Running on an ubuntu:22.04 container
Manager: v4.5.2-rc1 OVA
# Session setup for the reproduction below: API token, agent under test and
# the package name the later `grep` calls look for.
#
# NOTE(review): `-k` makes curl skip TLS certificate verification. Tolerable
# only because the manager is reached on localhost; anywhere else pass the
# manager's CA with `--cacert <path>` and drop `-k`.
# NOTE(review): `-u wazuh:wazuh` puts the (default) API credentials on the
# command line, where `ps` and shell history can read them; `-u wazuh` alone
# makes curl prompt for the password, or use `--netrc`.
# The bearer token stays in the environment for the whole session (it is sent
# as `Authorization: Bearer $TOKEN` below), so `set -x` or a pasted transcript
# would disclose it.
TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
# Zero-padded as Wazuh prints it (see the agent_control output below).
AGENTID=002
# Expanded unquoted later as `grep $TESTPACKAGE`: keep it free of whitespace
# and regex metacharacters, or quote the expansion. The same unquoted use of
# `$LASTSCAN` ("YYYY/MM/DD HH:MM", which contains a space) is what produces the
# `grep: 16:11: No such file or directory` lines in the transcripts below —
# `grep -A10000 "$LASTSCAN" ...` is the intended command.
TESTPACKAGE=7zip
Package to be installed/removed
Package: https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.1.5-1_amd64.deb
Agent info
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002
Wazuh agent_control. Agent information:
Agent ID: 002
Agent Name: 58346f6ed610
IP address: any
Status: Disconnected
Operating system: Linux |58346f6ed610 |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
Client version: Wazuh v4.1.5
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1693324872
Syscheck last started at: Unknown
Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/002/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "Agent $AGENTID query: package" | grep $TESTPACKAGE
grep: 16:11: No such file or directory
- Second scan: new package detection
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7zip",
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "Agent $AGENTID query: package" | grep $TESTPACKAGE
grep: 16:14: No such file or directory
/var/ossec/logs/ossec.log:2023/08/29 16:14:07 wazuh-db[18548] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: package save 1500947758|2023/08/29 16:14:07|deb|7zip|optional|utils|2396|Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com|NULL|21.07+dfsg-4|amd64|NULL|NULL|7-Zip file archiver with a high compression ratio|NULL|569f6ff9040271f10542b6ca7e8afd8055b7a7de
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "Agent $AGENTID query: package" | grep $TESTPACKAGE
grep: 16:20: No such file or directory
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "Agent $AGENTID query: package" | grep $TESTPACKAGE
grep: 16:20: No such file or directory
## Wazuh Agent 4.2.7
Package: https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.7-1_amd64.deb
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002
Wazuh agent_control. Agent information:
Agent ID: 002
Agent Name: 58346f6ed610
IP address: any
Status: Active
Operating system: Linux |58346f6ed610 |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
Client version: Wazuh v4.2.7
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1693326449
Syscheck last started at: Unknown
Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "DB($AGENTID) syscollector_packages" | grep $TESTPACKAGE
grep: 16:26: No such file or directory
- Second scan: new package detection
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7zip",
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "Agent $AGENTID query: syscollector_packages" | grep $TESTPACKAGE
grep: 16:32: No such file or directory
/var/ossec/logs/ossec.log:2023/08/29 16:32:35 wazuh-db[20214] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: syscollector_packages save2 {"attributes":{"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 16:32:35","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"},"index":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","timestamp":""}
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/29 16:32:35 wazuh-db[20214] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: syscollector_packages save2 {"attributes":{"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 16:32:35","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"},"index":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","timestamp":""}
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/29 16:32:35 wazuh-db[20214] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: syscollector_packages save2 {"attributes":{"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 16:32:35","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"},"index":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","timestamp":""}
## Wazuh Agent 4.4.5
Package: https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.4.5-1_amd64.deb
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002
Wazuh agent_control. Agent information:
Agent ID: 002
Agent Name: 58346f6ed610
IP address: any
Status: Active
Operating system: Linux |58346f6ed610 |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
Client version: Wazuh v4.4.5
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1693328438
Syscheck last started at: Unknown
Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package :green_circle:
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-29T17:00:38+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection :red_circle:
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-29T17:03:38+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7zip",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/29 17:03:39 wazuh-db[22172] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: dbsync packages INSERTED {"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 17:03:38","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"}
2023/08/29 17:03:42 wazuh-db[22172] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: syscollector_packages save2 {"attributes":{"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 17:03:42","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"},"index":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","timestamp":""}
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-29T17:12:44+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/29 17:03:39 wazuh-db[22172] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: dbsync packages INSERTED {"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 17:03:38","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"}
2023/08/29 17:03:42 wazuh-db[22172] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: syscollector_packages save2 {"attributes":{"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 17:03:42","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"},"index":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","timestamp":""}
2023/08/29 17:12:45 wazuh-db[22172] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: dbsync packages DELETED {"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","install_time":null,"item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","location":null,"multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 17:12:44","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"}
Running on Windows Server 2022 Vagrant Box
Manager: v4.5.2-rc1 OVA
# Session setup for the Windows agent run: API token, agent under test and the
# package name the later `grep` calls look for.
#
# NOTE(review): `-k` makes curl skip TLS certificate verification; acceptable
# only against the localhost lab manager, otherwise use `--cacert <path>`.
# NOTE(review): `-u wazuh:wazuh` exposes the (default) API credentials via
# `ps` and shell history; `-u wazuh` alone prompts for the password, or use
# `--netrc`. The token is then sent as `Authorization: Bearer $TOKEN` in every
# call below, so keep `set -x` off while it is in the environment.
TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
# Zero-padded as Wazuh prints it (see the agent_control output below).
AGENTID=003
# NOTE(review): reassigned to `7zip` at the start of the first manager-scan
# transcript below, so `7-zip` is not the value the greps actually ran with.
# It is expanded unquoted as `grep $TESTPACKAGE`, a case-sensitive substring
# match; quote the expansion and keep the value free of regex metacharacters.
TESTPACKAGE=7-zip
Package to be installed/removed
Package: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi
Agent info
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003
Wazuh agent_control. Agent information:
Agent ID: 003
Agent Name: WIN-FO8Q4O72AK8
IP address: any
Status: Active
Operating system: Microsoft Windows Server 2022 Standard Evaluation
Client version: Wazuh v4.1.5
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1693393139
Syscheck last started at: Unknown
Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# AGENTID=003
[root@wazuh-server wazuh-user]# TESTPACKAGE=7zip
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T10:59:33+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:02:33+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7-Zip 23.01 (x64 edition)",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:02:33 wazuh-db[19381] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: package save 289995595|2023/08/30 11:02:33|win|7-Zip 23.01 (x64 edition)|NULL|NULL|NULL|Igor Pavlov|20230830|23.01.00.0|x86_64|NULL|NULL|NULL|NULL|953f5b92ba965da6e7d631d9801966069ff93c4b
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:05:33+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:02:33 wazuh-db[19381] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: package save 289995595|2023/08/30 11:02:33|win|7-Zip 23.01 (x64 edition)|NULL|NULL|NULL|Igor Pavlov|20230830|23.01.00.0|x86_64|NULL|NULL|NULL|NULL|953f5b92ba965da6e7d631d9801966069ff93c4b
## Wazuh Agent 4.2.7
Package: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.7-1.msi
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003
Wazuh agent_control. Agent information:
Agent ID: 003
Agent Name: WIN-FO8Q4O72AK8
IP address: any
Status: Active
Operating system: Microsoft Windows Server 2022 Standard Evaluation
Client version: Wazuh v4.2.7
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1693393926
Syscheck last started at: Unknown
Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:24:20+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:15:49+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7-Zip 23.01 (x64 edition)",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:12:49 wazuh-db[19381] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"e63c0b1b58f203ab98849cbb145e9c7ba399abe5","format":"win","install_time":"20230830","item_id":"953f5b92ba965da6e7d631d9801966069ff93c4b","location":null,"name":"7-Zip 23.01 (x64 edition)","scan_time":"2023/08/30 11:12:49","vendor":"Igor Pavlov","version":"23.01.00.0"},"index":"953f5b92ba965da6e7d631d9801966069ff93c4b","timestamp":""}
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:18:50+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:12:49 wazuh-db[19381] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"e63c0b1b58f203ab98849cbb145e9c7ba399abe5","format":"win","install_time":"20230830","item_id":"953f5b92ba965da6e7d631d9801966069ff93c4b","location":null,"name":"7-Zip 23.01 (x64 edition)","scan_time":"2023/08/30 11:12:49","vendor":"Igor Pavlov","version":"23.01.00.0"},"index":"953f5b92ba965da6e7d631d9801966069ff93c4b","timestamp":""}
## Wazuh Agent 4.4.5
Package: https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.4.5-1_amd64.deb
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002
Wazuh agent_control. Agent information:
Agent ID: 002
Agent Name: 58346f6ed610
IP address: any
Status: Active
Operating system: Linux |58346f6ed610 |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
Client version: Wazuh v4.4.5
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1693328438
Syscheck last started at: Unknown
Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:24:20+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection :red_circle:
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:27:26+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7-Zip 23.01 (x64 edition)",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:27:26 wazuh-db[21340] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"e63c0b1b58f203ab98849cbb145e9c7ba399abe5","format":"win","install_time":"20230830","item_id":"953f5b92ba965da6e7d631d9801966069ff93c4b","location":null,"name":"7-Zip 23.01 (x64 edition)","scan_time":"2023/08/30 11:27:26","vendor":"Igor Pavlov","version":"23.01.00.0"}
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:30:31+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:27:26 wazuh-db[21340] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"e63c0b1b58f203ab98849cbb145e9c7ba399abe5","format":"win","install_time":"20230830","item_id":"953f5b92ba965da6e7d631d9801966069ff93c4b","location":null,"name":"7-Zip 23.01 (x64 edition)","scan_time":"2023/08/30 11:27:26","vendor":"Igor Pavlov","version":"23.01.00.0"}
2023/08/30 11:30:32 wazuh-db[21340] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: dbsync packages DELETED {"architecture":"x86_64","checksum":"e63c0b1b58f203ab98849cbb145e9c7ba399abe5","description":null,"format":"win","groups":null,"install_time":"20230830","item_id":"953f5b92ba965da6e7d631d9801966069ff93c4b","location":null,"multiarch":null,"name":"7-Zip 23.01 (x64 edition)","priority":null,"scan_time":"2023/08/30 11:30:31","size":0,"source":null,"vendor":"Igor Pavlov","version":"23.01.00.0"}
Running on amazonlinux:2 container
Manager: v4.5.2-rc1 OVA
# Session setup for the Amazon Linux agent run: API token, agent under test
# and the package name the later `grep` calls look for.
#
# NOTE(review): `-k` makes curl skip TLS certificate verification; acceptable
# only against the localhost lab manager, otherwise use `--cacert <path>`.
# NOTE(review): `-u wazuh:wazuh` exposes the (default) API credentials via
# `ps` and shell history; `-u wazuh` alone prompts for the password, or use
# `--netrc`. The token is then sent as `Authorization: Bearer $TOKEN` in every
# call below, so keep `set -x` off while it is in the environment.
TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
# Zero-padded as Wazuh prints it (see the agent_control output below).
AGENTID=004
# Expanded unquoted as `grep $TESTPACKAGE`, a case-sensitive substring match:
# any other package whose name contains "tree" would also be listed. Quote the
# expansion and keep the value free of regex metacharacters.
TESTPACKAGE=tree
Package to be installed/removed
Package: https://packages.wazuh.com/4.x/yum/wazuh-agent-4.1.5-1.x86_64.rpm
Agent info
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004
Wazuh agent_control. Agent information:
Agent ID: 004
Agent Name: 14d8320b0aed
IP address: any
Status: Active
Operating system: Linux |14d8320b0aed |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
Client version: Wazuh v4.1.5
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1693398519
Syscheck last started at: Unknown
Syscheck last ended at: Unknown
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T12:28:39+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T12:33:39+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "tree",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 12:33:41 wazuh-db[23099] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: package save 1794708488|2023/08/30 12:33:39|rpm|tree|NULL|Applications/File|83|Amazon Linux|2023/08/30 12:32:16|1.6.0-10.amzn2.0.1|x86_64|NULL|tree-1.6.0-10.amzn2.0.1.src.rpm|File system tree viewer|NULL|9e25b1d02942003bd23c49399339950088eaf575
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T12:38:39+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 12:33:41 wazuh-db[23099] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: package save 1794708488|2023/08/30 12:33:39|rpm|tree|NULL|Applications/File|83|Amazon Linux|2023/08/30 12:32:16|1.6.0-10.amzn2.0.1|x86_64|NULL|tree-1.6.0-10.amzn2.0.1.src.rpm|File system tree viewer|NULL|9e25b1d02942003bd23c49399339950088eaf575
## Wazuh Agent 4.2.7
Package: https://packages.wazuh.com/4.x/yum/wazuh-agent-4.2.7-1.x86_64.rpm
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004
Wazuh agent_control. Agent information:
Agent ID: 004
Agent Name: 14d8320b0aed
IP address: any
Status: Active
Operating system: Linux |14d8320b0aed |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
Client version: Wazuh v4.2.7
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1693399666
Syscheck last started at: Unknown
Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T12:47:39+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-30T12:52:40+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE "name": "tree", [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/30 12:52:42 wazuh-db[24498] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"1ddf5f3d2908c71dc74be48f388df7d98ada699e","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693399711","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 12:52:41","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"},"index":"9e25b1d02942003bd23c49399339950088eaf575","timestamp":""}
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-30T12:57:41+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/30 12:52:42 wazuh-db[24498] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"1ddf5f3d2908c71dc74be48f388df7d98ada699e","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693399711","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 12:52:41","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"},"index":"9e25b1d02942003bd23c49399339950088eaf575","timestamp":""} [root@wazuh-server wazuh-user]#
## Wazuh Agent 4.4.5
Package: https://packages.wazuh.com/4.x/yum/wazuh-agent-4.4.5-1.x86_64.rpm
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004
Wazuh agent_control. Agent information: Agent ID: 004 Agent Name: 14d8320b0aed IP address: any Status: Active
Operating system: Linux |14d8320b0aed |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64 Client version: Wazuh v4.4.5 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1693400556
Syscheck last started at: Unknown Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-30T13:01:18+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection :red_circle:
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-30T13:06:18+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE "name": "tree", [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/30 13:06:18 wazuh-db[25944] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"1a6acd803bdab9bffbef01baeea0e108a0411ccc","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693400609","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 13:06:18","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"} 2023/08/30 13:06:21 wazuh-db[25944] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"1a6acd803bdab9bffbef01baeea0e108a0411ccc","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693400609","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 13:06:21","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"},"index":"9e25b1d02942003bd23c49399339950088eaf575","timestamp":""}
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-30T13:11:20+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/30 13:06:18 wazuh-db[25944] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"1a6acd803bdab9bffbef01baeea0e108a0411ccc","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693400609","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 13:06:18","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"} 2023/08/30 13:06:21 wazuh-db[25944] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"1a6acd803bdab9bffbef01baeea0e108a0411ccc","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693400609","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 13:06:21","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"},"index":"9e25b1d02942003bd23c49399339950088eaf575","timestamp":""} 2023/08/30 13:11:20 wazuh-db[25944] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: dbsync packages DELETED {"architecture":"x86_64","checksum":"1a6acd803bdab9bffbef01baeea0e108a0411ccc","description":"File system tree 
viewer","format":"rpm","groups":"Applications/File","install_time":"1693400609","item_id":"9e25b1d02942003bd23c49399339950088eaf575","location":null,"multiarch":null,"name":"tree","priority":null,"scan_time":"2023/08/30 13:11:20","size":85345,"source":null,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"}
TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
AGENTID=005
TESTPACKAGE=tree
Package: https://packages.wazuh.com/4.x/yum/wazuh-agent-4.4.5-1.x86_64.rpm
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005
Wazuh agent_control. Agent information: Agent ID: 005 Agent Name: 00e7e3eeaabf IP address: any Status: Active
Operating system: Linux |00e7e3eeaabf |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64 Client version: Wazuh v4.4.5 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1693418923
Syscheck last started at: Unknown Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-30T18:08:43+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection :red_circle:
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-30T18:11:43+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE "name": "tree", [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/30 18:11:44 wazuh-db[30247] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 005 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"2fea36714f2aaabbf6530b0ca166d28f8e1f5346","description":"Tree is a recursive directory listing command that produces a depth\nindented listing of files, which is colorized ala dircolors if the\nLS_COLORS environment variable is set and output is to tty.","format":"rpm","groups":"Productivity/File utilities","install_time":"1693418974","item_id":"ab3a3e4eb745f4ed3816731ff4480553ed590198","name":"tree","scan_time":"2023/08/30 18:11:43","size":146359,"vendor":"openSUSE","version":"2.1.1-1.2"} 2023/08/30 18:11:47 wazuh-db[30247] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 005 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"2fea36714f2aaabbf6530b0ca166d28f8e1f5346","description":"Tree is a recursive directory listing command that produces a depth\nindented listing of files, which is colorized ala dircolors if the\nLS_COLORS environment variable is set and output is to tty.","format":"rpm","groups":"Productivity/File utilities","install_time":"1693418974","item_id":"ab3a3e4eb745f4ed3816731ff4480553ed590198","name":"tree","scan_time":"2023/08/30 
18:11:47","size":146359,"vendor":"openSUSE","version":"2.1.1-1.2"},"index":"ab3a3e4eb745f4ed3816731ff4480553ed590198","timestamp":""}
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-30T18:17:47+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/30 18:11:44 wazuh-db[30247] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 005 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"2fea36714f2aaabbf6530b0ca166d28f8e1f5346","description":"Tree is a recursive directory listing command that produces a depth\nindented listing of files, which is colorized ala dircolors if the\nLS_COLORS environment variable is set and output is to tty.","format":"rpm","groups":"Productivity/File utilities","install_time":"1693418974","item_id":"ab3a3e4eb745f4ed3816731ff4480553ed590198","name":"tree","scan_time":"2023/08/30 18:11:43","size":146359,"vendor":"openSUSE","version":"2.1.1-1.2"} 2023/08/30 18:11:47 wazuh-db[30247] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 005 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"2fea36714f2aaabbf6530b0ca166d28f8e1f5346","description":"Tree is a recursive directory listing command that produces a depth\nindented listing of files, which is colorized ala dircolors if the\nLS_COLORS environment variable is set and output is to tty.","format":"rpm","groups":"Productivity/File utilities","install_time":"1693418974","item_id":"ab3a3e4eb745f4ed3816731ff4480553ed590198","name":"tree","scan_time":"2023/08/30 
18:11:47","size":146359,"vendor":"openSUSE","version":"2.1.1-1.2"},"index":"ab3a3e4eb745f4ed3816731ff4480553ed590198","timestamp":""} 2023/08/30 18:17:48 wazuh-db[30247] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 005 query: dbsync packages DELETED {"architecture":"x86_64","checksum":"2fea36714f2aaabbf6530b0ca166d28f8e1f5346","description":"Tree is a recursive directory listing command that produces a depth\nindented listing of files, which is colorized ala dircolors if the\nLS_COLORS environment variable is set and output is to tty.","format":"rpm","groups":"Productivity/File utilities","install_time":"1693418974","item_id":"ab3a3e4eb745f4ed3816731ff4480553ed590198","location":null,"multiarch":null,"name":"tree","priority":null,"scan_time":"2023/08/30 18:17:47","size":146359,"source":null,"vendor":"openSUSE","version":"2.1.1-1.2"}
Running on Solaris 11.3 Vagrant box
Manager: v4.5.2-rc1 OVA
TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
AGENTID=006
TESTPACKAGE=p7zip
Package to be installed/removed
Package: https://packages.wazuh.com/4.x/solaris/i386/11/wazuh-agent_v4.4.5-sol11-i386.p5p https://www.opencsw.org/packages/p7zip/
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 006
Wazuh agent_control. Agent information: Agent ID: 006 Agent Name: solaris IP address: any Status: Active
Operating system: SunOS |solaris |5.11 |11.3 |i86pc Client version: Wazuh v4.4.5 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1693421923
Syscheck last started at: Unknown Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-30T18:57:55+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection :red_circle:
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-30T19:02:55+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE "name": "p7zip", [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/30 19:02:55 wazuh-db[32240] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 006 query: dbsync packages INSERTED {"architecture":"i386","checksum":"83cc5b3e0dad9a2dcc160a0d12af2f1004efdb82","description":"p7zip - File archiver with high compression ratio","format":"pkg","groups":"application","install_time":"2023/08/30 15:01:00","item_id":"c14458a3bc5f6b9e677700bb2c27ce22c9bc7d3c","location":null,"multiarch":null,"name":"p7zip","priority":null,"scan_time":"2023/08/30 19:02:55","size":0,"source":" ","vendor":"http://p7zip.sourceforge.net/ packaged for CSW by Maciej Blizinski","version":"9.20.1"}
Running on macOS Ventura VM on Apple Silicon M2
Manager: v4.5.2-rc1 AMI
TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
AGENTID=001
TESTPACKAGE=Keka
Package to be installed/removed
Package: https://packages.wazuh.com/4.x/macos/wazuh-agent-4.1.5-2.pkg Agent info
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001
Wazuh agent_control. Agent information: Agent ID: 001 Agent Name: Maquina-virtual-de-wazuh.local IP address: any Status: Active
Operating system: Darwin |Maquina-virtual-de-wazuh.local |22.6.0 |Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:19 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_VMAPPLE |x86_64 Client version: Wazuh v4.1.5 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1693490521
Syscheck last started at: Unknown Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-31T11:01:35+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-31T11:05:35+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE "name": "Keka", [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/31 14:05:36 wazuh-db[12662] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: package save 1555793785|2023/08/31 11:05:35|pkg|Keka|NULL|public.app-category.utilities|NULL|NULL|NULL|1.3.3|NULL|NULL|NULL|com.aone.keka|/Applications/Keka.app|fed9948f69db2bbb139c4b301d61be20736c168c
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-31T11:09:35+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/31 14:05:36 wazuh-db[12662] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: package save 1555793785|2023/08/31 11:05:35|pkg|Keka|NULL|public.app-category.utilities|NULL|NULL|NULL|1.3.3|NULL|NULL|NULL|com.aone.keka|/Applications/Keka.app|fed9948f69db2bbb139c4b301d61be20736c168c
## Wazuh Agent 4.2.7
Package: https://packages.wazuh.com/4.x/macos/wazuh-agent-4.2.7-1.pkg
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001
Wazuh agent_control. Agent information: Agent ID: 001 Agent Name: Maquina-virtual-de-wazuh.local IP address: any Status: Active
Operating system: Darwin |Maquina-virtual-de-wazuh.local |22.6.0 |Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:19 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_VMAPPLE |x86_64 Client version: Wazuh v4.2.7 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1693491129
Syscheck last started at: Unknown Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-31T14:10:28+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-31T14:14:30+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE "name": "Keka", [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/31 14:14:48 wazuh-db[14485] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: syscollector_packages save2 {"attributes":{"architecture":null,"checksum":"54014c7d1447692c1175af81e98cab001940737c","description":"com.aone.keka","format":"pkg","groups":"public.app-category.utilities","item_id":"fed9948f69db2bbb139c4b301d61be20736c168c","location":"/Applications/Keka.app/Contents/Info.plist","name":"Keka","scan_time":"2023/08/31 14:14:48","source":"utilities","version":"1.3.3"},"index":"fed9948f69db2bbb139c4b301d61be20736c168c","timestamp":""}
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-31T14:18:32+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/31 14:14:48 wazuh-db[14485] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: syscollector_packages save2 {"attributes":{"architecture":null,"checksum":"54014c7d1447692c1175af81e98cab001940737c","description":"com.aone.keka","format":"pkg","groups":"public.app-category.utilities","item_id":"fed9948f69db2bbb139c4b301d61be20736c168c","location":"/Applications/Keka.app/Contents/Info.plist","name":"Keka","scan_time":"2023/08/31 14:14:48","source":"utilities","version":"1.3.3"},"index":"fed9948f69db2bbb139c4b301d61be20736c168c","timestamp":""}
## Wazuh Agent 4.4.5
Package: https://packages.wazuh.com/4.x/macos/wazuh-agent-4.4.5-1.pkg
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001
Wazuh agent_control. Agent information: Agent ID: 001 Agent Name: Maquina-virtual-de-wazuh.local IP address: any Status: Active
Operating system: Darwin |Maquina-virtual-de-wazuh.local |22.6.0 |Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:19 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_VMAPPLE |x86_64 Client version: Wazuh v4.4.5 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1693491700
Syscheck last started at: Unknown Syscheck last ended at: Unknown
- Agent
- First scan: no package
- Second scan: new package detection
- Third scan: package removal
- First scan: no package
- Manager
- First scan: no package
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-31T14:21:34+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
- Second scan: new package detection
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-31T14:23:34+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE "name": "Keka", [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/31 14:23:35 wazuh-db[16280] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: dbsync packages INSERTED {"architecture":" ","checksum":"74d2ce58ac8206cfe99fc64b3361fd61025ea1b1","description":"com.aone.keka","format":"pkg","groups":"public.app-category.utilities","install_time":" ","item_id":"b9daec2d30cfb17dc2c990002bf4b3c6ec42de5d","location":"/Applications/Keka.app/Contents/Info.plist","multiarch":" ","name":"Keka","priority":" ","scan_time":"2023/08/31 14:23:34","size":0,"source":"utilities","vendor":"aone","version":"1.3.3"}
- Third scan: package removal
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' 2023-08-31T14:25:45+00:00 [root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE [root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE 2023/08/31 14:23:35 wazuh-db[16280] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: dbsync packages INSERTED {"architecture":" ","checksum":"74d2ce58ac8206cfe99fc64b3361fd61025ea1b1","description":"com.aone.keka","format":"pkg","groups":"public.app-category.utilities","install_time":" ","item_id":"b9daec2d30cfb17dc2c990002bf4b3c6ec42de5d","location":"/Applications/Keka.app/Contents/Info.plist","multiarch":" ","name":"Keka","priority":" ","scan_time":"2023/08/31 14:23:34","size":0,"source":"utilities","vendor":"aone","version":"1.3.3"} 2023/08/31 14:25:46 wazuh-db[16280] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: dbsync packages DELETED {"architecture":" ","checksum":"74d2ce58ac8206cfe99fc64b3361fd61025ea1b1","description":"com.aone.keka","format":"pkg","groups":"public.app-category.utilities","install_time":" ","item_id":"b9daec2d30cfb17dc2c990002bf4b3c6ec42de5d","location":"/Applications/Keka.app/Contents/Info.plist","multiarch":" ","name":"Keka","priority":" ","scan_time":"2023/08/31 14:25:45","size":0,"source":"utilities","vendor":"aone","version":"1.3.3"}
LGTM!
LGTM!
Description
This issue aims to execute some manual smoke and backward-compatibility tests related to the changes in https://github.com/wazuh/wazuh/issues/18219
Proposed checks
Check current manager (v4.5.2-rc1) behavior with older Wazuh Agents on different OS families
From version to version, upgrading is the method to be used
Scope and history
Preconditions
Expected results
For 4.1.5 agents: