wazuh / wazuh-qa

Wazuh - Quality Assurance

Release 4.3.6 - Release Candidate 1 - E2E UX tests - Demo environment #3101

Closed juliamagan closed 2 years ago

juliamagan commented 2 years ago

Description

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

| Field | Value |
| --- | --- |
| Test name | Demo environment |
| Category | Wazuh App |
| Deployment option | Demo environment |
| Main release issue | https://github.com/wazuh/wazuh/issues/14260 |
| Release candidate # | RC1 |

Proposed checks

Conclusion 🔴

New bugs have been found when testing. In addition, some previously reported problems have been found again.

Issues found

Detected issues and previously reported

New opened issues

Auditors' validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

References

| Color | Status |
| --- | --- |
| 🟢 | All tests passed successfully |
| 🟡 | All tests passed but there are some warnings |
| 🔴 | Some tests have failures or errors |
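Added example, not part of this issue or the wazuh-qa repository: a POSIX shell script that automates the checks the task reports below run on each host (`egrep -i "ERROR|WARNING"` over `ossec.log` and `cluster.log`, plus `wazuh-control status`) and maps the outcome onto this colour legend. Sample log lines and status output are constructed inline, the `YYYY/MM/DD HH:MM:SS tag: LEVEL: message` log layout is assumed from the warning quoted in the report, and the required-daemon list is the set the managers below report as running.

```shell
#!/bin/sh
# Added example (not from the wazuh-qa issue): automate the "no errors or
# warnings in logs" task and map the result onto the issue's colour legend.
#   green  - no ERROR or WARNING lines and every required daemon running
#   yellow - WARNING lines only
#   red    - at least one ERROR line, or a required daemon not running
#
# Wazuh log lines are assumed to have the layout seen in the issue:
#   YYYY/MM/DD HH:MM:SS tag: LEVEL: message
# so the level is matched as its own field. The page's `egrep -i "ERROR|WARNING"`
# would also flag an INFO line that merely mentions the word "error".

# Count lines in FILE whose level field is LEVEL (ERROR or WARNING).
count_level() {
    level="$1"; file="$2"
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0 and stay alive.
    grep -cE ": $level: " "$file" || true
}

# Classify one log file: prints green, yellow or red.
classify_log() {
    file="$1"
    errors=$(count_level ERROR "$file")
    warnings=$(count_level WARNING "$file")
    if [ "$errors" -gt 0 ]; then
        echo red
    elif [ "$warnings" -gt 0 ]; then
        echo yellow
    else
        echo green
    fi
}

# Print the required daemons that a captured `wazuh-control status` output
# (FILE) does not report as "is running..."; remaining args are daemon names.
missing_daemons() {
    file="$1"; shift
    missing=""
    for daemon in "$@"; do
        if ! grep -q "^$daemon is running" "$file"; then
            missing="$missing $daemon"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Combine the checks run on a manager into one colour.
# Usage: manager_status OSSEC_LOG CLUSTER_LOG CONTROL_STATUS_FILE DAEMON...
manager_status() {
    ossec="$1"; cluster="$2"; control="$3"; shift 3
    worst=green
    for f in "$ossec" "$cluster"; do
        c=$(classify_log "$f")
        if [ "$c" = red ]; then worst=red; fi
        if [ "$c" = yellow ] && [ "$worst" = green ]; then worst=yellow; fi
    done
    if [ -n "$(missing_daemons "$control" "$@")" ]; then worst=red; fi
    echo "$worst"
}

# Daemons the issue's managers report as running; maild, agentlessd, dbd and
# csyslogd are reported "not running" there and are therefore not required.
MANAGER_DAEMONS="wazuh-clusterd wazuh-modulesd wazuh-monitord wazuh-logcollector
wazuh-remoted wazuh-syscheckd wazuh-analysisd wazuh-execd wazuh-db wazuh-authd
wazuh-integratord wazuh-apid"

# --- constructed sample inputs (not captured from the demo environment) ---
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ossec_clean.log" <<'EOF'
2022/07/18 16:56:34 wazuh-modulesd: INFO: Started (pid: 30223).
2022/07/18 16:56:35 wazuh-analysisd: INFO: constructed line that mentions an error but is not an ERROR.
EOF
cat > "$SAMPLES/ossec_warn.log" <<'EOF'
2022/07/18 16:56:34 wazuh-modulesd: INFO: Started (pid: 30223).
2022/07/18 16:58:24 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '001' OS. Skipping it.
EOF
cat > "$SAMPLES/ossec_error.log" <<'EOF'
2022/07/18 16:58:24 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '001' OS. Skipping it.
2022/07/18 16:58:30 wazuh-db: ERROR: constructed sample error line.
EOF
: > "$SAMPLES/cluster.log"   # empty: egrep found nothing, as on the page
# wazuh-control status with the same daemon set the issue shows for the managers,
# and a constructed variant where wazuh-remoted is down.
printf '%s is running...\n' $MANAGER_DAEMONS > "$SAMPLES/control_ok.txt"
printf '%s not running...\n' wazuh-maild wazuh-agentlessd wazuh-dbd wazuh-csyslogd >> "$SAMPLES/control_ok.txt"
sed 's/^wazuh-remoted is running/wazuh-remoted not running/' "$SAMPLES/control_ok.txt" > "$SAMPLES/control_down.txt"

# Stand-alone run: one line per sample, like the task table.
for name in ossec_clean ossec_warn ossec_error; do
    printf '%-16s %s\n' "$name.log" "$(classify_log "$SAMPLES/$name.log")"
done
printf 'Master-env1: %s\n' "$(manager_status "$SAMPLES/ossec_warn.log" "$SAMPLES/cluster.log" "$SAMPLES/control_ok.txt" $MANAGER_DAEMONS)"
```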
mauromalara commented 2 years ago

Task 1: No errors or warnings found in logs 🔴

Agents

**Amazon Linux** 🟢

- `journalctl -xe -u wazuh-agent.service`:

```
Jul 18 13:36:33 ip-10-0-1-74.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun shutting down.
Jul 18 13:36:33 ip-10-0-1-74.us-west-1.compute.internal env[937]: Killing wazuh-modulesd...
Jul 18 13:36:33 ip-10-0-1-74.us-west-1.compute.internal env[937]: Killing wazuh-logcollector...
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[937]: Killing wazuh-syscheckd...
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[937]: Killing wazuh-agentd...
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[937]: Killing wazuh-execd...
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[937]: Wazuh v4.3.6 Stopped
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun starting up.
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Starting Wazuh v4.3.6...
Jul 18 13:36:35 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-execd...
Jul 18 13:36:36 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-agentd...
Jul 18 13:36:37 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-syscheckd...
Jul 18 13:36:38 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-logcollector...
Jul 18 13:36:39 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-modulesd...
Jul 18 13:36:41 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Completed.
Jul 18 13:36:41 ip-10-0-1-74.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.
```

- `egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log`:

```
[root@ip-10-0-1-74 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@ip-10-0-1-74 wazuh-user]#
```

- `systemctl status wazuh-agent -l`:

```
[root@ip-10-0-1-74 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 13:36:41 UTC; 18h ago
  Process: 937 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 1003 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─1032 /var/ossec/bin/wazuh-execd
           ├─1044 /var/ossec/bin/wazuh-agentd
           ├─1059 /var/ossec/bin/wazuh-syscheckd
           ├─1073 /var/ossec/bin/wazuh-logcollector
           └─1095 /var/ossec/bin/wazuh-modulesd

jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Starting Wazuh v4.3.6...
jul 18 13:36:35 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-execd...
jul 18 13:36:36 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-agentd...
jul 18 13:36:37 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-syscheckd...
jul 18 13:36:38 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-logcollector...
jul 18 13:36:39 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-modulesd...
jul 18 13:36:41 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Completed.
jul 18 13:36:41 ip-10-0-1-74.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
jul 19 01:36:38 ip-10-0-1-74.us-west-1.compute.internal crontab[5198]: (root) LIST (root)
```

- `/var/ossec/bin/wazuh-control status`:

```
[root@ip-10-0-1-74 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
```
**RHEL** 🟢

- `journalctl -xe -u wazuh-agent.service`:

```
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun shutting down.
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Killing wazuh-modulesd...
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Killing wazuh-logcollector...
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Killing wazuh-syscheckd...
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Killing wazuh-agentd...
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Killing wazuh-execd...
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Wazuh v4.3.6 Stopped
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished shutting down.
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun starting up.
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Starting Wazuh v4.3.6...
Jul 18 13:41:27 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-execd...
Jul 18 13:41:28 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-agentd...
Jul 18 13:41:29 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-syscheckd...
Jul 18 13:41:30 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-logcollector...
Jul 18 13:41:30 ip-10-0-1-254.us-west-1.compute.internal osqueryd[4386]: osqueryd started [version=4.3.0]
Jul 18 13:41:31 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-modulesd...
Jul 18 13:41:33 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Completed.
Jul 18 13:41:33 ip-10-0-1-254.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.
```

- `egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log`:

```
[root@ip-10-0-1-254 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@ip-10-0-1-254 wazuh-user]#
```

- `systemctl status wazuh-agent -l`:

```
[root@ip-10-0-1-254 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 13:41:33 UTC; 18h ago
  Process: 4187 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 4274 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 53
   Memory: 196.9M
   CGroup: /system.slice/wazuh-agent.service
           ├─4301 /var/ossec/bin/wazuh-execd
           ├─4313 /var/ossec/bin/wazuh-agentd
           ├─4328 /var/ossec/bin/wazuh-syscheckd
           ├─4341 /var/ossec/bin/wazuh-logcollector
           ├─4365 /var/ossec/bin/wazuh-modulesd
           ├─4381 python3 wodles/docker/DockerListener
           ├─4386 /usr/bin/osqueryd --config_path=/etc/osquery/osquery.conf
           └─4400 /usr/bin/osqueryd

jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Starting Wazuh v4.3.6...
jul 18 13:41:27 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-execd...
jul 18 13:41:28 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-agentd...
jul 18 13:41:29 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-syscheckd...
jul 18 13:41:30 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-logcollector...
jul 18 13:41:30 ip-10-0-1-254.us-west-1.compute.internal osqueryd[4386]: osqueryd started [version=4.3.0]
jul 18 13:41:31 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-modulesd...
jul 18 13:41:33 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Completed.
jul 18 13:41:33 ip-10-0-1-254.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
jul 19 01:41:30 ip-10-0-1-254.us-west-1.compute.internal crontab[21163]: (root) LIST (root)
```

- `/var/ossec/bin/wazuh-control status`:

```
[root@ip-10-0-1-254 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
```
**Ubuntu** 🟢

- `journalctl -xe -u wazuh-agent.service`:

```
Jul 18 14:15:40 ip-10-0-1-129 systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has begun shutting down.
Jul 18 14:15:40 ip-10-0-1-129 env[17255]: Killing wazuh-modulesd...
Jul 18 14:15:40 ip-10-0-1-129 env[17255]: Killing wazuh-logcollector...
Jul 18 14:15:40 ip-10-0-1-129 env[17255]: Killing wazuh-syscheckd...
Jul 18 14:15:40 ip-10-0-1-129 env[17255]: Killing wazuh-agentd...
Jul 18 14:15:40 ip-10-0-1-129 env[17255]: Killing wazuh-execd...
Jul 18 14:15:41 ip-10-0-1-129 env[17255]: Wazuh v4.3.6 Stopped
Jul 18 14:15:41 ip-10-0-1-129 systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has finished shutting down.
Jul 18 14:15:41 ip-10-0-1-129 systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has begun starting up.
Jul 18 14:15:41 ip-10-0-1-129 env[17309]: Starting Wazuh v4.3.6...
Jul 18 14:15:42 ip-10-0-1-129 env[17309]: Started wazuh-execd...
Jul 18 14:15:43 ip-10-0-1-129 env[17309]: Started wazuh-agentd...
Jul 18 14:15:44 ip-10-0-1-129 env[17309]: Started wazuh-syscheckd...
Jul 18 14:15:45 ip-10-0-1-129 env[17309]: Started wazuh-logcollector...
Jul 18 14:15:46 ip-10-0-1-129 env[17309]: Started wazuh-modulesd...
Jul 18 14:15:48 ip-10-0-1-129 env[17309]: Completed.
Jul 18 14:15:48 ip-10-0-1-129 systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is RESULT.
```

- `egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log`:

```
root@ip-10-0-1-129:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
root@ip-10-0-1-129:/home/wazuh-user#
```

- `systemctl status wazuh-agent -l`:

```
root@ip-10-0-1-129:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor
   Active: active (running) since Mon 2022-07-18 14:15:48 UTC; 17h ago
  Process: 17255 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=e
  Process: 17309 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code
    Tasks: 31 (limit: 1125)
   CGroup: /system.slice/wazuh-agent.service
           ├─17355 /var/ossec/bin/wazuh-execd
           ├─17366 /var/ossec/bin/wazuh-agentd
           ├─17381 /var/ossec/bin/wazuh-syscheckd
           ├─17396 /var/ossec/bin/wazuh-logcollector
           └─17411 /var/ossec/bin/wazuh-modulesd

Jul 18 14:15:41 ip-10-0-1-129 systemd[1]: Starting Wazuh agent...
Jul 18 14:15:41 ip-10-0-1-129 env[17309]: Starting Wazuh v4.3.6...
Jul 18 14:15:42 ip-10-0-1-129 env[17309]: Started wazuh-execd...
Jul 18 14:15:43 ip-10-0-1-129 env[17309]: Started wazuh-agentd...
Jul 18 14:15:44 ip-10-0-1-129 env[17309]: Started wazuh-syscheckd...
Jul 18 14:15:45 ip-10-0-1-129 env[17309]: Started wazuh-logcollector...
Jul 18 14:15:46 ip-10-0-1-129 env[17309]: Started wazuh-modulesd...
Jul 18 14:15:48 ip-10-0-1-129 env[17309]: Completed.
Jul 18 14:15:48 ip-10-0-1-129 systemd[1]: Started Wazuh agent.
```

- `/var/ossec/bin/wazuh-control status`:

```
root@ip-10-0-1-129:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
```
**Debian** 🟢

- `journalctl -xe -u wazuh-agent.service`:

```
Jul 18 14:15:40 ip-10-0-1-236 systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit wazuh-agent.service has begun shutting down.
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Killing wazuh-modulesd...
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Killing wazuh-logcollector...
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Killing wazuh-syscheckd...
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Killing wazuh-agentd...
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Killing wazuh-execd...
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Wazuh v4.3.6 Stopped
Jul 18 14:15:40 ip-10-0-1-236 systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit wazuh-agent.service has finished shutting down.
Jul 18 14:15:40 ip-10-0-1-236 systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit wazuh-agent.service has begun starting up.
Jul 18 14:15:40 ip-10-0-1-236 env[20458]: Starting Wazuh v4.3.6...
Jul 18 14:15:41 ip-10-0-1-236 env[20458]: Started wazuh-execd...
Jul 18 14:15:42 ip-10-0-1-236 env[20458]: Started wazuh-agentd...
Jul 18 14:15:43 ip-10-0-1-236 env[20458]: Started wazuh-syscheckd...
Jul 18 14:15:44 ip-10-0-1-236 env[20458]: Started wazuh-logcollector...
Jul 18 14:15:45 ip-10-0-1-236 env[20458]: Started wazuh-modulesd...
Jul 18 14:15:47 ip-10-0-1-236 env[20458]: Completed.
Jul 18 14:15:47 ip-10-0-1-236 systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.
```

- `egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log`:

```
root@ip-10-0-1-236:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
root@ip-10-0-1-236:/home/wazuh-user#
```

- `systemctl status wazuh-agent -l`:

```
root@ip-10-0-1-236:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor
   Active: active (running) since Mon 2022-07-18 14:15:47 UTC; 17h ago
  Process: 20403 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=e
  Process: 20458 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code
    Tasks: 31 (limit: 4915)
   CGroup: /system.slice/wazuh-agent.service
           ├─20482 /var/ossec/bin/wazuh-execd
           ├─20493 /var/ossec/bin/wazuh-agentd
           ├─20507 /var/ossec/bin/wazuh-syscheckd
           ├─20524 /var/ossec/bin/wazuh-logcollector
           └─20555 /var/ossec/bin/wazuh-modulesd

jul 18 14:15:40 ip-10-0-1-236 systemd[1]: Starting Wazuh agent...
jul 18 14:15:40 ip-10-0-1-236 env[20458]: Starting Wazuh v4.3.6...
jul 18 14:15:41 ip-10-0-1-236 env[20458]: Started wazuh-execd...
jul 18 14:15:42 ip-10-0-1-236 env[20458]: Started wazuh-agentd...
jul 18 14:15:43 ip-10-0-1-236 env[20458]: Started wazuh-syscheckd...
jul 18 14:15:44 ip-10-0-1-236 env[20458]: Started wazuh-logcollector...
jul 18 14:15:45 ip-10-0-1-236 env[20458]: Started wazuh-modulesd...
jul 18 14:15:47 ip-10-0-1-236 env[20458]: Completed.
jul 18 14:15:47 ip-10-0-1-236 systemd[1]: Started Wazuh agent.
```

- `/var/ossec/bin/wazuh-control status`:

```
root@ip-10-0-1-236:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
```
**CentOS** 🟢

- `journalctl -xe -u wazuh-agent.service`:

```
Jul 18 14:28:58 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun shutting down.
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Killing wazuh-modulesd...
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Killing wazuh-logcollector...
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Killing wazuh-syscheckd...
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Killing wazuh-agentd...
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Killing wazuh-execd...
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Wazuh v4.3.6 Stopped
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished shutting down.
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun starting up.
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Starting Wazuh v4.3.6...
Jul 18 14:29:00 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-execd...
Jul 18 14:29:01 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-agentd...
Jul 18 14:29:02 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-syscheckd...
Jul 18 14:29:04 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-logcollector...
Jul 18 14:29:05 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-modulesd...
Jul 18 14:29:07 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Completed.
Jul 18 14:29:07 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.
```

- `egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log`:

```
[root@ip-10-0-1-223 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@ip-10-0-1-223 wazuh-user]#
```

- `systemctl status wazuh-agent -l`:

```
[root@ip-10-0-1-223 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 14:29:07 UTC; 17h ago
  Process: 28914 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 28980 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─29007 /var/ossec/bin/wazuh-execd
           ├─29019 /var/ossec/bin/wazuh-agentd
           ├─29034 /var/ossec/bin/wazuh-syscheckd
           ├─29048 /var/ossec/bin/wazuh-logcollector
           └─29066 /var/ossec/bin/wazuh-modulesd

jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Starting Wazuh v4.3.6...
jul 18 14:29:00 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-execd...
jul 18 14:29:01 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-agentd...
jul 18 14:29:02 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-syscheckd...
jul 18 14:29:04 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-logcollector...
jul 18 14:29:05 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-modulesd...
jul 18 14:29:07 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Completed.
jul 18 14:29:07 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
```

- `/var/ossec/bin/wazuh-control status`:

```
[root@ip-10-0-1-223 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
```
**Windows** 🟢

- `Event Viewer > Windows Logs > System > (Last 2 events)`:

* STOPPED

```
EventID: 7036
Version: 0
Level: 4
Task: 0
Opcode: 0
Keywords: 0x8080000000000000
EventRecordID: 93825
Channel: System
Computer: EC2AMAZ-BPN9OOM
param1: Wazuh
param2: stopped
Binary: 570061007A00750068005300760063002F0031000000
```

* STARTED

```
EventID: 7036
Version: 0
Level: 4
Task: 0
Opcode: 0
Keywords: 0x8080000000000000
EventRecordID: 93826
Channel: System
Computer: EC2AMAZ-BPN9OOM
param1: Wazuh
param2: running
Binary: 570061007A00750068005300760063002F0034000000
```

---

**AGENT STATUS: RUNNING**

![image](https://user-images.githubusercontent.com/39094716/179544851-92e05cae-0468-495c-97cb-6f94333ae60e.png)

---

**NO ERRORS FOUND IN OSSEC.LOG**

![image](https://user-images.githubusercontent.com/39094716/179544486-8449485c-bfb0-4729-a410-7c3aa48fff46.png)

---

Managers

**Master-env1** 🟡

- `journalctl -xe -u wazuh-manager.service`:

```
-- Unit wazuh-manager.service has begun shutting down.
Jul 18 16:56:16 wazuh-manager-master-0 env[29777]: Killing wazuh-clusterd...
Jul 18 16:56:16 wazuh-manager-master-0 env[29777]: Killing wazuh-modulesd...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-monitord...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-logcollector...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-remoted...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-syscheckd...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-analysisd...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: wazuh-maild not running...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-execd...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-db...
Jul 18 16:56:18 wazuh-manager-master-0 env[29777]: Killing wazuh-authd...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: wazuh-agentlessd not running...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: Killing wazuh-integratord...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: wazuh-dbd not running...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: wazuh-csyslogd not running...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: Killing wazuh-apid...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: Wazuh v4.3.6 Stopped
Jul 18 16:56:19 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Jul 18 16:56:21 wazuh-manager-master-0 env[29923]: Starting Wazuh v4.3.6...
Jul 18 16:56:24 wazuh-manager-master-0 env[29923]: Started wazuh-apid...
Jul 18 16:56:24 wazuh-manager-master-0 env[29923]: Started wazuh-csyslogd...
Jul 18 16:56:24 wazuh-manager-master-0 env[29923]: Started wazuh-dbd...
Jul 18 16:56:24 wazuh-manager-master-0 env[29923]: Started wazuh-integratord...
Jul 18 16:56:24 wazuh-manager-master-0 env[29923]: Started wazuh-agentlessd...
Jul 18 16:56:25 wazuh-manager-master-0 env[29923]: Started wazuh-authd...
Jul 18 16:56:26 wazuh-manager-master-0 env[29923]: Started wazuh-db...
Jul 18 16:56:27 wazuh-manager-master-0 env[29923]: Started wazuh-execd...
Jul 18 16:56:28 wazuh-manager-master-0 env[29923]: Started wazuh-analysisd...
Jul 18 16:56:29 wazuh-manager-master-0 env[29923]: Started wazuh-syscheckd...
Jul 18 16:56:30 wazuh-manager-master-0 env[29923]: Started wazuh-remoted...
Jul 18 16:56:31 wazuh-manager-master-0 env[29923]: Started wazuh-logcollector...
Jul 18 16:56:32 wazuh-manager-master-0 env[29923]: Started wazuh-monitord...
Jul 18 16:56:34 wazuh-manager-master-0 env[29923]: Started wazuh-modulesd...
Jul 18 16:56:34 wazuh-manager-master-0 env[29923]: Started wazuh-clusterd...
Jul 18 16:56:35 wazuh-manager-master-0 crontab[30342]: (root) LIST (root)
Jul 18 16:56:36 wazuh-manager-master-0 env[29923]: Completed.
Jul 18 16:56:37 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
```

---

**1 warning message found in `ossec.log`**

```
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/07/18 16:58:24 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '001' OS. Skipping it.
```

---

**No error or warning messages in `cluster.log`**

```Bash
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
[root@wazuh-manager-master-0 wazuh-user]#
```

---

**Wazuh control**

```Bash
[root@wazuh-manager-master-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
```

---

- `systemctl status wazuh-manager -l`:

```
[root@wazuh-manager-master-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 16:56:37 UTC; 15h ago
  Process: 29777 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 29923 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─29980 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30006 /var/ossec/bin/wazuh-integratord
           ├─30025 /var/ossec/bin/wazuh-authd
           ├─30042 /var/ossec/bin/wazuh-db
           ├─30054 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30057 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30072 /var/ossec/bin/wazuh-execd
           ├─30087 /var/ossec/bin/wazuh-analysisd
           ├─30099 /var/ossec/bin/wazuh-syscheckd
           ├─30119 /var/ossec/bin/wazuh-remoted
           ├─30152 /var/ossec/bin/wazuh-logcollector
           ├─30173 /var/ossec/bin/wazuh-monitord
           ├─30223 /var/ossec/bin/wazuh-modulesd
           ├─30340 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─30364 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─30367 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

jul 18 16:56:29 wazuh-manager-master-0 env[29923]: Started wazuh-syscheckd...
jul 18 16:56:30 wazuh-manager-master-0 env[29923]: Started wazuh-remoted...
jul 18 16:56:31 wazuh-manager-master-0 env[29923]: Started wazuh-logcollector...
jul 18 16:56:32 wazuh-manager-master-0 env[29923]: Started wazuh-monitord...
jul 18 16:56:34 wazuh-manager-master-0 env[29923]: Started wazuh-modulesd...
jul 18 16:56:34 wazuh-manager-master-0 env[29923]: Started wazuh-clusterd...
jul 18 16:56:35 wazuh-manager-master-0 crontab[30342]: (root) LIST (root)
jul 18 16:56:36 wazuh-manager-master-0 env[29923]: Completed.
jul 18 16:56:37 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
jul 19 04:56:36 wazuh-manager-master-0 crontab[5148]: (root) LIST (root)
```

---

**Filebeat**

```Bash
[root@wazuh-manager-master-0 wazuh-user]# filebeat test output
elasticsearch: https://10.0.2.230:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.230
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.169:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.169
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.170:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.170
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```
Master-env2 🟢

`journalctl -xe -u wazuh-manager.service`

```
Jul 18 16:56:28 wazuh-manager-master-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun shutting down.
Jul 18 16:56:28 wazuh-manager-master-0 env[27680]: Killing wazuh-clusterd...
Jul 18 16:56:28 wazuh-manager-master-0 env[27680]: Killing wazuh-modulesd...
Jul 18 16:56:28 wazuh-manager-master-0 env[27680]: Killing wazuh-monitord...
Jul 18 16:56:28 wazuh-manager-master-0 env[27680]: Killing wazuh-logcollector...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: Killing wazuh-remoted...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: Killing wazuh-syscheckd...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: Killing wazuh-analysisd...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: wazuh-maild not running...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: Killing wazuh-execd...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: Killing wazuh-db...
Jul 18 16:56:30 wazuh-manager-master-0 env[27680]: Killing wazuh-authd...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: wazuh-agentlessd not running...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: Killing wazuh-integratord...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: wazuh-dbd not running...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: wazuh-csyslogd not running...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: Killing wazuh-apid...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: Wazuh v4.3.6 Stopped
Jul 18 16:56:31 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Jul 18 16:56:33 wazuh-manager-master-0 env[27832]: Starting Wazuh v4.3.6...
Jul 18 16:56:36 wazuh-manager-master-0 env[27832]: Started wazuh-apid...
Jul 18 16:56:36 wazuh-manager-master-0 env[27832]: Started wazuh-csyslogd...
Jul 18 16:56:36 wazuh-manager-master-0 env[27832]: Started wazuh-dbd...
Jul 18 16:56:36 wazuh-manager-master-0 env[27832]: Started wazuh-integratord...
Jul 18 16:56:36 wazuh-manager-master-0 env[27832]: Started wazuh-agentlessd...
Jul 18 16:56:37 wazuh-manager-master-0 env[27832]: Started wazuh-authd...
Jul 18 16:56:38 wazuh-manager-master-0 env[27832]: Started wazuh-db...
Jul 18 16:56:39 wazuh-manager-master-0 env[27832]: Started wazuh-execd...
Jul 18 16:56:40 wazuh-manager-master-0 env[27832]: Started wazuh-analysisd...
Jul 18 16:56:41 wazuh-manager-master-0 env[27832]: Started wazuh-syscheckd...
Jul 18 16:56:42 wazuh-manager-master-0 env[27832]: Started wazuh-remoted...
Jul 18 16:56:43 wazuh-manager-master-0 env[27832]: Started wazuh-logcollector...
Jul 18 16:56:44 wazuh-manager-master-0 env[27832]: Started wazuh-monitord...
Jul 18 16:56:45 wazuh-manager-master-0 env[27832]: Started wazuh-modulesd...
Jul 18 16:56:46 wazuh-manager-master-0 crontab[28262]: (root) LIST (root)
Jul 18 16:56:46 wazuh-manager-master-0 env[27832]: Started wazuh-clusterd...
Jul 18 16:56:48 wazuh-manager-master-0 env[27832]: Completed.
Jul 18 16:56:48 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
```

---

**No error or warning messages in `ossec.log`**

```bash
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@wazuh-manager-master-0 wazuh-user]#
```

---

**No error or warning messages in `cluster.log`**

```bash
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
[root@wazuh-manager-master-0 wazuh-user]#
```

---

**Wazuh control**

```bash
[root@wazuh-manager-master-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
```

---

- `systemctl status wazuh-manager -l`:

```
[root@wazuh-manager-master-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 16:56:48 UTC; 15h ago
  Process: 27680 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 27832 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─27890 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─27924 /var/ossec/bin/wazuh-integratord
           ├─27935 /var/ossec/bin/wazuh-authd
           ├─27952 /var/ossec/bin/wazuh-db
           ├─27964 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─27967 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─27982 /var/ossec/bin/wazuh-execd
           ├─27997 /var/ossec/bin/wazuh-analysisd
           ├─28009 /var/ossec/bin/wazuh-syscheckd
           ├─28030 /var/ossec/bin/wazuh-remoted
           ├─28062 /var/ossec/bin/wazuh-logcollector
           ├─28084 /var/ossec/bin/wazuh-monitord
           ├─28133 /var/ossec/bin/wazuh-modulesd
           ├─28261 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─28282 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─28285 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

jul 18 16:56:41 wazuh-manager-master-0 env[27832]: Started wazuh-syscheckd...
jul 18 16:56:42 wazuh-manager-master-0 env[27832]: Started wazuh-remoted...
jul 18 16:56:43 wazuh-manager-master-0 env[27832]: Started wazuh-logcollector...
jul 18 16:56:44 wazuh-manager-master-0 env[27832]: Started wazuh-monitord...
jul 18 16:56:45 wazuh-manager-master-0 env[27832]: Started wazuh-modulesd...
jul 18 16:56:46 wazuh-manager-master-0 crontab[28262]: (root) LIST (root)
jul 18 16:56:46 wazuh-manager-master-0 env[27832]: Started wazuh-clusterd...
jul 18 16:56:48 wazuh-manager-master-0 env[27832]: Completed.
jul 18 16:56:48 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
jul 19 04:56:45 wazuh-manager-master-0 crontab[3033]: (root) LIST (root)
```

---

**Filebeat**

```bash
[root@wazuh-manager-master-0 wazuh-user]# filebeat test output
elasticsearch: https://10.0.2.230:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.230
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.169:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.169
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.170:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.170
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```
Worker-env1 🟢

`journalctl -xe -u wazuh-manager.service`

```
Jul 18 16:56:39 wazuh-manager-worker-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun shutting down.
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-clusterd...
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-modulesd...
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-monitord...
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-logcollector...
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-remoted...
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-syscheckd...
Jul 18 16:56:40 wazuh-manager-worker-0 env[14864]: Killing wazuh-analysisd...
Jul 18 16:56:40 wazuh-manager-worker-0 env[14864]: wazuh-maild not running...
Jul 18 16:56:40 wazuh-manager-worker-0 env[14864]: Killing wazuh-execd...
Jul 18 16:56:40 wazuh-manager-worker-0 env[14864]: Killing wazuh-db...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: wazuh-authd not running...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: wazuh-agentlessd not running...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: Killing wazuh-integratord...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: wazuh-dbd not running...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: wazuh-csyslogd not running...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: Killing wazuh-apid...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: Wazuh v4.3.6 Stopped
Jul 18 16:56:41 wazuh-manager-worker-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Jul 18 16:56:44 wazuh-manager-worker-0 env[15002]: Starting Wazuh v4.3.6...
Jul 18 16:56:47 wazuh-manager-worker-0 env[15002]: Started wazuh-apid...
Jul 18 16:56:47 wazuh-manager-worker-0 env[15002]: Started wazuh-csyslogd...
Jul 18 16:56:47 wazuh-manager-worker-0 env[15002]: Started wazuh-dbd...
Jul 18 16:56:47 wazuh-manager-worker-0 env[15002]: Started wazuh-integratord...
Jul 18 16:56:47 wazuh-manager-worker-0 env[15002]: Started wazuh-agentlessd...
Jul 18 16:56:48 wazuh-manager-worker-0 env[15002]: Started wazuh-db...
Jul 18 16:56:49 wazuh-manager-worker-0 env[15002]: Started wazuh-execd...
Jul 18 16:56:50 wazuh-manager-worker-0 env[15002]: Started wazuh-analysisd...
Jul 18 16:56:51 wazuh-manager-worker-0 env[15002]: Started wazuh-syscheckd...
Jul 18 16:56:52 wazuh-manager-worker-0 env[15002]: Started wazuh-remoted...
Jul 18 16:56:53 wazuh-manager-worker-0 env[15002]: Started wazuh-logcollector...
Jul 18 16:56:55 wazuh-manager-worker-0 env[15002]: Started wazuh-monitord...
Jul 18 16:56:56 wazuh-manager-worker-0 env[15002]: Started wazuh-modulesd...
Jul 18 16:56:57 wazuh-manager-worker-0 env[15002]: Started wazuh-clusterd...
Jul 18 16:56:59 wazuh-manager-worker-0 env[15002]: Completed.
Jul 18 16:56:59 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
```

---

**`ossec.log`**

```bash
[root@wazuh-manager-worker-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@wazuh-manager-worker-0 wazuh-user]#
```

---

**`cluster.log`**

```bash
[root@wazuh-manager-worker-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
[root@wazuh-manager-worker-0 wazuh-user]#
```

---

**Wazuh control**

```bash
[root@wazuh-manager-worker-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd not running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
```

- `systemctl status wazuh-manager -l`:

```
[root@wazuh-manager-worker-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 18:57:48 UTC; 13h ago
  Process: 17043 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 17179 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─17236 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─17267 /var/ossec/bin/wazuh-integratord
           ├─17279 /var/ossec/bin/wazuh-db
           ├─17303 /var/ossec/bin/wazuh-execd
           ├─17305 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─17308 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─17324 /var/ossec/bin/wazuh-analysisd
           ├─17335 /var/ossec/bin/wazuh-syscheckd
           ├─17357 /var/ossec/bin/wazuh-remoted
           ├─17388 /var/ossec/bin/wazuh-logcollector
           ├─17412 /var/ossec/bin/wazuh-monitord
           ├─17460 /var/ossec/bin/wazuh-modulesd
           ├─17586 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─17810 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─18553 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

jul 18 18:57:39 wazuh-manager-worker-0 env[17179]: Started wazuh-analysisd...
jul 18 18:57:40 wazuh-manager-worker-0 env[17179]: Started wazuh-syscheckd...
jul 18 18:57:42 wazuh-manager-worker-0 env[17179]: Started wazuh-remoted...
jul 18 18:57:43 wazuh-manager-worker-0 env[17179]: Started wazuh-logcollector...
jul 18 18:57:44 wazuh-manager-worker-0 env[17179]: Started wazuh-monitord...
jul 18 18:57:45 wazuh-manager-worker-0 crontab[17543]: (root) LIST (root)
jul 18 18:57:45 wazuh-manager-worker-0 env[17179]: Started wazuh-modulesd...
jul 18 18:57:46 wazuh-manager-worker-0 env[17179]: Started wazuh-clusterd...
jul 18 18:57:48 wazuh-manager-worker-0 env[17179]: Completed.
jul 18 18:57:48 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
```

---

**Filebeat**

```bash
[root@wazuh-manager-worker-0 wazuh-user]# filebeat test output
elasticsearch: https://10.0.2.230:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.230
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.169:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.169
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.170:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.170
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

Indexers

Bootstrap 🟡

**Some warnings appear in `systemd`.**

`journalctl -xe -u wazuh-indexer.service --no-pager`

```
Jul 18 20:12:13 ip-10-0-2-230.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
Jul 18 20:12:13 ip-10-0-2-230.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: An illegal reflective access operation has occurred
Jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
Jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
Jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: All illegal access operations will be denied in a future release
Jul 18 20:12:35 ip-10-0-2-230.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
```

---

- `systemctl status wazuh-indexer -l`:

```
[root@ip-10-0-2-230 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 20:12:35 UTC; 12h ago
     Docs: https://documentation.wazuh.com
 Main PID: 29741 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─29741 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-13248168441558767060 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jul 18 20:12:13 ip-10-0-2-230.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: An illegal reflective access operation has occurred
jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: All illegal access operations will be denied in a future release
jul 18 20:12:35 ip-10-0-2-230.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
```

---

**Indexer log**

This error is related to: https://github.com/wazuh/wazuh-packages/issues/1511

```bash
[root@ip-10-0-2-230 wazuh-user]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
[2022-07-18T20:12:28,702][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
```
MasterB 🟡

**Some warnings appear in `systemd`.**

`journalctl -xe -u wazuh-indexer.service --no-pager`

```
Jul 18 20:09:02 ip-10-0-2-169.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
Jul 18 20:09:02 ip-10-0-2-169.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: An illegal reflective access operation has occurred
Jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
Jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
Jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: All illegal access operations will be denied in a future release
Jul 18 20:09:22 ip-10-0-2-169.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
```

---

- `systemctl status wazuh-indexer -l`:

```
[root@ip-10-0-2-169 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 20:09:22 UTC; 12h ago
     Docs: https://documentation.wazuh.com
 Main PID: 28811 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─28811 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-12183030694015605934 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jul 18 20:09:02 ip-10-0-2-169.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: An illegal reflective access operation has occurred
jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: All illegal access operations will be denied in a future release
jul 18 20:09:22 ip-10-0-2-169.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
```

---

**Indexer log**

This error is related to: https://github.com/wazuh/wazuh-packages/issues/1511

```bash
[root@ip-10-0-2-169 wazuh-user]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
[2022-07-18T20:09:16,317][ERROR][o.o.s.a.s.SinkProvider ] [node-2] Default endpoint could not be created, auditlog will not work properly.
```
MasterC 🟡

**Some warnings appear in `systemd`.**

`journalctl -xe -u wazuh-indexer.service --no-pager`

```
Jul 18 20:09:04 ip-10-0-2-170.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
Jul 18 20:09:04 ip-10-0-2-170.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: An illegal reflective access operation has occurred
Jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
Jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
Jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: All illegal access operations will be denied in a future release
Jul 18 20:09:26 ip-10-0-2-170.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
```

---

- `systemctl status wazuh-indexer -l`:

```
[root@ip-10-0-2-170 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 20:09:26 UTC; 12h ago
     Docs: https://documentation.wazuh.com
 Main PID: 28834 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─28834 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-7663747929237962954 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jul 18 20:09:04 ip-10-0-2-170.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: An illegal reflective access operation has occurred
jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: All illegal access operations will be denied in a future release
jul 18 20:09:26 ip-10-0-2-170.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
```

---

**Indexer log**

This error is related to: https://github.com/wazuh/wazuh-packages/issues/1511

```bash
[root@ip-10-0-2-170 wazuh-user]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
[2022-07-18T20:09:19,613][ERROR][o.o.s.a.s.SinkProvider ] [node-3] Default endpoint could not be created, auditlog will not work properly.
```

Dashboard

Indexer 🟡

- `journalctl -xe -u wazuh-indexer.service`

```
jul 19 08:39:08 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
jul 19 08:39:08 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: An illegal reflective access operation has occurred
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: All illegal access operations will be denied in a future release
jul 19 08:39:29 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
```

---

- `egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log`

```
[2022-07-19T08:39:23,143][ERROR][o.o.s.a.s.SinkProvider ] [node-7] Default endpoint could not be created, auditlog will not work properly.
```

---

- `systemctl status wazuh-indexer -l`:

```
[root@ip-10-0-0-178 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-07-19 08:39:29 UTC; 3min 21s ago
     Docs: https://documentation.wazuh.com
 Main PID: 26111 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─26111 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-16004828063245378125 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jul 19 08:39:08 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: An illegal reflective access operation has occurred
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: All illegal access operations will be denied in a future release
jul 19 08:39:29 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
```
Dashboard 🔴

- `journalctl -xe -u wazuh-dashboard.service --no-pager`

```
Jul 18 21:45:20 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Stopping wazuh-dashboard...
-- Subject: Unit wazuh-dashboard.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-dashboard.service has begun shutting down.
Jul 18 21:45:20 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19866]: {"type":"log","@timestamp":"2022-07-18T21:45:20Z","tags":["info","plugins-system"],"pid":19866,"message":"Stopping all plugins."}
Jul 18 21:45:20 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Started wazuh-dashboard.
-- Subject: Unit wazuh-dashboard.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-dashboard.service has finished starting up.
--
-- The start-up result is done.
Jul 18 21:45:20 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Starting wazuh-dashboard...
-- Subject: Unit wazuh-dashboard.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-dashboard.service has begun starting up.
Jul 18 21:45:25 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:25Z","tags":["info","plugins-service"],"pid":19944,"message":"Plugin \"visTypeXy\" is disabled."}
Jul 18 21:45:25 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:25Z","tags":["info","plugins-system"],"pid":19944,"message":"Setting up [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,wazuh,savedObjectsManagement,bfetch]"}
Jul 18 21:45:26 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:26Z","tags":["info","savedobjects-service"],"pid":19944,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Jul 18 21:45:26 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:26Z","tags":["info","savedobjects-service"],"pid":19944,"message":"Starting saved objects migrations"}
Jul 18 21:45:26 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:26Z","tags":["info","plugins-system"],"pid":19944,"message":"Starting [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,wazuh,savedObjectsManagement,bfetch]"}
Jul 18 21:45:26 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:26Z","tags":["listening","info"],"pid":19944,"message":"Server running at https://0.0.0.0:5601"}
Jul 18 21:45:27 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["info","http","server","OpenSearchDashboards"],"pid":19944,"message":"http server running at https://0.0.0.0:5601"}
Jul 18 21:45:27 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","opensearch","data"],"pid":19944,"message":"[ResponseError]: Response Error"}
Jul 18 21:45:27 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","plugins","wazuh","monitoring"],"pid":19944,"message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}
Jul 18 21:45:27 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","opensearch","data"],"pid":19944,"message":"[ResponseError]: Response Error"}
Jul 18 21:45:27 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","plugins","wazuh","monitoring"],"pid":19944,"message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}
```

---

- `systemctl status wazuh-dashboard -l`:

```
[root@ip-10-0-0-178 wazuh-user]# systemctl status wazuh-dashboard -l
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-07-19 08:47:02 UTC; 10s ago
 Main PID: 26468 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─26468 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

jul 19 08:47:08 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:08Z","tags":["info","plugins-system"],"pid":26468,"message":"Setting up [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,wazuh,savedObjectsManagement,bfetch]"}
jul 19 08:47:08 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:08Z","tags":["info","savedobjects-service"],"pid":26468,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
jul 19 08:47:08 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:08Z","tags":["info","savedobjects-service"],"pid":26468,"message":"Starting saved objects migrations"}
jul 19 08:47:08 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:08Z","tags":["info","plugins-system"],"pid":26468,"message":"Starting [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,wazuh,savedObjectsManagement,bfetch]"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["listening","info"],"pid":26468,"message":"Server running at https://0.0.0.0:5601"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["info","http","server","OpenSearchDashboards"],"pid":26468,"message":"http server running at https://0.0.0.0:5601"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["error","opensearch","data"],"pid":26468,"message":"[ResponseError]: Response Error"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["error","plugins","wazuh","monitoring"],"pid":26468,"message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["error","opensearch","data"],"pid":26468,"message":"[ResponseError]: Response Error"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["error","plugins","wazuh","monitoring"],"pid":26468,"message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}
```

---

**1 error while restarting the dashboard**

`egrep -Ei "ERR|WARN" /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log`

```Bash
{"date":"2022-07-18T21:45:27.785Z","level":"error","location":"monitoring:insertMonitoringDataElasticsearch","message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}
{"date":"2022-07-18T21:45:27.867Z","level":"error","location":"monitoring:insertMonitoringDataElasticsearch","message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}
```

Issues
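
The Task 1 check above greps three differently shaped sources (journald lines wrapping OpenSearch Dashboards JSON, bare JSON in wazuhapp.log, and the indexer's plain-text log) and has to read past restart noise. The script below is an added example, not part of wazuh-qa or of the comment above: it parses all three shapes and returns each distinct error or warning once with a count, so the two findings that matter (the dashboard's missing create/delete/check permissions on the `wazuh-monitoring-*` index and the indexer's audit-log sink failure, which the message itself says leaves the audit log not working) are listed rather than buried. The sample lines are shortened copies, constructed here, of the ones quoted above.

```python
"""Triage dashboard, wazuhapp.log and indexer log lines in one pass (added example)."""
import json
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Level markers as log4j ("[ERROR]", "[WARN ]") and the JVM ("WARNING:") print them.
_TEXT_LEVEL = re.compile(r"\[(ERROR|WARN)\s*\]|\bWARNING:")

Finding = Tuple[str, str, str]  # (source, level, message)


def _json_payload(line: str) -> Optional[dict]:
    """Return the JSON object embedded in a line, with or without a journald prefix."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def classify_line(line: str) -> Optional[Finding]:
    """Map one log line to (source, level, message), or None when it is not a problem."""
    rec = _json_payload(line)
    if rec is not None:
        if "tags" in rec:
            # OpenSearch Dashboards core record: the level is one of the tags.
            tags = rec.get("tags", [])
            level = next((t for t in tags if t in ("error", "warning")), None)
            source = "dashboard:" + ":".join(t for t in tags if t not in ("error", "warning", "info"))
        else:
            # Wazuh app record (wazuhapp.log): the level is an explicit field.
            lvl = rec.get("level", "")
            level = "error" if lvl == "error" else ("warning" if lvl in ("warn", "warning") else None)
            source = "wazuhapp:" + rec.get("location", "?")
        return (source, level, rec.get("message", "")) if level else None
    m = _TEXT_LEVEL.search(line)
    if not m:
        return None
    level = "error" if "ERROR" in m.group(0) else "warning"
    # Drop a journald "host unit[pid]: " prefix so repeated JVM warnings collapse together.
    msg = line.split("]: ", 1)[1] if "]: " in line else line
    return ("text", level, msg.strip())


def triage(lines: Iterable[str]) -> Dict[Finding, int]:
    """Count distinct findings across all sources; info lines are dropped."""
    counts: Counter = Counter()
    for line in lines:
        hit = classify_line(line)
        if hit is not None:
            counts[hit] += 1
    return dict(counts)


# Constructed sample: shortened copies of lines quoted in the comment above.
SAMPLE_LINES = [
    'Jul 18 21:45:26 ip-10-0-0-178 opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:26Z","tags":["listening","info"],"pid":19944,"message":"Server running at https://0.0.0.0:5601"}',
    'Jul 18 21:45:27 ip-10-0-0-178 opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","opensearch","data"],"pid":19944,"message":"[ResponseError]: Response Error"}',
    'Jul 18 21:45:27 ip-10-0-0-178 opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","plugins","wazuh","monitoring"],"pid":19944,"message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}',
    'Jul 18 21:45:27 ip-10-0-0-178 opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","plugins","wazuh","monitoring"],"pid":19944,"message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}',
    '{"date":"2022-07-18T21:45:27.785Z","level":"error","location":"monitoring:insertMonitoringDataElasticsearch","message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}',
    '[2022-07-19T08:39:23,143][ERROR][o.o.s.a.s.SinkProvider ] [node-7] Default endpoint could not be created, auditlog will not work properly.',
    'jul 19 08:39:23 ip-10-0-0-178 systemd-entrypoint[26111]: WARNING: An illegal reflective access operation has occurred',
    'jul 19 08:39:29 ip-10-0-0-178 systemd[1]: Started Wazuh-indexer.',
]

if __name__ == "__main__":
    for (source, level, message), n in sorted(triage(SAMPLE_LINES).items()):
        print(f"{n:>3}  {level:<7} {source:<45} {message}")
```

Feed it `journalctl -u wazuh-dashboard.service --no-pager`, `cat wazuhapp.log` and `cat /var/log/wazuh-indexer/wazuh.log` concatenated on stdin and the count column makes the "1 error" versus "repeated every restart" distinction explicit.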

mauromalara commented 2 years ago

Task 2: The daemons are running with the correct user 🟒

Agents

Amazon Linux 🟒

`ps aux | grep wazuh`

```Bash
root 1032 0.0 0.2 38500 2936 ? Sl 13:36 0:00 /var/ossec/bin/wazuh-execd
wazuh 1044 0.0 0.5 264500 5668 ? Sl 13:36 0:00 /var/ossec/bin/wazuh-agentd
root 1059 1.1 0.8 204512 8424 ? SNl 13:36 0:08 /var/ossec/bin/wazuh-syscheckd
root 1073 0.0 0.4 481016 4620 ? Sl 13:36 0:00 /var/ossec/bin/wazuh-logcollector
root 1095 0.0 1.4 741624 14348 ? Sl 13:36 0:00 /var/ossec/bin/wazuh-modulesd
```

RHEL 🟒

`ps aux | grep wazuh`

```Bash
root 4301 0.0 0.0 36308 1668 ? Sl 13:41 0:00 /var/ossec/bin/wazuh-execd
wazuh 4313 0.0 0.0 262040 3124 ? Sl 13:41 0:00 /var/ossec/bin/wazuh-agentd
root 4328 5.9 0.2 415672 8600 ? SNl 13:41 0:23 /var/ossec/bin/wazuh-syscheckd
root 4341 0.0 0.0 478724 2608 ? Sl 13:41 0:00 /var/ossec/bin/wazuh-logcollector
root 4365 0.3 0.6 1034304 23984 ? Sl 13:41 0:01 /var/ossec/bin/wazuh-modulesd
```

Ubuntu 🟒

`ps aux | grep wazuh`

```Bash
root 17355 0.0 0.3 43524 3260 ? Sl 14:15 0:00 /var/ossec/bin/wazuh-execd
wazuh 17366 0.0 0.5 269468 5284 ? Sl 14:15 0:01 /var/ossec/bin/wazuh-agentd
root 17381 0.0 0.7 208976 7856 ? SNl 14:15 0:08 /var/ossec/bin/wazuh-syscheckd
root 17396 0.0 0.4 485948 4492 ? Sl 14:15 0:00 /var/ossec/bin/wazuh-logcollector
root 17411 0.0 1.3 749164 13728 ? Sl 14:15 0:01 /var/ossec/bin/wazuh-modulesd
```

Debian 🟒

`ps aux | grep wazuh`

```Bash
root 20482 0.0 0.2 42208 2628 ? Sl 14:15 0:00 /var/ossec/bin/wazuh-execd
wazuh 20493 0.0 0.5 268236 5208 ? Sl 14:15 0:01 /var/ossec/bin/wazuh-agentd
root 20507 0.0 0.7 273020 7380 ? SNl 14:15 0:06 /var/ossec/bin/wazuh-syscheckd
root 20524 0.0 0.4 484860 4296 ? Sl 14:15 0:00 /var/ossec/bin/wazuh-logcollector
root 20555 0.0 1.2 745740 11976 ? Sl 14:15 0:01 /var/ossec/bin/wazuh-modulesd
```

CentOS 🟒

`ps aux | grep wazuh`

```Bash
root 29007 0.0 0.1 36220 1516 ? Sl 14:28 0:00 /var/ossec/bin/wazuh-execd
wazuh 29019 0.0 0.3 262044 3084 ? Sl 14:29 0:02 /var/ossec/bin/wazuh-agentd
root 29034 0.1 0.5 201932 5224 ? SNl 14:29 0:11 /var/ossec/bin/wazuh-syscheckd
root 29048 0.0 0.2 478596 2340 ? Sl 14:29 0:01 /var/ossec/bin/wazuh-logcollector
root 29066 0.0 2.2 739252 22524 ? Sl 14:29 0:02 /var/ossec/bin/wazuh-modulesd
```
Windows 🟒 `Task Manager > Services` ![image](https://user-images.githubusercontent.com/39094716/179561871-68d8da42-eccb-461d-a3eb-ba9325b6fb1e.png)

Managers

Master-env1 🟒

`ps aux | grep wazuh`

```Bash
wazuh 29980 0.1 2.5 821392 100176 ? Sl 16:56 0:15 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 30006 0.0 0.0 39232 3384 ? Sl 16:56 0:00 /var/ossec/bin/wazuh-integratord
root 30025 0.2 0.1 194956 5856 ? Sl 16:56 0:24 /var/ossec/bin/wazuh-authd
wazuh 30042 0.0 0.3 775968 15260 ? Sl 16:56 0:08 /var/ossec/bin/wazuh-db
wazuh 30054 0.0 1.4 317364 59752 ? S 16:56 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 30057 0.0 1.6 466436 63960 ? S 16:56 0:06 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root 30072 0.0 0.0 39272 3176 ? Sl 16:56 0:00 /var/ossec/bin/wazuh-execd
wazuh 30087 0.2 2.3 1293472 92940 ? Sl 16:56 0:20 /var/ossec/bin/wazuh-analysisd
root 30099 0.1 0.2 270452 8584 ? SNl 16:56 0:12 /var/ossec/bin/wazuh-syscheckd
wazuh 30119 0.4 0.1 1179140 6736 ? Sl 16:56 0:36 /var/ossec/bin/wazuh-remoted
root 30152 0.0 0.1 481672 5152 ? Sl 16:56 0:00 /var/ossec/bin/wazuh-logcollector
wazuh 30173 0.0 0.0 39252 3224 ? Sl 16:56 0:00 /var/ossec/bin/wazuh-monitord
root 30223 3.4 6.3 1424400 255288 ? Sl 16:56 5:13 /var/ossec/bin/wazuh-modulesd
wazuh 30340 0.1 1.3 443544 54116 ? Sl 16:56 0:11 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh 30364 0.0 1.0 280460 43828 ? S 16:56 0:02 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh 30367 0.0 1.0 362388 41852 ? S 16:56 0:02 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
```

Master-env2 🟒

`ps aux | grep wazuh`

```Bash
wazuh 27890 0.1 2.5 821300 100064 ? Sl 16:56 0:13 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 27924 0.0 0.0 39232 3380 ? Sl 16:56 0:00 /var/ossec/bin/wazuh-integratord
root 27935 0.2 0.1 194956 5836 ? Sl 16:56 0:25 /var/ossec/bin/wazuh-authd
wazuh 27952 0.0 0.3 710428 14940 ? Sl 16:56 0:06 /var/ossec/bin/wazuh-db
wazuh 27964 0.0 1.5 317372 59860 ? S 16:56 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 27967 0.0 1.6 466172 64016 ? S 16:56 0:05 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root 27982 0.0 0.0 39272 3240 ? Sl 16:56 0:00 /var/ossec/bin/wazuh-execd
wazuh 27997 0.0 2.2 1293376 91776 ? Sl 16:56 0:09 /var/ossec/bin/wazuh-analysisd
root 28009 0.1 0.2 270556 8444 ? SNl 16:56 0:12 /var/ossec/bin/wazuh-syscheckd
wazuh 28030 0.1 0.1 1179128 6992 ? Sl 16:56 0:10 /var/ossec/bin/wazuh-remoted
root 28062 0.0 0.1 481676 4988 ? Sl 16:56 0:00 /var/ossec/bin/wazuh-logcollector
wazuh 28084 0.0 0.0 39252 3180 ? Sl 16:56 0:00 /var/ossec/bin/wazuh-monitord
root 28133 3.9 7.5 1416824 299700 ? Sl 16:56 6:02 /var/ossec/bin/wazuh-modulesd
wazuh 28261 0.0 1.1 428476 45792 ? Sl 16:56 0:02 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh 28282 0.0 1.0 280460 42940 ? S 16:56 0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh 28285 0.0 1.0 362388 41696 ? S 16:56 0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
```

Worker-env1 🟒

`ps aux | grep wazuh`

```Bash
wazuh 17236 0.5 2.3 741632 94540 ? Sl 18:57 0:11 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 17267 0.0 0.0 39236 3412 ? Sl 18:57 0:00 /var/ossec/bin/wazuh-integratord
wazuh 17279 0.0 0.2 775972 11072 ? Sl 18:57 0:01 /var/ossec/bin/wazuh-db
root 17303 0.0 0.0 39288 3228 ? Sl 18:57 0:00 /var/ossec/bin/wazuh-execd
wazuh 17305 0.0 1.4 310420 57340 ? S 18:57 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 17308 0.0 1.5 465076 60124 ? S 18:57 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh 17324 0.0 0.7 1293328 28936 ? Sl 18:57 0:01 /var/ossec/bin/wazuh-analysisd
root 17335 0.5 0.2 204944 8708 ? SNl 18:57 0:10 /var/ossec/bin/wazuh-syscheckd
wazuh 17357 0.1 0.1 523728 4648 ? Sl 18:57 0:03 /var/ossec/bin/wazuh-remoted
root 17388 0.0 0.1 481680 5012 ? Sl 18:57 0:00 /var/ossec/bin/wazuh-logcollector
wazuh 17412 0.0 0.0 39256 3164 ? Sl 18:57 0:00 /var/ossec/bin/wazuh-monitord
root 17460 6.5 6.8 1180896 271520 ? Sl 18:57 2:21 /var/ossec/bin/wazuh-modulesd
wazuh 17586 0.1 1.3 588308 55152 ? Sl 18:57 0:02 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh 17810 0.0 1.1 288228 45284 ? S 18:57 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh 18553 0.0 1.1 440844 47248 ? S 19:00 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
```

Indexers

Bootstrap 🟒

`ps aux | grep wazuh`

```
wazuh-i+ 29741 3.3 55.9 7316876 4524008 ? Ssl 20:12 2:14 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-13248168441558767060 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
```

MasterB 🟒

`ps aux | grep wazuh`

```
wazuh-i+ 28811 3.1 56.2 7327416 4544820 ? Ssl 20:09 2:15 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-12183030694015605934 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
```

MasterC 🟒

`ps aux | grep wazuh`

```
wazuh-i+ 28834 3.2 56.0 7322904 4531908 ? Ssl 20:09 2:24 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-7663747929237962954 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
```

Dashboard

Indexer 🟒

`ps aux | grep wazuh`

```
wazuh-i+ 26111 8.4 37.4 5816456 3031956 ? Ssl 08:39 1:02 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-16004828063245378125 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
```

Dashboard 🟒

`ps aux | grep wazuh`

```Bash
wazuh-d+ 19944 1.7 1.8 994592 151328 ? Ssl 21:45 0:09 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
```
mauromalara commented 2 years ago

Task 3: The status of the Wazuh Indexer clusters is as expected. 🟒

`curl -k -u USER:PASS https://<INDEXER-IP>:9200/_cat/nodes?v`

```
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.0.178           18          82   0    0.00    0.00     0.00 dimr      -      node-7
10.0.2.169           33          81   0    0.00    0.00     0.00 dimr      *      node-2
10.0.2.230           12          83   0    0.02    0.01     0.00 dimr      -      node-1
10.0.2.170           23          82   0    0.00    0.00     0.00 dimr      *      node-3
```
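
"As expected" in Task 3 means, concretely: exactly one elected master (the `*` in the `master` column), every node carrying the same role set (`dimr` above: data, ingest, master-eligible, remote-cluster client), and no node near its heap limit. The script below is an added example, not part of wazuh-qa: it parses the `_cat/nodes?v` table quoted above and returns those checks as findings, so a second `*` (a split-brain symptom) or a node that silently lost its data role does not slip past a visual read. The 75 percent heap limit is a parameter of this example, not a Wazuh setting.

```python
"""Check an indexer cluster from `_cat/nodes?v` output (added example)."""
from typing import Dict, List


def parse_cat_nodes(text: str) -> List[Dict[str, str]]:
    """Turn the whitespace-aligned `_cat/nodes?v` table into dicts keyed by header."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            raise ValueError(f"column count mismatch in row: {line!r}")
        rows.append(dict(zip(header, cols)))
    return rows


def check_cluster(text: str, expected_roles: str = "dimr", max_heap_pct: int = 75) -> List[str]:
    """Return findings; an empty list means the cluster matches expectations."""
    nodes = parse_cat_nodes(text)
    findings: List[str] = []
    masters = [n["name"] for n in nodes if n["master"] == "*"]
    if len(masters) != 1:
        findings.append(f"expected exactly one elected master, found {masters or 'none'}")
    for n in nodes:
        if n["node.role"] != expected_roles:
            findings.append(f"{n['name']} roles {n['node.role']!r}, expected {expected_roles!r}")
        if int(n["heap.percent"]) > max_heap_pct:
            findings.append(f"{n['name']} heap {n['heap.percent']}% above {max_heap_pct}%")
    return findings


# The table from the comment above, verbatim.
SAMPLE = """\
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.0.178           18          82   0    0.00    0.00     0.00 dimr      -      node-7
10.0.2.169           33          81   0    0.00    0.00     0.00 dimr      *      node-2
10.0.2.230           12          83   0    0.02    0.01     0.00 dimr      -      node-1
10.0.2.170           23          82   0    0.00    0.00     0.00 dimr      -      node-3
"""
# Constructed failure: node-7 also claims to be master.
TWO_MASTERS = SAMPLE.replace(" - ", " * ", 1)

if __name__ == "__main__":
    print("demo cluster:", check_cluster(SAMPLE) or "as expected")
    print("two masters:", check_cluster(TWO_MASTERS))
```

The same parser works for any `_cat` endpoint with a `?v` header, so `_cat/indices?v` can be checked the same way for the `wazuh-alerts-*` and `wazuh-monitoring-*` indices the dashboard complained about in Task 1.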
mauromalara commented 2 years ago

Task 4: No errors in the browser's developer console when browsing the App 🔴

When accessing Home from another Opensearch module:

```
TypeError: NetworkError when attempting to fetch resource.
    Wrapper https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/core/core.entry.js:6
    _createSuperInternal https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/core/core.entry.js:6
    HttpFetchError https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/core/core.entry.js:6
    _callee3$ https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/core/core.entry.js:6
    tryCatch https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1
    invoke https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1
```

Issue:

juliamagan commented 2 years ago

Task 5: Alerts are being generated for each of the modules configured for this purpose 🟒

These are the modules configured in environment 1, and we can see events generated in all of them:

image

However, Osquery is configured in this environment, but it doesn't appear. If we enable it, we can see events:

image

These are the modules configured in environment 2, and we can see events generated in all of them except System Auditing and Policy monitoring, but they are enabled by default:

image

juliamagan commented 2 years ago

Task 6: No warning symbols in Discover when expanding a document 🟒

After performing several tests both in Discover and in different modules, we have not been able to find any warning.

juliamagan commented 2 years ago

Task 7: Generate an alert and check it in the web UI 🟒

Bad connection to CentOS agent:

```
juliamagan@pop-os:~$ ssh -i <key> paco@13.52.153.25 
paco@13.52.153.25's password: 
Permission denied, please try again.
paco@13.52.153.25's password: 
Permission denied, please try again.
paco@13.52.153.25's password: 
paco@13.52.153.25: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
```

Generated alerts:

image

Alert info

```json
{
  "_index": "wazuh-alerts-4.x-env-1-2022.07.19",
  "_type": "_doc",
  "_id": "5xshFoIBTDDmtmfQjJ07",
  "_version": 1,
  "_score": null,
  "_source": {
    "predecoder": {
      "hostname": "ip-10-0-1-223",
      "program_name": "sshd",
      "timestamp": "Jul 19 11:04:31"
    },
    "cluster": {
      "node": "master",
      "name": "wazuh1"
    },
    "agent": {
      "ip": "10.0.1.223",
      "name": "Centos",
      "id": "002"
    },
    "data": {
      "srcuser": "paco",
      "srcip": "81.40.76.164"
    },
    "manager": {
      "name": "wazuh-manager-master-0"
    },
    "rule": {
      "mail": false,
      "level": 5,
      "hipaa": ["164.312.b"],
      "pci_dss": ["10.2.4", "10.2.5", "10.6.1"],
      "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"],
      "description": "sshd: Attempt to login using a non-existent user",
      "groups": ["syslog", "sshd", "authentication_failed", "invalid_login"],
      "nist_800_53": ["AU.14", "AC.7", "AU.6"],
      "gdpr": ["IV_35.7.d", "IV_32.2"],
      "firedtimes": 11,
      "mitre": {
        "technique": ["Password Guessing", "SSH", "Valid Accounts"],
        "id": ["T1110.001", "T1021.004", "T1078"],
        "tactic": ["Credential Access", "Lateral Movement", "Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access"]
      },
      "id": "5710",
      "gpg13": ["7.1"]
    },
    "decoder": {
      "parent": "sshd",
      "name": "sshd"
    },
    "full_log": "Jul 19 11:04:31 ip-10-0-1-223 sshd[1892]: Failed password for invalid user paco from 81.40.76.164 port 44944 ssh2",
    "input": {
      "type": "log"
    },
    "location": "/var/log/secure",
    "id": "1658228671.118850378",
    "GeoLocation": {
      "city_name": "Cordova",
      "country_name": "Spain",
      "region_name": "Cordoba",
      "location": {
        "lon": -4.7727,
        "lat": 37.8916
      }
    },
    "timestamp": "2022-07-19T11:04:31.814+0000"
  },
  "fields": {
    "timestamp": ["2022-07-19T11:04:31.814Z"]
  },
  "highlight": {
    "cluster.name": ["@opensearch-dashboards-highlighted-field@wazuh1@/opensearch-dashboards-highlighted-field@"]
  },
  "sort": [1658228671814]
}
```
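
The alert above shows the whole pipeline for Task 7: the sshd decoder pulls `srcuser` and `srcip` out of `full_log`, rule 5710 fires on the "invalid user" form, and `firedtimes` climbs with each retry. The script below is an added example, not Wazuh's decoder or ruleset: it re-implements that extraction for the `Failed password` line format, maps the result to the rule shown above, and adds the per-source correlation a brute-force rule needs (count failures from one IP inside a time window). Rule id 5710 and its description are copied from the alert; the id used for the existing-account branch (5716) is an assumption of this example, as are the threshold and window values. The sample lines are constructed from the `full_log` above.

```python
"""Decode sshd 'Failed password' lines and correlate them per source IP (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set

# OpenSSH syslog line as seen in /var/log/secure; the timestamp carries no year.
_FAILED_PASSWORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+) ssh2$"
)


@dataclass(frozen=True)
class SshdFailure:
    timestamp: datetime
    hostname: str
    srcuser: str
    srcip: str
    srcport: int
    invalid_user: bool  # sshd reported the account as non-existent


def decode(line: str, year: int = 2022) -> Optional[SshdFailure]:
    """Return the decoded failure, or None for any other line."""
    m = _FAILED_PASSWORD.match(line)
    if m is None:
        return None
    # Syslog omits the year; the caller supplies it (2022 matches the sample above).
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return SshdFailure(ts, m["host"], m["user"], m["ip"], int(m["port"]), m["invalid"] is not None)


def match_rule(ev: SshdFailure) -> Dict[str, object]:
    """Pick the rule the event would fire: 5710 (from the alert above) or the assumed 5716."""
    if ev.invalid_user:
        return {"id": "5710", "level": 5,
                "description": "sshd: Attempt to login using a non-existent user",
                "groups": ["syslog", "sshd", "authentication_failed", "invalid_login"]}
    return {"id": "5716", "level": 5,  # assumed id for a failed login to an existing account
            "description": "sshd: authentication failed.",
            "groups": ["syslog", "sshd", "authentication_failed"]}


def decode_all(lines: Iterable[str]) -> List[SshdFailure]:
    return [ev for ev in (decode(l) for l in lines) if ev is not None]


def brute_force_sources(events: Iterable[SshdFailure], threshold: int = 8,
                        window_seconds: int = 120) -> Set[str]:
    """Source IPs with at least `threshold` failures inside any `window_seconds` span."""
    by_ip: Dict[str, List[datetime]] = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        by_ip.setdefault(ev.srcip, []).append(ev.timestamp)
    flagged: Set[str] = set()
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


# Constructed from the full_log above: three retries, one failure against a real
# account from another address, and a successful login that must not decode.
SAMPLE_LINES = [
    "Jul 19 11:04:31 ip-10-0-1-223 sshd[1892]: Failed password for invalid user paco from 81.40.76.164 port 44944 ssh2",
    "Jul 19 11:04:35 ip-10-0-1-223 sshd[1892]: Failed password for invalid user paco from 81.40.76.164 port 44944 ssh2",
    "Jul 19 11:04:39 ip-10-0-1-223 sshd[1892]: Failed password for invalid user paco from 81.40.76.164 port 44944 ssh2",
    "Jul 19 11:05:02 ip-10-0-1-223 sshd[1900]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Jul 19 11:05:03 ip-10-0-1-223 sshd[1900]: Accepted publickey for wazuh-user from 10.0.0.5 port 40000 ssh2",
]

if __name__ == "__main__":
    events = decode_all(SAMPLE_LINES)
    for ev in events:
        print(ev.srcip, ev.srcuser, match_rule(ev)["id"])
    print("brute force (threshold 3):", brute_force_sources(events, threshold=3))
```

Three retries from one address do not reach the default threshold, which is why the page's three `Permission denied` prompts show up as separate 5710 alerts rather than a single brute-force alert; lowering `threshold` to 3 in the call makes the correlation fire on the same input.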