: 'admin'
indexer_password: 'lmi.l4H28fvTsBjZ?5i6+1YQOAWpgIhP'
[root@centos7 vagrant]#
[root@centos7 vagrant]#
[root@centos7 vagrant]# curl -k -u admin:lmi.l4H28fvTsBjZ?5i6+1YQOAWpgIhP https://192.168.57.102:9200
{
  "name" : "wazuh-indexer",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "rvD0C1MUQgCRx_YzKnkyeQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@centos7 vagrant]# curl -k -u admin:lmi.l4H28fvTsBjZ?5i6+1YQOAWpgIhP https://192.168.57.102:9200/_cat/nodes?v
ip             heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                               cluster_manager name
192.168.57.102            8          94   1    0.12    0.22     0.17 dimmr     cluster_manager,data,ingest,master,remote_cluster_client *               wazuh-indexer
[root@centos7 vagrant]# reboot
```

- After reboot

```
[root@centos7 vagrant]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-01-11 13:35:39 UTC; 302ms ago
     Docs: https://documentation.wazuh.com
 Main PID: 705 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─705 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=tr...

Jan 11 13:35:19 centos7 systemd[1]: Starting Wazuh-indexer...
Jan 11 13:35:23 centos7 systemd-entrypoint[705]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 13:35:23 centos7 systemd-entrypoint[705]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 11 13:35:23 centos7 systemd-entrypoint[705]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 13:35:23 centos7 systemd-entrypoint[705]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 13:35:24 centos7 systemd-entrypoint[705]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 13:35:24 centos7 systemd-entrypoint[705]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 11 13:35:24 centos7 systemd-entrypoint[705]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 13:35:24 centos7 systemd-entrypoint[705]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 13:35:39 centos7 systemd[1]: Started Wazuh-indexer.
[root@centos7 vagrant]# curl -k -u admin:lmi.l4H28fvTsBjZ?5i6+1YQOAWpgIhP https://192.168.57.102:9200
{
  "name" : "wazuh-indexer",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "rvD0C1MUQgCRx_YzKnkyeQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@centos7 vagrant]# curl -k -u admin:lmi.l4H28fvTsBjZ?5i6+1YQOAWpgIhP https://192.168.57.102:9200/_cat/nodes?v
ip             heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                               cluster_manager name
192.168.57.102           15          69   9    0.70    0.26     0.09 dimmr     cluster_manager,data,ingest,master,remote_cluster_client *               wazuh-indexer
```

:green_circle: Wazuh server installation and test

```
[root@redhat9 vagrant]# bash wazuh-install.sh --wazuh-server wazuh-server
11/01/2023 15:18:43 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 15:18:43 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 15:18:51 INFO: Wazuh development repository added.
11/01/2023 15:18:52 INFO: --- Wazuh server ---
11/01/2023 15:18:52 INFO: Starting the Wazuh manager installation.
11/01/2023 15:19:52 INFO: Wazuh manager installation finished.
11/01/2023 15:19:52 INFO: Starting service wazuh-manager.
11/01/2023 15:20:03 INFO: wazuh-manager service started.
11/01/2023 15:20:03 INFO: Starting Filebeat installation.
11/01/2023 15:20:30 INFO: Filebeat installation finished.
11/01/2023 15:20:32 INFO: Filebeat post-install configuration finished.
11/01/2023 15:20:41 INFO: Starting service filebeat.
11/01/2023 15:20:42 INFO: filebeat service started.
11/01/2023 15:20:42 INFO: Installation finished.
[root@redhat9 vagrant]# filebeat test output
elasticsearch: https://192.168.57.102:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.57.102
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@redhat9 vagrant]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2023-01-11 15:20:03 UTC; 1min 3s ago
      Tasks: 116 (limit: 23585)
     Memory: 258.8M
        CPU: 40.729s
     CGroup: /system.slice/wazuh-manager.service
             ├─11255 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─11295 /var/ossec/bin/wazuh-authd
             ├─11313 /var/ossec/bin/wazuh-db
             ├─11337 /var/ossec/bin/wazuh-execd
             ├─11349 /var/ossec/bin/wazuh-analysisd
             ├─11360 /var/ossec/bin/wazuh-syscheckd
             ├─11377 /var/ossec/bin/wazuh-remoted
             ├─11405 /var/ossec/bin/wazuh-logcollector
             ├─11457 /var/ossec/bin/wazuh-monitord
             ├─11467 /var/ossec/bin/wazuh-modulesd
             ├─12017 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             └─12021 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

Jan 11 15:19:59 redhat9 env[11199]: Started wazuh-db...
Jan 11 15:19:59 redhat9 env[11199]: Started wazuh-execd...
[root@redhat9 vagrant]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2023-01-11 15:20:37 UTC; 58s ago
       Docs: https://www.elastic.co/products/beats/filebeat
   Main PID: 12719 (filebeat)
      Tasks: 7 (limit: 23585)
     Memory: 13.7M
        CPU: 139ms
     CGroup: /system.slice/filebeat.service
             └─12719 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.y>

Jan 11 15:20:37 redhat9 systemd[1]: Started Filebeat sends log files to Logstash or directly to Elastic>
```

- After reboot

```
[vagrant@redhat9 ~]$ systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2023-01-11 15:22:27 UTC; 21s ago
    Process: 849 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 120 (limit: 23585)
     Memory: 797.2M
        CPU: 33.315s
     CGroup: /system.slice/wazuh-manager.service
             ├─ 999 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─1040 /var/ossec/bin/wazuh-authd
             ├─1057 /var/ossec/bin/wazuh-db
             ├─1082 /var/ossec/bin/wazuh-execd
             ├─1085 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─1088 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─1103 /var/ossec/bin/wazuh-analysisd
             ├─1116 /var/ossec/bin/wazuh-syscheckd
             ├─1130 /var/ossec/bin/wazuh-remoted
             ├─1192 /var/ossec/bin/wazuh-logcollector
             ├─1212 /var/ossec/bin/wazuh-monitord
             ├─1222 /var/ossec/bin/wazuh-modulesd
             ├─1939 sh -c "df --local -P 2> /dev/null | awk '{if (NR!=1) print \$6}' | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null"
             ├─1943 xargs -I {} find {} -xdev -type d "(" -perm -0002 -a "!" -perm -1000 ")"
             └─1947 find / -xdev -type d "(" -perm -0002 -a "!" -perm -1000 ")"
[vagrant@redhat9 ~]$ systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2023-01-11 15:22:07 UTC; 48s ago
       Docs: https://www.elastic.co/products/beats/filebeat
   Main PID: 845 (filebeat)
      Tasks: 8 (limit: 23585)
     Memory: 74.1M
        CPU: 134ms
     CGroup: /system.slice/filebeat.service
             └─845 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var>
[vagrant@redhat9 ~]$ sudo filebeat test output
elasticsearch: https://192.168.57.102:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.57.102
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
[vagrant@redhat9 ~]$ curl -k -u admin:lmi.l4H28fvTsBjZ?5i6+1YQOAWpgIhP https://192.168.57.102:9200
{
  "name" : "wazuh-indexer",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "rvD0C1MUQgCRx_YzKnkyeQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
```

:green_circle: Wazuh Dashboard installation and test

```
root@debian10:/home/vagrant# bash wazuh-install.sh --wazuh-dashboard wazuh-dashboard -i
11/01/2023 15:25:05 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 15:25:05 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 15:25:07 WARNING: Hardware and system checks ignored.
11/01/2023 15:25:11 INFO: --- Dependencies ----
11/01/2023 15:25:11 INFO: Installing apt-transport-https.
11/01/2023 15:25:14 INFO: Installing software-properties-common.
11/01/2023 15:25:30 INFO: Wazuh development repository added.
wazuh-dashboard
11/01/2023 15:25:30 INFO: --- Wazuh dashboard ----
11/01/2023 15:25:30 INFO: Starting Wazuh dashboard installation.
11/01/2023 15:29:06 INFO: Wazuh dashboard installation finished.
11/01/2023 15:29:06 INFO: Wazuh dashboard post-install configuration finished.
11/01/2023 15:29:06 INFO: Starting service wazuh-dashboard.
11/01/2023 15:29:06 INFO: wazuh-dashboard service started.
11/01/2023 15:29:24 INFO: Initializing Wazuh dashboard web application.
11/01/2023 15:29:25 INFO: Wazuh dashboard web application initialized.
11/01/2023 15:29:25 INFO: --- Summary ---
11/01/2023 15:29:25 INFO: You can access the web interface https://192.168.57.122
    User: admin
    Password: lmi.l4H28fvTsBjZ?5i6+1YQOAWpgIhP
11/01/2023 15:29:25 INFO: Installation finished.
root@debian10:/home/vagrant# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2023-01-11 15:29:09 UTC; 23s ago
 Main PID: 4076 (node)
    Tasks: 11 (limit: 4701)
   Memory: 189.0M
   CGroup: /system.slice/wazuh-dashboard.service
           └─4076 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=6

Jan 11 15:29:17 debian10 opensearch-dashboards[4076]: {"type":"log","@timestamp":"2023-01-11T15:29:17Z",
Jan 11 15:29:17 debian10 opensearch-dashboards[4076]: {"type":"log","@timestamp":"2023-01-11T15:29:17Z",
Jan 11 15:29:17 debian10 opensearch-dashboards[4076]: {"type":"log","@timestamp":"2023-01-11T15:29:17Z",
Jan 11 15:29:17 debian10 opensearch-dashboards[4076]: {"type":"log","@timestamp":"2023-01-11T15:29:17Z",
Jan 11 15:29:17 debian10 opensearch-dashboards[4076]: {"type":"log","@timestamp":"2023-01-11T15:29:17Z",
Jan 11 15:29:18 debian10 opensearch-dashboards[4076]: {"type":"log","@timestamp":"2023-01-11T15:29:18Z",
Jan 11 15:29:18 debian10 opensearch-dashboards[4076]: {"type":"log","@timestamp":"2023-01-11T15:29:18Z",
Jan 11 15:29:18 debian10 opensearch-dashboards[4076]: {"type":"log","@timestamp":"2023-01-11T15:29:18Z",
Jan 11 15:29:18 debian10 opensearch-dashboards[4076]: {"type":"log","@timestamp":"2023-01-11T15:29:18Z",
Jan 11 15:29:25 debian10 opensearch-dashboards[4076]: {"type":"response","@timestamp":"2023-01-11T15:29:
root@debian10:/home/vagrant# reboot
```

- After reboot

```
root@debian10:/home/vagrant# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2023-01-11 15:29:45 UTC; 37s ago
 Main PID: 371 (node)
    Tasks: 11 (limit: 4701)
   Memory: 170.3M
   CGroup: /system.slice/wazuh-dashboard.service
           └─371 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65

Jan 11 15:29:45 debian10 systemd[1]: Started wazuh-dashboard.
root@debian10:/home/vagrant# curl -k -u admin:lmi.l4H28fvTsBjZ?5i6+1YQOAWpgIhP https://192.168.57.102:9200
{
  "name" : "wazuh-indexer",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "rvD0C1MUQgCRx_YzKnkyeQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@debian10:/home/vagrant#
```

![image](https://user-images.githubusercontent.com/61122643/211848073-93b3c189-784c-4242-adf0-f22d96b71789.png)

Problem with the API:

```
INFO: No current API selected
INFO: Getting API hosts...
INFO: API hosts found: 1
INFO: Checking API host id [default]...
INFO: Could not connect to API id [default]: 3099 - ERROR3099 - Wazuh not ready yet
INFO: Removed [navigate] cookie
ERROR: No API available to connect
```

When trying it from inside the Wazuh server node, the API is accessible:

```
[root@redhat9 vagrant]# TOKEN=$(curl -u wazuh:dairRaEb4Yj8VJHjm+8Y.aGs?am5I78I -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   398  100   398    0     0    493      0 --:--:-- --:--:-- --:--:--   493
[root@redhat9 vagrant]# echo $TOKEN
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjczNDUyNzA1LCJleHAiOjE2NzM0NTM2MDUsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.AXxMz7jezK4MiWHhQeShtkL0lQYeLowP6CYzU7SNF7J67s0COxiveq1mTZNW-l9XsCCQfQBwTth5gztJ-dhLOcFNAT7RQjWsaPiWjLX_PwlIi6cEXvPskaXKzX4dQyzMpa76Pr5VGwKanHm5YbFAG4ylgHjYL8p7yU5ZRAacrXtyFj3f
[root@redhat9 vagrant]# curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer $TOKEN"
{"data": {"title": "Wazuh API REST", "api_version": "4.4.0", "revision": 40402, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/4.3/LICENSE", "hostname": "redhat9", "timestamp": "2023-01-11T15:58:39Z"}, "error": 0}
```

When trying to connect to the API from the host hosting the Dashboard, this error appears:

```
root@debian10:/home/vagrant# TOKEN=$(curl -u wazuh:dairRaEb4Yj8VJHjm+8Y.aGs?am5I78I -k -X GET "https://192.168.57.119:55000/security/user/authenticate?raw=true")
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed to connect to 192.168.57.119 port 55000: No route to host
```

The result of an `nmap` for the Wazuh server host:

```
[verdx@pop-os 1962]$ nmap -Pn 192.168.57.119
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-11 17:08 CET
Nmap scan report for 192.168.57.119
Host is up (0.44s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
9090/tcp closed zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 83.11 seconds
```

After disabling the firewall in the Wazuh dashboard host, the system is correctly accessed from the dashboard.

- Wazuh Dashboard before disabling firewalld

```
root@debian10:/home/vagrant# TOKEN=$(curl -u wazuh:dairRaEb4Yj8VJHjm+8Y.aGs?am5I78I -k -X GET "https://192.168.57.119:55000/security/user/authenticate?raw=true")
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed connect to 192.168.57.119:55000; No route to host
root@debian10:/home/vagrant#
```

- Wazuh server commands:

```
[root@redhat9 vagrant]# TOKEN=$(curl -u wazuh:dairRaEb4Yj8VJHjm+8Y.aGs?am5I78I -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   398  100   398    0     0    221      0  0:00:01  0:00:01 --:--:--   221
[root@redhat9 vagrant]# systemctl stop firewalld
[root@redhat9 vagrant]# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
```

- After disabling firewalld:

```
root@debian10:/home/vagrant# TOKEN=$(curl -u wazuh:dairRaEb4Yj8VJHjm+8Y.aGs?am5I78I -k -X GET "https://192.168.57.119:55000/security/user/authenticate?raw=true")
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   398  100   398    0     0    651      0 --:--:-- --:--:-- --:--:--   651
root@debian10:/home/vagrant#
```
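The diagnosis above was reached by hand: curl from the dashboard host reported "No route to host" for the server API port while nmap showed it as filtered, which points at the server host's firewall rather than at the API service. The following is an added example, not code from this thread or from Wazuh: a small Python probe that classifies each Wazuh component port as open, closed or filtered from a remote host, so that a filtered 55000/tcp leads to a firewall check (allowing the one port is the narrower fix than stopping firewalld). The port table, the loopback self-check and the firewall-cmd hint are assumptions for this example.

```python
"""Classify reachability of Wazuh component ports from a remote host.

Added example for this thread, not Wazuh project code. Distinguishing
"closed" (the host answers, nothing listens) from "filtered" (no answer,
or an ICMP unreachable) says whether to inspect the service or the firewall.
"""
from __future__ import annotations

import errno
import socket
from typing import Optional

# Default Wazuh listening ports (assumption: standard single-node layout).
WAZUH_PORTS = {
    "indexer REST API": 9200,
    "server API": 55000,
    "agent enrollment (authd)": 1515,
    "agent connection (remoted)": 1514,
    "dashboard HTTPS": 443,
}

# connect() errors meaning the host answered but nothing listens on the port.
_CLOSED = {errno.ECONNREFUSED}
# connect() errors meaning the path is blocked. EHOSTUNREACH is what the
# thread's "curl: (7) ... No route to host" maps to (an ICMP reject from
# firewalld); a silent DROP rule shows up as a timeout instead.
_FILTERED = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT}


def classify(err: Optional[int]) -> str:
    """Map a connect() errno to 'closed', 'filtered' or 'error'."""
    if err in _CLOSED:
        return "closed"
    if err in _FILTERED:
        return "filtered"
    return "error"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP-connect to host:port and report open / closed / filtered / error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:  # no SYN-ACK and no ICMP within the timeout
        return "filtered"
    except OSError as exc:
        return classify(exc.errno)


def probe_wazuh_host(host: str, ports: dict[str, int] = WAZUH_PORTS) -> dict[str, str]:
    """Probe every component port on one host; returns {component: state}."""
    return {name: probe(host, port) for name, port in ports.items()}


def diagnose(host: str, states: dict[str, str], ports: dict[str, int] = WAZUH_PORTS) -> list[str]:
    """Turn per-component states into the next check, in the thread's own terms."""
    hints = []
    for name, state in states.items():
        port = ports[name]
        if state == "filtered":
            # Narrower fix than `systemctl disable firewalld`: allow just this port.
            hints.append(
                f"{host}:{port} ({name}) filtered: check the firewall on {host}, e.g. "
                f"firewall-cmd --permanent --add-port={port}/tcp && firewall-cmd --reload"
            )
        elif state == "closed":
            hints.append(
                f"{host}:{port} ({name}) closed: host answers but nothing listens; "
                f"check the service with systemctl status on {host}"
            )
    return hints


# Constructed samples mirroring what curl printed in the thread plus the two
# neighbouring outcomes, keyed by the message a tester would see.
SAMPLE_ERRNOS = {
    "curl: (7) Failed to connect to 192.168.57.119 port 55000: No route to host": errno.EHOSTUNREACH,
    "curl: (7) Failed to connect to 192.168.57.119 port 55000: Connection refused": errno.ECONNREFUSED,
    "curl: (28) Connection timed out after 3000 milliseconds": errno.ETIMEDOUT,
}


def classify_samples() -> dict[str, str]:
    return {msg: classify(err) for msg, err in SAMPLE_ERRNOS.items()}


def self_check() -> dict[str, str]:
    """Offline demonstration on loopback: a bound listener reads 'open'; the
    same port once the listener is gone reads 'closed' (ECONNREFUSED)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = probe("127.0.0.1", port, timeout=1.0)
    srv.close()
    gone = probe("127.0.0.1", port, timeout=1.0)
    return {"listening": listening, "nothing_listening": gone}


if __name__ == "__main__":
    print(self_check())
    for hint in diagnose("192.168.57.119", {"server API": "filtered"}):
        print(hint)
```

Run `probe_wazuh_host("<server-ip>")` from the dashboard host and feed the result to `diagnose` to get the per-port next step.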
verdx commented 1 year ago

Testing

:green_circle: AIO with -a Installation (Ubuntu 22)

```
root@ip-172-31-36-185:/home/ubuntu# bash wazuh-install.sh -a
11/01/2023 16:36:48 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 16:36:48 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 16:37:00 INFO: --- Dependencies ----
11/01/2023 16:37:00 INFO: Installing apt-transport-https.
11/01/2023 16:37:06 INFO: Wazuh development repository added.
11/01/2023 16:37:06 INFO: --- Configuration files ---
11/01/2023 16:37:06 INFO: Generating configuration files.
11/01/2023 16:37:07 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
11/01/2023 16:37:07 INFO: --- Wazuh indexer ---
11/01/2023 16:37:07 INFO: Starting Wazuh indexer installation.
11/01/2023 16:37:59 INFO: Wazuh indexer installation finished.
11/01/2023 16:37:59 INFO: Wazuh indexer post-install configuration finished.
11/01/2023 16:37:59 INFO: Starting service wazuh-indexer.
11/01/2023 16:38:10 INFO: wazuh-indexer service started.
11/01/2023 16:38:10 INFO: Initializing Wazuh indexer cluster security settings.
11/01/2023 16:38:21 INFO: Wazuh indexer cluster initialized.
11/01/2023 16:38:21 INFO: --- Wazuh server ---
11/01/2023 16:38:21 INFO: Starting the Wazuh manager installation.
11/01/2023 16:39:02 INFO: Wazuh manager installation finished.
11/01/2023 16:39:02 INFO: Starting service wazuh-manager.
11/01/2023 16:39:18 INFO: wazuh-manager service started.
11/01/2023 16:39:18 INFO: Starting Filebeat installation.
11/01/2023 16:39:25 INFO: Filebeat installation finished.
11/01/2023 16:39:25 INFO: Filebeat post-install configuration finished.
11/01/2023 16:39:25 INFO: Starting service filebeat.
11/01/2023 16:39:26 INFO: filebeat service started.
11/01/2023 16:39:26 INFO: --- Wazuh dashboard ---
11/01/2023 16:39:26 INFO: Starting Wazuh dashboard installation.
11/01/2023 16:40:26 INFO: Wazuh dashboard installation finished.
11/01/2023 16:40:26 INFO: Wazuh dashboard post-install configuration finished.
11/01/2023 16:40:26 INFO: Starting service wazuh-dashboard.
11/01/2023 16:40:26 INFO: wazuh-dashboard service started.
11/01/2023 16:40:44 INFO: Initializing Wazuh dashboard web application.
11/01/2023 16:40:44 INFO: Wazuh dashboard web application initialized.
11/01/2023 16:40:44 INFO: --- Summary ---
11/01/2023 16:40:44 INFO: You can access the web interface https://
    User: admin
    Password: EM.aspDD7lEYYNY7f5vJvy*9j.nMwcHP
11/01/2023 16:40:44 INFO: Installation finished.
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:38:10 UTC; 3min 52s ago
       Docs: https://documentation.wazuh.com
   Main PID: 3598 (java)
      Tasks: 81 (limit: 9100)
     Memory: 4.1G
        CPU: 50.794s
     CGroup: /system.slice/wazuh-indexer.service
             └─3598 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t>

Jan 11 16:37:59 ip-172-31-36-185 systemd[1]: Starting Wazuh-indexer...
Jan 11 16:38:02 ip-172-31-36-185 systemd-entrypoint[3598]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 16:38:02 ip-172-31-36-185 systemd-entrypoint[3598]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 11 16:38:02 ip-172-31-36-185 systemd-entrypoint[3598]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 16:38:02 ip-172-31-36-185 systemd-entrypoint[3598]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 16:38:03 ip-172-31-36-185 systemd-entrypoint[3598]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 16:38:03 ip-172-31-36-185 systemd-entrypoint[3598]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 11 16:38:03 ip-172-31-36-185 systemd-entrypoint[3598]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 16:38:03 ip-172-31-36-185 systemd-entrypoint[3598]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 16:38:10 ip-172-31-36-185 systemd[1]: Started Wazuh-indexer.
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:39:18 UTC; 2min 50s ago
      Tasks: 136 (limit: 9100)
     Memory: 428.7M
        CPU: 25.417s
     CGroup: /system.slice/wazuh-manager.service
             ├─42075 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─42114 /var/ossec/bin/wazuh-authd
             ├─42131 /var/ossec/bin/wazuh-db
             ├─42157 /var/ossec/bin/wazuh-execd
             ├─42161 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─42164 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─42177 /var/ossec/bin/wazuh-analysisd
             ├─42238 /var/ossec/bin/wazuh-syscheckd
             ├─42254 /var/ossec/bin/wazuh-remoted
             ├─42285 /var/ossec/bin/wazuh-logcollector
             ├─42308 /var/ossec/bin/wazuh-monitord
             └─42351 /var/ossec/bin/wazuh-modulesd

Jan 11 16:39:09 ip-172-31-36-185 env[42019]: Started wazuh-db...
Jan 11 16:39:10 ip-172-31-36-185 env[42019]: Started wazuh-execd...
Jan 11 16:39:11 ip-172-31-36-185 env[42019]: Started wazuh-analysisd...
Jan 11 16:39:12 ip-172-31-36-185 env[42019]: Started wazuh-syscheckd...
Jan 11 16:39:13 ip-172-31-36-185 env[42019]: Started wazuh-remoted...
Jan 11 16:39:14 ip-172-31-36-185 env[42019]: Started wazuh-logcollector...
Jan 11 16:39:15 ip-172-31-36-185 env[42019]: Started wazuh-monitord...
Jan 11 16:39:16 ip-172-31-36-185 env[42019]: Started wazuh-modulesd...
Jan 11 16:39:18 ip-172-31-36-185 env[42019]: Completed.
Jan 11 16:39:18 ip-172-31-36-185 systemd[1]: Started Wazuh manager.
root@ip-172-31-36-185:/home/ubuntu# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:40:33 UTC; 1min 40s ago
       Docs: https://www.elastic.co/products/beats/filebeat
   Main PID: 44509 (filebeat)
      Tasks: 8 (limit: 9100)
     Memory: 9.2M
        CPU: 53ms
     CGroup: /system.slice/filebeat.service
             └─44509 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /v>

Jan 11 16:40:33 ip-172-31-36-185 systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:40:34 UTC; 1min 45s ago
   Main PID: 44579 (node)
      Tasks: 11 (limit: 9100)
     Memory: 139.0M
        CPU: 7.635s
     CGroup: /system.slice/wazuh-dashboard.service
             └─44579 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard>

Jan 11 16:40:38 ip-172-31-36-185 opensearch-dashboards[44579]: {"type":"log","@timestamp":"2023-01-11T16:40:38Z","tags":["info","plugins-service"],"pid":44579,"message":"Plugin \"dataSourceManagement\" has been>
Jan 11 16:40:38 ip-172-31-36-185 opensearch-dashboards[44579]: {"type":"log","@timestamp":"2023-01-11T16:40:38Z","tags":["info","plugins-service"],"pid":44579,"message":"Plugin \"dataSource\" is disabled."}
Jan 11 16:40:38 ip-172-31-36-185 opensearch-dashboards[44579]: {"type":"log","@timestamp":"2023-01-11T16:40:38Z","tags":["info","plugins-service"],"pid":44579,"message":"Plugin \"visTypeXy\" is disabled."}
Jan 11 16:40:38 ip-172-31-36-185 opensearch-dashboards[44579]: {"type":"log","@timestamp":"2023-01-11T16:40:38Z","tags":["info","plugins-system"],"pid":44579,"message":"Setting up [45] plugins: [alertingDashboa>
Jan 11 16:40:39 ip-172-31-36-185 opensearch-dashboards[44579]: {"type":"log","@timestamp":"2023-01-11T16:40:39Z","tags":["info","savedobjects-service"],"pid":44579,"message":"Waiting until all OpenSearch nodes >
Jan 11 16:40:39 ip-172-31-36-185 opensearch-dashboards[44579]: {"type":"log","@timestamp":"2023-01-11T16:40:39Z","tags":["info","savedobjects-service"],"pid":44579,"message":"Starting saved objects migrations"}
Jan 11 16:40:39 ip-172-31-36-185 opensearch-dashboards[44579]: {"type":"log","@timestamp":"2023-01-11T16:40:39Z","tags":["info","plugins-system"],"pid":44579,"message":"Starting [45] plugins: [alertingDashboard>
Jan 11 16:40:40 ip-172-31-36-185 opensearch-dashboards[44579]: {"type":"log","@timestamp":"2023-01-11T16:40:40Z","tags":["listening","info"],"pid":44579,"message":"Server running at https://0.0.0.0:443"}
Jan 11 16:40:40 ip-172-31-36-185 opensearch-dashboards[44579]: {"type":"log","@timestamp":"2023-01-11T16:40:40Z","tags":["info","http","server","OpenSearchDashboards"],"pid":44579,"message":"http server running>
Jan 11 16:40:44 ip-172-31-36-185 opensearch-dashboards[44579]: {"type":"response","@timestamp":"2023-01-11T16:40:44Z","tags":[],"pid":44579,"method":"get","statusCode":200,"req":{"url":"/status","method":"get",>
root@ip-172-31-36-185:/home/ubuntu# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
root@ip-172-31-36-185:/home/ubuntu# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
indexer_username: 'admin'
indexer_password: 'EM.aspDD7lEYYNY7f5vJvy*9j.nMwcHP'
root@ip-172-31-36-185:/home/ubuntu# curl -k -u admin:EM.aspDD7lEYYNY7f5vJvy*9j.nMwcHP https://localhost:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "OWE5mjYUR4iOP6xkuU-KxQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@ip-172-31-36-185:/home/ubuntu# reboot
```

- After reboot

```
Last login: Wed Jan 11 16:35:36 2023 from 80.174.8.76
ubuntu@ip-172-31-36-185:~$ sudo su
root@ip-172-31-36-185:/home/ubuntu# systemctl wazuh*
Unknown command verb wazuh-install-files.tar.
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:43:42 UTC; 17s ago
       Docs: https://documentation.wazuh.com
   Main PID: 493 (java)
      Tasks: 81 (limit: 9100)
     Memory: 4.2G
        CPU: 42.042s
     CGroup: /system.slice/wazuh-indexer.service
             └─493 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=tr>

Jan 11 16:43:18 ip-172-31-36-185 systemd[1]: Starting Wazuh-indexer...
Jan 11 16:43:23 ip-172-31-36-185 systemd-entrypoint[493]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 16:43:23 ip-172-31-36-185 systemd-entrypoint[493]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 11 16:43:23 ip-172-31-36-185 systemd-entrypoint[493]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 16:43:23 ip-172-31-36-185 systemd-entrypoint[493]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 16:43:27 ip-172-31-36-185 systemd-entrypoint[493]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 16:43:27 ip-172-31-36-185 systemd-entrypoint[493]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 11 16:43:27 ip-172-31-36-185 systemd-entrypoint[493]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 16:43:27 ip-172-31-36-185 systemd-entrypoint[493]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 16:43:42 ip-172-31-36-185 systemd[1]: Started Wazuh-indexer.
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:43:37 UTC; 27s ago
    Process: 494 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 136 (limit: 9100)
     Memory: 719.6M
        CPU: 29.100s
     CGroup: /system.slice/wazuh-manager.service
             ├─ 977 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─1019 /var/ossec/bin/wazuh-authd
             ├─1057 /var/ossec/bin/wazuh-db
             ├─1091 /var/ossec/bin/wazuh-execd
             ├─1095 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─1098 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─1139 /var/ossec/bin/wazuh-analysisd
             ├─1236 /var/ossec/bin/wazuh-syscheckd
             ├─1324 /var/ossec/bin/wazuh-remoted
             ├─1404 /var/ossec/bin/wazuh-logcollector
             ├─1468 /var/ossec/bin/wazuh-monitord
             └─1489 /var/ossec/bin/wazuh-modulesd

Jan 11 16:43:27 ip-172-31-36-185 env[494]: Started wazuh-db...
Jan 11 16:43:28 ip-172-31-36-185 env[494]: Started wazuh-execd...
Jan 11 16:43:29 ip-172-31-36-185 env[494]: Started wazuh-analysisd...
Jan 11 16:43:30 ip-172-31-36-185 env[494]: Started wazuh-syscheckd...
Jan 11 16:43:32 ip-172-31-36-185 env[494]: Started wazuh-remoted...
Jan 11 16:43:33 ip-172-31-36-185 env[494]: Started wazuh-logcollector...
Jan 11 16:43:34 ip-172-31-36-185 env[494]: Started wazuh-monitord...
Jan 11 16:43:35 ip-172-31-36-185 env[494]: Started wazuh-modulesd...
Jan 11 16:43:37 ip-172-31-36-185 env[494]: Completed.
Jan 11 16:43:37 ip-172-31-36-185 systemd[1]: Started Wazuh manager.
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:43:18 UTC; 50s ago
   Main PID: 491 (node)
      Tasks: 11 (limit: 9100)
     Memory: 310.1M
        CPU: 9.404s
     CGroup: /system.slice/wazuh-dashboard.service
             └─491 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/o>

Jan 11 16:43:43 ip-172-31-36-185 opensearch-dashboards[491]: {"type":"log","@timestamp":"2023-01-11T16:43:43Z","tags":["error","opensearch","data"],"pid":491,"message":"[ResponseError]: Response Error"}
Jan 11 16:43:45 ip-172-31-36-185 opensearch-dashboards[491]: {"type":"log","@timestamp":"2023-01-11T16:43:45Z","tags":["error","opensearch","data"],"pid":491,"message":"[ResponseError]: Response Error"}
Jan 11 16:43:47 ip-172-31-36-185 opensearch-dashboards[491]: {"type":"log","@timestamp":"2023-01-11T16:43:47Z","tags":["error","opensearch","data"],"pid":491,"message":"[ResponseError]: Response Error"}
Jan 11 16:43:50 ip-172-31-36-185 opensearch-dashboards[491]: {"type":"log","@timestamp":"2023-01-11T16:43:50Z","tags":["error","opensearch","data"],"pid":491,"message":"[ResponseError]: Response Error"}
Jan 11 16:43:52 ip-172-31-36-185 opensearch-dashboards[491]: {"type":"log","@timestamp":"2023-01-11T16:43:52Z","tags":["error","opensearch","data"],"pid":491,"message":"[ResponseError]: Response Error"}
Jan 11 16:43:55 ip-172-31-36-185 opensearch-dashboards[491]: {"type":"log","@timestamp":"2023-01-11T16:43:55Z","tags":["error","opensearch","data"],"pid":491,"message":"[ResponseError]: Response Error"}
Jan 11 16:43:58 ip-172-31-36-185 opensearch-dashboards[491]: {"type":"log","@timestamp":"2023-01-11T16:43:58Z","tags":["info","savedobjects-service"],"pid":491,"message":"Starting saved objects migrations"}
Jan 11 16:43:58 ip-172-31-36-185 opensearch-dashboards[491]: {"type":"log","@timestamp":"2023-01-11T16:43:58Z","tags":["info","plugins-system"],"pid":491,"message":"Starting [45] plugins: [alertingDashboards,us>
Jan 11 16:43:58 ip-172-31-36-185 opensearch-dashboards[491]: {"type":"log","@timestamp":"2023-01-11T16:43:58Z","tags":["listening","info"],"pid":491,"message":"Server running at https://0.0.0.0:443"}
Jan 11 16:43:59 ip-172-31-36-185 opensearch-dashboards[491]: {"type":"log","@timestamp":"2023-01-11T16:43:59Z","tags":["info","http","server","OpenSearchDashboards"],"pid":491,"message":"http server running at >
root@ip-172-31-36-185:/home/ubuntu# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:43:18 UTC; 56s ago
       Docs: https://www.elastic.co/products/beats/filebeat
   Main PID: 475 (filebeat)
      Tasks: 9 (limit: 9100)
     Memory: 49.5M
        CPU: 134ms
     CGroup: /system.slice/filebeat.service
             └─475 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var>

Jan 11 16:43:18 ip-172-31-36-185 systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
root@ip-172-31-36-185:/home/ubuntu# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
root@ip-172-31-36-185:/home/ubuntu# curl -k -u admin:EM.aspDD7lEYYNY7f5vJvy*9j.nMwcHP https://localhost:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "OWE5mjYUR4iOP6xkuU-KxQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@ip-172-31-36-185:/home/ubuntu#
```

![image](https://user-images.githubusercontent.com/61122643/211865706-b8ecd5be-5f78-4066-b1a1-5d6e8a3febba.png)

:green_circle: AIO step-by-step installation (Amazon Linux 2)

Wazuh Indexer installation and checks

```
root@ip-172-31-36-185:/home/ubuntu# bash wazuh-install.sh --wazuh-indexer wazuh-indexer -o
11/01/2023 16:49:47 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 16:49:47 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 16:49:48 INFO: --- Removing existing Wazuh installation ---
11/01/2023 16:49:48 INFO: Removing Wazuh indexer.
11/01/2023 16:49:49 INFO: Wazuh indexer removed.
11/01/2023 16:49:49 INFO: Wazuh GPG key was not found in the system
11/01/2023 16:49:49 INFO: Installation cleaned.
11/01/2023 16:49:53 INFO: Wazuh development repository added.
11/01/2023 16:49:53 INFO: --- Wazuh indexer ---
11/01/2023 16:49:53 INFO: Starting Wazuh indexer installation.
11/01/2023 16:50:27 INFO: Wazuh indexer installation finished.
11/01/2023 16:50:27 INFO: Wazuh indexer post-install configuration finished.
11/01/2023 16:50:27 INFO: Starting service wazuh-indexer.
11/01/2023 16:50:40 INFO: wazuh-indexer service started.
11/01/2023 16:50:40 INFO: Initializing Wazuh indexer cluster security settings.
11/01/2023 16:50:41 INFO: Wazuh indexer cluster initialized.
11/01/2023 16:50:41 INFO: Installation finished.
root@ip-172-31-36-185:/home/ubuntu# bash wazuh-install.sh --start-cluster
11/01/2023 16:51:39 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 16:51:39 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 16:51:43 INFO: Wazuh indexer cluster security configuration initialized.
11/01/2023 16:51:50 INFO: Wazuh indexer cluster started.
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:50:40 UTC; 1min 21s ago
       Docs: https://documentation.wazuh.com
   Main PID: 5633 (java)
      Tasks: 81 (limit: 9100)
     Memory: 4.1G
        CPU: 41.944s
     CGroup: /system.slice/wazuh-indexer.service
             └─5633 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t>

Jan 11 16:50:28 ip-172-31-36-185 systemd[1]: Starting Wazuh-indexer...
Jan 11 16:50:30 ip-172-31-36-185 systemd-entrypoint[5633]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 16:50:30 ip-172-31-36-185 systemd-entrypoint[5633]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 11 16:50:30 ip-172-31-36-185 systemd-entrypoint[5633]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 16:50:30 ip-172-31-36-185 systemd-entrypoint[5633]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 16:50:31 ip-172-31-36-185 systemd-entrypoint[5633]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 16:50:31 ip-172-31-36-185 systemd-entrypoint[5633]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 11 16:50:31 ip-172-31-36-185 systemd-entrypoint[5633]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 16:50:31 ip-172-31-36-185 systemd-entrypoint[5633]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 16:50:40 ip-172-31-36-185 systemd[1]: Started Wazuh-indexer.
root@ip-172-31-36-185:/home/ubuntu# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
indexer_username: 'admin'
indexer_password: 'EM.aspDD7lEYYNY7f5vJvy*9j.nMwcHP'
root@ip-172-31-36-185:/home/ubuntu# curl -k -u admin:EM.aspDD7lEYYNY7f5vJvy*9j.nMwcHP https://127.0.0.1:9200
{
  "name" : "wazuh-indexer",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "OWE5mjYUR4iOP6xkuU-KxQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@ip-172-31-36-185:/home/ubuntu#
```

Wazuh server installation and tests

```
root@ip-172-31-36-185:/home/ubuntu# bash wazuh-install.sh --wazuh-server wazuh-server
11/01/2023 16:53:24 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 16:53:24 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 16:53:30 INFO: Wazuh development repository added.
11/01/2023 16:53:30 INFO: --- Wazuh server ---
11/01/2023 16:53:30 INFO: Starting the Wazuh manager installation.
11/01/2023 16:54:00 INFO: Wazuh manager installation finished.
11/01/2023 16:54:00 INFO: Starting service wazuh-manager.
11/01/2023 16:54:17 INFO: wazuh-manager service started.
11/01/2023 16:54:17 INFO: Starting Filebeat installation.
11/01/2023 16:54:21 INFO: Filebeat installation finished.
11/01/2023 16:54:22 INFO: Filebeat post-install configuration finished.
11/01/2023 16:54:26 INFO: Starting service filebeat.
11/01/2023 16:54:27 INFO: filebeat service started.
11/01/2023 16:54:27 INFO: Installation finished.
root@ip-172-31-36-185:/home/ubuntu#
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-manager filebeat
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:54:17 UTC; 25s ago
      Tasks: 135 (limit: 9100)
     Memory: 231.6M
        CPU: 23.766s
     CGroup: /system.slice/wazuh-manager.service
             ├─45738 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─45777 /var/ossec/bin/wazuh-authd
             ├─45793 /var/ossec/bin/wazuh-db
             ├─45808 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─45811 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─45823 /var/ossec/bin/wazuh-execd
             ├─45837 /var/ossec/bin/wazuh-analysisd
             ├─45898 /var/ossec/bin/wazuh-syscheckd
             ├─45914 /var/ossec/bin/wazuh-remoted
             ├─45946 /var/ossec/bin/wazuh-logcollector
             ├─45995 /var/ossec/bin/wazuh-monitord
             └─46055 /var/ossec/bin/wazuh-modulesd

Jan 11 16:54:07 ip-172-31-36-185 env[45682]: Started wazuh-db...
Jan 11 16:54:08 ip-172-31-36-185 env[45682]: Started wazuh-execd...
Jan 11 16:54:09 ip-172-31-36-185 env[45682]: Started wazuh-analysisd...
Jan 11 16:54:10 ip-172-31-36-185 env[45682]: Started wazuh-syscheckd...
Jan 11 16:54:12 ip-172-31-36-185 env[45682]: Started wazuh-remoted...
Jan 11 16:54:13 ip-172-31-36-185 env[45682]: Started wazuh-logcollector...
Jan 11 16:54:14 ip-172-31-36-185 env[45682]: Started wazuh-monitord...
Jan 11 16:54:15 ip-172-31-36-185 env[45682]: Started wazuh-modulesd...
Jan 11 16:54:17 ip-172-31-36-185 env[45682]: Completed.
root@ip-172-31-36-185:/home/ubuntu# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:54:24 UTC; 29s ago
       Docs: https://www.elastic.co/products/beats/filebeat
   Main PID: 47221 (filebeat)
      Tasks: 9 (limit: 9100)
     Memory: 11.0M
        CPU: 81ms
     CGroup: /system.slice/filebeat.service
             └─47221 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /v>

Jan 11 16:54:24 ip-172-31-36-185 systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
root@ip-172-31-36-185:/home/ubuntu# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

Wazuh Dashboard installation and tests

```
root@ip-172-31-36-185:/home/ubuntu# bash wazuh-install.sh --wazuh-dashboard wazuh-dashboard
11/01/2023 16:55:31 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
11/01/2023 16:55:31 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/01/2023 16:55:37 INFO: Wazuh development repository added.
wazuh-dashboard
11/01/2023 16:55:37 INFO: --- Wazuh dashboard ----
11/01/2023 16:55:37 INFO: Starting Wazuh dashboard installation.
11/01/2023 16:56:16 INFO: Wazuh dashboard installation finished.
11/01/2023 16:56:16 INFO: Wazuh dashboard post-install configuration finished.
11/01/2023 16:56:16 INFO: Starting service wazuh-dashboard.
11/01/2023 16:56:16 INFO: wazuh-dashboard service started.
11/01/2023 16:56:30 INFO: Initializing Wazuh dashboard web application.
11/01/2023 16:56:30 INFO: Wazuh dashboard web application initialized.
11/01/2023 16:56:30 INFO: --- Summary ---
11/01/2023 16:56:30 INFO: You can access the web interface https://
    User: admin
    Password: EM.aspDD7lEYYNY7f5vJvy*9j.nMwcHP
11/01/2023 16:56:30 INFO: Installation finished.
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 16:56:20 UTC; 11min ago
   Main PID: 49042 (node)
      Tasks: 11 (limit: 9100)
     Memory: 139.3M
        CPU: 7.441s
     CGroup: /system.slice/wazuh-dashboard.service
             └─49042 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard>

Jan 11 16:56:23 ip-172-31-36-185 opensearch-dashboards[49042]: {"type":"log","@timestamp":"2023-01-11T16:56:23Z","tags":["info","plugins-service"],"pid":49042,"message":"Plugin \"dataSourceManagement\" has been>
Jan 11 16:56:23 ip-172-31-36-185 opensearch-dashboards[49042]: {"type":"log","@timestamp":"2023-01-11T16:56:23Z","tags":["info","plugins-service"],"pid":49042,"message":"Plugin \"dataSource\" is disabled."}
Jan 11 16:56:23 ip-172-31-36-185 opensearch-dashboards[49042]: {"type":"log","@timestamp":"2023-01-11T16:56:23Z","tags":["info","plugins-service"],"pid":49042,"message":"Plugin \"visTypeXy\" is disabled."}
Jan 11 16:56:24 ip-172-31-36-185 opensearch-dashboards[49042]: {"type":"log","@timestamp":"2023-01-11T16:56:24Z","tags":["info","plugins-system"],"pid":49042,"message":"Setting up [45] plugins: [alertingDashboa>
Jan 11 16:56:24 ip-172-31-36-185 opensearch-dashboards[49042]: {"type":"log","@timestamp":"2023-01-11T16:56:24Z","tags":["info","savedobjects-service"],"pid":49042,"message":"Waiting until all OpenSearch nodes >
Jan 11 16:56:24 ip-172-31-36-185 opensearch-dashboards[49042]: {"type":"log","@timestamp":"2023-01-11T16:56:24Z","tags":["info","savedobjects-service"],"pid":49042,"message":"Starting saved objects migrations"}
Jan 11 16:56:24 ip-172-31-36-185 opensearch-dashboards[49042]: {"type":"log","@timestamp":"2023-01-11T16:56:24Z","tags":["info","plugins-system"],"pid":49042,"message":"Starting [45] plugins: [alertingDashboard>
Jan 11 16:56:25 ip-172-31-36-185 opensearch-dashboards[49042]: {"type":"log","@timestamp":"2023-01-11T16:56:25Z","tags":["listening","info"],"pid":49042,"message":"Server running at https://0.0.0.0:443"}
Jan 11 16:56:25 ip-172-31-36-185 opensearch-dashboards[49042]: {"type":"log","@timestamp":"2023-01-11T16:56:25Z","tags":["info","http","server","OpenSearchDashboards"],"pid":49042,"message":"http server running>
Jan 11 16:56:30 ip-172-31-36-185 opensearch-dashboards[49042]: {"type":"response","@timestamp":"2023-01-11T16:56:30Z","tags":[],"pid":49042,"method":"get","statusCode":200,"req":{"url":"/status","method":"get",>
root@ip-172-31-36-185:/home/ubuntu#
```

![image](https://user-images.githubusercontent.com/61122643/211870969-40fe8dd7-6076-4cd4-83e3-1dbf0075513f.png)

Reboot test

- After the reboot

```
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 17:09:11 UTC; 1min 53s ago
       Docs: https://documentation.wazuh.com
   Main PID: 490 (java)
      Tasks: 81 (limit: 9100)
     Memory: 4.3G
        CPU: 46.931s
     CGroup: /system.slice/wazuh-indexer.service
             └─490 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=tr>

Jan 11 17:08:48 ip-172-31-36-185 systemd[1]: Starting Wazuh-indexer...
Jan 11 17:08:52 ip-172-31-36-185 systemd-entrypoint[490]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 17:08:52 ip-172-31-36-185 systemd-entrypoint[490]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 11 17:08:52 ip-172-31-36-185 systemd-entrypoint[490]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 11 17:08:52 ip-172-31-36-185 systemd-entrypoint[490]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 17:08:55 ip-172-31-36-185 systemd-entrypoint[490]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 11 17:08:55 ip-172-31-36-185 systemd-entrypoint[490]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 11 17:08:55 ip-172-31-36-185 systemd-entrypoint[490]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 11 17:08:55 ip-172-31-36-185 systemd-entrypoint[490]: WARNING: System::setSecurityManager will be removed in a future release
Jan 11 17:09:11 ip-172-31-36-185 systemd[1]: Started Wazuh-indexer.
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 17:09:05 UTC; 2min 3s ago
    Process: 491 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 136 (limit: 9100)
     Memory: 723.8M
        CPU: 30.127s
     CGroup: /system.slice/wazuh-manager.service
             ├─ 995 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─1036 /var/ossec/bin/wazuh-authd
             ├─1061 /var/ossec/bin/wazuh-db
             ├─1089 /var/ossec/bin/wazuh-execd
             ├─1177 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─1183 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─1203 /var/ossec/bin/wazuh-analysisd
             ├─1236 /var/ossec/bin/wazuh-syscheckd
             ├─1303 /var/ossec/bin/wazuh-remoted
             ├─1334 /var/ossec/bin/wazuh-logcollector
             ├─1353 /var/ossec/bin/wazuh-monitord
             └─1374 /var/ossec/bin/wazuh-modulesd

Jan 11 17:08:56 ip-172-31-36-185 env[491]: Started wazuh-db...
Jan 11 17:08:57 ip-172-31-36-185 env[491]: Started wazuh-execd...
Jan 11 17:08:58 ip-172-31-36-185 env[491]: Started wazuh-analysisd...
Jan 11 17:08:59 ip-172-31-36-185 env[491]: Started wazuh-syscheckd...
Jan 11 17:09:00 ip-172-31-36-185 env[491]: Started wazuh-remoted...
Jan 11 17:09:01 ip-172-31-36-185 env[491]: Started wazuh-logcollector...
Jan 11 17:09:02 ip-172-31-36-185 env[491]: Started wazuh-monitord...
Jan 11 17:09:03 ip-172-31-36-185 env[491]: Started wazuh-modulesd...
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 17:08:48 UTC; 2min 25s ago
   Main PID: 489 (node)
      Tasks: 11 (limit: 9100)
     Memory: 262.0M
        CPU: 9.867s
     CGroup: /system.slice/wazuh-dashboard.service
             └─489 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/o>

Jan 11 17:09:24 ip-172-31-36-185 opensearch-dashboards[489]: {"type":"log","@timestamp":"2023-01-11T17:09:24Z","tags":["error","opensearch","data"],"pid":489,"message":"[ResponseError]: Response Error"}
Jan 11 17:09:27 ip-172-31-36-185 opensearch-dashboards[489]: {"type":"log","@timestamp":"2023-01-11T17:09:27Z","tags":["info","savedobjects-service"],"pid":489,"message":"Starting saved objects migrations"}
Jan 11 17:09:27 ip-172-31-36-185 opensearch-dashboards[489]: {"type":"log","@timestamp":"2023-01-11T17:09:27Z","tags":["info","plugins-system"],"pid":489,"message":"Starting [45] plugins: [alertingDashboards,us>
Jan 11 17:09:27 ip-172-31-36-185 opensearch-dashboards[489]: {"type":"log","@timestamp":"2023-01-11T17:09:27Z","tags":["listening","info"],"pid":489,"message":"Server running at https://0.0.0.0:443"}
Jan 11 17:09:28 ip-172-31-36-185 opensearch-dashboards[489]: {"type":"log","@timestamp":"2023-01-11T17:09:28Z","tags":["info","http","server","OpenSearchDashboards"],"pid":489,"message":"http server running at >
Jan 11 17:10:00 ip-172-31-36-185 opensearch-dashboards[489]: {"type":"log","@timestamp":"2023-01-11T17:10:00Z","tags":["error","opensearch","data"],"pid":489,"message":"[resource_already_exists_exception]: inde>
Jan 11 17:10:00 ip-172-31-36-185 opensearch-dashboards[489]: {"type":"log","@timestamp":"2023-01-11T17:10:00Z","tags":["error","opensearch","data"],"pid":489,"message":"[mapper_parsing_exception]: failed to par>
Jan 11 17:10:00 ip-172-31-36-185 opensearch-dashboards[489]: {"type":"log","@timestamp":"2023-01-11T17:10:00Z","tags":["error","plugins","wazuh","cron-scheduler"],"pid":489,"message":"{\"error\":{\"root_cause\">
Jan 11 17:10:00 ip-172-31-36-185 opensearch-dashboards[489]: {"type":"log","@timestamp":"2023-01-11T17:10:00Z","tags":["error","opensearch","data"],"pid":489,"message":"[mapper_parsing_exception]: failed to par>
Jan 11 17:10:00 ip-172-31-36-185 opensearch-dashboards[489]: {"type":"log","@timestamp":"2023-01-11T17:10:00Z","tags":["error","plugins","wazuh","cron-scheduler"],"pid":489,"message":"{\"error\":{\"root_cause\">
root@ip-172-31-36-185:/home/ubuntu# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-11 17:08:48 UTC; 2min 32s ago
       Docs: https://www.elastic.co/products/beats/filebeat
   Main PID: 476 (filebeat)
      Tasks: 10 (limit: 9100)
     Memory: 50.9M
        CPU: 152ms
     CGroup: /system.slice/filebeat.service
             └─476 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var>

Jan 11 17:08:48 ip-172-31-36-185 systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
root@ip-172-31-36-185:/home/ubuntu# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
root@ip-172-31-36-185:/home/ubuntu# curl -k -u admin:EM.aspDD7lEYYNY7f5vJvy*9j.nMwcHP https://127.0.0.1:9200
{
  "name" : "wazuh-indexer",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "OWE5mjYUR4iOP6xkuU-KxQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@ip-172-31-36-185:/home/ubuntu#
```
verdx commented 1 year ago

Testing

:green_circle: Distributed multi-node (6 hosts)

| Name | OS | Component(s) |
| --- | --- | --- |
| U1 | Ubuntu 22 | indexer-1 |
| U2 | Ubuntu 22 | server-1 |
| U1 | Ubuntu 22 | server-2 |
| A1 | Amazon Linux 2 | indexer-2 |
| A2 | Amazon Linux 2 | indexer-3, server-3 |
| A3 | Amazon Linux 2 | dashboard |

:green_circle: Install node indexer-1

```
root@ip-172-31-36-185:/home/ubuntu# bash wazuh-install.sh --generate-config-files
12/01/2023 10:33:14 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
12/01/2023 10:33:14 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2023 10:33:15 INFO: --- Configuration files ---
12/01/2023 10:33:15 INFO: Generating configuration files.
12/01/2023 10:33:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
root@ip-172-31-36-185:/home/ubuntu# bash wazuh-install.sh --wazuh-indexer indexer-1 -o
12/01/2023 10:38:23 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
12/01/2023 10:38:23 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2023 10:38:24 INFO: --- Removing existing Wazuh installation ---
12/01/2023 10:38:24 INFO: Removing Wazuh indexer.
12/01/2023 10:38:25 INFO: Wazuh indexer removed.
12/01/2023 10:38:25 INFO: Wazuh GPG key was not found in the system
12/01/2023 10:38:25 INFO: Installation cleaned.
12/01/2023 10:38:32 INFO: Wazuh development repository added.
12/01/2023 10:38:32 INFO: --- Wazuh indexer ---
12/01/2023 10:38:32 INFO: Starting Wazuh indexer installation.
12/01/2023 10:39:06 INFO: Wazuh indexer installation finished.
12/01/2023 10:39:07 INFO: Wazuh indexer post-install configuration finished.
12/01/2023 10:39:07 INFO: Starting service wazuh-indexer.
12/01/2023 10:39:17 INFO: wazuh-indexer service started.
12/01/2023 10:39:17 INFO: Initializing Wazuh indexer cluster security settings.
12/01/2023 10:39:17 INFO: Wazuh indexer cluster initialized.
12/01/2023 10:39:17 INFO: Installation finished.
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-01-12 10:39:17 UTC; 3min 31s ago
       Docs: https://documentation.wazuh.com
   Main PID: 13953 (java)
      Tasks: 74 (limit: 9100)
     Memory: 4.1G
        CPU: 30.186s
     CGroup: /system.slice/wazuh-indexer.service
             └─13953 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=>

Jan 12 10:39:07 ip-172-31-36-185 systemd[1]: Starting Wazuh-indexer...
Jan 12 10:39:09 ip-172-31-36-185 systemd-entrypoint[13953]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 12 10:39:09 ip-172-31-36-185 systemd-entrypoint[13953]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 12 10:39:09 ip-172-31-36-185 systemd-entrypoint[13953]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 12 10:39:09 ip-172-31-36-185 systemd-entrypoint[13953]: WARNING: System::setSecurityManager will be removed in a future release
Jan 12 10:39:10 ip-172-31-36-185 systemd-entrypoint[13953]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 12 10:39:10 ip-172-31-36-185 systemd-entrypoint[13953]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Jan 12 10:39:10 ip-172-31-36-185 systemd-entrypoint[13953]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
root@ip-172-31-36-185:/home/ubuntu#
```

:green_circle: Install node indexer-2

```
[root@ip-172-31-32-168 ec2-user]# bash wazuh-install.sh --wazuh-indexer indexer-2 -i
12/01/2023 10:46:50 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
12/01/2023 10:46:50 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2023 10:46:52 WARNING: Hardware and system checks ignored.
12/01/2023 10:46:54 INFO: Wazuh development repository added.
12/01/2023 10:46:54 INFO: --- Wazuh indexer ---
12/01/2023 10:46:54 INFO: Starting Wazuh indexer installation.
12/01/2023 10:47:42 INFO: Wazuh indexer installation finished.
12/01/2023 10:47:42 INFO: Wazuh indexer post-install configuration finished.
12/01/2023 10:47:42 INFO: Starting service wazuh-indexer.
12/01/2023 10:47:58 INFO: wazuh-indexer service started.
12/01/2023 10:47:58 INFO: Initializing Wazuh indexer cluster security settings.
12/01/2023 10:47:59 INFO: Wazuh indexer cluster initialized.
12/01/2023 10:47:59 INFO: Installation finished.
[root@ip-172-31-32-168 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-01-12 10:47:58 UTC; 19s ago
     Docs: https://documentation.wazuh.com
 Main PID: 32510 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─32510 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cac...

Jan 12 10:47:42 ip-172-31-32-168.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 12 10:47:44 ip-172-31-32-168.ec2.internal systemd-entrypoint[32510]: WARNING: A terminally depre...d
Jan 12 10:47:44 ip-172-31-32-168.ec2.internal systemd-entrypoint[32510]: WARNING: System::setSecurit...)
Jan 12 10:47:44 ip-172-31-32-168.ec2.internal systemd-entrypoint[32510]: WARNING: Please consider re...h
Jan 12 10:47:44 ip-172-31-32-168.ec2.internal systemd-entrypoint[32510]: WARNING: System::setSecurit...e
Jan 12 10:47:46 ip-172-31-32-168.ec2.internal systemd-entrypoint[32510]: WARNING: A terminally depre...d
Jan 12 10:47:46 ip-172-31-32-168.ec2.internal systemd-entrypoint[32510]: WARNING: System::setSecurit...)
Jan 12 10:47:46 ip-172-31-32-168.ec2.internal systemd-entrypoint[32510]: WARNING: Please consider re...y
Jan 12 10:47:46 ip-172-31-32-168.ec2.internal systemd-entrypoint[32510]: WARNING: System::setSecurit...e
Jan 12 10:47:58 ip-172-31-32-168.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-32-168 ec2-user]#
```

:green_circle: Install node indexer-3

```
[root@ip-172-31-37-200 ec2-user]# bash wazuh-install.sh --wazuh-indexer indexer-3 -i
12/01/2023 10:49:31 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
12/01/2023 10:49:31 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2023 10:49:32 WARNING: Hardware and system checks ignored.
12/01/2023 10:49:35 INFO: Wazuh development repository added.
12/01/2023 10:49:35 INFO: --- Wazuh indexer ---
12/01/2023 10:49:35 INFO: Starting Wazuh indexer installation.
12/01/2023 10:50:22 INFO: Wazuh indexer installation finished.
12/01/2023 10:50:22 INFO: Wazuh indexer post-install configuration finished.
12/01/2023 10:50:22 INFO: Starting service wazuh-indexer.
12/01/2023 10:50:37 INFO: wazuh-indexer service started.
12/01/2023 10:50:37 INFO: Initializing Wazuh indexer cluster security settings.
12/01/2023 10:50:38 INFO: Wazuh indexer cluster initialized.
12/01/2023 10:50:38 INFO: Installation finished.
[root@ip-172-31-37-200 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-01-12 10:50:37 UTC; 9s ago
     Docs: https://documentation.wazuh.com
 Main PID: 32568 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─32568 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cac...

Jan 12 10:50:23 ip-172-31-37-200.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 12 10:50:25 ip-172-31-37-200.ec2.internal systemd-entrypoint[32568]: WARNING: A terminally depre...d
Jan 12 10:50:25 ip-172-31-37-200.ec2.internal systemd-entrypoint[32568]: WARNING: System::setSecurit...)
Jan 12 10:50:25 ip-172-31-37-200.ec2.internal systemd-entrypoint[32568]: WARNING: Please consider re...h
Jan 12 10:50:25 ip-172-31-37-200.ec2.internal systemd-entrypoint[32568]: WARNING: System::setSecurit...e
Jan 12 10:50:26 ip-172-31-37-200.ec2.internal systemd-entrypoint[32568]: WARNING: A terminally depre...d
Jan 12 10:50:26 ip-172-31-37-200.ec2.internal systemd-entrypoint[32568]: WARNING: System::setSecurit...)
Jan 12 10:50:26 ip-172-31-37-200.ec2.internal systemd-entrypoint[32568]: WARNING: Please consider re...y
Jan 12 10:50:26 ip-172-31-37-200.ec2.internal systemd-entrypoint[32568]: WARNING: System::setSecurit...e
Jan 12 10:50:37 ip-172-31-37-200.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-37-200 ec2-user]#
```

:green_circle: Start indexer cluster and tests

- Start cluster

```
[root@ip-172-31-37-200 ec2-user]# bash wazuh-install.sh --start-cluster
12/01/2023 10:54:28 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
12/01/2023 10:54:28 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2023 10:54:34 INFO: Wazuh indexer cluster security configuration initialized.
12/01/2023 10:54:43 INFO: Wazuh indexer cluster started.
```

- Access cluster from all nodes

```
[root@ip-172-31-37-200 ec2-user]# curl -k -u admin:9+cOJ28VT+R7Ja9kK.lAWzZfcjrWcZsU https://172.31.37.200:9200
{
  "name" : "indexer-3",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "OWE5mjYUR4iOP6xkuU-KxQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@ip-172-31-37-200 ec2-user]# curl -k -u admin:9+cOJ28VT+R7Ja9kK.lAWzZfcjrWcZsU https://172.31.36.185:9200
{
  "name" : "indexer-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "OWE5mjYUR4iOP6xkuU-KxQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@ip-172-31-37-200 ec2-user]# curl -k -u admin:9+cOJ28VT+R7Ja9kK.lAWzZfcjrWcZsU https://172.31.32.168:9200
{
  "name" : "indexer-2",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "OWE5mjYUR4iOP6xkuU-KxQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@ip-172-31-37-200 ec2-user]#
```

- Reboot all nodes and check services

```
root@ip-172-31-36-185:/home/ubuntu# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-01-12 11:13:36 UTC; 1s ago
       Docs: https://documentation.wazuh.com
   Main PID: 504 (java)
      Tasks: 58 (limit: 9100)
     Memory: 4.2G
        CPU: 39.654s
     CGroup: /system.slice/wazuh-indexer.service
             └─504 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache>

Jan 12 11:13:15 ip-172-31-36-185 systemd[1]: Starting Wazuh-indexer...
Jan 12 11:13:18 ip-172-31-36-185 systemd-entrypoint[504]: WARNING: A terminally deprecated method in ja>
Jan 12 11:13:18 ip-172-31-36-185 systemd-entrypoint[504]: WARNING: System::setSecurityManager has been >
Jan 12 11:13:18 ip-172-31-36-185 systemd-entrypoint[504]: WARNING: Please consider reporting this to th>
Jan 12 11:13:18 ip-172-31-36-185 systemd-entrypoint[504]: WARNING: System::setSecurityManager will be r>
Jan 12 11:13:19 ip-172-31-36-185 systemd-entrypoint[504]: WARNING: A terminally deprecated method in ja>
Jan 12 11:13:19 ip-172-31-36-185 systemd-entrypoint[504]: WARNING: System::setSecurityManager has been >
Jan 12 11:13:19 ip-172-31-36-185 systemd-entrypoint[504]: WARNING: Please consider reporting this to th>
root@ip-172-31-36-185:/home/ubuntu#
```

```
[root@ip-172-31-32-168 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-01-12 11:13:37 UTC; 44s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2324 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2324 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cach...

Jan 12 11:13:15 ip-172-31-32-168.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 12 11:13:19 ip-172-31-32-168.ec2.internal systemd-entrypoint[2324]: WARNING: A terminally deprec...d
Jan 12 11:13:19 ip-172-31-32-168.ec2.internal systemd-entrypoint[2324]: WARNING: System::setSecurity...)
Jan 12 11:13:19 ip-172-31-32-168.ec2.internal systemd-entrypoint[2324]: WARNING: Please consider rep...h
Jan 12 11:13:19 ip-172-31-32-168.ec2.internal systemd-entrypoint[2324]: WARNING: System::setSecurity...e
Jan 12 11:13:21 ip-172-31-32-168.ec2.internal systemd-entrypoint[2324]: WARNING: A terminally deprec...d
Jan 12 11:13:21 ip-172-31-32-168.ec2.internal systemd-entrypoint[2324]: WARNING: System::setSecurity...)
Jan 12 11:13:21 ip-172-31-32-168.ec2.internal systemd-entrypoint[2324]: WARNING: Please consider rep...y
Jan 12 11:13:21 ip-172-31-32-168.ec2.internal systemd-entrypoint[2324]: WARNING: System::setSecurity...e
Jan 12 11:13:37 ip-172-31-32-168.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

```
[root@ip-172-31-37-200 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-01-12 11:13:37 UTC; 1min 25s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2317 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2317 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cach...

Jan 12 11:13:16 ip-172-31-37-200.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jan 12 11:13:20 ip-172-31-37-200.ec2.internal systemd-entrypoint[2317]: WARNING: A terminally deprec...d
Jan 12 11:13:20 ip-172-31-37-200.ec2.internal systemd-entrypoint[2317]: WARNING: System::setSecurity...)
Jan 12 11:13:20 ip-172-31-37-200.ec2.internal systemd-entrypoint[2317]: WARNING: Please consider rep...h
Jan 12 11:13:20 ip-172-31-37-200.ec2.internal systemd-entrypoint[2317]: WARNING: System::setSecurity...e
Jan 12 11:13:22 ip-172-31-37-200.ec2.internal systemd-entrypoint[2317]: WARNING: A terminally deprec...d
Jan 12 11:13:22 ip-172-31-37-200.ec2.internal systemd-entrypoint[2317]: WARNING: System::setSecurity...)
Jan 12 11:13:22 ip-172-31-37-200.ec2.internal systemd-entrypoint[2317]: WARNING: Please consider rep...y
Jan 12 11:13:22 ip-172-31-37-200.ec2.internal systemd-entrypoint[2317]: WARNING: System::setSecurity...e
Jan 12 11:13:37 ip-172-31-37-200.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
```

- Cluster working after reboot:

```
[root@ip-172-31-37-200 ec2-user]# curl -k -u admin:9+cOJ28VT+R7Ja9kK.lAWzZfcjrWcZsU https://172.31.36.185:9200
{
  "name" : "indexer-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "OWE5mjYUR4iOP6xkuU-KxQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@ip-172-31-37-200 ec2-user]#
```

:green_circle: Install node server-1 (master)

``` root@ip-172-31-47-230:/home/ubuntu# bash wazuh-install.sh --wazuh-server server-1 12/01/2023 11:24:44 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 11:24:44 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 11:24:54 INFO: --- Dependencies ---- 12/01/2023 11:24:54 INFO: Installing apt-transport-https. 12/01/2023 11:24:59 INFO: Wazuh development repository added. 12/01/2023 11:24:59 INFO: --- Wazuh server --- 12/01/2023 11:24:59 INFO: Starting the Wazuh manager installation. 12/01/2023 11:25:33 INFO: Wazuh manager installation finished. 12/01/2023 11:25:33 INFO: Starting service wazuh-manager. 12/01/2023 11:25:50 INFO: wazuh-manager service started. 12/01/2023 11:25:50 INFO: Starting Filebeat installation. 12/01/2023 11:25:56 INFO: Filebeat installation finished. 12/01/2023 11:25:57 INFO: Filebeat post-install configuration finished. 12/01/2023 11:26:01 INFO: Starting service filebeat. 12/01/2023 11:26:02 INFO: filebeat service started. 12/01/2023 11:26:02 INFO: Installation finished. root@ip-172-31-47-230:/home/ubuntu# systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2023-01-12 11:25:50 UTC; 26s ago Tasks: 120 (limit: 4404) Memory: 476.6M CPU: 28.701s CGroup: /system.slice/wazuh-manager.service ├─41181 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─41221 /var/ossec/bin/wazuh-authd ├─41237 /var/ossec/bin/wazuh-db root@ip-172-31-47-230:/home/ubuntu# systemctl status filebeat ● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch. 
Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2023-01-12 11:25:59 UTC; 23s ago Docs: https://www.elastic.co/products/beats/filebeat Main PID: 42565 (filebeat) Tasks: 8 (limit: 4404) Memory: 12.6M CPU: 118ms CGroup: /system.slice/filebeat.service └─42565 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.y> root@ip-172-31-47-230:/home/ubuntu# filebeat test output elasticsearch: https://172.31.36.185:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.36.185 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://172.31.32.168:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.32.168 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://172.31.37.200:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.37.200 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 ```

:green_circle: Install node server-2 (worker)

``` root@ip-172-31-47-156:/home/ubuntu# bash wazuh-install.sh --wazuh-server server-2 12/01/2023 11:26:06 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 11:26:06 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 11:26:16 INFO: --- Dependencies ---- 12/01/2023 11:26:16 INFO: Installing apt-transport-https. 12/01/2023 11:26:21 INFO: Wazuh development repository added. 12/01/2023 11:26:21 INFO: --- Wazuh server --- 12/01/2023 11:26:21 INFO: Starting the Wazuh manager installation. 12/01/2023 11:26:55 INFO: Wazuh manager installation finished. 12/01/2023 11:26:55 INFO: Starting service wazuh-manager. 12/01/2023 11:27:12 INFO: wazuh-manager service started. 12/01/2023 11:27:12 INFO: Starting Filebeat installation. 12/01/2023 11:27:17 INFO: Filebeat installation finished. 12/01/2023 11:27:18 INFO: Filebeat post-install configuration finished. 12/01/2023 11:27:19 INFO: Starting service filebeat. 12/01/2023 11:27:20 INFO: filebeat service started. 12/01/2023 11:27:20 INFO: Installation finished. root@ip-172-31-47-156:/home/ubuntu# systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2023-01-12 11:27:12 UTC; 23s ago Tasks: 115 (limit: 4404) Memory: 466.7M CPU: 25.692s CGroup: /system.slice/wazuh-manager.service ├─40968 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─41008 /var/ossec/bin/wazuh-authd ├─41023 /var/ossec/bin/wazuh-db ├─41037 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─41040 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py root@ip-172-31-47-156:/home/ubuntu# systemctl status filebeat ● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch. 
Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2023-01-12 11:27:19 UTC; 24s ago Docs: https://www.elastic.co/products/beats/filebeat Main PID: 42311 (filebeat) Tasks: 7 (limit: 4404) Memory: 10.8M CPU: 106ms CGroup: /system.slice/filebeat.service └─42311 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.y> Jan 12 11:27:19 ip-172-31-47-156 systemd[1]: Started Filebeat sends log files to Logstash or directly t> root@ip-172-31-47-156:/home/ubuntu# filebeat test output elasticsearch: https://172.31.36.185:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.36.185 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://172.31.32.168:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.32.168 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://172.31.37.200:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.37.200 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 ```

:green_circle: Install node server-3 (worker)

``` [root@ip-172-31-37-200 ec2-user]# bash wazuh-install.sh --wazuh-server server-3 12/01/2023 11:34:10 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 11:34:10 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 11:34:14 INFO: Wazuh development repository added. 12/01/2023 11:34:15 INFO: --- Wazuh server --- 12/01/2023 11:34:15 INFO: Starting the Wazuh manager installation. 12/01/2023 11:34:28 INFO: Wazuh manager installation finished. 12/01/2023 11:34:28 INFO: Starting service wazuh-manager. 12/01/2023 11:34:43 INFO: wazuh-manager service started. 12/01/2023 11:34:43 INFO: Starting Filebeat installation. 12/01/2023 11:34:56 INFO: Filebeat installation finished. 12/01/2023 11:34:57 INFO: Filebeat post-install configuration finished. 12/01/2023 11:34:59 INFO: Starting service filebeat. 12/01/2023 11:34:59 INFO: filebeat service started. 12/01/2023 11:34:59 INFO: Installation finished. [root@ip-172-31-37-200 ec2-user]# systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2023-01-12 11:34:43 UTC; 22s ago CGroup: /system.slice/wazuh-manager.service ├─4217 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─4258 /var/ossec/bin/wazuh-authd ├─4275 /var/ossec/bin/wazuh-db ├─4304 /var/ossec/bin/wazuh-execd ├─4306 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─4309 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─4324 /var/ossec/bin/wazuh-analysisd ├─4369 /var/ossec/bin/wazuh-syscheckd ├─4384 /var/ossec/bin/wazuh-remoted ├─4418 /var/ossec/bin/wazuh-logcollector ├─4439 /var/ossec/bin/wazuh-monitord ├─4464 /var/ossec/bin/wazuh-modulesd ├─4644 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd... 
└─4655 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd... Jan 12 11:34:35 ip-172-31-37-200.ec2.internal env[4158]: Started wazuh-execd... Jan 12 11:34:36 ip-172-31-37-200.ec2.internal env[4158]: Started wazuh-analysisd... Jan 12 11:34:37 ip-172-31-37-200.ec2.internal env[4158]: Started wazuh-syscheckd... Jan 12 11:34:38 ip-172-31-37-200.ec2.internal env[4158]: Started wazuh-remoted... Jan 12 11:34:39 ip-172-31-37-200.ec2.internal env[4158]: Started wazuh-logcollector... Jan 12 11:34:40 ip-172-31-37-200.ec2.internal env[4158]: Started wazuh-monitord... Jan 12 11:34:41 ip-172-31-37-200.ec2.internal env[4158]: Started wazuh-modulesd... Jan 12 11:34:41 ip-172-31-37-200.ec2.internal env[4158]: Started wazuh-clusterd... Jan 12 11:34:43 ip-172-31-37-200.ec2.internal env[4158]: Completed. Jan 12 11:34:43 ip-172-31-37-200.ec2.internal systemd[1]: Started Wazuh manager. [root@ip-172-31-37-200 ec2-user]# systemctl status filebeat ● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch. Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2023-01-12 11:34:59 UTC; 12s ago Docs: https://www.elastic.co/products/beats/filebeat Main PID: 5659 (filebeat) CGroup: /system.slice/filebeat.service └─5659 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.ym... Jan 12 11:34:59 ip-172-31-37-200.ec2.internal systemd[1]: Started Filebeat sends log files to Logst..... Hint: Some lines were ellipsized, use -l to show in full. [root@ip-172-31-37-200 ec2-user]# filebeat test output elasticsearch: https://172.31.36.185:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.36.185 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://172.31.32.168:9200... 
parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.32.168 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://172.31.37.200:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.37.200 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 [root@ip-172-31-37-200 ec2-user]# ```

:green_circle: Reboot all server nodes and test filebeat on shared node indexer-3 with filebeat-3

``` [root@ip-172-31-37-200 ec2-user]# filebeat test output elasticsearch: https://172.31.36.185:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.36.185 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://172.31.32.168:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.32.168 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://172.31.37.200:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.37.200 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 [root@ip-172-31-37-200 ec2-user]# systemctl status wazuh-indexer ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2023-01-12 11:36:24 UTC; 11s ago Docs: https://documentation.wazuh.com Main PID: 2326 (java) CGroup: /system.slice/wazuh-indexer.service └─2326 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cach... Jan 12 11:35:54 ip-172-31-37-200.ec2.internal systemd[1]: Starting Wazuh-indexer... Jan 12 11:35:59 ip-172-31-37-200.ec2.internal systemd-entrypoint[2326]: WARNING: A terminally deprec...d Jan 12 11:35:59 ip-172-31-37-200.ec2.internal systemd-entrypoint[2326]: WARNING: System::setSecurity...) 
Jan 12 11:35:59 ip-172-31-37-200.ec2.internal systemd-entrypoint[2326]: WARNING: Please consider rep...h Jan 12 11:35:59 ip-172-31-37-200.ec2.internal systemd-entrypoint[2326]: WARNING: System::setSecurity...e Jan 12 11:36:02 ip-172-31-37-200.ec2.internal systemd-entrypoint[2326]: WARNING: A terminally deprec...d Jan 12 11:36:02 ip-172-31-37-200.ec2.internal systemd-entrypoint[2326]: WARNING: System::setSecurity...) Jan 12 11:36:02 ip-172-31-37-200.ec2.internal systemd-entrypoint[2326]: WARNING: Please consider rep...y Jan 12 11:36:02 ip-172-31-37-200.ec2.internal systemd-entrypoint[2326]: WARNING: System::setSecurity...e Jan 12 11:36:24 ip-172-31-37-200.ec2.internal systemd[1]: Started Wazuh-indexer. Hint: Some lines were ellipsized, use -l to show in full. [root@ip-172-31-37-200 ec2-user]# ```

:green_circle: Install dashboard node

``` [root@ip-172-31-36-228 ec2-user]# bash wazuh-install.sh --wazuh-dashboard dashboard 12/01/2023 11:37:30 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 11:37:30 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 11:37:34 INFO: Wazuh development repository added. dashboard 12/01/2023 11:37:35 INFO: --- Wazuh dashboard ---- 12/01/2023 11:37:35 INFO: Starting Wazuh dashboard installation. 12/01/2023 11:38:33 INFO: Wazuh dashboard installation finished. 12/01/2023 11:38:33 INFO: Wazuh dashboard post-install configuration finished. 12/01/2023 11:38:33 INFO: Starting service wazuh-dashboard. 12/01/2023 11:38:33 INFO: wazuh-dashboard service started. 12/01/2023 11:38:56 INFO: Initializing Wazuh dashboard web application. 12/01/2023 11:38:56 INFO: Wazuh dashboard web application initialized. 12/01/2023 11:38:56 INFO: --- Summary --- 12/01/2023 11:38:56 INFO: You can access the web interface https://172.31.36.228 User: admin Password: 9+cOJ28VT+R7Ja9kK.lAWzZfcjrWcZsU 12/01/2023 11:38:56 INFO: Installation finished. [root@ip-172-31-36-228 ec2-user]# systemctl status wazuh-dashboard ● wazuh-dashboard.service - wazuh-dashboard Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2023-01-12 11:38:41 UTC; 51s ago Main PID: 5140 (node) CGroup: /system.slice/wazuh-dashboard.service └─5140 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-siz... Jan 12 11:38:45 ip-172-31-36-228.ec2.internal opensearch-dashboards[5140]: {"type":"log","@timestamp"... Jan 12 11:38:45 ip-172-31-36-228.ec2.internal opensearch-dashboards[5140]: {"type":"log","@timestamp"... Jan 12 11:38:45 ip-172-31-36-228.ec2.internal opensearch-dashboards[5140]: {"type":"log","@timestamp"... Jan 12 11:38:45 ip-172-31-36-228.ec2.internal opensearch-dashboards[5140]: {"type":"log","@timestamp"... 
Jan 12 11:38:45 ip-172-31-36-228.ec2.internal opensearch-dashboards[5140]: {"type":"log","@timestamp"... Jan 12 11:38:45 ip-172-31-36-228.ec2.internal opensearch-dashboards[5140]: {"type":"log","@timestamp"... Jan 12 11:38:46 ip-172-31-36-228.ec2.internal opensearch-dashboards[5140]: {"type":"log","@timestamp"... Jan 12 11:38:47 ip-172-31-36-228.ec2.internal opensearch-dashboards[5140]: {"type":"log","@timestamp"... Jan 12 11:38:47 ip-172-31-36-228.ec2.internal opensearch-dashboards[5140]: {"type":"log","@timestamp"... Jan 12 11:38:56 ip-172-31-36-228.ec2.internal opensearch-dashboards[5140]: {"type":"response","@times... Hint: Some lines were ellipsized, use -l to show in full. ``` ![image](https://user-images.githubusercontent.com/61122643/212058332-ad08fcb5-d9d1-46a8-b070-b10fac365d46.png) ![image](https://user-images.githubusercontent.com/61122643/212058427-dead45f5-8aa6-4234-bf77-a351364aa26e.png)
verdx commented 1 year ago

Testing

Pair combination testing

| | CentOS 8 | RHEL 8 | Ubuntu 18 |
|---|---|---|---|
| Test 1 | indexer and server | dashboard | - |
| Test 2 | server | - | indexer and dashboard |
| Test 3 | - | dashboard and server | indexer |

Test 1: Indexer+Server, Dashboard

:green_circle: Install indexer

``` [root@centos8 vagrant]# bash wazuh-install.sh --wazuh-indexer indexer-1 12/01/2023 12:14:00 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 12:14:00 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 12:14:05 INFO: Wazuh development repository added. 12/01/2023 12:14:05 INFO: --- Wazuh indexer --- 12/01/2023 12:14:05 INFO: Starting Wazuh indexer installation. 12/01/2023 12:18:16 INFO: Wazuh indexer installation finished. 12/01/2023 12:18:16 INFO: Wazuh indexer post-install configuration finished. 12/01/2023 12:18:16 INFO: Starting service wazuh-indexer. 12/01/2023 12:18:34 INFO: wazuh-indexer service started. 12/01/2023 12:18:34 INFO: Initializing Wazuh indexer cluster security settings. 12/01/2023 12:18:37 INFO: Wazuh indexer cluster initialized. 12/01/2023 12:18:37 INFO: Installation finished. [root@centos8 vagrant]# bash wazuh-install.sh --start-cluster 12/01/2023 12:19:07 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 12:19:07 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 12:19:24 INFO: Wazuh indexer cluster security configuration initialized. 12/01/2023 12:19:36 INFO: Wazuh indexer cluster started. [root@centos8 vagrant]# systemctl status wazuh-indexer ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2023-01-12 12:18:34 UTC; 4min 16s ago Docs: https://documentation.wazuh.com Main PID: 4138 (java) Tasks: 56 (limit: 24912) Memory: 2.2G CGroup: /system.slice/wazuh-indexer.service └─4138 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.> Jan 12 12:18:17 centos8 systemd[1]: Starting Wazuh-indexer... 
Jan 12 12:18:20 centos8 systemd-entrypoint[4138]: WARNING: A terminally deprecated method in java.lang.> Jan 12 12:18:20 centos8 systemd-entrypoint[4138]: WARNING: System::setSecurityManager has been called b> Jan 12 12:18:20 centos8 systemd-entrypoint[4138]: WARNING: Please consider reporting this to the mainta> Jan 12 12:18:20 centos8 systemd-entrypoint[4138]: WARNING: System::setSecurityManager will be removed i> Jan 12 12:18:22 centos8 systemd-entrypoint[4138]: WARNING: A terminally deprecated method in java.lang.> [root@centos8 vagrant]# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1 indexer_username: 'admin' indexer_password: 'i?*TX7yntamKx1*cL9K4bp5U*1SkAf3H' [root@centos8 vagrant]# curl -k -u admin:i?*TX7yntamKx1*cL9K4bp5U*1SkAf3H https://192.168.57.103:9200 { "name" : "indexer-1", "cluster_name" : "wazuh-indexer-cluster", "cluster_uuid" : "87Jb8jd3TnKtdmBHyDxsag", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab", "build_date" : "2022-12-12T22:17:42.341124910Z", "build_snapshot" : false, "lucene_version" : "9.4.2", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } ```

:green_circle: Install server

``` [root@centos8 vagrant]# bash wazuh-install.sh --wazuh-server server-1 12/01/2023 12:19:48 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 12:19:48 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 12:19:54 INFO: Wazuh development repository added. 12/01/2023 12:19:54 INFO: --- Wazuh server --- 12/01/2023 12:19:54 INFO: Starting the Wazuh manager installation. 12/01/2023 12:21:41 INFO: Wazuh manager installation finished. 12/01/2023 12:21:41 INFO: Starting service wazuh-manager. 12/01/2023 12:21:58 INFO: wazuh-manager service started. 12/01/2023 12:21:58 INFO: Starting Filebeat installation. 12/01/2023 12:22:13 INFO: Filebeat installation finished. 12/01/2023 12:22:15 INFO: Filebeat post-install configuration finished. 12/01/2023 12:22:21 INFO: Starting service filebeat. 12/01/2023 12:22:22 INFO: filebeat service started. 12/01/2023 12:22:22 INFO: Installation finished. [root@centos8 vagrant]# systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2023-01-12 12:21:58 UTC; 3min 27s ago Tasks: 116 (limit: 24912) Memory: 442.5M CGroup: /system.slice/wazuh-manager.service ├─6465 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─6507 /var/ossec/bin/wazuh-authd ├─6524 /var/ossec/bin/wazuh-db ├─6549 /var/ossec/bin/wazuh-execd ├─6551 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─6554 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─6570 /var/ossec/bin/wazuh-analysisd ├─6614 /var/ossec/bin/wazuh-syscheckd ├─6630 /var/ossec/bin/wazuh-remoted ├─6663 /var/ossec/bin/wazuh-logcollector [root@centos8 vagrant]# filebeat test output elasticsearch: https://192.168.57.103:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 192.168.57.103 dial up... OK TLS... 
security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 [root@centos8 vagrant]# ```

:green_circle: Install dashboard

``` [root@redhat8 vagrant]# bash wazuh-install.sh --wazuh-dashboard dashboard -i 12/01/2023 12:26:20 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 12:26:20 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 12:26:24 WARNING: Hardware and system checks ignored. 12/01/2023 12:26:29 INFO: Wazuh development repository added. dashboard 12/01/2023 12:26:29 INFO: --- Wazuh dashboard ---- 12/01/2023 12:26:29 INFO: Starting Wazuh dashboard installation. 12/01/2023 12:31:05 INFO: Wazuh dashboard installation finished. 12/01/2023 12:31:06 INFO: Wazuh dashboard post-install configuration finished. 12/01/2023 12:31:06 INFO: Starting service wazuh-dashboard. 12/01/2023 12:31:06 INFO: wazuh-dashboard service started. 12/01/2023 12:31:54 INFO: Initializing Wazuh dashboard web application. 12/01/2023 12:31:54 INFO: Wazuh dashboard web application initialized. 12/01/2023 12:31:55 INFO: --- Summary --- 12/01/2023 12:31:55 INFO: You can access the web interface https://192.168.57.115 User: admin Password: i?*TX7yntamKx1*cL9K4bp5U*1SkAf3H 12/01/2023 12:31:55 INFO: Installation finished. 
[root@redhat8 vagrant]# systemctl status wazuh-dashboard ● wazuh-dashboard.service - wazuh-dashboard Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2023-01-12 12:31:13 UTC; 3min 51s ago Main PID: 5870 (node) Tasks: 11 (limit: 4914) Memory: 193.6M CGroup: /system.slice/wazuh-dashboard.service └─5870 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=> Jan 12 12:31:40 redhat8 opensearch-dashboards[5870]: {"type":"log","@timestamp":"2023-01-12T12:31:40Z",> Jan 12 12:31:40 redhat8 opensearch-dashboards[5870]: {"type":"log","@timestamp":"2023-01-12T12:31:40Z",> Jan 12 12:31:40 redhat8 opensearch-dashboards[5870]: {"type":"log","@timestamp":"2023-01-12T12:31:40Z",> Jan 12 12:31:40 redhat8 opensearch-dashboards[5870]: {"type":"log","@timestamp":"2023-01-12T12:31:40Z",> Jan 12 12:31:41 redhat8 opensearch-dashboards[5870]: {"type":"log","@timestamp":"2023-01-12T12:31:41Z",> Jan 12 12:31:41 redhat8 opensearch-dashboards[5870]: {"type":"log","@timestamp":"2023-01-12T12:31:41Z",> Jan 12 12:31:45 redhat8 opensearch-dashboards[5870]: {"type":"log","@timestamp":"2023-01-12T12:31:45Z",> ``` ![image](https://user-images.githubusercontent.com/61122643/212068358-253e5e0d-fff8-47d3-adcb-c3bc0d187391.png) ![image](https://user-images.githubusercontent.com/61122643/212068394-82789027-d1ee-41ac-98e1-e03fb997b12c.png)

Test 2: Indexer+Dashboard, Server

:green_circle: Install indexer

``` root@ubuntu18:/home/vagrant# bash wazuh-install.sh --wazuh-indexer indexer-1 12/01/2023 12:52:52 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 12:52:52 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 12:53:15 INFO: --- Dependencies ---- 12/01/2023 12:53:15 INFO: Installing apt-transport-https. 12/01/2023 12:53:27 INFO: Wazuh development repository added. 12/01/2023 12:53:27 INFO: --- Wazuh indexer --- 12/01/2023 12:53:27 INFO: Starting Wazuh indexer installation. 12/01/2023 12:57:00 INFO: Wazuh indexer installation finished. 12/01/2023 12:57:00 INFO: Wazuh indexer post-install configuration finished. 12/01/2023 12:57:00 INFO: Starting service wazuh-indexer. 12/01/2023 12:57:24 INFO: wazuh-indexer service started. 12/01/2023 12:57:24 INFO: Initializing Wazuh indexer cluster security settings. 12/01/2023 12:57:30 INFO: Wazuh indexer cluster initialized. 12/01/2023 12:57:30 INFO: Installation finished. root@ubuntu18:/home/vagrant# systemctl status wazuh-indexer ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2023-01-12 12:57:24 UTC; 17s ago Docs: https://documentation.wazuh.com Main PID: 5341 (java) Tasks: 57 (limit: 4655) CGroup: /system.slice/wazuh-indexer.service └─5341 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.t Jan 12 12:57:01 ubuntu18 systemd[1]: Starting Wazuh-indexer... Jan 12 12:57:05 ubuntu18 systemd-entrypoint[5341]: WARNING: A terminally deprecated method in java.lang. 
Jan 12 12:57:05 ubuntu18 systemd-entrypoint[5341]: WARNING: System::setSecurityManager has been called b root@ubuntu18:/home/vagrant# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1 indexer_username: 'admin' indexer_password: 'JcBjU*DspKAeEkrZ+pihsg9V0Qu?lvll' root@ubuntu18:/home/vagrant# curl -k -u admin:JcBjU*DspKAeEkrZ+pihsg9V0Qu?lvll https://localhost:9200 curl: (7) Failed to connect to localhost port 9200: Connection refused root@ubuntu18:/home/vagrant# curl -k -u admin:JcBjU*DspKAeEkrZ+pihsg9V0Qu?lvll https://192.168.57.117:9200 root@ubuntu18:/home/vagrant# bash wazuh-install.sh --start-cluster 12/01/2023 12:59:05 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 12:59:05 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 12:59:18 INFO: Wazuh indexer cluster security configuration initialized. 12/01/2023 12:59:30 INFO: Wazuh indexer cluster started. root@ubuntu18:/home/vagrant# curl -k -u admin:JcBjU*DspKAeEkrZ+pihsg9V0Qu?lvll https://192.168.57.117:9200 { "name" : "indexer-1", "cluster_name" : "wazuh-indexer-cluster", "cluster_uuid" : "DKTFrNrdTdSSVJC2_8728g", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab", "build_date" : "2022-12-12T22:17:42.341124910Z", "build_snapshot" : false, "lucene_version" : "9.4.2", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } root@ubuntu18:/home/vagrant# ```

:green_circle: Install server

``` [root@centos8 vagrant]# bash wazuh-install.sh --wazuh-server server-1 12/01/2023 13:08:59 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0 12/01/2023 13:08:59 INFO: Verbose logging redirected to /var/log/wazuh-install.log 12/01/2023 13:09:04 INFO: Wazuh development repository added. 12/01/2023 13:09:04 INFO: --- Wazuh server --- 12/01/2023 13:09:04 INFO: Starting the Wazuh manager installation. 12/01/2023 13:11:36 INFO: Wazuh manager installation finished. 12/01/2023 13:11:36 INFO: Starting service wazuh-manager. 12/01/2023 13:11:53 INFO: wazuh-manager service started. 12/01/2023 13:11:53 INFO: Starting Filebeat installation. 12/01/2023 13:12:08 INFO: Filebeat installation finished. 12/01/2023 13:12:10 INFO: Filebeat post-install configuration finished. 12/01/2023 13:12:16 INFO: Starting service filebeat. 12/01/2023 13:12:17 INFO: filebeat service started. 12/01/2023 13:12:17 INFO: Installation finished. [root@centos8 vagrant]# systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2023-01-12 13:11:53 UTC; 1min 17s ago Tasks: 116 (limit: 24912) Memory: 401.1M CGroup: /system.slice/wazuh-manager.service ├─6404 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─6446 /var/ossec/bin/wazuh-authd ├─6462 /var/ossec/bin/wazuh-db ├─6486 /var/ossec/bin/wazuh-execd ├─6490 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─6493 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─6509 /var/ossec/bin/wazuh-analysisd ├─6553 /var/ossec/bin/wazuh-syscheckd ├─6568 /var/ossec/bin/wazuh-remoted ├─6602 /var/ossec/bin/wazuh-logcollector [root@centos8 vagrant]# filebeat test output elasticsearch: https://192.168.57.117:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 192.168.57.117 dial up... OK TLS... 
security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 ```

:green_circle: Install dashboard

```
root@ubuntu18:/home/vagrant# bash wazuh-install.sh --wazuh-dashboard dashboard
12/01/2023 13:15:06 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
12/01/2023 13:15:06 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2023 13:15:30 INFO: Wazuh development repository added.
dashboard
12/01/2023 13:15:31 INFO: --- Wazuh dashboard ----
12/01/2023 13:15:31 INFO: Starting Wazuh dashboard installation.
12/01/2023 13:18:48 INFO: Wazuh dashboard installation finished.
12/01/2023 13:18:48 INFO: Wazuh dashboard post-install configuration finished.
12/01/2023 13:18:48 INFO: Starting service wazuh-dashboard.
12/01/2023 13:18:50 INFO: wazuh-dashboard service started.
12/01/2023 13:19:20 INFO: Initializing Wazuh dashboard web application.
12/01/2023 13:19:22 INFO: Wazuh dashboard web application initialized.
12/01/2023 13:19:22 INFO: --- Summary ---
12/01/2023 13:19:22 INFO: You can access the web interface https://192.168.57.117
    User: admin
    Password: JcBjU*DspKAeEkrZ+pihsg9V0Qu?lvll
12/01/2023 13:19:22 INFO: Installation finished.
root@ubuntu18:/home/vagrant# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2023-01-12 13:18:55 UTC; 1min 2s ago
 Main PID: 7744 (node)
    Tasks: 11 (limit: 4655)
   CGroup: /system.slice/wazuh-dashboard.service
           └─7744 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=6

Jan 12 13:19:08 ubuntu18 opensearch-dashboards[7744]: {"type":"log","@timestamp":"2023-01-12T13:19:08Z",
Jan 12 13:19:09 ubuntu18 opensearch-dashboards[7744]: {"type":"log","@timestamp":"2023-01-12T13:19:09Z",
Jan 12 13:19:09 ubuntu18 opensearch-dashboards[7744]: {"type":"log","@timestamp":"2023-01-12T13:19:09Z",
Jan 12 13:19:09 ubuntu18 opensearch-dashboards[7744]: {"type":"log","@timestamp":"2023-01-12T13:19:09Z",
```

![image](https://user-images.githubusercontent.com/61122643/212077427-2042d705-b754-499e-b997-2becadde1a0b.png)
![image](https://user-images.githubusercontent.com/61122643/212077522-6ca8e4b2-6485-4e71-b56d-9d64def45475.png)

:orange_circle: Reboot test

Reboot both hosts and check all services, filebeat, the indexer cluster and the API - Indexer ``` root@ubuntu18:/home/vagrant# systemctl status wazuh-indexer ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Thu 2023-01-12 13:25:27 UTC; 31s ago Docs: https://documentation.wazuh.com Process: 1130 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, status=143) Main PID: 1130 (code=exited, status=143) Jan 12 13:25:04 ubuntu18 systemd-entrypoint[1130]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar) Jan 12 13:25:04 ubuntu18 systemd-entrypoint[1130]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jan 12 13:25:04 ubuntu18 systemd-entrypoint[1130]: WARNING: System::setSecurityManager will be removed in a future release Jan 12 13:25:12 ubuntu18 systemd-entrypoint[1130]: WARNING: A terminally deprecated method in java.lang.System has been called Jan 12 13:25:12 ubuntu18 systemd-entrypoint[1130]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar) Jan 12 13:25:12 ubuntu18 systemd-entrypoint[1130]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jan 12 13:25:12 ubuntu18 systemd-entrypoint[1130]: WARNING: System::setSecurityManager will be removed in a future release Jan 12 13:25:27 ubuntu18 systemd[1]: wazuh-indexer.service: Start operation timed out. Terminating. Jan 12 13:25:27 ubuntu18 systemd[1]: wazuh-indexer.service: Failed with result 'timeout'. Jan 12 13:25:27 ubuntu18 systemd[1]: Failed to start Wazuh-indexer. 
root@ubuntu18:/home/vagrant# systemctl restart wazuh-indexer root@ubuntu18:/home/vagrant# systemctl status wazuh-indexer ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2023-01-12 13:26:33 UTC; 4s ago Docs: https://documentation.wazuh.com Main PID: 2017 (java) Tasks: 70 (limit: 4655) CGroup: /system.slice/wazuh-indexer.service └─2017 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true Jan 12 13:26:06 ubuntu18 systemd[1]: Starting Wazuh-indexer... Jan 12 13:26:08 ubuntu18 systemd-entrypoint[2017]: WARNING: A terminally deprecated method in java.lang.System has been called Jan 12 13:26:08 ubuntu18 systemd-entrypoint[2017]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar) Jan 12 13:26:08 ubuntu18 systemd-entrypoint[2017]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jan 12 13:26:08 ubuntu18 systemd-entrypoint[2017]: WARNING: System::setSecurityManager will be removed in a future release Jan 12 13:26:10 ubuntu18 systemd-entrypoint[2017]: WARNING: A terminally deprecated method in java.lang.System has been called Jan 12 13:26:10 ubuntu18 systemd-entrypoint[2017]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar) Jan 12 13:26:10 ubuntu18 systemd-entrypoint[2017]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jan 12 13:26:10 ubuntu18 systemd-entrypoint[2017]: WARNING: System::setSecurityManager will be removed in a future release Jan 12 13:26:33 ubuntu18 systemd[1]: Started Wazuh-indexer. 
root@ubuntu18:/home/vagrant# curl -k -u admin:JcBjU*DspKAeEkrZ+pihsg9V0Qu?lvll https://192.168.57.117:9200 { "name" : "indexer-1", "cluster_name" : "wazuh-indexer-cluster", "cluster_uuid" : "DKTFrNrdTdSSVJC2_8728g", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab", "build_date" : "2022-12-12T22:17:42.341124910Z", "build_snapshot" : false, "lucene_version" : "9.4.2", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } root@ubuntu18:/home/vagrant# ``` No visible error on `journalctl -xeu wazuh-indexer`: ``` -- Reboot -- Jan 12 13:24:12 ubuntu18 systemd[1]: Starting Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun start-up -- Defined-By: systemd -- Support: http://www.ubuntu.com/support -- -- Unit wazuh-indexer.service has begun starting up. Jan 12 13:25:04 ubuntu18 systemd-entrypoint[1130]: WARNING: A terminally deprecated method in java.lang.System has been called Jan 12 13:25:04 ubuntu18 systemd-entrypoint[1130]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar) Jan 12 13:25:04 ubuntu18 systemd-entrypoint[1130]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jan 12 13:25:04 ubuntu18 systemd-entrypoint[1130]: WARNING: System::setSecurityManager will be removed in a future release Jan 12 13:25:12 ubuntu18 systemd-entrypoint[1130]: WARNING: A terminally deprecated method in java.lang.System has been called Jan 12 13:25:12 ubuntu18 systemd-entrypoint[1130]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar) Jan 12 13:25:12 ubuntu18 systemd-entrypoint[1130]: WARNING: Please consider reporting this to the maintainers of 
org.opensearch.bootstrap.Security Jan 12 13:25:12 ubuntu18 systemd-entrypoint[1130]: WARNING: System::setSecurityManager will be removed in a future release Jan 12 13:25:27 ubuntu18 systemd[1]: wazuh-indexer.service: Start operation timed out. Terminating. Jan 12 13:25:27 ubuntu18 systemd[1]: wazuh-indexer.service: Failed with result 'timeout'. Jan 12 13:25:27 ubuntu18 systemd[1]: Failed to start Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has failed -- Defined-By: systemd -- Support: http://www.ubuntu.com/support -- -- Unit wazuh-indexer.service has failed. -- -- The result is RESULT. Jan 12 13:26:06 ubuntu18 systemd[1]: Starting Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun start-up -- Defined-By: systemd -- Support: http://www.ubuntu.com/support -- -- Unit wazuh-indexer.service has begun starting up. Jan 12 13:26:08 ubuntu18 systemd-entrypoint[2017]: WARNING: A terminally deprecated method in java.lang.System has been called Jan 12 13:26:08 ubuntu18 systemd-entrypoint[2017]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar) Jan 12 13:26:08 ubuntu18 systemd-entrypoint[2017]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jan 12 13:26:08 ubuntu18 systemd-entrypoint[2017]: WARNING: System::setSecurityManager will be removed in a future release Jan 12 13:26:10 ubuntu18 systemd-entrypoint[2017]: WARNING: A terminally deprecated method in java.lang.System has been called Jan 12 13:26:10 ubuntu18 systemd-entrypoint[2017]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar) Jan 12 13:26:10 ubuntu18 systemd-entrypoint[2017]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jan 12 13:26:10 ubuntu18 systemd-entrypoint[2017]: WARNING: 
System::setSecurityManager will be removed in a future release Jan 12 13:26:33 ubuntu18 systemd[1]: Started Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished start-up -- Defined-By: systemd -- Support: http://www.ubuntu.com/support -- -- Unit wazuh-indexer.service has finished starting up. -- -- The start-up result is RESULT. ``` The indexer logs from after the reboot don't show any error besides the expected `Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)`, seen in this Issue ``` [2023-01-12T13:24:06,198][INFO ][o.o.n.Node ] [indexer-1] stopping ... [2023-01-12T13:24:06,198][INFO ][o.o.s.a.r.AuditMessageRouter] [indexer-1] Closing AuditMessageRouter [2023-01-12T13:24:06,199][INFO ][o.o.s.a.s.SinkProvider ] [indexer-1] Closing DebugSink [2023-01-12T13:24:09,184][INFO ][o.o.n.Node ] [indexer-1] stopped [2023-01-12T13:24:09,184][INFO ][o.o.n.Node ] [indexer-1] closing ... 
[2023-01-12T13:24:09,207][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Closing AuditLogImpl [2023-01-12T13:24:09,219][INFO ][o.o.n.Node ] [indexer-1] closed [2023-01-12T13:25:13,176][INFO ][o.o.n.Node ] [indexer-1] version[2.4.1], pid[1130], build[rpm/f2f809ea280ffba217451da894a5899f1cec02ab/2022-12-12T22:17:42.341124910Z], OS[Linux/4.15.0-193-generic/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/17.0.5/17.0.5+8] [2023-01-12T13:25:13,381][INFO ][o.o.n.Node ] [indexer-1] JVM home [/usr/share/wazuh-indexer/jdk], using bundled JDK [true] [2023-01-12T13:25:13,383][INFO ][o.o.n.Node ] [indexer-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1972m, -Xmx1972m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-8762034014759098606, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opendistro-performance-analyzer/pa_config/es_security.policy, -XX:MaxDirectMemorySize=1033895936, 
-Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true] [2023-01-12T13:25:26,322][WARN ][stderr ] [indexer-1] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". [2023-01-12T13:25:26,323][WARN ][stderr ] [indexer-1] SLF4J: Defaulting to no-operation (NOP) logger implementation [2023-01-12T13:25:26,323][WARN ][stderr ] [indexer-1] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. [2023-01-12T13:25:26,448][INFO ][o.o.s.s.t.SSLConfig ] [indexer-1] SSL dual mode is disabled [2023-01-12T13:25:26,449][INFO ][o.o.s.OpenSearchSecurityPlugin] [indexer-1] OpenSearch Config path is /etc/wazuh-indexer [2023-01-12T13:26:10,380][INFO ][o.o.n.Node ] [indexer-1] version[2.4.1], pid[2017], build[rpm/f2f809ea280ffba217451da894a5899f1cec02ab/2022-12-12T22:17:42.341124910Z], OS[Linux/4.15.0-193-generic/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/17.0.5/17.0.5+8] [2023-01-12T13:26:10,384][INFO ][o.o.n.Node ] [indexer-1] JVM home [/usr/share/wazuh-indexer/jdk], using bundled JDK [true] [2023-01-12T13:26:10,384][INFO ][o.o.n.Node ] [indexer-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1972m, -Xmx1972m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-4832099251789091875, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, 
-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opendistro-performance-analyzer/pa_config/es_security.policy, -XX:MaxDirectMemorySize=1033895936, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true] [2023-01-12T13:26:11,789][WARN ][stderr ] [indexer-1] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". [2023-01-12T13:26:11,790][WARN ][stderr ] [indexer-1] SLF4J: Defaulting to no-operation (NOP) logger implementation [2023-01-12T13:26:11,790][WARN ][stderr ] [indexer-1] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. 
[2023-01-12T13:26:11,807][INFO ][o.o.s.s.t.SSLConfig ] [indexer-1] SSL dual mode is disabled [2023-01-12T13:26:11,807][INFO ][o.o.s.OpenSearchSecurityPlugin] [indexer-1] OpenSearch Config path is /etc/wazuh-indexer [2023-01-12T13:26:12,408][INFO ][o.o.s.s.DefaultSecurityKeyStore] [indexer-1] JVM supports TLSv1.3 [2023-01-12T13:26:12,413][INFO ][o.o.s.s.DefaultSecurityKeyStore] [indexer-1] Config directory is /etc/wazuh-indexer/, from there the key- and truststore files are resolved relatively [2023-01-12T13:26:13,566][INFO ][o.o.s.s.DefaultSecurityKeyStore] [indexer-1] TLS Transport Client Provider : JDK [2023-01-12T13:26:13,566][INFO ][o.o.s.s.DefaultSecurityKeyStore] [indexer-1] TLS Transport Server Provider : JDK [2023-01-12T13:26:13,567][INFO ][o.o.s.s.DefaultSecurityKeyStore] [indexer-1] TLS HTTP Provider : JDK [2023-01-12T13:26:13,567][INFO ][o.o.s.s.DefaultSecurityKeyStore] [indexer-1] Enabled TLS protocols for transport layer : [TLSv1.3, TLSv1.2] [2023-01-12T13:26:13,568][INFO ][o.o.s.s.DefaultSecurityKeyStore] [indexer-1] Enabled TLS protocols for HTTP layer : [TLSv1.2] [2023-01-12T13:26:13,601][INFO ][o.o.s.OpenSearchSecurityPlugin] [indexer-1] Clustername: wazuh-indexer-cluster [2023-01-12T13:26:16,388][INFO ][o.o.p.c.PluginSettings ] [indexer-1] Trying to create directory /dev/shm/performanceanalyzer/. 
[2023-01-12T13:26:16,389][INFO ][o.o.p.c.PluginSettings ] [indexer-1] Config: metricsLocation: /dev/shm/performanceanalyzer/, metricsDeletionInterval: 1, httpsEnabled: false, cleanup-metrics-db-files: true, batch-metrics-retention-period-minutes: 7, rpc-port: 9650, webservice-port 9600 [2023-01-12T13:26:19,281][INFO ][o.o.i.r.ReindexPlugin ] [indexer-1] ReindexPlugin reloadSPI called [2023-01-12T13:26:19,284][INFO ][o.o.i.r.ReindexPlugin ] [indexer-1] Unable to find any implementation for RemoteReindexExtension [2023-01-12T13:26:19,558][INFO ][o.o.j.JobSchedulerPlugin ] [indexer-1] Loaded scheduler extension: reports-scheduler, index: .opendistro-reports-definitions [2023-01-12T13:26:19,580][INFO ][o.o.j.JobSchedulerPlugin ] [indexer-1] Loaded scheduler extension: opendistro_anomaly_detector, index: .opendistro-anomaly-detector-jobs [2023-01-12T13:26:19,582][INFO ][o.o.j.JobSchedulerPlugin ] [indexer-1] Loaded scheduler extension: opendistro-index-management, index: .opendistro-ism-config [2023-01-12T13:26:19,688][INFO ][o.o.j.JobSchedulerPlugin ] [indexer-1] Loaded scheduler extension: observability, index: .opensearch-observability-job [2023-01-12T13:26:19,706][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [aggs-matrix-stats] [2023-01-12T13:26:19,706][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [analysis-common] [2023-01-12T13:26:19,707][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [geo] [2023-01-12T13:26:19,707][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [ingest-common] [2023-01-12T13:26:19,707][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [ingest-geoip] [2023-01-12T13:26:19,707][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [ingest-user-agent] [2023-01-12T13:26:19,708][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [lang-expression] [2023-01-12T13:26:19,708][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [lang-mustache] [2023-01-12T13:26:19,708][INFO ][o.o.p.PluginsService ] 
[indexer-1] loaded module [lang-painless] [2023-01-12T13:26:19,708][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [mapper-extras] [2023-01-12T13:26:19,709][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [opensearch-dashboards] [2023-01-12T13:26:19,709][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [parent-join] [2023-01-12T13:26:19,709][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [percolator] [2023-01-12T13:26:19,709][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [rank-eval] [2023-01-12T13:26:19,709][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [reindex] [2023-01-12T13:26:19,710][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [repository-url] [2023-01-12T13:26:19,710][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [systemd] [2023-01-12T13:26:19,710][INFO ][o.o.p.PluginsService ] [indexer-1] loaded module [transport-netty4] [2023-01-12T13:26:19,711][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-alerting] [2023-01-12T13:26:19,711][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-anomaly-detection] [2023-01-12T13:26:19,711][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-asynchronous-search] [2023-01-12T13:26:19,711][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-cross-cluster-replication] [2023-01-12T13:26:19,712][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-geospatial] [2023-01-12T13:26:19,712][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-index-management] [2023-01-12T13:26:19,712][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-job-scheduler] [2023-01-12T13:26:19,712][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-knn] [2023-01-12T13:26:19,712][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-ml] [2023-01-12T13:26:19,713][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin 
[opensearch-neural-search] [2023-01-12T13:26:19,713][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-notifications] [2023-01-12T13:26:19,713][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-notifications-core] [2023-01-12T13:26:19,713][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-observability] [2023-01-12T13:26:19,714][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-performance-analyzer] [2023-01-12T13:26:19,714][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-reports-scheduler] [2023-01-12T13:26:19,714][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-security] [2023-01-12T13:26:19,714][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-security-analytics] [2023-01-12T13:26:19,714][INFO ][o.o.p.PluginsService ] [indexer-1] loaded plugin [opensearch-sql] [2023-01-12T13:26:19,793][INFO ][o.o.s.OpenSearchSecurityPlugin] [indexer-1] Disabled https compression by default to mitigate BREACH attacks. 
You can enable it by setting 'http.compression: true' in opensearch.yml [2023-01-12T13:26:19,897][INFO ][o.o.e.NodeEnvironment ] [indexer-1] using [1] data paths, mounts [[/ (/dev/sda3)]], net usable_space [111.5gb], net total_space [123gb], types [ext4] [2023-01-12T13:26:19,898][INFO ][o.o.e.NodeEnvironment ] [indexer-1] heap size [1.9gb], compressed ordinary object pointers [true] [2023-01-12T13:26:20,384][INFO ][o.o.n.Node ] [indexer-1] node name [indexer-1], node ID [D9oc2hjSTvSpV7R-PuSWsg], cluster name [wazuh-indexer-cluster], roles [ingest, remote_cluster_client, data, master, cluster_manager] [2023-01-12T13:26:27,355][WARN ][o.o.s.c.Salt ] [indexer-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes [2023-01-12T13:26:27,447][ERROR][o.o.s.a.s.SinkProvider ] [indexer-1] Default endpoint could not be created, auditlog will not work properly. [2023-01-12T13:26:27,449][WARN ][o.o.s.a.r.AuditMessageRouter] [indexer-1] No default storage available, audit log may not work properly. Please check configuration. [2023-01-12T13:26:27,449][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Message routing enabled: false [2023-01-12T13:26:27,520][INFO ][o.o.s.f.SecurityFilter ] [indexer-1] indices are made immutable. [2023-01-12T13:26:28,208][INFO ][o.o.a.b.ADCircuitBreakerService] [indexer-1] Registered memory breaker. [2023-01-12T13:26:28,966][INFO ][o.o.m.c.b.MLCircuitBreakerService] [indexer-1] Registered ML memory breaker. [2023-01-12T13:26:28,968][INFO ][o.o.m.c.b.MLCircuitBreakerService] [indexer-1] Registered ML disk breaker. 
[2023-01-12T13:26:29,219][INFO ][o.r.Reflections ] [indexer-1] Reflections took 132 ms to scan 1 urls, producing 12 keys and 32 values [2023-01-12T13:26:30,241][INFO ][o.o.t.NettyAllocator ] [indexer-1] creating NettyAllocator with the following configs: [name=opensearch_configured, chunk_size=256kb, suggested_max_allocation_size=256kb, factors={opensearch.unsafe.use_netty_default_chunk_and_page_size=false, g1gc_enabled=true, g1gc_region_size=1mb}] [2023-01-12T13:26:30,753][INFO ][o.o.d.DiscoveryModule ] [indexer-1] using discovery type [zen] and seed hosts providers [settings] [2023-01-12T13:26:31,534][WARN ][o.o.g.DanglingIndicesState] [indexer-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually [2023-01-12T13:26:32,412][INFO ][o.o.p.h.c.PerformanceAnalyzerConfigAction] [indexer-1] PerformanceAnalyzer Enabled: true [2023-01-12T13:26:32,553][INFO ][o.o.n.Node ] [indexer-1] initialized [2023-01-12T13:26:32,555][INFO ][o.o.n.Node ] [indexer-1] starting ... 
[2023-01-12T13:26:32,876][INFO ][o.o.t.TransportService ] [indexer-1] publish_address {192.168.57.117:9300}, bound_addresses {192.168.57.117:9300} [2023-01-12T13:26:33,317][INFO ][o.o.b.BootstrapChecks ] [indexer-1] bound or publishing to a non-loopback address, enforcing bootstrap checks [2023-01-12T13:26:33,328][INFO ][o.o.c.c.Coordinator ] [indexer-1] cluster UUID [DKTFrNrdTdSSVJC2_8728g] [2023-01-12T13:26:33,547][INFO ][o.o.c.s.MasterService ] [indexer-1] elected-as-cluster-manager ([1] nodes joined)[{indexer-1}{D9oc2hjSTvSpV7R-PuSWsg}{l3W9TzkNQOiJikXxVbBE7w}{192.168.57.117}{192.168.57.117:9300}{dimmr}{shard_indexing_pressure_enabled=true} elect leader, _BECOME_CLUSTER_MANAGER_TASK_, _FINISH_ELECTION_], term: 2, version: 31, delta: cluster-manager node changed {previous [], current [{indexer-1}{D9oc2hjSTvSpV7R-PuSWsg}{l3W9TzkNQOiJikXxVbBE7w}{192.168.57.117}{192.168.57.117:9300}{dimmr}{shard_indexing_pressure_enabled=true}]} [2023-01-12T13:26:33,658][INFO ][o.o.c.s.ClusterApplierService] [indexer-1] cluster-manager node changed {previous [], current [{indexer-1}{D9oc2hjSTvSpV7R-PuSWsg}{l3W9TzkNQOiJikXxVbBE7w}{192.168.57.117}{192.168.57.117:9300}{dimmr}{shard_indexing_pressure_enabled=true}]}, term: 2, version: 31, reason: Publication{term=2, version=31} [2023-01-12T13:26:33,668][INFO ][o.o.a.c.ADClusterEventListener] [indexer-1] Cluster is not recovered yet. [2023-01-12T13:26:33,699][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration [2023-01-12T13:26:33,769][INFO ][o.o.i.i.ManagedIndexCoordinator] [indexer-1] Cache cluster manager node onClusterManager time: 1673529993769 [2023-01-12T13:26:33,873][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [indexer-1] Config override setting update called with empty string. Ignoring. 
[2023-01-12T13:26:33,892][INFO ][o.o.d.PeerFinder ] [indexer-1] setting findPeersInterval to [1s] as node commission status = [true] for local node [{indexer-1}{D9oc2hjSTvSpV7R-PuSWsg}{l3W9TzkNQOiJikXxVbBE7w}{192.168.57.117}{192.168.57.117:9300}{dimmr}{shard_indexing_pressure_enabled=true}] [2023-01-12T13:26:33,966][INFO ][o.o.h.AbstractHttpServerTransport] [indexer-1] publish_address {192.168.57.117:9200}, bound_addresses {192.168.57.117:9200} [2023-01-12T13:26:33,966][INFO ][o.o.n.Node ] [indexer-1] started [2023-01-12T13:26:33,980][INFO ][o.o.s.OpenSearchSecurityPlugin] [indexer-1] Node started [2023-01-12T13:26:33,982][INFO ][o.o.s.c.ConfigurationRepository] [indexer-1] Will not attempt to create index .opendistro_security and default configs if they are absent. Use securityadmin to initialize cluster [2023-01-12T13:26:33,983][INFO ][o.o.s.OpenSearchSecurityPlugin] [indexer-1] 0 OpenSearch Security modules loaded so far: [] [2023-01-12T13:26:33,985][INFO ][o.o.s.c.ConfigurationRepository] [indexer-1] Background init thread started. 
Install default config?: false [2023-01-12T13:26:34,053][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [indexer-1] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) org.opensearch.cluster.block.ClusterBlockException: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized]; at org.opensearch.cluster.block.ClusterBlocks.globalBlockedException(ClusterBlocks.java:205) ~[opensearch-2.4.1.jar:2.4.1] at org.opensearch.cluster.block.ClusterBlocks.globalBlockedRaiseException(ClusterBlocks.java:191) ~[opensearch-2.4.1.jar:2.4.1] at org.opensearch.action.get.TransportMultiGetAction.doExecute(TransportMultiGetAction.java:81) ~[opensearch-2.4.1.jar:2.4.1] at org.opensearch.action.get.TransportMultiGetAction.doExecute(TransportMultiGetAction.java:58) ~[opensearch-2.4.1.jar:2.4.1] at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:218) [opensearch-2.4.1.jar:2.4.1] at org.opensearch.indexmanagement.rollup.actionfilter.FieldCapsFilter.apply(FieldCapsFilter.kt:118) [opensearch-index-management-2.4.1.0.jar:2.4.1.0] at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:216) [opensearch-2.4.1.jar:2.4.1] at org.opensearch.performanceanalyzer.action.PerformanceAnalyzerActionFilter.apply(PerformanceAnalyzerActionFilter.java:78) [opensearch-performance-analyzer-2.4.1.0.jar:2.4.1.0] at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:216) [opensearch-2.4.1.jar:2.4.1] at org.opensearch.security.filter.SecurityFilter.apply0(SecurityFilter.java:232) [opensearch-security-2.4.1.0.jar:2.4.1.0] at org.opensearch.security.filter.SecurityFilter.apply(SecurityFilter.java:149) [opensearch-security-2.4.1.0.jar:2.4.1.0] at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:216) 
[opensearch-2.4.1.jar:2.4.1] at org.opensearch.action.support.TransportAction.execute(TransportAction.java:188) [opensearch-2.4.1.jar:2.4.1] at org.opensearch.action.support.TransportAction.execute(TransportAction.java:107) [opensearch-2.4.1.jar:2.4.1] at org.opensearch.client.node.NodeClient.executeLocally(NodeClient.java:110) [opensearch-2.4.1.jar:2.4.1] at org.opensearch.client.node.NodeClient.doExecute(NodeClient.java:97) [opensearch-2.4.1.jar:2.4.1] at org.opensearch.client.support.AbstractClient.execute(AbstractClient.java:461) [opensearch-2.4.1.jar:2.4.1] at org.opensearch.client.support.AbstractClient.multiGet(AbstractClient.java:577) [opensearch-2.4.1.jar:2.4.1] at org.opensearch.security.configuration.ConfigurationLoaderSecurity7.loadAsync(ConfigurationLoaderSecurity7.java:208) [opensearch-security-2.4.1.0.jar:2.4.1.0] at org.opensearch.security.configuration.ConfigurationLoaderSecurity7.load(ConfigurationLoaderSecurity7.java:99) [opensearch-security-2.4.1.0.jar:2.4.1.0] at org.opensearch.security.configuration.ConfigurationRepository.getConfigurationsFromIndex(ConfigurationRepository.java:372) [opensearch-security-2.4.1.0.jar:2.4.1.0] at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration0(ConfigurationRepository.java:318) [opensearch-security-2.4.1.0.jar:2.4.1.0] at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:303) [opensearch-security-2.4.1.0.jar:2.4.1.0] at org.opensearch.security.configuration.ConfigurationRepository$1.run(ConfigurationRepository.java:163) [opensearch-security-2.4.1.0.jar:2.4.1.0] at java.lang.Thread.run(Thread.java:833) [?:?] 
[2023-01-12T13:26:34,232][INFO ][o.o.c.s.ClusterSettings ] [indexer-1] updating [plugins.index_state_management.template_migration.control] from [0] to [-1]
[2023-01-12T13:26:34,321][INFO ][o.o.a.c.HashRing ] [indexer-1] Node added: [D9oc2hjSTvSpV7R-PuSWsg]
[2023-01-12T13:26:34,328][INFO ][o.o.a.c.HashRing ] [indexer-1] Add data node to AD version hash ring: D9oc2hjSTvSpV7R-PuSWsg
[2023-01-12T13:26:34,330][INFO ][o.o.a.c.HashRing ] [indexer-1] All nodes with known AD version: {D9oc2hjSTvSpV7R-PuSWsg=ADNodeInfo{version=2.4.1, isEligibleDataNode=true}}
[2023-01-12T13:26:34,331][INFO ][o.o.a.c.HashRing ] [indexer-1] Rebuild AD hash ring for realtime AD with cooldown, nodeChangeEvents size 0
[2023-01-12T13:26:34,331][INFO ][o.o.a.c.HashRing ] [indexer-1] Build AD version hash ring successfully
[2023-01-12T13:26:34,333][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:26:34,335][INFO ][o.o.a.c.ADDataMigrator ] [indexer-1] Start migrating AD data
[2023-01-12T13:26:34,335][INFO ][o.o.a.c.ADDataMigrator ] [indexer-1] AD job index doesn't exist, no need to migrate
[2023-01-12T13:26:34,336][INFO ][o.o.a.c.ADClusterEventListener] [indexer-1] Init AD version hash ring successfully
[2023-01-12T13:26:34,462][INFO ][o.o.g.GatewayService ] [indexer-1] recovered [3] indices into cluster_state
[2023-01-12T13:26:35,364][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:26:35,706][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:26:36,023][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:26:36,176][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:26:36,300][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:26:36,303][INFO ][o.o.c.r.a.AllocationService] [indexer-1] Cluster health status changed from [RED] to [GREEN] (reason: [shards started [[wazuh-alerts-4.x-2023.01.12][1]]]).
[2023-01-12T13:26:36,374][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:26:36,421][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:36,449][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:36,453][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:36,457][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:38,158][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:38,161][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:38,165][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:38,169][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:40,678][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:40,681][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:40,684][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:40,687][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:43,181][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:43,184][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:43,187][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:43,191][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:45,683][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:45,686][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:45,689][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:45,692][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:47,418][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing on REST API is enabled.
[2023-01-12T13:26:47,419][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from REST API auditing.
[2023-01-12T13:26:47,425][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing on Transport API is enabled.
[2023-01-12T13:26:47,425][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from Transport API auditing.
[2023-01-12T13:26:47,425][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing of request body is enabled.
[2023-01-12T13:26:47,426][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Bulk requests resolution is disabled during request auditing.
[2023-01-12T13:26:47,426][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Index resolution is enabled during request auditing.
[2023-01-12T13:26:47,426][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Sensitive headers auditing is enabled.
[2023-01-12T13:26:47,426][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing requests from kibanaserver users is disabled.
[2023-01-12T13:26:47,426][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing of external configuration is disabled.
[2023-01-12T13:26:47,427][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing of internal configuration is enabled.
[2023-01-12T13:26:47,427][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing only metadata information for read request is enabled.
[2023-01-12T13:26:47,427][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing will watch {} for read requests.
[2023-01-12T13:26:47,427][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing read operation requests from kibanaserver users is disabled.
[2023-01-12T13:26:47,427][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing only metadata information for write request is enabled.
[2023-01-12T13:26:47,428][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing diffs for write requests is disabled.
[2023-01-12T13:26:47,428][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing write operation requests from kibanaserver users is disabled.
[2023-01-12T13:26:47,428][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Auditing will watch for write requests.
[2023-01-12T13:26:47,428][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] .opendistro_security is used as internal security index.
[2023-01-12T13:26:47,428][INFO ][o.o.s.a.i.AuditLogImpl ] [indexer-1] Internal index used for posting audit logs is null
[2023-01-12T13:26:47,429][INFO ][o.o.s.c.ConfigurationRepository] [indexer-1] Hot-reloading of audit configuration is enabled
[2023-01-12T13:26:47,429][INFO ][o.o.s.c.ConfigurationRepository] [indexer-1] Node 'indexer-1' initialized
[2023-01-12T13:26:51,816][INFO ][o.o.c.m.MetadataCreateIndexService] [indexer-1] [wazuh-monitoring-2023.2w] creating index, cause [api], templates [wazuh-agent], shards [1]/[0]
[2023-01-12T13:26:51,931][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:26:52,030][INFO ][o.o.c.r.a.AllocationService] [indexer-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[wazuh-monitoring-2023.2w][0]]]).
[2023-01-12T13:26:52,078][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:26:52,094][INFO ][o.o.c.m.MetadataUpdateSettingsService] [indexer-1] updating number_of_replicas to [0] for indices [wazuh-monitoring-2023.2w]
[2023-01-12T13:27:33,771][INFO ][o.o.i.i.ManagedIndexCoordinator] [indexer-1] Performing move cluster state metadata.
[2023-01-12T13:27:33,772][INFO ][o.o.i.i.MetadataService ] [indexer-1] ISM config index not exist, so we cancel the metadata migration job.
[2023-01-12T13:28:33,772][INFO ][o.o.i.i.ManagedIndexCoordinator] [indexer-1] Cancel background move metadata process.
[2023-01-12T13:28:33,773][INFO ][o.o.i.i.ManagedIndexCoordinator] [indexer-1] Performing move cluster state metadata.
[2023-01-12T13:28:33,773][INFO ][o.o.i.i.MetadataService ] [indexer-1] Move metadata has finished.
[2023-01-12T13:30:00,635][INFO ][o.o.c.m.MetadataCreateIndexService] [indexer-1] [wazuh-statistics-2023.2w] creating index, cause [api], templates [wazuh-statistics], shards [1]/[0]
[2023-01-12T13:30:00,693][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:30:00,698][INFO ][o.o.c.m.MetadataUpdateSettingsService] [indexer-1] updating number_of_replicas to [0] for indices [wazuh-monitoring-2023.2w]
[2023-01-12T13:30:00,794][INFO ][o.o.c.r.a.AllocationService] [indexer-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[wazuh-statistics-2023.2w][0]]]).
[2023-01-12T13:30:00,853][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:30:17,297][INFO ][o.o.c.m.MetadataMappingService] [indexer-1] [wazuh-alerts-4.x-2023.01.12/GemKD2suQ3KHpu4CzO2biw] update_mapping [_doc]
[2023-01-12T13:30:17,402][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [indexer-1] Detected cluster change event for destination migration
[2023-01-12T13:31:33,336][INFO ][o.o.j.s.JobSweeper ] [indexer-1] Running full sweep
[2023-01-12T13:31:33,881][INFO ][o.o.i.i.PluginVersionSweepCoordinator] [indexer-1] Canceling sweep ism plugin version job
```

- Server

```
[root@centos8 vagrant]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-01-12 13:24:28 UTC; 5min ago
  Process: 725 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 116 (limit: 24912)
   Memory: 623.2M
   CGroup: /system.slice/wazuh-manager.service
           ├─ 992 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1034 /var/ossec/bin/wazuh-authd
           ├─1051 /var/ossec/bin/wazuh-db
           ├─1076 /var/ossec/bin/wazuh-execd
           ├─1078 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1081 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1097 /var/ossec/bin/wazuh-analysisd
           ├─1141 /var/ossec/bin/wazuh-syscheckd
           ├─1157 /var/ossec/bin/wazuh-remoted
[root@centos8 vagrant]# filebeat test output
elasticsearch: https://192.168.57.117:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.57.117
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@centos8 vagrant]#
```

- Dashboard

```
root@ubuntu18:/home/vagrant# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2023-01-12 13:24:10 UTC; 6min ago
 Main PID: 1079 (node)
    Tasks: 11 (limit: 4655)
   CGroup: /system.slice/wazuh-dashboard.service
           └─1079 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=6

Jan 12 13:26:45 ubuntu18 opensearch-dashboards[1079]: {"type":"log","@timestamp":"2023-01-12T13:26:45Z",
Jan 12 13:26:48 ubuntu18 opensearch-dashboards[1079]: {"type":"log","@timestamp":"2023-01-12T13:26:48Z",
Jan 12 13:26:49 ubuntu18 opensearch-dashboards[1079]: {"type":"log","@timestamp":"2023-01-12T13:26:49Z",
Jan 12 13:26:51 ubuntu18 opensearch-dashboards[1079]: {"type":"log","@timestamp":"2023-01-12T13:26:51Z",
root@ubuntu18:/home/vagrant#
```

![image](https://user-images.githubusercontent.com/61122643/212079890-ae4d13ea-209b-4d28-a2eb-981b5be54ef7.png)
![image](https://user-images.githubusercontent.com/61122643/212079833-220a0bb4-9828-46f2-b206-47b4b98067e8.png)

The problem with the indexer has been solved by increasing the TimeOut time of the Wazuh indexer service to 180.
The change has been added to the [PR](https://github.com/wazuh/wazuh-packages/pull/2032) in commit [33f2c6959804402e615fd400088afa3f59d795db](https://github.com/wazuh/wazuh-packages/pull/2032/commits/33f2c6959804402e615fd400088afa3f59d795db)

Test 3: Indexer, Dashboard+Server

:green_circle: Install indexer

```
root@ubuntu18:/home/vagrant# bash wazuh-install.sh --wazuh-indexer indexer-1
12/01/2023 15:56:49 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
12/01/2023 15:56:49 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2023 15:57:05 INFO: Wazuh development repository added.
12/01/2023 15:57:05 INFO: --- Wazuh indexer ---
12/01/2023 15:57:05 INFO: Starting Wazuh indexer installation.
12/01/2023 15:58:10 INFO: Wazuh indexer installation finished.
12/01/2023 15:58:10 INFO: Wazuh indexer post-install configuration finished.
12/01/2023 15:58:10 INFO: Starting service wazuh-indexer.
12/01/2023 15:58:40 INFO: wazuh-indexer service started.
12/01/2023 15:58:40 INFO: Initializing Wazuh indexer cluster security settings.
12/01/2023 15:58:44 INFO: Wazuh indexer cluster initialized.
12/01/2023 15:58:44 INFO: Installation finished.
root@ubuntu18:/home/vagrant# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2023-01-12 15:58:40 UTC; 46s ago
     Docs: https://documentation.wazuh.com
 Main PID: 8074 (java)
    Tasks: 55 (limit: 4655)
   CGroup: /system.slice/wazuh-indexer.service
           └─8074 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.t

Jan 12 15:58:11 ubuntu18 systemd[1]: Starting Wazuh-indexer...
Jan 12 15:58:21 ubuntu18 systemd-entrypoint[8074]: WARNING: A terminally deprecated method in java.lang.
Jan 12 15:58:21 ubuntu18 systemd-entrypoint[8074]: WARNING: System::setSecurityManager has been called b
root@ubuntu18:/home/vagrant# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
indexer_username: 'admin'
indexer_password: 'JWfY7kPqDKA2?XY0IiHSem?6iQSj4d8R'
root@ubuntu18:/home/vagrant# curl -k -u admin:JWfY7kPqDKA2?XY0IiHSem?6iQSj4d8R https://192.168.57.117:9200
OpenSearch Security not initialized.root@ubuntu18:/home/vagrant# bash wazuh-install.sh --start-cluster
12/01/2023 16:00:21 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
12/01/2023 16:00:21 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2023 16:00:35 INFO: Wazuh indexer cluster security configuration initialized.
12/01/2023 16:00:48 INFO: Wazuh indexer cluster started.
root@ubuntu18:/home/vagrant# ls
wazuh-install-files.tar  wazuh-install.sh
root@ubuntu18:/home/vagrant# curl -k -u admin:JWfY7kPqDKA2?XY0IiHSem?6iQSj4d8R https://192.168.57.117:9200
{
  "name" : "indexer-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "6q6hCjfAQ7iTmmlLqrEv4A",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@ubuntu18:/home/vagrant#
```

:green_circle: Install server

```
[root@redhat8 vagrant]# bash wazuh-install.sh --wazuh-server server-1 -i
12/01/2023 16:01:52 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
12/01/2023 16:01:52 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2023 16:01:56 WARNING: Hardware and system checks ignored.
12/01/2023 16:02:02 INFO: Wazuh development repository added.
12/01/2023 16:02:03 INFO: --- Wazuh server ---
12/01/2023 16:02:03 INFO: Starting the Wazuh manager installation.
12/01/2023 16:06:06 INFO: Wazuh manager installation finished.
12/01/2023 16:06:06 INFO: Starting service wazuh-manager.
12/01/2023 16:06:32 INFO: wazuh-manager service started.
12/01/2023 16:06:33 INFO: Starting Filebeat installation.
12/01/2023 16:08:19 INFO: Filebeat installation finished.
12/01/2023 16:08:23 INFO: Filebeat post-install configuration finished.
12/01/2023 16:08:49 INFO: Starting service filebeat.
12/01/2023 16:08:50 INFO: filebeat service started.
12/01/2023 16:08:50 INFO: Installation finished.
[root@redhat8 vagrant]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-01-12 16:06:32 UTC; 2min 28s ago
    Tasks: 106 (limit: 4914)
   Memory: 371.1M
   CGroup: /system.slice/wazuh-manager.service
           ├─6748 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─6789 /var/ossec/bin/wazuh-authd
           ├─6806 /var/ossec/bin/wazuh-db
           ├─6832 /var/ossec/bin/wazuh-execd
           ├─6847 /var/ossec/bin/wazuh-analysisd
           ├─6860 /var/ossec/bin/wazuh-syscheckd
           ├─6864 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─6867 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─6883 /var/ossec/bin/wazuh-remoted
           ├─6916 /var/ossec/bin/wazuh-logcollector
           ├─6956 /var/ossec/bin/wazuh-monitord
           └─6977 /var/ossec/bin/wazuh-modulesd

Jan 12 16:06:22 redhat8 env[6689]: Started wazuh-db...
Jan 12 16:06:23 redhat8 env[6689]: Started wazuh-execd...
Jan 12 16:06:24 redhat8 env[6689]: Started wazuh-analysisd...
Jan 12 16:06:25 redhat8 env[6689]: Started wazuh-syscheckd...
Jan 12 16:06:26 redhat8 env[6689]: Started wazuh-remoted...
[root@redhat8 vagrant]# filebeat test output
elasticsearch: https://192.168.57.117:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.57.117
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@redhat8 vagrant]#
```

:green_circle: Install dashboard

```
[root@redhat8 vagrant]# bash wazuh-install.sh --wazuh-dashboard dashboard -i
12/01/2023 16:12:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
12/01/2023 16:12:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2023 16:12:17 WARNING: Hardware and system checks ignored.
12/01/2023 16:12:22 INFO: Wazuh development repository added.
dashboard
12/01/2023 16:12:23 INFO: --- Wazuh dashboard ----
12/01/2023 16:12:23 INFO: Starting Wazuh dashboard installation.
12/01/2023 16:17:38 INFO: Wazuh dashboard installation finished.
12/01/2023 16:17:38 INFO: Wazuh dashboard post-install configuration finished.
12/01/2023 16:17:38 INFO: Starting service wazuh-dashboard.
12/01/2023 16:17:39 INFO: wazuh-dashboard service started.
12/01/2023 16:18:41 INFO: Initializing Wazuh dashboard web application.
12/01/2023 16:18:43 INFO: Wazuh dashboard web application initialized.
12/01/2023 16:18:43 INFO: --- Summary ---
12/01/2023 16:18:43 INFO: You can access the web interface https://192.168.57.115
    User: admin
    Password: JWfY7kPqDKA2?XY0IiHSem?6iQSj4d8R
12/01/2023 16:18:43 INFO: Installation finished.
[root@redhat8 vagrant]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-01-12 16:17:50 UTC; 1min 9s ago
 Main PID: 9270 (node)
    Tasks: 11 (limit: 4914)
   Memory: 172.6M
   CGroup: /system.slice/wazuh-dashboard.service
           └─9270 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=>

Jan 12 16:18:28 redhat8 opensearch-dashboards[9270]: {"type":"log","@timestamp":"2023-01-12T16:18:28Z",>
Jan 12 16:18:28 redhat8 opensearch-dashboards[9270]: {"type":"log","@timestamp":"2023-01-12T16:18:28Z",>
Jan 12 16:18:28 redhat8 opensearch-dashboards[9270]: {"type":"log","@timestamp":"2023-01-12T16:18:28Z",>
Jan 12 16:18:28 redhat8 opensearch-dashboards[9270]: {"type":"log","@timestamp":"2023-01-12T16:18:28Z",>
Jan 12 16:18:28 redhat8 opensearch-dashboards[9270]: {"type":"log","@timestamp":"2023-01-12T16:18:28Z",>
Jan 12 16:18:32 redhat8 opensearch-dashboards[9270]: {"type":"log","@timestamp":"2023-01-12T16:18:32Z",>
Jan 12 16:18:32 redhat8 opensearch-dashboards[9270]: {"type":"log","@timestamp":"2023-01-12T16:18:32Z",>
Jan 12 16:18:33 redhat8 opensearch-dashboards[9270]: {"type":"log","@timestamp":"2023-01-12T16:18:33Z",>
Jan 12 16:18:34 redhat8 opensearch-dashboards[9270]: {"type":"log","@timestamp":"2023-01-12T16:18:34Z",>
Jan 12 16:18:43 redhat8 opensearch-dashboards[9270]: {"type":"response","@timestamp":"2023-01-12T16:18:>
[root@redhat8 vagrant]#
```

![image](https://user-images.githubusercontent.com/61122643/212130069-3dc41c82-dd1f-4477-9ee1-a6f481dbaf59.png)
![image](https://user-images.githubusercontent.com/61122643/212130149-f8459c48-0e5f-4c80-b7a4-0db320d06a86.png)

:green_circle: Reboot test

Reboot both hosts and check all services: filebeat, the indexer cluster and the API.

- Indexer

```
root@ubuntu18:/home/vagrant# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2023-01-12 17:00:21 UTC; 7s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2138 (java)
    Tasks: 70 (limit: 4655)
   CGroup: /system.slice/wazuh-indexer.service
           └─2138 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.t

Jan 12 16:59:43 ubuntu18 systemd[1]: Starting Wazuh-indexer...
Jan 12 16:59:45 ubuntu18 systemd-entrypoint[2138]: WARNING: A terminally deprecated method in java.lang.
Jan 12 16:59:45 ubuntu18 systemd-entrypoint[2138]: WARNING: System::setSecurityManager has been called b
Jan 12 16:59:45 ubuntu18 systemd-entrypoint[2138]: WARNING: Please consider reporting this to the mainta
Jan 12 16:59:45 ubuntu18 systemd-entrypoint[2138]: WARNING: System::setSecurityManager will be removed i
Jan 12 16:59:47 ubuntu18 systemd-entrypoint[2138]: WARNING: A terminally deprecated method in java.lang.
Jan 12 16:59:47 ubuntu18 systemd-entrypoint[2138]: WARNING: System::setSecurityManager has been called b
Jan 12 16:59:47 ubuntu18 systemd-entrypoint[2138]: WARNING: Please consider reporting this to the mainta
root@ubuntu18:/home/vagrant# curl -k -u admin:JWfY7kPqDKA2?XY0IiHSem?6iQSj4d8R https://192.168.57.117:9200
{
  "name" : "indexer-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "6q6hCjfAQ7iTmmlLqrEv4A",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@ubuntu18:/home/vagrant#
```

- Server

```
[root@redhat8 vagrant]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-01-12 16:58:50 UTC; 6s ago
  Process: 900 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 103 (limit: 4914)
   Memory: 273.8M
   CGroup: /system.slice/wazuh-manager.service
           ├─1098 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1140 /var/ossec/bin/wazuh-authd
           ├─1159 /var/ossec/bin/wazuh-db
           ├─1172 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1175 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1190 /var/ossec/bin/wazuh-execd
           ├─1205 /var/ossec/bin/wazuh-analysisd
           ├─1218 /var/ossec/bin/wazuh-syscheckd
           ├─1235 /var/ossec/bin/wazuh-remoted
           ├─1248 /var/ossec/bin/wazuh-logcollector
           ├─1288 /var/ossec/bin/wazuh-monitord
           ├─1302 /var/ossec/bin/wazuh-modulesd
[root@redhat8 vagrant]# filebeat test output
elasticsearch: https://192.168.57.117:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.57.117
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@redhat8 vagrant]#
```

- Dashboard

```
[root@redhat8 vagrant]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-01-12 16:57:29 UTC; 3min 50s ago
 Main PID: 816 (node)
    Tasks: 11 (limit: 4914)
   Memory: 157.1M
   CGroup: /system.slice/wazuh-dashboard.service
           └─816 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=6>

Jan 12 16:57:29 redhat8 systemd[1]: Started wazuh-dashboard.
Jan 12 17:00:48 redhat8 opensearch-dashboards[816]: {"type":"log","@timestamp":"2023-01-12T17:00:47Z",">
Jan 12 17:00:48 redhat8 opensearch-dashboards[816]: {"type":"log","@timestamp":"2023-01-12T17:00:48Z",">
Jan 12 17:00:48 redhat8 opensearch-dashboards[816]: {"type":"log","@timestamp":"2023-01-12T17:00:48Z",">
Jan 12 17:00:57 redhat8 opensearch-dashboards[816]: {"type":"log","@timestamp":"2023-01-12T17:00:57Z",">
Jan 12 17:01:02 redhat8 opensearch-dashboards[816]: {"type":"log","@timestamp":"2023-01-12T17:01:02Z",">
Jan 12 17:01:03 redhat8 opensearch-dashboards[816]: {"type":"log","@timestamp":"2023-01-12T17:01:03Z",">
Jan 12 17:01:04 redhat8 opensearch-dashboards[816]: {"type":"log","@timestamp":"2023-01-12T17:01:04Z",">
[root@redhat8 vagrant]#
```

![image](https://user-images.githubusercontent.com/61122643/212132139-6ec5b979-a073-4cb2-82ab-366ed7e7fa60.png)
![image](https://user-images.githubusercontent.com/61122643/212132271-9b2b1bdf-d2ef-4799-8d9d-046ef228fbec.png)
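As an added example that is not part of this issue or the wazuh-packages project, a POSIX shell check for the reboot test above and for the timeout fix reported earlier in the thread: it classifies an indexer node from the two log signatures quoted in the thread ("Not yet initialized (you may need to run securityadmin)" versus "Node '...' initialized"), measures how long the security plugin took to load its configuration, and writes a systemd drop-in raising the start timeout to the 180 seconds reported as the fix. The log excerpts are constructed, and `TimeoutStartSec` is assumed to be the directive the fix changed (the thread only says "TimeOut").

```shell
#!/bin/sh
# Added example, not code from the wazuh-packages issue or project.
# Post-reboot check for a Wazuh indexer node, built on the log signatures
# quoted in the thread. Assumptions: OpenSearch log lines use the layout
# "[YYYY-MM-DDTHH:MM:SS,mmm][LEVEL][logger] [node] message", and the service
# timeout the fix raised is systemd's TimeoutStartSec (the thread only says
# "TimeOut" and the value 180).

# Constructed sample excerpts, modelled on the lines quoted in the issue.
LOG_WAITING='[2023-01-12T13:26:36,421][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:38,158][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)'

LOG_READY="[2023-01-12T13:26:36,421][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:45,692][ERROR][o.o.s.a.BackendRegistry ] [indexer-1] Not yet initialized (you may need to run securityadmin)
[2023-01-12T13:26:47,429][INFO ][o.o.s.c.ConfigurationRepository] [indexer-1] Node 'indexer-1' initialized"

# log_time LINE -> the HH:MM:SS part of an OpenSearch log prefix
log_time() {
    printf '%s\n' "$1" | sed 's/^\[[0-9-]*T\([0-9:][0-9:]*\),.*/\1/'
}

# to_seconds HH:MM:SS -> seconds since midnight (leading zeros stripped so
# "08" is not read as octal by the shell arithmetic)
to_seconds() {
    h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
    echo $(( ${h#0} * 3600 + ${m#0} * 60 + ${s#0} ))
}

# indexer_state LOGTEXT -> ready | waiting-security | unknown
# "ready" means the security plugin loaded its configuration from the
# .opendistro_security index; "waiting-security" is the state the node sits
# in until then, when every request is refused with "Not yet initialized".
indexer_state() {
    if printf '%s\n' "$1" | grep -q "ConfigurationRepository] \[[^]]*] Node '[^']*' initialized"; then
        echo ready
    elif printf '%s\n' "$1" | grep -q 'BackendRegistry.*Not yet initialized'; then
        echo waiting-security
    else
        echo unknown
    fi
}

# not_yet_count LOGTEXT -> how many "Not yet initialized" errors were logged
not_yet_count() {
    printf '%s\n' "$1" | grep -c 'Not yet initialized'
}

# security_init_seconds LOGTEXT -> seconds between the first "Not yet
# initialized" error and the "Node ... initialized" line; prints -1 if the
# node never reported itself initialized (same calendar day assumed)
security_init_seconds() {
    first=$(printf '%s\n' "$1" | grep 'Not yet initialized' | head -n 1)
    last=$(printf '%s\n' "$1" | grep "Node '[^']*' initialized" | head -n 1)
    if [ -z "$first" ] || [ -z "$last" ]; then
        printf '%s\n' '-1'
        return 0
    fi
    echo $(( $(to_seconds "$(log_time "$last")") - $(to_seconds "$(log_time "$first")") ))
}

# write_timeout_dropin DIR SECONDS -> writes DIR/override.conf raising the
# unit's start timeout. To apply it, DIR would be
# /etc/systemd/system/wazuh-indexer.service.d followed by
# "systemctl daemon-reload" (assumed systemd handling, not from the thread).
write_timeout_dropin() {
    mkdir -p "$1"
    printf '[Service]\nTimeoutStartSec=%s\n' "$2" > "$1/override.conf"
}

# Stand-alone run over the constructed samples
main() {
    echo "waiting sample: $(indexer_state "$LOG_WAITING"), errors=$(not_yet_count "$LOG_WAITING")"
    echo "ready sample:   $(indexer_state "$LOG_READY"), security init took $(security_init_seconds "$LOG_READY")s"
}

main "$@"
```

On the real host the log text would come from the indexer log under /var/log/wazuh-indexer (a path assumed here, not quoted in the thread); a node that stays in waiting-security after the service is active is the case the security plugin's message points at (securityadmin never run), while a node that fails before reaching either state is the startup-timeout case the thread fixed.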