Vulnerability Detector Discards Events

rafabailon commented 7 months ago

Wazuh Version	Component	Install Type
4.8.0-beta5	Vulnerability Detector	Agent

Description

During the issue Benchmark vulnerability detector performance after the refactor I have done a series of tests (both locally and on machines built with a pipeline ) of Vulnerability Detector. I have used simulate-agents for the tests. Each event that simulate-agents has simulated has generated an entry in the logs with the following error

wazuh-modulesd:vulnerability-scanner: WARNING: Discarded event: Empty response from Wazuh-DB

The simulated agents have been both debian10 and ubuntu18.04. The full list of OS that can be simulated is

debian7, debian8, debian9, debian10
ubuntu12.04, ubuntu14.04, ubuntu16.04, ubuntu18.04
mojave
solaris11

A similar error message was reported and fixed here Windows Server 2019 Scan Error. It is necessary to investigate what is the cause of this error and its possible solution.

rafabailon commented 7 months ago

Error Analysis

I have used a mv with Ubuntu 22.04 to investigate in which I have installed the manager and the simulate-agents. I have enabled the debug options to see if the logs are generated and transmitted correctly.

I have been able to find more error logs. They are generated at the same time that the simulate-agents generates the information.

2024/04/11 10:06:37 wazuh-db: ERROR: DB(003) sqlite3_prepare_v2() stmt(13): no such table: sys_osinfo
2024/04/11 10:06:37 wazuh-modulesd:vulnerability-scanner: WARNING: Discarded event: DB query error: Cannot get sys_osinfo database table information; SQL err: no such table: sys_osinfo
2024/04/11 10:06:37 wazuh-db: ERROR: DB(007) sqlite3_prepare_v2() stmt(13): no such table: sys_osinfo
2024/04/11 10:06:37 wazuh-modulesd:vulnerability-scanner: WARNING: Discarded event: DB query error: Cannot get sys_osinfo database table information; SQL err: no such table: sys_osinfo
2024/04/11 10:06:37 wazuh-db: ERROR: DB(005) sqlite3_prepare_v2() stmt(13): no such table: sys_osinfo
2024/04/11 10:06:37 wazuh-modulesd:vulnerability-scanner: WARNING: Discarded event: DB query error: Cannot get sys_osinfo database table information; SQL err: no such table: sys_osinfo
2024/04/11 10:06:37 wazuh-modulesd:vulnerability-scanner: WARNING: Discarded event: Empty response from Wazuh-DB
2024/04/11 10:06:37 wazuh-modulesd:vulnerability-scanner: WARNING: Discarded event: Empty response from Wazuh-DB
2024/04/11 10:06:37 wazuh-modulesd:vulnerability-scanner: WARNING: Discarded event: Empty response from Wazuh-DB

I have tested different combinations of operating systems for managers and agents. The information of the sys_osinfo table, which is mentioned in the logs, can be found in the documentation. The next step is to review the agent databases and check for errors.

rafabailon commented 7 months ago

DB Analysis

In the test I have used 20 simulated agents. Therefore there are 21 .db files. The first, 000.db, is the one that belongs to the manager and the rest to the simulated agents.

root@ubuntu2204:/var/ossec/queue/db# ls
000.db          001.db  003.db  005.db  007.db  009.db  011.db  013.db  015.db  017.db  019.db  global.db
000.db-journal  002.db  004.db  006.db  008.db  010.db  012.db  014.db  016.db  018.db  020.db  wdb

I have verified that in sys_osinfo there is information for 000.db. The information that appears corresponds to the manager and is correct.

root@ubuntu2204:/var/ossec/queue/db# sqlite3 000.db 
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> SELECT * FROM sys_osinfo;
0|2024/04/11 13:10:30|ubuntu2204.localdomain|x86_64|Ubuntu|22.04.4 LTS (Jammy Jellyfish)|jammy|22|04|4||ubuntu|Linux|5.15.0-91-generic|#101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023||1712841029343235276||7ed3f869f36298214ca4b49f052d6a3086029825

The agents have been generated with the command simulate-agents -a 172.16.1.13 -n 20 -m syscollector -w 1 -s 100 -t 200 -o debian10 -v 4.8.0 --debug. This is the result in all the simulated agent databases.

root@ubuntu2204:/var/ossec/queue/db# sqlite3 001.db 
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> SELECT * FROM sys_osinfo;
sqlite>

It occurs in all cases, for all generated debian agents. The databases do not contain the required information. I have generated 10 more agents with `simulate-agents -a 172.16.1.13 -n 10 -m syscollector -w 1 -s 100 -t 200 -o ubuntu18.04 -v 4.8.0 --debug and I have checked their databases . The result has been the same as with debian.

rafabailon commented 7 months ago

Update

The use of simulate-agents is defined here. Use the Agent class in agent_simulator. In agent_db are the operations in the database. It looks like the OS information should be inserted into the database but for some reason when checking the database it is empty.

rafabailon commented 7 months ago

Update

On Hold while I help with Disk read increased for syscollector test in 4.8.0-beta4

rafabailon commented 7 months ago

Update

I have done a test and these are all the logs and results when simulating an agent

Simulate Agent

```console root@ubuntu2204:/home/vagrant# simulate-agents -a 172.16.1.13 -n 1 -m syscollector -s 10 -t 12 -o debian10 -v 4.8.0 --debug DEBUG:root:Registration - 1-siFahXoUycgmItp4-debian10(005) in 172.16.1.13 DEBUG:root:Keep alive message = #!-Linux |agent-debian10 |4.9.0-12-amd64 |#1 SMP Debian 4.9.210-1 (2020-01-20) |x86_64 [Debian GNU/Linux|debian: 10 (buster)] - Wazuh v4.8.0 / ab73af41699f13fdd81903b5f23d8d00 d6e3ac3e75ca0319af3e7c262776f331 merged.mg #"_agent_ip":10.0.2.15 INFO:P96042:{'keepalive': {'status': 'enabled', 'frequency': 10.0}, 'fim': {'status': 'disabled', 'eps': 0}, 'fim_integrity': {'status': 'disabled', 'eps': 0}, 'syscollector': {'status': 'enabled', 'frequency': 60, 'eps': 10}, 'rootcheck': {'status': 'disabled', 'frequency': 60.0, 'eps': 0}, 'sca': {'status': 'disabled', 'frequency': 60, 'eps': 0}, 'hostinfo': {'status': 'disabled', 'eps': 0}, 'winevt': {'status': 'disabled', 'eps': 0}, 'logcollector': {'status': 'disabled', 'eps': 0}, 'receive_messages': {'status': 'enabled'}} INFO:P96042:Waiting 0 seconds before sending EPS and keep-alive events INFO:P96042:Starting 1 agents. DEBUG:root:Starting - 1-siFahXoUycgmItp4-debian10(005)(debian10) - keepalive DEBUG:root:Starting - 1-siFahXoUycgmItp4-debian10(005)(debian10) - syscollector DEBUG:root:Starting - 1-siFahXoUycgmItp4-debian10(005)(debian10) - receive_messages DEBUG:root:Startup - 1-siFahXoUycgmItp4-debian10(005) DEBUG:root:KeepAlive - 1-siFahXoUycgmItp4-debian10(005) DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"PNR8YU505K","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"SARUTTRZHS","location":"","multiarch":"null","name":"bsd_os","priority":"optional","scan_time":"2023/12/1915:32:25","size":"1","source":"","vendor":"bsdi","version":"3.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"TV19N2DGM8","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"KDUAZH3DW7","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"2","source":"","vendor":"freebsd","version":"1.0"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"YVO2HZQ5NQ","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"FSKO5QKDAP","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"3","source":"","vendor":"freebsd","version":"1.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"UT4I5MZR49","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"HFPMVX365K","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"4","source":"","vendor":"freebsd","version":"1.1.5.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"ZHUY0743YE","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"0ZXM2IGGT4","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"5","source":"","vendor":"freebsd","version":"1.2"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"YKJMJC85DN","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"5M3EUL1RDN","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"6","source":"","vendor":"freebsd","version":"2.0"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"4AOEIE00N4","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"48O8J33OI8","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"7","source":"","vendor":"freebsd","version":"2.0.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"6TOS69T6M1","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"L85UJKXS4D","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"8","source":"","vendor":"freebsd","version":"2.0.5"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"WFY39OW8S7","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"2XEWVE1UES","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"9","source":"","vendor":"freebsd","version":"2.1.5"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"TJSP41EV1Y","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"H1PCH1XVXX","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"10","source":"","vendor":"freebsd","version":"2.1.6"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"FFRPWOWSFZ","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"C34IWFRCVQ","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"11","source":"","vendor":"freebsd","version":"2.1.6.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"P79WPM4XSB","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"KRBE8JDKXA","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"12","source":"","vendor":"freebsd","version":"2.1.7"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"JQRWZHVVUS","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"AP6AYX1Z66","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"13","source":"","vendor":"freebsd","version":"2.1.7.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"9UWUXV2SXY","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"YM2UPB64FS","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"14","source":"","vendor":"freebsd","version":"2.2"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"QBWQ0BB5IY","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"UHJOMI3OCG","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"15","source":"","vendor":"freebsd","version":"2.2.2"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"W1MV0YYX80","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"TMKBJKGHXW","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"16","source":"","vendor":"freebsd","version":"2.2.3"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"LK036B5WDW","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"HJJQ4EFRR4","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"17","source":"","vendor":"freebsd","version":"2.2.4"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"48HQLYVSH9","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"VJ4NA43PS7","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"18","source":"","vendor":"freebsd","version":"2.2.5"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"EB2CH2AJEO","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"WAJT703JQ1","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"19","source":"","vendor":"freebsd","version":"2.2.6"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"WOVK968J9W","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"Z4C3VOWIV8","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"20","source":"","vendor":"freebsd","version":"2.2.8"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"B75UD2RU1M","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"7D27Y4D4ZF","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"21","source":"","vendor":"freebsd","version":"3.0"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"79WGJ4LJ2T","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"C7S8WD12QI","location":"","multiarch":"null","name":"openbsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"22","source":"","vendor":"openbsd","version":"2.3"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"T8Z8FXY0IT","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"REW6IXBGR5","location":"","multiarch":"null","name":"openbsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"23","source":"","vendor":"openbsd","version":"2.4"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"2UGU579W3Z","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"63823FL7GR","location":"","multiarch":"null","name":"bsd_os","priority":"optional","scan_time":"2023/12/1915:32:25","size":"24","source":"","vendor":"bsdi","version":"1.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"HQN03SN969","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"C67HMCFIAV","location":"","multiarch":"null","name":"openlinux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"25","source":"","vendor":"caldera","version":"1.2"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"LYSX14AA94","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"AKXB4RWFOV","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"26","source":"","vendor":"redhat","version":"2.0"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"TI4YMURD95","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"64UYN6ORDP","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"27","source":"","vendor":"redhat","version":"2.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"YEQSPMJNFO","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"242IO8XXVQ","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"28","source":"","vendor":"redhat","version":"3.0.3"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"Q5CUUHCO1Q","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"YLKO1CCLPR","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"29","source":"","vendor":"redhat","version":"4.0"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"MC41LMSEGR","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"SDIXS4DDA9","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"30","source":"","vendor":"redhat","version":"4.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"WK457AGL9Q","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"PWLAM0V5ET","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"31","source":"","vendor":"redhat","version":"4.2"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"50UME6PJRN","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"TEA8VN5IHI","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"32","source":"","vendor":"redhat","version":"5.0"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"7EY3MBQ4WJ","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"Z0O92F3NHY","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"33","source":"","vendor":"redhat","version":"5.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"ISBXHKDDBB","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"V9IGFLASYQ","location":"","multiarch":"null","name":"ted_cde","priority":"optional","scan_time":"2023/12/1915:32:25","size":"34","source":"","vendor":"tritreal","version":"4.3"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"E9BZBSRJ3F","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"7JLIGT0TS9","location":"","multiarch":"null","name":"hp-ux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"35","source":"","vendor":"hp","version":"10.01"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"6LWFA99MB0","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"YXOV45QI7Z","location":"","multiarch":"null","name":"hp-ux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"36","source":"","vendor":"hp","version":"10.02"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"OJV9RE8QGH","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"KEA3AFM4OO","location":"","multiarch":"null","name":"hp-ux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"37","source":"","vendor":"hp","version":"10.03"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"R26E8ISSIW","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"B6WPNRYS4P","location":"","multiarch":"null","name":"hp-ux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"38","source":"","vendor":"hp","version":"11.00"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"YP6YPTKIZR","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"35HPZ6MBYC","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"39","source":"","vendor":"ibm","version":"4.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"JK1RIJIJC3","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"QVSCGXU024","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"40","source":"","vendor":"ibm","version":"4.1.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"CC4FZFACNH","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"V61X4FFQVA","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"41","source":"","vendor":"ibm","version":"4.1.2"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"EZTDVR0LZ9","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"4AGJOLB8V6","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"42","source":"","vendor":"ibm","version":"4.1.3"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"J3D7WC4TZS","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"G5D1K3RE4K","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"43","source":"","vendor":"ibm","version":"4.1.4"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"2S5T4MMAZK","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"DX76GMTMIM","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"44","source":"","vendor":"ibm","version":"4.1.5"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"ORPNGAXR3P","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"JTXN1R28LM","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"45","source":"","vendor":"ibm","version":"4.2"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"CFWY6GDULS","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"H3HV2A2LPU","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"46","source":"","vendor":"ibm","version":"4.2.1"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"CJ2AQ79AQ4","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"D5YLAHB4J6","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"47","source":"","vendor":"ibm","version":"4.3"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"RNZ2F2LF1T","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"PBLDKYM9YL","location":"","multiarch":"null","name":"irix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"48","source":"","vendor":"sgi","version":"5.2"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"7BEZF5UPV5","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"OA30WJB6SR","location":"","multiarch":"null","name":"irix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"49","source":"","vendor":"sgi","version":"5.3"}, "operation": "INSERTED"} DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"","checksum":"TZ870LOFVO","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"BTQW7LHHCD","location":"","multiarch":"null","name":"irix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"50","source":"","vendor":"sgi","version":"6.0"}, "operation": "INSERTED"} ```

Ossec Logs

```console root@ubuntu2204:/home/vagrant# tail -f /var/ossec/logs/ossec.log 2024/04/15 14:59:49 wazuh-authd: INFO: New connection from 172.16.1.13 2024/04/15 14:59:49 wazuh-authd: INFO: Received request for a new agent (1-siFahXoUycgmItp4-debian10) from: 172.16.1.13 2024/04/15 14:59:49 wazuh-authd: INFO: Agent key generated for '1-siFahXoUycgmItp4-debian10' (requested by any) 2024/04/15 14:59:50 wazuh-remoted: INFO: (1409): Authentication file changed. Updating. 2024/04/15 14:59:50 wazuh-remoted: INFO: (1410): Reading authentication keys file. 2024/04/15 15:00:04 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/444557-api_file.json ```

Archive Logs

```console root@ubuntu2204:/home/vagrant/wazuh-qa/deps/wazuh_testing# tail -f /var/ossec/logs/archives/archives.log 2024 Apr 15 14:59:59 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"PNR8YU505K","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"SARUTTRZHS","location":"","multiarch":"null","name":"bsd_os","priority":"optional","scan_time":"2023/12/1915:32:25","size":"1","source":"","vendor":"bsdi","version":"3.1"}, "operation": "INSERTED"} 2024 Apr 15 14:59:59 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"TV19N2DGM8","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"KDUAZH3DW7","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"2","source":"","vendor":"freebsd","version":"1.0"}, "operation": "INSERTED"} 2024 Apr 15 14:59:59 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"YVO2HZQ5NQ","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"FSKO5QKDAP","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"3","source":"","vendor":"freebsd","version":"1.1"}, "operation": "INSERTED"} 2024 Apr 15 14:59:59 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"UT4I5MZR49","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"HFPMVX365K","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"4","source":"","vendor":"freebsd","version":"1.1.5.1"}, "operation": "INSERTED"} 2024 Apr 15 14:59:59 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"ZHUY0743YE","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"0ZXM2IGGT4","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"5","source":"","vendor":"freebsd","version":"1.2"}, "operation": "INSERTED"} 2024 Apr 15 14:59:59 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"YKJMJC85DN","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"5M3EUL1RDN","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"6","source":"","vendor":"freebsd","version":"2.0"}, "operation": "INSERTED"} 2024 Apr 15 14:59:59 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"4AOEIE00N4","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"48O8J33OI8","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"7","source":"","vendor":"freebsd","version":"2.0.1"}, "operation": "INSERTED"} 2024 Apr 15 14:59:59 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"6TOS69T6M1","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"L85UJKXS4D","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"8","source":"","vendor":"freebsd","version":"2.0.5"}, "operation": "INSERTED"} 2024 Apr 15 14:59:59 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"WFY39OW8S7","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"2XEWVE1UES","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"9","source":"","vendor":"freebsd","version":"2.1.5"}, "operation": "INSERTED"} 2024 Apr 15 14:59:59 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"TJSP41EV1Y","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"H1PCH1XVXX","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"10","source":"","vendor":"freebsd","version":"2.1.6"}, "operation": "INSERTED"} 2024 Apr 15 15:00:00 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"FFRPWOWSFZ","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"C34IWFRCVQ","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"11","source":"","vendor":"freebsd","version":"2.1.6.1"}, "operation": "INSERTED"} 2024 Apr 15 15:00:00 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"JQRWZHVVUS","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"AP6AYX1Z66","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"13","source":"","vendor":"freebsd","version":"2.1.7.1"}, "operation": "INSERTED"} 2024 Apr 15 15:00:00 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"P79WPM4XSB","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"KRBE8JDKXA","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"12","source":"","vendor":"freebsd","version":"2.1.7"}, "operation": "INSERTED"} 2024 Apr 15 15:00:00 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"9UWUXV2SXY","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"YM2UPB64FS","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"14","source":"","vendor":"freebsd","version":"2.2"}, "operation": "INSERTED"} 2024 Apr 15 15:00:00 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"QBWQ0BB5IY","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"UHJOMI3OCG","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"15","source":"","vendor":"freebsd","version":"2.2.2"}, "operation": "INSERTED"} 2024 Apr 15 15:00:00 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"W1MV0YYX80","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"TMKBJKGHXW","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"16","source":"","vendor":"freebsd","version":"2.2.3"}, "operation": "INSERTED"} 2024 Apr 15 15:00:00 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"LK036B5WDW","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"HJJQ4EFRR4","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"17","source":"","vendor":"freebsd","version":"2.2.4"}, "operation": "INSERTED"} 2024 Apr 15 15:00:00 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"48HQLYVSH9","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"VJ4NA43PS7","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"18","source":"","vendor":"freebsd","version":"2.2.5"}, "operation": "INSERTED"} 2024 Apr 15 15:00:00 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"EB2CH2AJEO","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"WAJT703JQ1","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"19","source":"","vendor":"freebsd","version":"2.2.6"}, "operation": "INSERTED"} 2024 Apr 15 15:00:00 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"WOVK968J9W","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"Z4C3VOWIV8","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"20","source":"","vendor":"freebsd","version":"2.2.8"}, "operation": "INSERTED"} 2024 Apr 15 15:00:01 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"B75UD2RU1M","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"7D27Y4D4ZF","location":"","multiarch":"null","name":"freebsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"21","source":"","vendor":"freebsd","version":"3.0"}, "operation": "INSERTED"} 2024 Apr 15 15:00:01 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"79WGJ4LJ2T","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"C7S8WD12QI","location":"","multiarch":"null","name":"openbsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"22","source":"","vendor":"openbsd","version":"2.3"}, "operation": "INSERTED"} 2024 Apr 15 15:00:01 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"T8Z8FXY0IT","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"REW6IXBGR5","location":"","multiarch":"null","name":"openbsd","priority":"optional","scan_time":"2023/12/1915:32:25","size":"23","source":"","vendor":"openbsd","version":"2.4"}, "operation": "INSERTED"} 2024 Apr 15 15:00:01 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"2UGU579W3Z","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"63823FL7GR","location":"","multiarch":"null","name":"bsd_os","priority":"optional","scan_time":"2023/12/1915:32:25","size":"24","source":"","vendor":"bsdi","version":"1.1"}, "operation": "INSERTED"} 2024 Apr 15 15:00:01 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"HQN03SN969","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"C67HMCFIAV","location":"","multiarch":"null","name":"openlinux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"25","source":"","vendor":"caldera","version":"1.2"}, "operation": "INSERTED"} 2024 Apr 15 15:00:01 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"LYSX14AA94","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"AKXB4RWFOV","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"26","source":"","vendor":"redhat","version":"2.0"}, "operation": "INSERTED"} 2024 Apr 15 15:00:01 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"TI4YMURD95","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"64UYN6ORDP","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"27","source":"","vendor":"redhat","version":"2.1"}, "operation": "INSERTED"} 2024 Apr 15 15:00:01 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"YEQSPMJNFO","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"242IO8XXVQ","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"28","source":"","vendor":"redhat","version":"3.0.3"}, "operation": "INSERTED"} 2024 Apr 15 15:00:01 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"Q5CUUHCO1Q","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"YLKO1CCLPR","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"29","source":"","vendor":"redhat","version":"4.0"}, "operation": "INSERTED"} 2024 Apr 15 15:00:01 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"MC41LMSEGR","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"SDIXS4DDA9","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"30","source":"","vendor":"redhat","version":"4.1"}, "operation": "INSERTED"} 2024 Apr 15 15:00:02 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"WK457AGL9Q","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"PWLAM0V5ET","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"31","source":"","vendor":"redhat","version":"4.2"}, "operation": "INSERTED"} 2024 Apr 15 15:00:02 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"50UME6PJRN","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"TEA8VN5IHI","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"32","source":"","vendor":"redhat","version":"5.0"}, "operation": "INSERTED"} 2024 Apr 15 15:00:02 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"7EY3MBQ4WJ","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"Z0O92F3NHY","location":"","multiarch":"null","name":"linux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"33","source":"","vendor":"redhat","version":"5.1"}, "operation": "INSERTED"} 2024 Apr 15 15:00:02 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"ISBXHKDDBB","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"V9IGFLASYQ","location":"","multiarch":"null","name":"ted_cde","priority":"optional","scan_time":"2023/12/1915:32:25","size":"34","source":"","vendor":"tritreal","version":"4.3"}, "operation": "INSERTED"} 2024 Apr 15 15:00:02 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"E9BZBSRJ3F","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"7JLIGT0TS9","location":"","multiarch":"null","name":"hp-ux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"35","source":"","vendor":"hp","version":"10.01"}, "operation": "INSERTED"} 2024 Apr 15 15:00:02 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"6LWFA99MB0","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"YXOV45QI7Z","location":"","multiarch":"null","name":"hp-ux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"36","source":"","vendor":"hp","version":"10.02"}, "operation": "INSERTED"} 2024 Apr 15 15:00:02 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"OJV9RE8QGH","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"KEA3AFM4OO","location":"","multiarch":"null","name":"hp-ux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"37","source":"","vendor":"hp","version":"10.03"}, "operation": "INSERTED"} 2024 Apr 15 15:00:02 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"R26E8ISSIW","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"B6WPNRYS4P","location":"","multiarch":"null","name":"hp-ux","priority":"optional","scan_time":"2023/12/1915:32:25","size":"38","source":"","vendor":"hp","version":"11.00"}, "operation": "INSERTED"} 2024 Apr 15 15:00:02 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"YP6YPTKIZR","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"35HPZ6MBYC","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"39","source":"","vendor":"ibm","version":"4.1"}, "operation": "INSERTED"} 2024 Apr 15 15:00:02 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"JK1RIJIJC3","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"QVSCGXU024","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"40","source":"","vendor":"ibm","version":"4.1.1"}, "operation": "INSERTED"} 2024 Apr 15 15:00:03 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"CC4FZFACNH","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"V61X4FFQVA","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"41","source":"","vendor":"ibm","version":"4.1.2"}, "operation": "INSERTED"} 2024 Apr 15 15:00:03 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"EZTDVR0LZ9","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"4AGJOLB8V6","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"42","source":"","vendor":"ibm","version":"4.1.3"}, "operation": "INSERTED"} 2024 Apr 15 15:00:03 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"2S5T4MMAZK","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"DX76GMTMIM","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"44","source":"","vendor":"ibm","version":"4.1.5"}, "operation": "INSERTED"} 2024 Apr 15 15:00:03 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"J3D7WC4TZS","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"G5D1K3RE4K","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"43","source":"","vendor":"ibm","version":"4.1.4"}, "operation": "INSERTED"} 2024 Apr 15 15:00:03 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"ORPNGAXR3P","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"JTXN1R28LM","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"45","source":"","vendor":"ibm","version":"4.2"}, "operation": "INSERTED"} 2024 Apr 15 15:00:03 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"CFWY6GDULS","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"H3HV2A2LPU","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"46","source":"","vendor":"ibm","version":"4.2.1"}, "operation": "INSERTED"} 2024 Apr 15 15:00:03 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"CJ2AQ79AQ4","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"D5YLAHB4J6","location":"","multiarch":"null","name":"aix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"47","source":"","vendor":"ibm","version":"4.3"}, "operation": "INSERTED"} 2024 Apr 15 15:00:03 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"RNZ2F2LF1T","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"PBLDKYM9YL","location":"","multiarch":"null","name":"irix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"48","source":"","vendor":"sgi","version":"5.2"}, "operation": "INSERTED"} 2024 Apr 15 15:00:03 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"7BEZF5UPV5","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"OA30WJB6SR","location":"","multiarch":"null","name":"irix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"49","source":"","vendor":"sgi","version":"5.3"}, "operation": "INSERTED"} 2024 Apr 15 15:00:03 (1-siFahXoUycgmItp4-debian10) any->syscollector {"type": "dbsync_packages", "data": {"architecture":"","checksum":"TZ870LOFVO","description":"","format":"","groups":"editors","install_time":"2024/04/15 00:00:00","item_id":"BTQW7LHHCD","location":"","multiarch":"null","name":"irix","priority":"optional","scan_time":"2023/12/1915:32:25","size":"50","source":"","vendor":"sgi","version":"6.0"}, "operation": "INSERTED"} 2024 Apr 15 15:00:14 ubuntu2204->/var/log/syslog Apr 15 15:00:13 ubuntu2204 systemd[1]: Starting system activity accounting tool... 2024 Apr 15 15:00:14 ubuntu2204->/var/log/syslog Apr 15 15:00:13 ubuntu2204 systemd[1]: sysstat-collect.service: Deactivated successfully. 2024 Apr 15 15:00:14 ubuntu2204->/var/log/syslog Apr 15 15:00:13 ubuntu2204 systemd[1]: Finished system activity accounting tool. ```

DB Info

```console root@ubuntu2204:/home/vagrant# sqlite3 /var/ossec/queue/db/005.db SQLite version 3.37.2 2022-01-06 13:25:41 Enter ".help" for usage hints. sqlite> SELECT * FROM sys_osinfo; sqlite> ```

The problem seems to be that the pipeline is using some default simulate-agents options. When generating packages events, for the simulation to be correct, it is necessary to also send, before the packages, the OS information. There would be 2 possible solutions:

When generating the events, if only packages has been selected, the OS information is sent in the first iteration. With this solution, the number of packages events will be batch_size - 1 and the total number of events will be batch_size.
When generating the events, if only packages has been selected, the OS information and the first packages event will be sent in the first iteration. With this solution, the number of packages events will be batch_size and the number of generated events is batch_size + 1.

The simulator supports generating different events at the same time. When trying to send osinfo and packages events, the vulnerabilities are generated correctly.

rafabailon commented 7 months ago

Update

I have added a change so that when selecting only packages (or leaving the default option), osinfo is added (and the batch_size is 1). In this way, the OS information is always sent and errors are avoided. In the tests I have been able to see that vulnerability logs are generated.

rafabailon commented 6 months ago

Update

I have created a PR with all the changes to add a class to the agent simulator to generate vulnerability events. The tests have been done locally. The results are in the PR.

rafabailon commented 6 months ago

Update

I have had little time to devote to this issue as I received 3 communities at once.

Update 2

I have refactored the code according to the comments in the PR. I have removed all the code repetition and made some changes to remove all the unnecessary code.

I've tested the simulator with different OSs for the agent and the manager (debian and ubuntu). Everything seems to work correctly.

Details can be found in the PR. For the tests I have used the simulator and checked the logs manually to check that the necessary syscollector messages are sent and the vulnerability alerts appear.

Update 3

Occasionally I have found errors in the simulated agents (not all). After several tests, I have related the errors to the value of -t. It is necessary to give it an appropriate value (in seconds) (between 40 and 60 seconds is fine) to avoid problems with the agents.

Rebits commented 6 months ago

Single Vulnerable package testing :green_circle:

We are going to test a single vulnerable package per second ``` simulate-agents -a 192.168.56.9 -n 1 -m vulnerability -s 1 -t 30 --vulnerability-packages-list-file /home/homelab/Wazuh/file.json ``` Where file is ``` [ { "vendor": "bsdi", "product": "bsd_os", "version": "3.1" } ``` - Expected initial os info is correctly sent: ``` {"timestamp":"2024-04-29T16:05:37.651+0000","agent":{"id":"004","name":"1-digJ5mC3GNlEh0A9-debian8"},"manager":{"name":"ubuntu22-2"},"id":"1714406737.2430957","full_log":"{\"type\": \"dbsync_osinfo\", \"data\": {\"checksum\":\"1634140017886803554\",\"architecture\":\"x86_64\",\"hostname\":\"1-digJ5mC3GNlEh0A9-debian8\",\"os_codename\":\"focal\",\"os_major\":\"20\",\"os_minor\":\"04\",\"os_name\":\"Ubuntu\",\"os_platform\":\"ubuntu\",\"os_patch\":\"6\",\"os_release\":\"sp1\",\"os_version\":\"20.04.6LTS(FocalFossa)\",\"os_build\":\"4.18.0-305.12.1.el8_4.x86_64\",\"release\":\"6.2.6-76060206-generic\",\"scan_time\":\"2023/12/2011:24:58\",\"sysname\":\"Linux\",\"version\":\"#202303130630~1689015125~22.04~ab2190eSMPPREEMPT_DYNAMIC\"}, \"operation\": \"INSERTED\"}","decoder":{"name":"syscollector"},"data":{"type":"dbsync_osinfo","os":{"hostname":"1-digJ5mC3GNlEh0A9-debian8","architecture":"x86_64","name":"Ubuntu","version":"20.04.6LTS(FocalFossa)","codename":"focal","major":"20","minor":"04","patch":"6","build":"4.18.0-305.12.1.el8_4.x86_64","platform":"ubuntu","sysname":"Linux","release":"6.2.6-76060206-generic","os_release":"sp1"},"operation_type":"INSERTED"},"location":"syscollector"} ``` The second message is the expected message of package installation ``` {"timestamp":"2024-04-29T16:05:38.649+0000","agent":{"id":"004","name":"1-digJ5mC3GNlEh0A9-debian8"},"manager":{"name":"ubuntu22-2"},"id":"1714406738.2430957","full_log":"{\"type\": \"dbsync_packages\", \"data\": {\"architecture\":\"\",\"checksum\":\"4Y9QX5J9FO\",\"description\":\"\",\"format\":\"\",\"groups\":\"editors\",\"install_time\":\"2024/04/29 00:00:00\",\"item_id\":\"BVWSRG0YC6\",\"location\":\"\",\"multiarch\":\"null\",\"name\":\"bsd_os\",\"priority\":\"optional\",\"scan_time\":\"2023/12/1915:32:25\",\"size\":\"2\",\"source\":\"\",\"vendor\":\"bsdi\",\"version\":\"3.1\"}, \"operation\": \"INSERTED\"}","decoder":{"name":"syscollector"},"data":{"type":"dbsync_packages","program":{"name":"bsd_os","priority":"optional","section":"editors","size":"2","vendor":"bsdi","install_time":"2024/04/29 00:00:00","version":"3.1","multiarch":"null"},"operation_type":"INSERTED"},"location":"syscollector"} ``` - Expected alerts have been triggered ``` {"timestamp":"2024-04-29T16:05:38.668+0000","rule":{"level":5,"description":"CVE-2001-1133 affects bsd_os","id":"23503","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"1-digJ5mC3GNlEh0A9-debian8"},"manager":{"name":"ubuntu22-2"},"id":"1714406738.2432171","full_log":"{\"vulnerability\":{\"assigner\":\"mitre\",\"cve\":\"CVE-2001-1133\",\"cvss\":{\"cvss2\":{\"base_score\":2.1,\"vector\":{\"access_complexity\":\"LOW\",\"authentication\":\"NONE\",\"availability\":\"PARTIAL\",\"confidentiality_impact\":\"NONE\",\"integrity_impact\":\"NONE\"}}},\"cwe_reference\":\"\",\"enumeration\":\"CVE\",\"package\":{\"architecture\":\"\",\"condition\":\"Package equal to 3.1\",\"name\":\"bsd_os\",\"source\":\"\",\"version\":\"3.1\"},\"published\":\"2001-08-21T04:00:00Z\",\"rationale\":\"Vulnerability in a system call in BSDI 3.0 and 3.1 allows local users to cause a denial of service (reboot) in the kernel via a particular sequence of instructions.\",\"reference\":\"http://www.securityfocus.com/bid/3220, http://www.iss.net/security_center/static/7023.php, http://www.securityfocus.com/archive/1/209192\",\"severity\":\"Low\",\"status\":\"Active\",\"title\":\"CVE-2001-1133 affects bsd_os\",\"type\":\"Packages\",\"updated\":\"2008-09-05T20:25:46Z\"}}","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2001-1133","cvss":{"cvss2":{"base_score":"2.100000","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"enumeration":"CVE","package":{"condition":"Package equal to 3.1","name":"bsd_os","version":"3.1"},"published":"2001-08-21T04:00:00Z","rationale":"Vulnerability in a system call in BSDI 3.0 and 3.1 allows local users to cause a denial of service (reboot) in the kernel via a particular sequence of instructions.","reference":"http://www.securityfocus.com/bid/3220, http://www.iss.net/security_center/static/7023.php, http://www.securityfocus.com/archive/1/209192","severity":"Low","status":"Active","title":"CVE-2001-1133 affects bsd_os","type":"Packages","updated":"2008-09-05T20:25:46Z"}},"location":"vulnerability-detector"} ... ``` - After the installation event, the expected removal package messages has been sent: ``` {"timestamp":"2024-04-29T16:05:39.650+0000","agent":{"id":"004","name":"1-digJ5mC3GNlEh0A9-debian8"},"manager":{"name":"ubuntu22-2"},"id":"1714406739.2459292","full_log":"{\"type\": \"dbsync_packages\", \"data\": {\"architecture\":\"\",\"checksum\":\"SMBUF86VO2\",\"description\":\"\",\"format\":\"\",\"groups\":\"editors\",\"install_time\":\"2024/04/29 00:00:00\",\"item_id\":\"BVWSRG0YC6\",\"location\":\"\",\"multiarch\":\"null\",\"name\":\"bsd_os\",\"priority\":\"optional\",\"scan_time\":\"2023/12/1915:32:25\",\"size\":\"3\",\"source\":\"\",\"vendor\":\"bsdi\",\"version\":\"3.1\"}, \"operation\": \"DELETED\"}","decoder":{"name":"syscollector"},"data":{"type":"dbsync_packages","program":{"name":"bsd_os","priority":"optional","section":"editors","size":"3","vendor":"bsdi","install_time":"2024/04/29 00:00:00","version":"3.1","multiarch":"null"},"operation_type":"DELETED"},"location":"syscollector"} ```

_It has been detected a minor bug in the parse_packages_content script_. Not development related

rafabailon commented 6 months ago

Update

I have made the changes suggested in the PR. I have also reviewed the comments to fix some errors that I have detected. Finally, I repeated the tests to make sure everything still works.

wazuh / wazuh-qa