wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0
98 stars 89 forks

OVA report alerts before first use #2816

Closed rauldpm closed 4 months ago

rauldpm commented 5 months ago

Description

The OVA v4.8.0-beta1 reports alerts from before the start of the virtual machine, in this case corresponding to the construction period of the OVA. These alerts should not have been indexed, since the environment should reach the user clean.

image

Tasks

Validation

davidcr01 commented 4 months ago

Update Report

Workaround

The workaround is the following:

Related lines: https://github.com/wazuh/wazuh-packages/blob/4.8.0/ova/provision.sh#L44-L49

Another workaround could be studied considering https://github.com/wazuh/wazuh-indexer/issues/150

PoC

I followed the steps given above and the alerts are deleted and re-created successfully:

Before: Screenshot from 2024-02-13 12-31-54

After: Screenshot from 2024-02-13 12-31-11

Alerts are being collected correctly and no old alerts are displayed: image

davidcr01 commented 4 months ago

Update Report

I found a problem and it seems that the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file is empty after the OVA generation, leading to this error:

image

I am currently investigating why this file is empty.

davidcr01 commented 4 months ago

Update Report

Investigation

After further investigation with @rauldpm, we concluded that a shutdown of the VM is necessary before generating the OVA in order to save the state of the machine. With this shutdown, it is proven that the wazuh.yml of the Wazuh dashboard has the correct content.

This is related to:

To summarize, the postProvision.sh script was removed from the OVA generation. This script is in charge of cleaning up all the unnecessary files, removing the vagrant user (currently unnecessary because the Vagrant box used to generate the OVA does not have the Vagrant user), and shutting down the machine to save its state.

The shutdown can't be added directly to the provision.sh because this script is used in the automated OVA generation in Jenkins, related:

In this YAML, the cleanup and the shutdown of the machine are performed in other tasks. Therefore, we cannot add the shutdown to provision.sh because it would shut down the machine before all tasks are executed:

The shutdown will be executed in the Run provision script and the machine will be powered off

    - name: Run provision script
      command: "sh provision.sh {{ repository }} {{ debug }}"
      args:
        chdir: "{{ packages_path }}/ova"

    - name: Clean provision files
      file:
        path: /var/provision/
        state: absent

    - name: Clean unattended resources
      file:
        path: /tmp/{{ unattended_scripts }}
        state: absent

    - name: Clean logs
      command: find /var/log/ -type f -exec bash -c 'cat /dev/null > {}' \;

    - name: Clean history
      shell: cat /dev/null > ~/.bash_history && history -c

Another possible solution could be to add these tasks to the provision.sh script, but to modularize the tasks of the OVA generation and to preserve the definition and objective of these files, it is better to have these tasks separately.

As a conclusion, the postProvision.sh script will be restored to the OVA generation, saving the machine state and performing all the clean up stages, without affecting the pipeline.
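The cleanup-and-shutdown sequence discussed in this thread, written out as one shell script. This is an added example, not the project's postProvision.sh or provision.sh: it assumes the indexer listens on https://127.0.0.1:9200, takes credentials from INDEXER_USER/INDEXER_PASS (defaulting to the build-time admin:admin visible in the Jenkins output), truncates rather than deletes log files, and honours DRY_RUN=1 to print the privileged steps instead of running them. The helper names (`run`, `delete_build_indices`, `truncate_logs`, `clear_shell_history`) and the OVA_CLEAN_RUN guard are my own.

```shell
#!/bin/sh
# Added example (not the wazuh-packages project's own scripts): the pre-export
# cleanup this issue describes, in the order the Jenkins console shows it.
# Assumptions: indexer on 127.0.0.1:9200, credentials in INDEXER_USER/INDEXER_PASS,
# DRY_RUN=1 prints privileged commands instead of executing them.
set -eu

INDEXER_URL="${INDEXER_URL:-https://127.0.0.1:9200}"
INDEXER_USER="${INDEXER_USER:-admin}"
INDEXER_PASS="${INDEXER_PASS:-admin}"
DRY_RUN="${DRY_RUN:-0}"

# Index patterns whose documents were produced during the OVA build
# (the same list the provision.sh loop deletes in the Jenkins output).
INDEX_PATTERNS='wazuh-alerts-* wazuh-archives-* wazuh-states-vulnerabilities-* wazuh-statistics-* wazuh-monitoring-*'

# Log directories whose files are emptied, not removed, so every service
# still finds its expected log path on the user's first boot.
LOG_DIRS='/var/log /var/ossec/logs /var/log/wazuh-indexer /var/log/filebeat /usr/share/wazuh-dashboard/data/wazuh/logs'

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "DRY_RUN: $*"
  else
    "$@"
  fi
}

# delete_build_indices: delete every index matching the patterns above.
# Called only after filebeat and wazuh-manager are stopped, so no build-time
# alert can be re-indexed between the delete and the power-off.
delete_build_indices() {
  for pattern in $INDEX_PATTERNS; do
    # -k: the indexer certificate is self-signed at build time.
    run curl -sS -u "$INDEXER_USER:$INDEXER_PASS" -k -XDELETE "$INDEXER_URL/$pattern"
  done
}

# truncate_logs DIR...: empty every regular file below the given directories.
# The file name is passed as a positional argument to sh, never interpolated
# into the command string, so unusual file names cannot change the command.
truncate_logs() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" -type f -execdir sh -c ': > "$1"' _ {} \;
  done
}

# clear_shell_history: do not ship the build operator's command history.
clear_shell_history() {
  : > "${HOME:-/root}/.bash_history"
}

main() {
  run systemctl stop filebeat wazuh-manager
  delete_build_indices
  # Re-create the ISM policy and index templates the deletes removed, as the
  # Jenkins log does right after the delete loop.
  run bash /usr/share/wazuh-indexer/bin/indexer-ism-init.sh -i 127.0.0.1 -p "$INDEXER_PASS"
  run systemctl stop wazuh-indexer wazuh-dashboard
  run systemctl enable wazuh-manager
  run yum clean all
  run systemctl daemon-reload
  run rm -rf /var/provision
  if [ "$DRY_RUN" = 1 ]; then
    echo "DRY_RUN: truncate_logs $LOG_DIRS"
  else
    truncate_logs $LOG_DIRS   # unquoted on purpose: space-separated list
    clear_shell_history
  fi
  # The thread found wazuh.yml empty when the OVA was exported without a
  # shutdown first, so the state must be saved by a real power-off.
  run systemctl poweroff
}

# Only act when explicitly requested, so the functions can be sourced or tested.
if [ "${OVA_CLEAN_RUN:-0}" = 1 ]; then
  main
fi
```

Run it as `DRY_RUN=1 OVA_CLEAN_RUN=1 sh ova-clean.sh` to review the exact commands before letting it touch a build VM; the services are stopped before the index deletes for the reason given in the issue, namely that anything still writing alerts would re-index build-time events before the machine is powered off.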

davidcr01 commented 4 months ago

Update Report

:green_circle: Testing in local

After generating the OVA locally, it seems that the alerts have been collected and generated since the machine was started (the first alert is generated at 12:57:11.329, one minute after the machine was started), so no previous logs are displayed:

image

(Note that an hour must be added to get the real time)

[root@wazuh-server wazuh-user]#uptime -p -s
2024-02-14 11:56:42

The indices are created and in a green state: image

After these changes, the collected logs also date from when the machine was booted:

[root@wazuh-server wazuh-user]# cat /var/ossec/logs/ossec.log | head -n 10
2024/02/14 12:56:51 wazuh-modulesd:router: INFO: Loaded router module.
2024/02/14 12:56:51 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2024/02/14 12:56:53 wazuh-dbd: INFO: Database not configured. Clean exit.
2024/02/14 12:56:53 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
2024/02/14 12:56:53 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit.
2024/02/14 12:56:53 wazuh-agentlessd: INFO: Not configured. Exiting.
2024/02/14 12:56:53 wazuh-authd: INFO: Started (pid: 9960).
2024/02/14 12:56:53 wazuh-authd: INFO: Accepting connections on port 1515. No password required.
2024/02/14 12:56:53 wazuh-authd: INFO: Setting network timeout to 1.000000 sec.
2024/02/14 12:56:54 wazuh-db: INFO: Started (pid: 10383).
[root@wazuh-server wazuh-user]# 
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.json | head -n 10
{"timestamp":"2024-02-14T12:57:01.679+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707915421.0","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 2987/sshd\ntcp6 :::22 :::* 2987/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 3100/master\nudp 0.0.0.0:68 0.0.0.0:* 17816/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2109/rpcbind\ntcp6 :::111 :::* 2109/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2109/rpcbind\nudp6 :::111 :::* 2109/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 2145/chronyd\nudp6 ::1:323 :::* 2145/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 16412/node\nudp 0.0.0.0:1011 0.0.0.0:* 2109/rpcbind\nudp6 :::1011 :::* 2109/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 17465/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17329/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 12807/java\ntcp6 127.0.0.1:9300 :::* 12807/java\ntcp 0.0.0.0:55000 0.0.0.0:* 17280/python3","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 8151/sshd\ntcp6 :::22 :::* 8151/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 8347/master\nudp 0.0.0.0:68 0.0.0.0:* 7452/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2073/rpcbind\ntcp6 :::111 :::* 2073/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2073/rpcbind\nudp6 :::111 :::* 2073/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 2085/chronyd\nudp6 ::1:323 :::* 2085/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 2041/node\nudp 0.0.0.0:935 0.0.0.0:* 2073/rpcbind\nudp6 :::935 :::* 2073/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 13131/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 9960/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 8142/java\ntcp6 127.0.0.1:9300 :::* 8142/java\ntcp 0.0.0.0:55000 0.0.0.0:* 9867/python3","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 2987/sshd\ntcp6 :::22 :::* 2987/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 3100/master\nudp 0.0.0.0:68 0.0.0.0:* 17816/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2109/rpcbind\ntcp6 :::111 :::* 2109/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2109/rpcbind\nudp6 :::111 :::* 2109/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 2145/chronyd\nudp6 ::1:323 :::* 2145/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 16412/node\nudp 0.0.0.0:1011 0.0.0.0:* 2109/rpcbind\nudp6 :::1011 :::* 2109/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 17465/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17329/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 12807/java\ntcp6 127.0.0.1:9300 :::* 12807/java\ntcp 0.0.0.0:55000 0.0.0.0:* 17280/python3","location":"netstat listening ports"}
{"timestamp":"2024-02-14T11:57:11.329+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911831.1744","full_log":"Feb 14 11:57:10 wazuh-server login: pam_unix(login:session): session opened for user wazuh-user by LOGIN(uid=0)","predecoder":{"program_name":"login","timestamp":"Feb 14 11:57:10","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"LOGIN","dstuser":"wazuh-user","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:12.364+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911832.2177","full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2024-02-14T11:57:13.331+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":2,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911833.2428","full_log":"Feb 14 11:57:13 wazuh-server sudo: pam_unix(sudo:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"sudo","timestamp":"Feb 14 11:57:13","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:13.331+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":1,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911833.2852","full_log":"Feb 14 11:57:13 wazuh-server sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Feb 14 11:57:13","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:13.331+0000","rule":{"level":4,"description":"First time user executed sudo.","id":"5403","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911833.3225","full_log":"Feb 14 11:57:13 wazuh-server sudo: wazuh-user : TTY=tty1 ; PWD=/home/wazuh-user ; USER=root ; COMMAND=/bin/loadkeys#040es","predecoder":{"program_name":"sudo","timestamp":"Feb 14 11:57:13","hostname":"wazuh-server"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"wazuh-user","dstuser":"root","tty":"tty1","pwd":"/home/wazuh-user","command":"/bin/loadkeys#040es"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:15.332+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911835.3569","full_log":"Feb 14 11:57:14 wazuh-server sudo: wazuh-user : TTY=tty1 ; PWD=/home/wazuh-user ; USER=root ; COMMAND=/bin/su","predecoder":{"program_name":"sudo","timestamp":"Feb 14 11:57:14","hostname":"wazuh-server"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"wazuh-user","dstuser":"root","tty":"tty1","pwd":"/home/wazuh-user","command":"/bin/su"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:15.332+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":4,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911835.4064","full_log":"Feb 14 11:57:14 wazuh-server su: pam_unix(su:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"su","timestamp":"Feb 14 11:57:14","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:15.332+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911835.4484","full_log":"Feb 14 11:57:14 wazuh-server sudo: pam_unix(sudo:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"sudo","timestamp":"Feb 14 11:57:14","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T12:17:31.049+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110.001","T1021.004"],"tactic":["Credential Access","Lateral Movement"],"technique":["Password Guessing","SSH"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707913051.4908","full_log":"Feb 14 12:17:30 wazuh-server sshd[19246]: Invalid user wazuh-server from 192.168.1.240 port 49672","predecoder":{"program_name":"sshd","timestamp":"Feb 14 12:17:30","hostname":"wazuh-server"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.1.240","srcport":"49672","srcuser":"wazuh-server"},"location":"/var/log/secure"}
[root@wazuh-server wazuh-user]# 
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | head -n 10
{"date":"2024-02-14T11:57:05.763Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2024-02-14T11:57:05.763Z","level":"info","location":"initialize","message":"App revision: 03"}
{"date":"2024-02-14T11:57:05.764Z","level":"info","location":"initialize","message":"Total RAM: 7964MB"}
[root@wazuh-server wazuh-user]# 
[root@wazuh-server wazuh-user]# cat /var/log/wazuh-indexer/wazuh-cluster.log | head -n 10
[2024-02-14T12:56:53,563][INFO ][o.o.n.Node               ] [node-1] version[2.10.0], pid[8142], build[rpm/eee49cb340edc6c4d489bcd9324dda571fc8dc03/2023-09-20T23:54:29.889267151Z], OS[Linux/4.14.336-255.557.amzn2.x86_64/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/17.0.8/17.0.8+7]
[2024-02-14T12:56:53,564][INFO ][o.o.n.Node               ] [node-1] JVM home [/usr/share/wazuh-indexer/jdk], using bundled JDK/JRE [true]
[2024-02-14T12:56:53,565][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-15227882268441032914, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-02-14T12:56:54,557][INFO ][o.o.s.s.t.SSLConfig      ] [node-1] SSL dual mode is disabled
[2024-02-14T12:56:54,557][INFO ][o.o.s.OpenSearchSecurityPlugin] [node-1] OpenSearch Config path is /etc/wazuh-indexer
[2024-02-14T12:56:54,760][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] JVM supports TLSv1.3
[2024-02-14T12:56:54,761][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] Config directory is /etc/wazuh-indexer/, from there the key- and truststore files are resolved relatively
[2024-02-14T12:56:55,154][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS Transport Client Provider : JDK
[2024-02-14T12:56:55,155][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS Transport Server Provider : JDK
[2024-02-14T12:56:55,155][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS HTTP Provider             : JDK
[root@wazuh-server wazuh-user]# cat /var/log/filebeat/filebeat | head -n 10
2024-02-14T12:56:50.760Z    INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-02-14T12:56:50.760Z    INFO    instance/beat.go:653    Beat ID: ed1fd3a5-f0b7-4114-b43e-48fee2fc917d
2024-02-14T12:56:50.761Z    INFO    [seccomp]   seccomp/seccomp.go:124  Syscall filter successfully installed
2024-02-14T12:56:50.761Z    INFO    [beat]  instance/beat.go:981    Beat info   {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "ed1fd3a5-f0b7-4114-b43e-48fee2fc917d"}}}
2024-02-14T12:56:50.761Z    INFO    [beat]  instance/beat.go:990    Build info  {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-02-14T12:56:50.761Z    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2024-02-14T12:56:50.761Z    INFO    [beat]  instance/beat.go:997    Host info   {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-02-14T12:56:40Z","containerized":false,"name":"wazuh-server","ip":["127.0.0.1/8","::1/128","192.168.1.169/24","2a0c:5a82:2602:b100:a00:27ff:fe6e:b112/64","fe80::a00:27ff:fe6e:b112/64"],"kernel_version":"4.14.336-255.557.amzn2.x86_64","mac":["08:00:27:6e:b1:12"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2","major":2,"minor":0,"patch":0,"codename":"Karoo"},"timezone":"UTC","timezone_offset_sec":0,"id":"6b47e1b2e948824db9c8c6ba65509eef"}}}
2024-02-14T12:56:50.762Z    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 8144, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-02-14T12:56:50.450Z"}}}
2024-02-14T12:56:50.762Z    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2024-02-14T12:56:50.772Z    INFO    eslegclient/connection.go:99    elasticsearch url: https://127.0.0.1:9200
[root@wazuh-server wazuh-user]# 

:green_circle: Testing in Jenkins

The new tasks have been successfully executed in the pipeline:

12:40:52  + systemctl stop filebeat wazuh-manager
12:40:52  + for index in '"${INDEXES[@]}"'
12:40:52  + curl -u admin:admin -XDELETE 'https://127.0.0.1:9200/wazuh-alerts-*' -k
12:40:52    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
12:40:52                                   Dload  Upload   Total   Spent    Left  Speed
12:40:52  
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    21  100    21    0     0    387      0 --:--:-- --:--:-- --:--:--   388
12:40:52  + for index in '"${INDEXES[@]}"'
12:40:52  + curl -u admin:admin -XDELETE 'https://127.0.0.1:9200/wazuh-archives-*' -k
12:40:52    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
12:40:52                                   Dload  Upload   Total   Spent    Left  Speed
12:40:52  
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    21  100    21    0     0    373      0 --:--:-- --:--:-- --:--:--   375
12:40:52  + for index in '"${INDEXES[@]}"'
12:40:52  + curl -u admin:admin -XDELETE 'https://127.0.0.1:9200/wazuh-states-vulnerabilities-*' -k
12:40:52    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
12:40:52                                   Dload  Upload   Total   Spent    Left  Speed
12:40:52  
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    21  100    21    0     0   1983      0 --:--:-- --:--:-- --:--:--  2100
12:40:52  + for index in '"${INDEXES[@]}"'
12:40:52  + curl -u admin:admin -XDELETE 'https://127.0.0.1:9200/wazuh-statistics-*' -k
12:40:52    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
12:40:52                                   Dload  Upload   Total   Spent    Left  Speed
12:40:52  
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    21  100    21    0     0   1961      0 --:--:-- --:--:-- --:--:--  2100
12:40:52  + for index in '"${INDEXES[@]}"'
12:40:52  + curl -u admin:admin -XDELETE 'https://127.0.0.1:9200/wazuh-monitoring-*' -k
12:40:52    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
12:40:52                                   Dload  Upload   Total   Spent    Left  Speed
12:40:52  
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    21  100    21    0     0    577      0 --:--:-- --:--:-- --:--:--   583
12:40:52  + bash /usr/share/wazuh-indexer/bin/indexer-ism-init.sh -i 127.0.0.1 -p admin
12:40:52  + systemctl stop wazuh-indexer wazuh-dashboard
12:40:52  + systemctl enable wazuh-manager
12:40:52  + clean
12:40:52  + rm -f /securityadmin_demo.sh
12:40:52  + yum clean all
12:40:52  + systemctl daemon-reload
12:40:52  + rm -rf /var/provision/wazuh-packages/ova/assets /var/provision/wazuh-packages/ova/generate_ova.sh /var/provision/wazuh-packages/ova/Ova2Ovf.py /var/provision/wazuh-packages/ova/provision.sh /var/provision/wazuh-packages/ova/README.md /var/provision/wazuh-packages/ova/setOVADefault.sh /var/provision/wazuh-packages/ova/Vagrantfile /var/provision/wazuh-packages/ova/wazuh_ovf_template /var/provision/wazuh-packages/ova/.gitignore
12:40:52  + cat /dev/null
12:40:52  + history -c
12:40:52  
12:40:52  TASK [Clean provision files] ***************************************************
12:40:52  task path: /home/ec2-user/workspace/Packages_Builder_OVA/ansible-playbooks/wazuh_ova_generation.yml:39
12:40:52  changed: [Packages_Builder_OVA_B333_20240214112723] => {
12:40:52      "changed": true,
12:40:52      "path": "/var/provision/",
12:40:52      "state": "absent"
12:40:52  }
12:40:53  
12:40:53  TASK [Clean unattended resources] **********************************************
12:40:53  task path: /home/ec2-user/workspace/Packages_Builder_OVA/ansible-playbooks/wazuh_ova_generation.yml:44
12:40:53  changed: [Packages_Builder_OVA_B333_20240214112723] => {
12:40:53      "changed": true,
12:40:53      "path": "/tmp/unattended_installer",
12:40:53      "state": "absent"
12:40:53  }
12:40:53  
12:40:53  TASK [Clean logs] **************************************************************
12:40:53  task path: /home/ec2-user/workspace/Packages_Builder_OVA/ansible-playbooks/wazuh_ova_generation.yml:49
12:40:53  changed: [Packages_Builder_OVA_B333_20240214112723] => {
12:40:53      "changed": true,
12:40:53      "cmd": "find /var/log/ -type f -exec bash -c 'cat /dev/null > {}' \\;\nfind /var/ossec/logs -type f -execdir sh -c 'cat /dev/null > \"$1\"' _ {} \\;\nfind /var/log/wazuh-indexer -type f -execdir sh -c 'cat /dev/null > \"$1\"' _ {} \\;\nfind /var/log/filebeat -type f -execdir sh -c 'cat /dev/null > \"$1\"' _ {} \\;\nfind /usr/share/wazuh-dashboard/data/wazuh/logs -type f -execdir sh -c 'cat /dev/null > \"$1\"' _ {} \\;\n",
12:40:53      "delta": "0:00:00.147371",
12:40:53      "end": "2024-02-14 11:40:53.955373",
12:40:53      "rc": 0,
12:40:53      "start": "2024-02-14 11:40:53.808002"
12:40:53  }

https://ci.wazuh.info/job/Packages_Builder_OVA/333/consoleFull

Same result as the local test.

image

[root@wazuh-server wazuh-user]# uptime -p -s
2024-02-14 15:09:29
[root@wazuh-server wazuh-user]# 

image

[root@wazuh-server wazuh-user]# cat /var/ossec/logs/ossec.log | head -n 10
2024/02/14 16:09:32 wazuh-modulesd:router: INFO: Loaded router module.
2024/02/14 16:09:32 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2024/02/14 16:09:34 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit.
2024/02/14 16:09:34 wazuh-dbd: INFO: Database not configured. Clean exit.
2024/02/14 16:09:34 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
2024/02/14 16:09:34 wazuh-agentlessd: INFO: Not configured. Exiting.
2024/02/14 16:09:34 wazuh-authd: INFO: Started (pid: 9371).
2024/02/14 16:09:34 wazuh-authd: INFO: Accepting connections on port 1515. No password required.
2024/02/14 16:09:34 wazuh-authd: INFO: Setting network timeout to 1.000000 sec.
2024/02/14 16:09:35 wazuh-db: INFO: Started (pid: 9853).
[root@wazuh-server wazuh-user]# 
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.json | head -n 10
{"timestamp":"2024-02-14T16:09:43.249+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707926983.0","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1776/sshd\ntcp6 :::22 :::* 1776/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 1889/master\nudp 0.0.0.0:68 0.0.0.0:* 4112/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2992/rpcbind\ntcp6 :::111 :::* 2992/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2992/rpcbind\nudp6 :::111 :::* 2992/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 3001/chronyd\nudp6 ::1:323 :::* 3001/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 15221/node\nudp 0.0.0.0:614 0.0.0.0:* 2992/rpcbind\nudp6 :::614 :::* 2992/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 16297/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16151/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 11613/java\ntcp6 127.0.0.1:9300 :::* 11613/java\ntcp 0.0.0.0:55000 0.0.0.0:* 16102/python3","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 7561/sshd\ntcp6 :::22 :::* 7561/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 7770/master\nudp 0.0.0.0:68 0.0.0.0:* 6972/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2056/rpcbind\ntcp6 :::111 :::* 2056/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2056/rpcbind\nudp6 :::111 :::* 2056/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 2050/chronyd\nudp6 ::1:323 :::* 2050/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 2012/node\nudp 0.0.0.0:912 0.0.0.0:* 2056/rpcbind\nudp6 :::912 :::* 2056/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 12653/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 9371/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 7568/java\ntcp6 127.0.0.1:9300 :::* 7568/java\ntcp 0.0.0.0:55000 0.0.0.0:* 9255/python3","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1776/sshd\ntcp6 :::22 :::* 1776/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 1889/master\nudp 0.0.0.0:68 0.0.0.0:* 4112/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2992/rpcbind\ntcp6 :::111 :::* 2992/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2992/rpcbind\nudp6 :::111 :::* 2992/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 3001/chronyd\nudp6 ::1:323 :::* 3001/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 15221/node\nudp 0.0.0.0:614 0.0.0.0:* 2992/rpcbind\nudp6 :::614 :::* 2992/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 16297/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16151/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 11613/java\ntcp6 127.0.0.1:9300 :::* 11613/java\ntcp 0.0.0.0:55000 0.0.0.0:* 16102/python3","location":"netstat listening ports"}
{"timestamp":"2024-02-14T15:09:52.807+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923392.1741","full_log":"Feb 14 15:09:51 wazuh-server login: pam_unix(login:session): session opened for user wazuh-user by LOGIN(uid=0)","predecoder":{"program_name":"login","timestamp":"Feb 14 15:09:51","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"LOGIN","dstuser":"wazuh-user","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:09:52.807+0000","rule":{"level":4,"description":"First time user executed sudo.","id":"5403","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923392.2174","full_log":"Feb 14 15:09:52 wazuh-server sudo: wazuh-user : TTY=tty1 ; PWD=/home/wazuh-user ; USER=root ; COMMAND=/bin/su","predecoder":{"program_name":"sudo","timestamp":"Feb 14 15:09:52","hostname":"wazuh-server"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"wazuh-user","dstuser":"root","tty":"tty1","pwd":"/home/wazuh-user","command":"/bin/su"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:09:52.807+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":2,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923392.2494","full_log":"Feb 14 15:09:52 wazuh-server su: pam_unix(su:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"su","timestamp":"Feb 14 15:09:52","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:09:52.807+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923392.2914","full_log":"Feb 14 15:09:52 wazuh-server sudo: pam_unix(sudo:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"sudo","timestamp":"Feb 14 15:09:52","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:09:53.839+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923393.3338","full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2024-02-14T15:10:44.867+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":4,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923444.3589","full_log":"Feb 14 15:10:43 wazuh-server sshd[19061]: pam_unix(sshd:session): session opened for user wazuh-user by (uid=0)","predecoder":{"program_name":"sshd","timestamp":"Feb 14 15:10:43","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"wazuh-user","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:10:44.867+0000","rule":{"level":3,"description":"sshd: authentication success.","id":"5715","mitre":{"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"],"technique":["Valid Accounts","Remote Services"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923444.4022","full_log":"Feb 14 15:10:43 wazuh-server sshd[19061]: Accepted password for wazuh-user from 192.168.1.240 port 34680 ssh2","predecoder":{"program_name":"sshd","timestamp":"Feb 14 15:10:43","hostname":"wazuh-server"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.1.240","srcport":"34680","dstuser":"wazuh-user"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:10:44.909+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":5,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923444.4488","full_log":"Feb 14 15:10:44 wazuh-server sudo: pam_unix(sudo:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"sudo","timestamp":"Feb 14 15:10:44","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:10:44.909+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":6,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923444.4912","full_log":"Feb 14 15:10:44 wazuh-server su: pam_unix(su:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"su","timestamp":"Feb 14 15:10:44","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}

/usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | head -n 10
{"date":"2024-02-14T16:09:45.581Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2024-02-14T16:09:45.582Z","level":"info","location":"initialize","message":"App revision: 03"}
{"date":"2024-02-14T16:09:45.582Z","level":"info","location":"initialize","message":"Total RAM: 7964MB"}
[root@wazuh-server wazuh-user]# 
[root@wazuh-server wazuh-user]# 
[root@wazuh-server wazuh-user]# 
[root@wazuh-server wazuh-user]# cat /var/log/wazuh-indexer/wazuh-cluster.log | head -n 10
[2024-02-14T16:09:34,933][INFO ][o.o.n.Node               ] [node-1] version[2.10.0], pid[7568], build[rpm/eee49cb340edc6c4d489bcd9324dda571fc8dc03/2023-09-20T23:54:29.889267151Z], OS[Linux/4.14.336-255.557.amzn2.x86_64/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/17.0.8/17.0.8+7]
[2024-02-14T16:09:34,934][INFO ][o.o.n.Node               ] [node-1] JVM home [/usr/share/wazuh-indexer/jdk], using bundled JDK/JRE [true]
[2024-02-14T16:09:34,935][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-406069355175393296, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-02-14T16:09:35,567][INFO ][o.o.s.s.t.SSLConfig      ] [node-1] SSL dual mode is disabled
[2024-02-14T16:09:35,568][INFO ][o.o.s.OpenSearchSecurityPlugin] [node-1] OpenSearch Config path is /etc/wazuh-indexer
[2024-02-14T16:09:35,768][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] JVM supports TLSv1.3
[2024-02-14T16:09:35,770][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] Config directory is /etc/wazuh-indexer/, from there the key- and truststore files are resolved relatively
[2024-02-14T16:09:36,127][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS Transport Client Provider : JDK
[2024-02-14T16:09:36,128][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS Transport Server Provider : JDK
[2024-02-14T16:09:36,128][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS HTTP Provider             : JDK
[root@wazuh-server wazuh-user]# cat /var/log/filebeat/filebeat | head -n 10
2024-02-14T16:09:32.168Z    INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-02-14T16:09:32.169Z    INFO    instance/beat.go:653    Beat ID: 0037ed7c-5e46-4a96-8ffb-d4eaad9e0ea3
2024-02-14T16:09:32.170Z    INFO    [seccomp]   seccomp/seccomp.go:124  Syscall filter successfully installed
2024-02-14T16:09:32.170Z    INFO    [beat]  instance/beat.go:981    Beat info   {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "0037ed7c-5e46-4a96-8ffb-d4eaad9e0ea3"}}}
2024-02-14T16:09:32.170Z    INFO    [beat]  instance/beat.go:990    Build info  {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-02-14T16:09:32.170Z    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2024-02-14T16:09:32.178Z    INFO    [beat]  instance/beat.go:997    Host info   {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-02-14T16:09:21Z","containerized":false,"name":"wazuh-server","ip":["127.0.0.1/8","::1/128","192.168.1.170/24","2a0c:5a82:2602:b100:a00:27ff:fed1:fc52/64","fe80::a00:27ff:fed1:fc52/64"],"kernel_version":"4.14.336-255.557.amzn2.x86_64","mac":["08:00:27:d1:fc:52"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2","major":2,"minor":0,"patch":0,"codename":"Karoo"},"timezone":"UTC","timezone_offset_sec":0,"id":"6b47e1b2e948824db9c8c6ba65509eef"}}}
2024-02-14T16:09:32.179Z    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 7562, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-02-14T16:09:31.880Z"}}}
2024-02-14T16:09:32.179Z    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2024-02-14T16:09:32.182Z    INFO    eslegclient/connection.go:99    elasticsearch url: https://127.0.0.1:9200
[root@wazuh-server wazuh-user]#