wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.3.7 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #14640

Closed AdriiiPRodri closed 2 years ago

AdriiiPRodri commented 2 years ago

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

| Field | Value |
| --- | --- |
| Test name | Wazuh Indexer |
| Category | Installation |
| Deployment option | Single Indexer, server and agent: Installation assistant |
| Main release issue | https://github.com/wazuh/wazuh/issues/14614 |
| Release candidate # | 1 |

Environment

| Component | OS | Installation |
| --- | --- | --- |
| Wazuh dashboard | Amazon Linux 2 | Installation assistant |
| Wazuh indexer | Amazon Linux 2 | Installation assistant |
| Wazuh server | Amazon Linux 2 | Installation assistant |
| Wazuh agent | Windows | Installation assistant |

Test description

Best effort to test Wazuh indexer package. Think critically and at least review/test:

Test report procedure

All test results must have one of the following statuses:
:green_circle: All checks passed.
:red_circle: There is at least one failed result.
:yellow_circle: There is at least one expected failure or skipped test and no failures.

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results must be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Conclusions

All tests have been executed and the results can be found here.

| Status | Test | Failure type | Notes |
| --- | --- | --- | --- |
| :green_circle: | Environment installation | | |
| :green_circle: | Wazuh indexer package | | |
| :green_circle: | Wazuh indexer installed files location, size and permissions | | |
| :green_circle: | Wazuh indexer installation footprint | | |
| :green_circle: | Wazuh indexer installed service | | |
| :green_circle: | Wazuh indexer logs when installed | | |
| :green_circle: | Wazuh indexer templates and indices created | | |
| :green_circle: | Wazuh indexer configuration | | |
| :green_circle: | Wazuh indexer cluster node communication and configuration | | |
| :green_circle: | Wazuh indexer cluster status | | |
| :green_circle: | Wazuh indexer packages uninstallation procedure | | |
| :green_circle: | User experience | | |

Auditors validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

fdalmaup commented 2 years ago

Environment installation 🟢

Each component was installed using the Installation assistant.

Initial configuration

🟢 wazuh-install.sh

curl -sO https://packages-dev.wazuh.com/4.3/wazuh-install.sh

🟢 config.yml

curl -sO https://packages-dev.wazuh.com/4.3/config.yml
[root@localhost ~]# cat config.yml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: <indexer-node-ip>
    # - name: node-2
    #   ip: <indexer-node-ip>
    # - name: node-3
    #   ip: <indexer-node-ip>

  # Wazuh server nodes
  # Use node_type only with more than one Wazuh manager
  server:
    - name: wazuh-1
      ip: <wazuh-manager-ip>
    # node_type: master
    # - name: wazuh-2
    #   ip: <wazuh-manager-ip>
    # node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: <dashboard-node-ip>

🟢 bash wazuh-install.sh --generate-config-files

[root@localhost ~]# bash wazuh-install.sh --generate-config-files
16/08/2022 14:18:24 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 14:18:24 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 14:18:27 INFO: --- Configuration files ---
16/08/2022 14:18:27 INFO: Generating configuration files.
16/08/2022 14:18:28 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.

🟢 wazuh-install-files.tar generated

[root@localhost ~]# ls -l
total 160
-rw------- 1 root root  10677 ago 16 14:18 wazuh-install-files.tar
-rw-r--r-- 1 root root 148481 ago 16 14:16 wazuh-install.sh

Wazuh indexer

🟢 Wazuh indexer installation

[root@localhost ~]# bash wazuh-install.sh --wazuh-indexer node-1
16/08/2022 14:29:39 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 14:29:39 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 14:29:45 INFO: Wazuh development repository added.
16/08/2022 14:29:45 INFO: --- Wazuh indexer ---
16/08/2022 14:29:45 INFO: Starting Wazuh indexer installation.
16/08/2022 14:30:36 INFO: Wazuh indexer installation finished.
16/08/2022 14:30:36 INFO: Wazuh indexer post-install configuration finished.
16/08/2022 14:30:36 INFO: Starting service wazuh-indexer.
16/08/2022 14:30:52 INFO: wazuh-indexer service started.
16/08/2022 14:30:52 INFO: Initializing Wazuh indexer cluster security settings.
16/08/2022 14:30:54 INFO: Wazuh indexer cluster initialized.
16/08/2022 14:30:54 INFO: Installation finished.
[root@localhost ~]# bash wazuh-install.sh --start-cluster
16/08/2022 14:31:27 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 14:31:27 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 14:31:37 INFO: Wazuh indexer cluster security configuration initialized.
16/08/2022 14:31:56 INFO: Wazuh indexer cluster started.

Indexer status

[root@localhost ~]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-08-16 14:30:52 UTC; 4min 50s ago
     Docs: https://documentation.wazuh.com
 Main PID: 3762 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─3762 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=t...

ago 16 14:30:36 localhost systemd[1]: Starting Wazuh-indexer...
ago 16 14:30:49 localhost systemd-entrypoint[3762]: WARNING: An illegal reflective access operation has occurred
ago 16 14:30:49 localhost systemd-entrypoint[3762]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/...wable.cause
ago 16 14:30:49 localhost systemd-entrypoint[3762]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
ago 16 14:30:49 localhost systemd-entrypoint[3762]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
ago 16 14:30:49 localhost systemd-entrypoint[3762]: WARNING: All illegal access operations will be denied in a future release
ago 16 14:30:52 localhost systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.

Wazuh server

🟢 Server and filebeat installation

[root@localhost ~]# bash wazuh-install.sh --wazuh-server wazuh-1
16/08/2022 14:36:39 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 14:36:39 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 14:36:45 INFO: Wazuh development repository added.
16/08/2022 14:36:45 INFO: --- Wazuh server ---
16/08/2022 14:36:45 INFO: Starting the Wazuh manager installation.
16/08/2022 14:37:06 INFO: Wazuh manager installation finished.
16/08/2022 14:37:06 INFO: Starting service wazuh-manager.
16/08/2022 14:37:21 INFO: wazuh-manager service started.
16/08/2022 14:37:21 INFO: Starting Filebeat installation.
16/08/2022 14:37:32 INFO: Filebeat installation finished.
16/08/2022 14:37:33 INFO: Filebeat post-install configuration finished.
16/08/2022 14:37:42 INFO: Starting service filebeat.
16/08/2022 14:37:43 INFO: filebeat service started.
16/08/2022 14:37:43 INFO: Installation finished.

Server status

[root@localhost ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-08-16 17:58:31 UTC; 25s ago
   CGroup: /system.slice/wazuh-manager.service
           ├─7023 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─7065 /var/ossec/bin/wazuh-authd
           ├─7087 /var/ossec/bin/wazuh-db
           ├─7099 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─7102 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─7117 /var/ossec/bin/wazuh-execd
           ├─7132 /var/ossec/bin/wazuh-analysisd
           ├─7176 /var/ossec/bin/wazuh-syscheckd
           ├─7191 /var/ossec/bin/wazuh-remoted
           ├─7224 /var/ossec/bin/wazuh-logcollector
           ├─7247 /var/ossec/bin/wazuh-monitord
           └─7270 /var/ossec/bin/wazuh-modulesd

ago 16 17:58:22 localhost env[6967]: Started wazuh-execd...
ago 16 17:58:23 localhost env[6967]: Started wazuh-analysisd...
ago 16 17:58:25 localhost env[6967]: Started wazuh-syscheckd...
ago 16 17:58:26 localhost env[6967]: Started wazuh-remoted...
ago 16 17:58:27 localhost env[6967]: Started wazuh-logcollector...
ago 16 17:58:28 localhost env[6967]: Started wazuh-monitord...
ago 16 17:58:29 localhost crontab[7351]: (root) LIST (root)
ago 16 17:58:29 localhost env[6967]: Started wazuh-modulesd...
ago 16 17:58:31 localhost env[6967]: Completed.
ago 16 17:58:31 localhost systemd[1]: Started Wazuh manager.

Filebeat status

[root@localhost ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-08-16 14:37:40 UTC; 1min 18s ago
     Docs: https://www.elastic.co/products/beats/filebeat
 Main PID: 7494 (filebeat)
   CGroup: /system.slice/filebeat.service
           └─7494 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /va...

ago 16 14:37:40 localhost systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..

Wazuh dashboard

🟢 Wazuh dashboard installation

[root@localhost ~]# bash wazuh-install.sh --wazuh-dashboard dashboard
16/08/2022 18:00:45 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 18:00:45 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 18:00:51 INFO: Wazuh development repository added.
dashboard
16/08/2022 18:00:51 INFO: --- Wazuh dashboard ----
16/08/2022 18:00:51 INFO: Starting Wazuh dashboard installation.
16/08/2022 18:01:43 INFO: Wazuh dashboard installation finished.
16/08/2022 18:01:43 INFO: Wazuh dashboard post-install configuration finished.
16/08/2022 18:01:43 INFO: Starting service wazuh-dashboard.
16/08/2022 18:01:43 INFO: wazuh-dashboard service started.
16/08/2022 18:02:04 INFO: Initializing Wazuh dashboard web application.
16/08/2022 18:02:05 INFO: Wazuh dashboard web application initialized.
16/08/2022 18:02:05 INFO: --- Summary ---
16/08/2022 18:02:05 INFO: You can access the web interface https://<private_ip>
    User: <user>
    Password: <password>
16/08/2022 18:02:05 INFO: Installation finished.

Wazuh dashboard status

[root@localhost ~]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-08-16 18:01:49 UTC; 2min 38s ago
 Main PID: 9357 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─9357 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/...

ago 16 18:01:55 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:01:55Z","tags":["info","plugins-system"],"pid":9357,"message":"Starting [42] plug...able,expres
ago 16 18:01:55 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:01:55Z","tags":["listening","info"],"pid":9357,"message":"Server running at https...24.20:443"}
ago 16 18:01:56 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:01:56Z","tags":["info","http","server","OpenSearchDashboards"],"pid":9357,"messag...24.20:443"}
ago 16 18:01:56 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:01:56Z","tags":["error","opensearch","data"],"pid":9357,"message":"[ResponseError...nse Error"}
ago 16 18:01:56 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:01:56Z","tags":["error","opensearch","data"],"pid":9357,"message":"[ResponseError...nse Error"}
ago 16 18:02:05 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:02:05Z","tags":["info","branding"],"pid":9357,"message":"logo default config is n... invalid."}
ago 16 18:02:05 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:02:05Z","tags":["info","branding"],"pid":9357,"message":"mark default config is n... invalid."}
ago 16 18:02:05 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:02:05Z","tags":["info","branding"],"pid":9357,"message":"loadingLogo default conf... invalid."}
ago 16 18:02:05 localhost opensearch-dashboards[9357]: {"type":"log","@timestamp":"2022-08-16T18:02:05Z","tags":["info","branding"],"pid":9357,"message":"favicon config is not fo... invalid."}
ago 16 18:02:05 localhost opensearch-dashboards[9357]: {"type":"response","@timestamp":"2022-08-16T18:02:04Z","tags":[],"pid":9357,"method":"get","statusCode":200,"req":{"url":"/status","me...
Hint: Some lines were ellipsized, use -l to show in full.
fdalmaup commented 2 years ago

Wazuh indexer package 🟢

Package SPECs 🟢

[root@localhost ~]# rpm -qa | grep wazuh-indexer
wazuh-indexer-4.3.7-1.x86_64
[root@localhost ~]# rpm -qi wazuh-indexer-4.3.7-1.x86_64
Name        : wazuh-indexer
Version     : 4.3.7
Release     : 1
Architecture: x86_64
Install Date: mar 16 ago 2022 17:56:12 UTC
Group       : System Environment/Daemons
Size        : 644015829
License     : GPL
Signature   : RSA/SHA256, vie 12 ago 2022 17:32:16 UTC, Key ID 96b3ee5f29111145
Source RPM  : wazuh-indexer-4.3.7-1.src.rpm
Build Date  : vie 12 ago 2022 17:23:30 UTC
Build Host  : ip-172-31-38-74.ec2.internal
Relocations : (not relocatable)
Packager    : Wazuh, Inc <info@wazuh.com>
Vendor      : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : Wazuh indexer is a search and analytics engine for security-related data. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
Description :
Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. This Wazuh central component indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html

Package size 🟢

Installed size: 614 M

[root@localhost lib]# rpm -qa --queryformat '%{SIZE} %{NAME} \n' | grep indexer
644015829 wazuh-indexer 

Package metadata (description) 🟢

Summary     : Wazuh indexer is a search and analytics engine for security-related data. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
Description :
Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. This Wazuh central component indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html

Package digital signature 🟢

[root@localhost /]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH && rpm -Kv wazuh-indexer-4.3.7-1.x86_64.rpm 
wazuh-indexer-4.3.7-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 29111145: OK
    Header SHA1 digest: OK (0e7f7259fc8bb65a8876964a726c5054e03e6dcc)
    V3 RSA/SHA256 Signature, key ID 29111145: OK
    MD5 digest: OK (71c008fa6c7cf9bbef92654fc3bc2c50)
fdalmaup commented 2 years ago

Wazuh indexer installed files location, size and permissions :green_circle:

Wazuh indexer package files

fdalmaup commented 2 years ago

Wazuh indexer installation footprint :green_circle:

No files with changed ownership could be found.


[root@localhost /]# find /etc -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /usr -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /var -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /bin -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /etc -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /usr -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /var -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# find /bin -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@localhost /]# 
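Added example, not from the Wazuh project or from the report above: a small script that generalises the footprint check to any service account and any set of filesystem roots, and splits it so the filtering step can be exercised offline. The account name `wazuh-indexer` and the rule that its legitimate paths contain that string are the same ones the `find` commands above encode; the listing embedded at the bottom is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the Wazuh project or this report): list files owned
# by a package's service account (as user or group) that live outside the
# paths the package is expected to own.
#
# Assumptions (constructed for this example): the service account is
# "wazuh-indexer" and every path it may legitimately own contains that string.

SERVICE_ACCOUNT=wazuh-indexer
EXPECTED_RE='.*wazuh-indexer.*'

# unexpected_entries ACCOUNT ERE
# Reads "path owner group" lines on stdin and prints the path of every entry
# that belongs to ACCOUNT (by user or by group) but does not match ERE.
# awk splits on whitespace, so paths containing spaces are not supported here.
unexpected_entries() {
    awk -v acct="$1" -v re="$2" '
        ($2 == acct || $3 == acct) && $1 !~ re { print $1 }'
}

# footprint_check ACCOUNT ERE ROOT...
# Walks the given roots with GNU find (-printf), emitting one "path owner group"
# line per matching file, then applies unexpected_entries. Returns 1 if anything
# is found so it can gate an installation test.
footprint_check() {
    acct=$1; re=$2; shift 2
    found=$(find "$@" \( -user "$acct" -o -group "$acct" \) \
                -printf '%p %u %g\n' 2>/dev/null | unexpected_entries "$acct" "$re")
    if [ -n "$found" ]; then
        printf 'Unexpected %s-owned paths:\n%s\n' "$acct" "$found"
        return 1
    fi
    echo "No $acct-owned paths outside $re"
}

# Constructed listing (not captured from a real host) in the format that
# find -printf '%p %u %g\n' produces, with two deliberately stray entries.
SAMPLE_LISTING='/etc/wazuh-indexer/opensearch.yml wazuh-indexer wazuh-indexer
/var/lib/wazuh-indexer/nodes wazuh-indexer wazuh-indexer
/usr/share/filebeat/bin/filebeat root root
/var/tmp/stray.log wazuh-indexer root
/etc/cron.d/stray root wazuh-indexer'

# Demo on the constructed listing: prints the two stray paths.
printf '%s\n' "$SAMPLE_LISTING" | unexpected_entries "$SERVICE_ACCOUNT" "$EXPECTED_RE"

# Real run, as root, over the same roots the report checked:
#   footprint_check wazuh-indexer '.*wazuh-indexer.*' /etc /usr /var /bin
```

Running `footprint_check` over `/etc /usr /var /bin` reproduces the eight `find` invocations above in one pass and exits non-zero when the package has left files outside its own tree, which is the condition the report is checking for.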
fdalmaup commented 2 years ago

Wazuh indexer installed service :green_circle:

The service was correctly installed, enabled and started.

[root@localhost /]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-08-16 17:56:35 UTC; 1h 8min ago
     Docs: https://documentation.wazuh.com
 Main PID: 4832 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─4832 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=1...

ago 16 17:56:20 localhost systemd[1]: Starting Wazuh-indexer...
ago 16 17:56:32 localhost systemd-entrypoint[4832]: WARNING: An illegal reflective access operation has occurred
ago 16 17:56:32 localhost systemd-entrypoint[4832]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableS....cause
ago 16 17:56:32 localhost systemd-entrypoint[4832]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runti...Schema
ago 16 17:56:32 localhost systemd-entrypoint[4832]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflecti...ations
ago 16 17:56:32 localhost systemd-entrypoint[4832]: WARNING: All illegal access operations will be denied in a future release
ago 16 17:56:35 localhost systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost /]# systemctl is-enabled wazuh-indexer
enabled
[root@localhost /]# systemctl cat wazuh-indexer.service
# /usr/lib/systemd/system/wazuh-indexer.service
[Unit]
Description=Wazuh-indexer
Documentation=https://documentation.wazuh.com
Wants=network-online.target
After=network-online.target

[Service]
Type=notify
RuntimeDirectory=wazuh-indexer
PrivateTmp=yes
Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer
Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
Environment=PID_DIR=/run/wazuh-indexer
Environment=OPENSEARCH_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/wazuh-indexer

WorkingDirectory=/usr/share/wazuh-indexer

User=wazuh-indexer
Group=wazuh-indexer

ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet

# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# wazuh-indexer logging system is initialized. Elasticsearch
# stores its logs in /var/log/wazuh-indexer and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535

# Specifies the maximum number of processes
LimitNPROC=4096

# Specifies the maximum size of virtual memory
LimitAS=infinity

# Specifies the maximum file size
LimitFSIZE=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0

# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM

# Send the signal only to the JVM rather than its control group
KillMode=process

# Java process is never killed
SendSIGKILL=no

# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143

# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=75

[Install]
WantedBy=multi-user.target
fdalmaup commented 2 years ago

Wazuh indexer logs when installed 🟢

No error was reported.

[root@localhost /]# cat /var/log/wazuh-install.log
16/08/2022 19:19:46 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 19:19:46 INFO: Verbose logging redirected to /var/log/wazuh-install.log
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
16/08/2022 19:19:51 INFO: Wazuh development repository added.
16/08/2022 19:19:51 INFO: --- Wazuh indexer ---
16/08/2022 19:19:51 INFO: Starting Wazuh indexer installation.
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.3.7-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch            Version            Repository      Size
================================================================================
Installing:
 wazuh-indexer          x86_64          4.3.7-1            wazuh          361 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 361 M
Installed size: 614 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-indexer-4.3.7-1.x86_64                                 1/1 
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
  Verifying  : wazuh-indexer-4.3.7-1.x86_64                                 1/1 

Installed:
  wazuh-indexer.x86_64 0:4.3.7-1                                                

Complete!
16/08/2022 19:20:50 INFO: Wazuh indexer installation finished.
16/08/2022 19:20:50 INFO: Wazuh indexer post-install configuration finished.
16/08/2022 19:20:50 INFO: Starting service wazuh-indexer.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
16/08/2022 19:21:04 INFO: wazuh-indexer service started.
16/08/2022 19:21:04 INFO: Initializing Wazuh indexer cluster security settings.
16/08/2022 19:21:07 INFO: Wazuh indexer cluster initialized.
16/08/2022 19:21:07 INFO: Installation finished.
fdalmaup commented 2 years ago

Wazuh indexer templates and indices created :green_circle:

Created indices

[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_cat/indices?v=true
health status index                       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2022.08.17 XWwkR_iwSheRZlD_5hDhLg   3   0        201            0    626.7kb        626.7kb
green  open   wazuh-monitoring-2022.33w   QhhGn80wSSKs2owCJtS8FA   1   0          0            0       208b           208b
green  open   wazuh-statistics-2022.33w   JuR3NzFSSbKVJOaJtiTpDQ   1   0          2            0     22.8kb         22.8kb
green  open   .kibana_1                   Y03aGc5BQIC6CMZ78Og2OQ   1   0          4            1       45kb           45kb
green  open   .opendistro_security        rhr7JXH_T9GxwHUUyds9Dw   1   0          9            8     91.1kb         91.1kb

Created templates

[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_cat/templates?pretty
wazuh-statistics [wazuh-statistics-*]                       0   
wazuh-agent      [wazuh-monitoring-*]                       0   
wazuh            [wazuh-alerts-4.x-*, wazuh-archives-4.x-*] 0 1 

Wazuh indexer configuration :green_circle:

opensearch.yml file

[root@localhost /]# cat /etc/wazuh-indexer/opensearch.yml
node.master: true
node.data: true
node.ingest: true

cluster.name: wazuh-indexer-cluster
cluster.routing.allocation.disk.threshold_enabled: false

node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/node-1.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/node-1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/node-1.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/node-1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.ssl.http.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true
node.name: node-1
network.host: 172.31.24.20
cluster.initial_master_nodes: node-1
plugins.security.nodes_dn:
        - CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US

Shards

[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_cat/shards?v=true
index                       shard prirep state   docs   store ip           node
wazuh-monitoring-2022.33w   0     p      STARTED    0    208b <private-ip> node-1
wazuh-alerts-4.x-2022.08.17 1     p      STARTED   50 203.7kb <private-ip> node-1
wazuh-alerts-4.x-2022.08.17 2     p      STARTED   78 210.6kb <private-ip> node-1
wazuh-alerts-4.x-2022.08.17 0     p      STARTED   73 212.3kb <private-ip> node-1
.kibana_1                   0     p      STARTED    4    45kb <private-ip> node-1
.opendistro_security        0     p      STARTED    9  91.1kb <private-ip> node-1
wazuh-statistics-2022.33w   0     p      STARTED    2  22.8kb <private-ip> node-1
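Added example, not from the Wazuh project or from the report above, covering both the `opensearch.yml` review and the indices/shards check in this comment: `check_tls_config` reads the flat `key: value` / `- item` style the file uses and flags weak HTTP TLS settings, while `non_green_indices` and `unassigned_shards` parse `_cat/indices` and `_cat/shards` tables and print anything unhealthy. The config and table samples are constructed to mirror the output above; the policy thresholds (TLS 1.2/1.3 only, AEAD ciphers only) are the example's own choice.

```shell
#!/bin/sh
# Added example (not from the Wazuh project or this report): post-install
# checks for the indexer. yaml_scalar/yaml_list are a minimal reader for the
# flat opensearch.yml layout, not a YAML parser. Sample data is constructed.

yaml_scalar() {   # yaml_scalar FILE KEY -> value of a top-level "KEY: value" line
    awk -v k="$2" '$1 == (k ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

yaml_list() {     # yaml_list FILE KEY -> the "- item" entries under KEY, quotes stripped
    awk -v k="$2" '
        $1 == (k ":")       { inlist = 1; next }
        inlist && $1 == "-" { v = $2; gsub(/"/, "", v); print v; next }
        inlist && NF        { exit }' "$1"
}

# check_tls_config FILE: prints FAIL/WARN findings, returns 1 on any FAIL.
# Policy (this example's choice): HTTP TLS on, only TLS 1.2/1.3, only AEAD
# ciphers. Transport hostname verification off is only a WARN because the
# single-node install above legitimately runs that way.
check_tls_config() {
    f=$1; rc=0
    [ "$(yaml_scalar "$f" plugins.security.ssl.http.enabled)" = true ] ||
        { echo "FAIL: plugins.security.ssl.http.enabled is not true"; rc=1; }
    for p in $(yaml_list "$f" plugins.security.ssl.http.enabled_protocols); do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) echo "FAIL: weak protocol enabled: $p"; rc=1 ;;
        esac
    done
    for c in $(yaml_list "$f" plugins.security.ssl.http.enabled_ciphers); do
        case $c in
            *_GCM_*|*CHACHA20*) ;;
            *) echo "FAIL: non-AEAD cipher enabled: $c"; rc=1 ;;
        esac
    done
    [ "$(yaml_scalar "$f" plugins.security.ssl.transport.enforce_hostname_verification)" = true ] ||
        echo "WARN: transport hostname verification is disabled"
    return $rc
}

# Reads _cat/indices?v=true on stdin, prints every index whose health is not green.
non_green_indices() { awk 'NR > 1 && $1 != "green" { print $3 }'; }

# Reads _cat/shards?v=true on stdin, prints "index shard" for non-STARTED shards.
unassigned_shards() { awk 'NR > 1 && $4 != "STARTED" { print $1, $2 }'; }

# --- constructed samples (mirroring the report, plus deliberate defects) ---
SAMPLE_CONF=$(mktemp); WEAK_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$WEAK_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
EOF
cat > "$WEAK_CONF" <<'EOF'
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.enabled_ciphers:
  - "TLS_RSA_WITH_AES_128_CBC_SHA"
plugins.security.ssl.http.enabled_protocols:
  - "TLSv1"
  - "TLSv1.2"
EOF
SAMPLE_INDICES='health status index                       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2022.08.17 XWwkR_iwSheRZlD_5hDhLg   3   0        201            0    626.7kb        626.7kb
yellow open   wazuh-alerts-4.x-2022.08.18 CONSTRUCTEDUUID0000000   3   1         10            0     50.1kb         50.1kb
green  open   .opendistro_security        rhr7JXH_T9GxwHUUyds9Dw   1   0          9            8     91.1kb         91.1kb'
SAMPLE_SHARDS='index                       shard prirep state      docs   store ip           node
wazuh-alerts-4.x-2022.08.17 0     p      STARTED      73 212.3kb <private-ip> node-1
wazuh-alerts-4.x-2022.08.18 2     r      UNASSIGNED'

# Demo run on the samples.
check_tls_config "$SAMPLE_CONF" || echo "sample config rejected"
check_tls_config "$WEAK_CONF"   || echo "weak config rejected as expected"
printf '%s\n' "$SAMPLE_INDICES" | non_green_indices
printf '%s\n' "$SAMPLE_SHARDS"  | unassigned_shards

# Live use (values in <> are placeholders), pinning the CA instead of curl -k:
#   check_tls_config /etc/wazuh-indexer/opensearch.yml
#   curl -s -u <user>:<password> --cacert /etc/wazuh-indexer/certs/root-ca.pem \
#        https://<private-ip>:9200/_cat/indices?v=true | non_green_indices
```

On the configuration above the check reports only the hostname-verification warning, which is expected for one node; the same function fails a configuration that re-enables `TLSv1` or a CBC cipher. Passing `--cacert` with the `root-ca.pem` the installer generated removes the need for `-k` in the `curl` calls.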
fdalmaup commented 2 years ago

Wazuh indexer cluster node communication and configuration :green_circle:

Configuration

Too long output.

curl -u <user>:<password> -k https://<private-ip>:9200/_nodes?pretty
Endpoint response

[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_nodes?pretty
{ "_nodes" : { "total" : 1, "successful" : 1, "failed" : 0 }, "cluster_name" : "wazuh-indexer-cluster", "nodes" : { "5_h_MYEGRMeje22s3jyccQ" : { "name" : "node-1", "transport_address" : ":9300", "host" : "", "ip" : "", "version" : "1.2.4", "build_type" : "rpm", "build_hash" : "e505b10357c03ae8d26d675172402f2f2144ef0f", "total_indexing_buffer" : 205520896, "roles" : [ "data", "ingest", "master", "remote_cluster_client" ], "attributes" : { "shard_indexing_pressure_enabled" : "true" }, "settings" : { "cluster" : { "initial_master_nodes" : "node-1", "name" : "wazuh-indexer-cluster", "routing" : { "allocation" : { "disk" : { "threshold_enabled" : "false" } } } }, "node" : { "pidfile" : "/run/wazuh-indexer/wazuh-indexer.pid", "data" : "true", "max_local_storage_nodes" : "3", "name" : "node-1", "attr" : { "shard_indexing_pressure_enabled" : "true" }, "ingest" : "true", "master" : "true" }, "path" : { "data" : [ "/var/lib/wazuh-indexer" ], "logs" : "/var/log/wazuh-indexer", "home" : "/usr/share/wazuh-indexer" }, "client" : { "type" : "node" }, "http" : { "compression" : "false", "type" : "org.opensearch.security.http.SecurityHttpServerTransport", "type.default" : "netty4" }, "transport" : { "type" : "org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport", "type.default" : "netty4" }, "compatibility" : { "override_main_response_version" : "true" }, "network" : { "host" : "" } }, "os" : { "refresh_interval_in_millis" : 1000, "name" : "Linux", "pretty_name" : "Amazon Linux 2", "arch" : "amd64", "version" : "5.10.130-118.517.amzn2.x86_64", "available_processors" : 2, "allocated_processors" : 2 }, "process" : { "refresh_interval_in_millis" : 1000, "id" : 4378, "mlockall" : false }, "jvm" : { "pid" : 4378, "version" : "15.0.1", "vm_name" : "OpenJDK 64-Bit Server VM", "vm_version" : "15.0.1+9", "vm_vendor" : "AdoptOpenJDK", "bundled_jdk" : true, "using_bundled_jdk" : true, 
"start_time_in_millis" : 1660737582036, "mem" : { "heap_init_in_bytes" : 2055208960, "heap_max_in_bytes" : 2055208960, "non_heap_init_in_bytes" : 7667712, "non_heap_max_in_bytes" : 0, "direct_max_in_bytes" : 0 }, "gc_collectors" : [ "G1 Young Generation", "G1 Old Generation" ], "memory_pools" : [ "CodeHeap 'non-nmethods'", "Metaspace", "CodeHeap 'profiled nmethods'", "Compressed Class Space", "G1 Eden Space", "G1 Old Gen", "G1 Survivor Space", "CodeHeap 'non-profiled nmethods'" ], "using_compressed_ordinary_object_pointers" : "true", "input_arguments" : [ "-Xshare:auto", "-Dopensearch.networkaddress.cache.ttl=60", "-Dopensearch.networkaddress.cache.negative.ttl=10", "-XX:+AlwaysPreTouch", "-Xss1m", "-Djava.awt.headless=true", "-Dfile.encoding=UTF-8", "-Djna.nosys=true", "-XX:-OmitStackTraceInFastThrow", "-XX:+ShowCodeDetailsInExceptionMessages", "-Dio.netty.noUnsafe=true", "-Dio.netty.noKeySetOptimization=true", "-Dio.netty.recycler.maxCapacityPerThread=0", "-Dio.netty.allocator.numDirectArenas=0", "-Dlog4j.shutdownHookEnabled=false", "-Dlog4j2.disable.jmx=true", "-Djava.locale.providers=SPI,COMPAT", "-Xms1960m", "-Xmx1960m", "-XX:+UseG1GC", "-XX:G1ReservePercent=25", "-XX:InitiatingHeapOccupancyPercent=30", "-Djava.io.tmpdir=/tmp/opensearch-1165330712055674782", "-XX:+HeapDumpOnOutOfMemoryError", "-XX:HeapDumpPath=data", "-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log", "-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m", "-XX:MaxDirectMemorySize=1027604480", "-Dopensearch.path.home=/usr/share/wazuh-indexer", "-Dopensearch.path.conf=/etc/wazuh-indexer", "-Dopensearch.distribution.type=rpm", "-Dopensearch.bundled_jdk=true" ] }, "thread_pool" : { "force_merge" : { "type" : "fixed", "size" : 1, "queue_size" : -1 }, "fetch_shard_started" : { "type" : "scaling", "core" : 1, "max" : 4, "keep_alive" : "5m", "queue_size" : -1 }, "listener" : { "type" : "fixed", "size" : 1, "queue_size" : -1 }, "training" 
: { "type" : "fixed", "size" : 1, "queue_size" : 1 }, "sql-worker" : { "type" : "fixed", "size" : 2, "queue_size" : 1000 }, "search" : { "type" : "fixed_auto_queue_size", "size" : 4, "queue_size" : 1000 }, "opensearch_asynchronous_search_generic" : { "type" : "scaling", "core" : 1, "max" : 4, "keep_alive" : "30m", "queue_size" : -1 }, "flush" : { "type" : "scaling", "core" : 1, "max" : 1, "keep_alive" : "5m", "queue_size" : -1 }, "fetch_shard_store" : { "type" : "scaling", "core" : 1, "max" : 4, "keep_alive" : "5m", "queue_size" : -1 }, "get" : { "type" : "fixed", "size" : 2, "queue_size" : 1000 }, "system_read" : { "type" : "fixed", "size" : 1, "queue_size" : 2000 }, "open_distro_job_scheduler" : { "type" : "fixed", "size" : 2, "queue_size" : 200 }, "write" : { "type" : "fixed", "size" : 2, "queue_size" : 10000 }, "replication_follower" : { "type" : "scaling", "core" : 1, "max" : 10, "keep_alive" : "1m", "queue_size" : -1 }, "refresh" : { "type" : "scaling", "core" : 1, "max" : 1, "keep_alive" : "5m", "queue_size" : -1 }, "replication_leader" : { "type" : "fixed", "size" : 4, "queue_size" : 1000 }, "system_write" : { "type" : "fixed", "size" : 1, "queue_size" : 1000 }, "generic" : { "type" : "scaling", "core" : 4, "max" : 128, "keep_alive" : "30s", "queue_size" : -1 }, "warmer" : { "type" : "scaling", "core" : 1, "max" : 1, "keep_alive" : "5m", "queue_size" : -1 }, "management" : { "type" : "scaling", "core" : 1, "max" : 5, "keep_alive" : "5m", "queue_size" : -1 }, "analyze" : { "type" : "fixed", "size" : 1, "queue_size" : 16 }, "ad-threadpool" : { "type" : "scaling", "core" : 1, "max" : 1, "keep_alive" : "10m", "queue_size" : -1 }, "snapshot" : { "type" : "scaling", "core" : 1, "max" : 1, "keep_alive" : "5m", "queue_size" : -1 }, "search_throttled" : { "type" : "fixed_auto_queue_size", "size" : 1, "queue_size" : 100 }, "ad-batch-task-threadpool" : { "type" : "scaling", "core" : 1, "max" : 1, "keep_alive" : "10m", "queue_size" : -1 } }, "transport" : { 
"bound_address" : [ ":9300" ], "publish_address" : ":9300", "profiles" : { } }, "http" : { "bound_address" : [ ":9200" ], "publish_address" : ":9200", "max_content_length_in_bytes" : 104857600 }, "plugins" : [ { "name" : "opensearch-alerting", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Amazon OpenSearch alerting plugin", "classname" : "org.opensearch.alerting.AlertingPlugin", "custom_foldername" : "", "extended_plugins" : [ "lang-painless" ], "has_native_controller" : false }, { "name" : "opensearch-anomaly-detection", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "OpenSearch anomaly detector plugin", "classname" : "org.opensearch.ad.AnomalyDetectorPlugin", "custom_foldername" : "", "extended_plugins" : [ "lang-painless", "opensearch-job-scheduler" ], "has_native_controller" : false }, { "name" : "opensearch-asynchronous-search", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Provides support for asynchronous search", "classname" : "org.opensearch.search.asynchronous.plugin.AsynchronousSearchPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "opensearch-cross-cluster-replication", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "OpenSearch Cross Cluster Replication Plugin", "classname" : "org.opensearch.replication.ReplicationPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "opensearch-index-management", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "OpenSearch Index Management Plugin", "classname" : "org.opensearch.indexmanagement.IndexManagementPlugin", "custom_foldername" : "", "extended_plugins" : [ "opensearch-job-scheduler" ], "has_native_controller" : false }, { "name" : "opensearch-job-scheduler", 
"version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "OpenSearch Job Scheduler plugin", "classname" : "org.opensearch.jobscheduler.JobSchedulerPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "opensearch-knn", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "OpenSearch k-NN plugin", "classname" : "org.opensearch.knn.plugin.KNNPlugin", "custom_foldername" : "", "extended_plugins" : [ "lang-painless" ], "has_native_controller" : false }, { "name" : "opensearch-observability", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "OpenSearch Plugin for OpenSearch Dashboards Observability", "classname" : "org.opensearch.observability.ObservabilityPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "opensearch-performance-analyzer", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "OpenSearch Performance Analyzer Plugin", "classname" : "org.opensearch.performanceanalyzer.PerformanceAnalyzerPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "opensearch-reports-scheduler", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Scheduler for Dashboards Reports Plugin", "classname" : "org.opensearch.reportsscheduler.ReportsSchedulerPlugin", "custom_foldername" : "", "extended_plugins" : [ "opensearch-job-scheduler" ], "has_native_controller" : false }, { "name" : "opensearch-security", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Provide access control related features for OpenSearch 1.0.0", "classname" : "org.opensearch.security.OpenSearchSecurityPlugin", "custom_foldername" : null, "extended_plugins" : [ ], "has_native_controller" : false }, { 
"name" : "opensearch-sql", "version" : "1.2.4.0", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "OpenSearch SQL", "classname" : "org.opensearch.sql.plugin.SQLPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false } ], "modules" : [ { "name" : "aggs-matrix-stats", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Adds aggregations whose input are a list of numeric fields and output includes a matrix.", "classname" : "org.opensearch.search.aggregations.matrix.MatrixAggregationPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "analysis-common", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Adds \"built in\" analyzers to OpenSearch.", "classname" : "org.opensearch.analysis.common.CommonAnalysisPlugin", "custom_foldername" : "", "extended_plugins" : [ "lang-painless" ], "has_native_controller" : false }, { "name" : "geo", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Placeholder plugin for geospatial features in OpenSearch. 
only registers geo_shape field mapper for now", "classname" : "org.opensearch.geo.GeoPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "ingest-common", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Module for ingest processors that do not require additional security permissions or have large dependencies and resources", "classname" : "org.opensearch.ingest.common.IngestCommonPlugin", "custom_foldername" : "", "extended_plugins" : [ "lang-painless" ], "has_native_controller" : false }, { "name" : "ingest-geoip", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Ingest processor that uses looksup geo data based on ip adresses using the Maxmind geo database", "classname" : "org.opensearch.ingest.geoip.IngestGeoIpPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "ingest-user-agent", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Ingest processor that extracts information from a user agent", "classname" : "org.opensearch.ingest.useragent.IngestUserAgentPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "lang-expression", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Lucene expressions integration for OpenSearch", "classname" : "org.opensearch.script.expression.ExpressionPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "lang-mustache", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Mustache scripting integration for OpenSearch", "classname" : "org.opensearch.script.mustache.MustachePlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "lang-painless", "version" : 
"1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "An easy, safe and fast scripting language for OpenSearch", "classname" : "org.opensearch.painless.PainlessPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "mapper-extras", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Adds advanced field mappers", "classname" : "org.opensearch.index.mapper.MapperExtrasPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "opensearch-dashboards", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Plugin exposing APIs for OpenSearch Dashboards system indices", "classname" : "org.opensearch.dashboards.OpenSearchDashboardsPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "parent-join", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "This module adds the support parent-child queries and aggregations", "classname" : "org.opensearch.join.ParentJoinPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "percolator", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Percolator module adds capability to index queries and query these queries by specifying documents", "classname" : "org.opensearch.percolator.PercolatorPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "rank-eval", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "The Rank Eval module adds APIs to evaluate ranking quality.", "classname" : "org.opensearch.index.rankeval.RankEvalPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "reindex", "version" : 
"1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "The Reindex module adds APIs to reindex from one index to another or update documents in place.", "classname" : "org.opensearch.index.reindex.ReindexPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "repository-url", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Module for URL repository", "classname" : "org.opensearch.plugin.repository.url.URLRepositoryPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "systemd", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Integrates OpenSearch with systemd", "classname" : "org.opensearch.systemd.SystemdPlugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false }, { "name" : "transport-netty4", "version" : "1.2.4", "opensearch_version" : "1.2.4", "java_version" : "1.8", "description" : "Netty 4 based transport implementation", "classname" : "org.opensearch.transport.Netty4Plugin", "custom_foldername" : "", "extended_plugins" : [ ], "has_native_controller" : false } ], "ingest" : { "processors" : [ { "type" : "append" }, { "type" : "bytes" }, { "type" : "convert" }, { "type" : "csv" }, { "type" : "date" }, { "type" : "date_index_name" }, { "type" : "dissect" }, { "type" : "dot_expander" }, { "type" : "drop" }, { "type" : "fail" }, { "type" : "foreach" }, { "type" : "geoip" }, { "type" : "grok" }, { "type" : "gsub" }, { "type" : "html_strip" }, { "type" : "join" }, { "type" : "json" }, { "type" : "kv" }, { "type" : "lowercase" }, { "type" : "pipeline" }, { "type" : "remove" }, { "type" : "rename" }, { "type" : "script" }, { "type" : "set" }, { "type" : "sort" }, { "type" : "split" }, { "type" : "trim" }, { "type" : "uppercase" }, { "type" : "urldecode" }, { "type" : "user_agent" } ] }, "aggregations" : { 
"adjacency_matrix" : { "types" : [ "other" ] }, "auto_date_histogram" : { "types" : [ "boolean", "date", "numeric" ] }, "avg" : { "types" : [ "boolean", "date", "numeric" ] }, "cardinality" : { "types" : [ "boolean", "bytes", "date", "geopoint", "ip", "numeric", "range" ] }, "children" : { "types" : [ "other" ] }, "composite" : { "types" : [ "other" ] }, "date_histogram" : { "types" : [ "boolean", "date", "numeric", "range" ] }, "date_range" : { "types" : [ "boolean", "date", "numeric" ] }, "diversified_sampler" : { "types" : [ "boolean", "bytes", "date", "numeric" ] }, "extended_stats" : { "types" : [ "boolean", "date", "numeric" ] }, "filter" : { "types" : [ "other" ] }, "filters" : { "types" : [ "other" ] }, "geo_bounds" : { "types" : [ "geopoint" ] }, "geo_centroid" : { "types" : [ "geopoint" ] }, "geo_distance" : { "types" : [ "geopoint" ] }, "geohash_grid" : { "types" : [ "geopoint" ] }, "geotile_grid" : { "types" : [ "geopoint" ] }, "global" : { "types" : [ "other" ] }, "histogram" : { "types" : [ "boolean", "date", "numeric", "range" ] }, "ip_range" : { "types" : [ "ip" ] }, "matrix_stats" : { "types" : [ "other" ] }, "max" : { "types" : [ "boolean", "date", "numeric" ] }, "median_absolute_deviation" : { "types" : [ "numeric" ] }, "min" : { "types" : [ "boolean", "date", "numeric" ] }, "missing" : { "types" : [ "boolean", "bytes", "date", "geopoint", "ip", "numeric", "range" ] }, "nested" : { "types" : [ "other" ] }, "parent" : { "types" : [ "other" ] }, "percentile_ranks" : { "types" : [ "boolean", "date", "numeric" ] }, "percentiles" : { "types" : [ "boolean", "date", "numeric" ] }, "range" : { "types" : [ "boolean", "date", "numeric" ] }, "rare_terms" : { "types" : [ "boolean", "bytes", "date", "ip", "numeric" ] }, "reverse_nested" : { "types" : [ "other" ] }, "sampler" : { "types" : [ "other" ] }, "scripted_metric" : { "types" : [ "other" ] }, "significant_terms" : { "types" : [ "boolean", "bytes", "date", "ip", "numeric" ] }, "significant_text" : { 
"types" : [ "other" ] }, "stats" : { "types" : [ "boolean", "date", "numeric" ] }, "sum" : { "types" : [ "boolean", "date", "numeric" ] }, "terms" : { "types" : [ "boolean", "bytes", "date", "ip", "numeric" ] }, "top_hits" : { "types" : [ "other" ] }, "value_count" : { "types" : [ "boolean", "bytes", "date", "geopoint", "ip", "numeric", "range" ] }, "variable_width_histogram" : { "types" : [ "numeric" ] }, "weighted_avg" : { "types" : [ "numeric" ] } } } } } ```

Nodes state

[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_cluster/state/nodes?pretty
{
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "GIHlmd2_Tlmdh2pBlC7-dQ",
  "nodes" : {
    "5_h_MYEGRMeje22s3jyccQ" : {
      "name" : "node-1",
      "ephemeral_id" : "7q5bRtSqTaGwl8m0zSo9iQ",
      "transport_address" : "<private-ip>:9300",
      "attributes" : {
        "shard_indexing_pressure_enabled" : "true"
      }
    }
  }
}
fdalmaup commented 2 years ago

Wazuh indexer cluster status :green_circle:

[root@localhost /]# curl -u <user>:<password> -k https://<private-ip>:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-indexer-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "active_primary_shards" : 6,
  "active_shards" : 6,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
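The cluster health check above is read by eye in the report. As an added example (not the Wazuh project's code nor part of the test procedure), the following Python turns that reading into an explicit pass/fail: it parses the `_cluster/health` JSON and flags every field that would make a "green" verdict wrong, not just the `status` value. The green sample copies the values shown above; the yellow sample is constructed to show a single node with unplaceable replica shards. Function names are assumptions.

```python
import json

# Constructed sample: the single-node _cluster/health reply as shown in the
# test output above (values copied from the page).
SAMPLE_HEALTH_GREEN = """{
  "cluster_name" : "wazuh-indexer-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "active_primary_shards" : 6,
  "active_shards" : 6,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}"""

# Constructed sample of a degraded single node: replicas that cannot be placed
# show up as unassigned shards and a yellow status.
SAMPLE_HEALTH_YELLOW = """{
  "cluster_name" : "wazuh-indexer-cluster",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "active_primary_shards" : 6,
  "active_shards" : 6,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 2,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 75.0
}"""


def assess_cluster_health(raw_json: str, expected_nodes: int = 1) -> dict:
    """Return {"ok": bool, "status": str, "findings": [str, ...]}.

    `ok` is True only when status is green AND every secondary check passes,
    so a green status on the wrong number of nodes still fails the check.
    """
    h = json.loads(raw_json)
    findings = []

    status = h.get("status")
    if status != "green":
        findings.append(f"cluster status is {status!r}, expected 'green'")
    if h.get("timed_out"):
        findings.append("health request timed out before the cluster settled")
    if not h.get("discovered_master"):
        findings.append("no master node discovered")
    nodes = h.get("number_of_nodes")
    if nodes != expected_nodes:
        findings.append(f"expected {expected_nodes} node(s), cluster reports {nodes}")
    if h.get("unassigned_shards", 0):
        findings.append(f"{h['unassigned_shards']} unassigned shard(s)")
    if h.get("initializing_shards", 0) or h.get("relocating_shards", 0):
        findings.append("shards still initializing or relocating")
    if h.get("number_of_pending_tasks", 0):
        findings.append(f"{h['number_of_pending_tasks']} pending cluster task(s)")
    pct = h.get("active_shards_percent_as_number", 0.0)
    if pct < 100.0:
        findings.append(f"only {pct}% of shards active")

    return {"ok": not findings, "status": status, "findings": findings}


def report_line(raw_json: str, expected_nodes: int = 1) -> str:
    """Render the verdict in the issue's own notation (:green_circle: / :red_circle:)."""
    result = assess_cluster_health(raw_json, expected_nodes)
    mark = ":green_circle:" if result["ok"] else ":red_circle:"
    detail = "" if result["ok"] else " (" + "; ".join(result["findings"]) + ")"
    return f"{mark} Wazuh indexer cluster status{detail}"


if __name__ == "__main__":
    print(report_line(SAMPLE_HEALTH_GREEN))
    print(report_line(SAMPLE_HEALTH_YELLOW))
```

`expected_nodes` is the one deployment-specific input: the same response that passes for the single-node assistant install in this issue would fail against a three-node cluster, which is exactly the case a status-only check misses.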
fdalmaup commented 2 years ago

Wazuh indexer packages uninstallation procedure :green_circle:

[root@localhost /]# bash wazuh-install.sh -u
16/08/2022 19:52:56 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.7
16/08/2022 19:52:56 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/08/2022 19:52:59 INFO: Removing Wazuh manager.
16/08/2022 19:53:06 INFO: Wazuh manager removed.
16/08/2022 19:53:06 INFO: Removing Wazuh indexer.
16/08/2022 19:53:08 INFO: Wazuh indexer removed.
16/08/2022 19:53:08 INFO: Removing Filebeat.
16/08/2022 19:53:09 INFO: Filebeat removed.
16/08/2022 19:53:09 INFO: Removing Wazuh dashboard.
16/08/2022 19:53:18 INFO: Wazuh dashboard removed.
[root@localhost /]# systemctl status wazuh-indexer
Unit wazuh-indexer.service could not be found.
[root@localhost /]# rpm -qa | grep wazuh
[root@localhost /]#
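The uninstall check above confirms the package and the systemd unit are gone. As an added example (not the Wazuh installation assistant's code), the Python below extends that to the on-disk footprint, which is where a removed indexer can still leave certificates and data behind. The directories come from the JVM arguments in the `_nodes` output earlier in this issue (`opensearch.path.home`, `opensearch.path.conf`, the gc/error log directory); `/var/lib/wazuh-indexer` is an assumed data directory. The `root` parameter lets the check run against a staging tree instead of the live system, which is how the self-test below exercises it.

```python
import os
import shutil
import subprocess
import tempfile

# Paths taken from the JVM arguments in the _nodes output; the data directory
# /var/lib/wazuh-indexer is an assumption.
INDEXER_PATHS = (
    "/usr/share/wazuh-indexer",
    "/etc/wazuh-indexer",
    "/var/log/wazuh-indexer",
    "/var/lib/wazuh-indexer",
)


def find_residue(root="/", paths=INDEXER_PATHS):
    """Return the listed paths that still exist below `root` (normally '/')."""
    root = root.rstrip("/")
    return [p for p in paths if os.path.exists(root + p)]


def package_still_installed(name="wazuh-indexer"):
    """True if rpm still knows the package; None when rpm is not available."""
    if shutil.which("rpm") is None:
        return None
    return subprocess.run(["rpm", "-q", name], capture_output=True).returncode == 0


def unit_still_present(name="wazuh-indexer.service"):
    """True if systemd still loads the unit; None when systemctl is not available.

    `systemctl show -p LoadState` reports LoadState=not-found for a unit that
    was removed with the package, which matches the 'could not be found' above.
    """
    if shutil.which("systemctl") is None:
        return None
    out = subprocess.run(["systemctl", "show", "-p", "LoadState", name],
                         capture_output=True, text=True).stdout
    return "LoadState=loaded" in out


def uninstall_verdict(root="/"):
    """Combine the three checks into the issue's pass/fail form."""
    findings = [f"residue: {p}" for p in find_residue(root)]
    if package_still_installed():
        findings.append("rpm still lists wazuh-indexer")
    if unit_still_present():
        findings.append("systemd unit wazuh-indexer.service still loaded")
    return {"ok": not findings, "findings": findings}


def demo_residue_check(leftover="/etc/wazuh-indexer"):
    """Self-test: build a staging tree with one leftover directory and scan it.

    Returns the residue list the scan reports for that tree.
    """
    staging = tempfile.mkdtemp(prefix="indexer-residue-")
    try:
        os.makedirs(staging + leftover)
        return find_residue(staging)
    finally:
        shutil.rmtree(staging)


if __name__ == "__main__":
    print(demo_residue_check())      # staging tree: one leftover reported
    print(uninstall_verdict())       # live system: empty findings means clean
```

Running `uninstall_verdict()` on the test host after `wazuh-install.sh -u` is the automated equivalent of the three commands shown; anything it lists is worth a follow-up issue even when the package itself is gone, because a leftover `/etc/wazuh-indexer` still holds the node's TLS material.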
fdalmaup commented 2 years ago

User experience :green_circle:

Everything worked correctly without any issue.

Screenshots in the original comment: wazuh_dashboard_1, wazuh_dashboard_2, wazuh_dashboard_events, wazuh_dashboard_stats.