Release 4.3.8 - Release Candidate 1 - Specific systems

DFolchA commented 2 years ago

Packages tests metrics information


Main release candidate issue	#14827
Main packages metrics issue	#14862
Version	4.3.8
Release candidate #	RC1
Tag	https://github.com/wazuh/wazuh/tree/v4.3.8-rc1

Build packages

System	Status	Result	Build
AIX	🟢	✔️	https://ci.wazuh.info/view/Packages/job/Packages_builder_special/555/
HPUX	🟢	✔️	https://ci.wazuh.info/view/Packages/job/Packages_builder_special/558/
Solaris 10 SPARC	⚫	⚫	https://ci.wazuh.info/view/Packages/job/Packages_builder_special/557/
Solaris 11 SPARC	⚫	⚫	https://ci.wazuh.info/view/Packages/job/Packages_builder_special/556/
OVA	🟢	✔️	https://ci.wazuh.info/view/Packages/job/Packages_Builder_OVA/178
AMI	🟢	✔️	https://ci.wazuh.info/view/Packages/job/Packages_Builder_AMI/103

Test packages

System	Build	Install	Deployment install	Upgrade	Remove	TCP	UDP	Errors found	Warnings found	Alerts found	Check users
AIX	🟢	🟢	🟢	🟢	🟡	🟢	🟢	🟢	🟢	🟢	🟢
HPUX	🟢	🟢	X	X	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
Solaris 10 SPARC	⚫	⚫	X	⚫	⚫	⚫	⚫	⚫	⚫	⚫	⚫	⚫
Solaris 11 SPARC	⚫	⚫	X	⚫	⚫	⚫	⚫	⚫	⚫	⚫	⚫	⚫
OVA	🟢	🟢	X	X	X	🟢	🟢	🟢	🟢	🟢	🟢
AMI	🟢	🟢	X	X	X	🟢	🟢	🟢	🟢	🟢	🟢

PPC64EL packages

System	Build	Install	Deployment install	Upgrade	Uninstall	Alerts	TCP	UDP	Errors	Warnings	System users
Centos	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
Debian Stretch	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢

OVA/AMI specific tests

System	Filebeat test	Opensearch cluster green/yellow	Production repositories	UI Access	No SSH root access	SSH user access	Wazuh dashboard and APP version	Dashboard/Indexer VERSION file
OVA	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
AMI	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢

Result legend: X - Not supported/Not done (delegated to basic package) ⚫ - Not started 🕐 - Pending/In progress ✔️ - Results Ready ⚠️ - Review required

Status legend: ⚫ - None 🔴 - Rejected 🟢 - Approved

okynos commented 2 years ago

HP-UX tests

Build: First time failed 🔴 https://ci.wazuh.info/view/Packages/job/Packages_builder_special/554/, Second time OK 🟢 https://ci.wazuh.info/view/Packages/job/Packages_builder_special/558/

Install OK 🟢:

# tar -xvf wazuh-agent-4.3.8-1-hpux-11v3-ia64.tar 
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1560952 bytes, 3049 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 1848692 bytes, 3611 tape blocks
x /var/ossec/bin/wazuh-execd, 1423588 bytes, 2781 tape blocks
x /var/ossec/bin/manage_agents, 437940 bytes, 856 tape blocks
x /var/ossec/bin/wazuh-control, 7148 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1419492 bytes, 2773 tape blocks
x /var/ossec/bin/wazuh-agentd, 1496872 bytes, 2924 tape blocks
x /var/ossec/bin/agent-auth, 373124 bytes, 729 tape blocks
x /var/ossec/lib/libwazuhext.so, 9737500 bytes, 19019 tape blocks
x /var/ossec/lib/libwazuhshared.so, 218936 bytes, 428 tape blocks
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/sca_unix_audit.yml, 19069 bytes, 38 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 2075 bytes, 5 tape blocks
x /var/ossec/wodles/aws/aws-s3, 171546 bytes, 336 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 5143 bytes, 11 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 13648 bytes, 27 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1841 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4261 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2889 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 5418 bytes, 11 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4705 bytes, 10 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 13478 bytes, 27 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4855 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/pf, 74040 bytes, 145 tape blocks
x /var/ossec/active-response/bin/npf, 73972 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ipfw, 74028 bytes, 145 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 74052 bytes, 145 tape blocks
x /var/ossec/active-response/bin/disable-account, 73932 bytes, 145 tape blocks
x /var/ossec/active-response/bin/host-deny, 74152 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 73888 bytes, 145 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 73680 bytes, 144 tape blocks
x /var/ossec/active-response/bin/route-null, 73868 bytes, 145 tape blocks
x /var/ossec/active-response/bin/kaspersky, 73728 bytes, 144 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 73960 bytes, 145 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent

Remove OK 🟢:

# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.3.8 Stopped
# groupdel wazuh
# userdel wazuh
# rm -rf /var/ossec

TCP and UDP OK connected and working 🟢
No errors or warnings found 🟢

Alerts found in manager 🟢:

{"timestamp":"2022-09-14T11:11:20.932+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"009","name":"sovmh315"},"manager":{"name":"ip-172-31-94-2.ec2.internal"},"id":"1663153880.63336","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}

Users OK 🟢:

# ls -la /var/ossec/
total 128
drwxr-x---  15 root       wazuh         8192 Sep 14 04:44 .
dr-xr-xr-x  28 bin        bin           8192 Sep 14 05:13 ..
drwxrwx---   2 root       wazuh           96 Sep 14 04:44 .ssh
drwxr-x---   3 root       wazuh           96 Sep 14 04:44 active-response
drwxr-x---   2 root       wazuh         8192 Sep 14 04:44 agentless
drwxr-x---   2 root       wazuh           96 Sep 14 04:44 backup
drwxr-x---   2 root       root          8192 Sep 14 04:44 bin
drwxrwx---   3 wazuh      wazuh         8192 Sep 14 05:18 etc
drwxr-x---   2 root       wazuh           96 Sep 14 04:44 lib
drwxrwx---   3 wazuh      wazuh           96 Sep 14 04:44 logs
drwxr-x---   9 root       wazuh         8192 Sep 14 04:44 queue
drwxr-x---   3 root       wazuh           96 Sep 14 04:44 ruleset
drwxrwx--T   2 root       wazuh           96 Sep 14 05:41 tmp
drwxr-x---   7 root       wazuh         8192 Sep 14 05:41 var
drwxr-x---   5 root       wazuh         8192 Sep 14 04:44 wodles
# cat /etc/passwd 
root:soSRAsp6Gmkdc:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:
www:*:30:1::/:
cimsrvr:*:101:101:WBEM Services:/var/opt/wbem:/sbin/sh
smbnull:*:102:102:DO NOT USE OR DELETE - needed by Samba:/var/opt/samba/nologin:/bin/false
opc_op:*:777:177:OVO default operator:/home/opc_op:/sbin/sh
hpsmh:*:103:103:System Management Homepage:/var/opt/hpsmh:/sbin/sh
sfmdb:*:104:20::/home/sfmdb:/sbin/sh
sshd:*:105:104:sshd privsep:/var/empty:/bin/false
iwww:*:106:1::/home/iwww:/sbin/sh
owww:*:107:1::/home/owww:/sbin/sh
dfrench:Msz7PqZM8LnCk:49264:20:SO_Dana_French:/home/dfrench:/sbin/sh
mfeha:soSRAsp6Gmkdc:59498:20:SO_Random_User_Name:/home/mfeha:/sbin/sh
wazuh:*:108:20::/home/wazuh:/sbin/sh

okynos commented 2 years ago

AIX tests

Build: OK 🟢 https://ci.wazuh.info/view/Packages/job/Packages_builder_special/555/

Install OK 🟢:

WAZUH_MANAGER="xxx.xxx.xxx" rpm -ivh wazuh-agent-4.3.8-1.aix.ppc.rpm
wazuh-agent                 ##################################################
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.3.8...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Remove OK 🟡 (https://github.com/wazuh/wazuh-packages/issues/607):

# rpm -e wazuh-agent
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty

TCP and UDP OK connected and working 🟢
No errors or warnings found 🟢

Alerts found in manager 🟢:

{"timestamp":"2022-09-14T11:41:48.317+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"010","name":"soaxp077"},"manager":{"name":"ip-172-31-94-2.ec2.internal"},"id":"1663155708.125902","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"32273","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"}

Users OK 🟢:

# cat /etc/passwd | grep wazuh
wazuh:x:208:207::/var/ossec:/bin/false
# ls -la /var/ossec/
total 24
drwxr-x---   15 root     wazuh          4096 Sep 14 06:40 .
drwxr-xr-x   41 bin      bin            4096 Sep 14 06:40 ..
drwxrwx---    2 root     wazuh           256 Sep 14 02:55 .ssh
drwxr-x---    3 root     wazuh           256 Sep 14 06:40 active-response
drwxr-x---    2 root     wazuh          4096 Sep 14 06:40 agentless
drwxr-x---    2 root     wazuh           256 Sep 14 02:55 backup
drwxr-x---    2 root     system          256 Sep 14 06:40 bin
drwxrwx---    3 wazuh    wazuh           256 Sep 14 06:40 etc
drwxr-x---    2 root     system          256 Sep 14 06:40 lib
drwxrwx---    3 wazuh    wazuh           256 Sep 14 06:40 logs
drwxr-x---    9 root     wazuh           256 Sep 14 06:40 queue
drwxr-xr-x    3 root     system          256 Sep 14 06:40 ruleset
drwxr-x--T    2 root     wazuh           256 Sep 14 06:41 tmp
drwxr-x---    6 root     wazuh           256 Sep 14 06:41 var
drwxr-x---    5 root     wazuh           256 Sep 14 06:40 wodles

Upgrade OK 🟢:

# rpm -Uvh wazuh-agent-4.3.8-1.aix.ppc.rpm 
wazuh-agent                 ##################################################
# /var/ossec/bin/wazuh-control info -v
v4.3.8

rauldpm commented 2 years ago

Analysis report - OVA

Filebeat test output

``` [root@wazuh-server wazuh-user]# filebeat test output elasticsearch: https://127.0.0.1:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 127.0.0.1 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 ```

Indexer cluster

``` [root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200 { "name" : "node-1", "cluster_name" : "wazuh-cluster", "cluster_uuid" : "EzI18fqRRsqyp_bqBT0xyQ", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "e505b10357c03ae8d26d675172402f2f2144ef0f", "build_date" : "2022-01-14T03:38:06.881862Z", "build_snapshot" : false, "lucene_version" : "8.10.1", "minimum_wire_compatibility_version" : "6.8.0", "minimum_index_compatibility_version" : "6.0.0-beta1" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } ``` ``` [root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name 127.0.0.1 8 76 0 0.00 0.04 0.07 dimr * node-1 ``` ``` [root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty { "cluster_name" : "wazuh-cluster", "status" : "green", "timed_out" : false, "number_of_nodes" : 1, "number_of_data_nodes" : 1, "discovered_master" : true, "active_primary_shards" : 9, "active_shards" : 9, "relocating_shards" : 0, "initializing_shards" : 0, "unassigned_shards" : 0, "delayed_unassigned_shards" : 0, "number_of_pending_tasks" : 0, "number_of_in_flight_fetch" : 0, "task_max_waiting_in_queue_millis" : 0, "active_shards_percent_as_number" : 100.0 } ```

Wazuh dashboard journalctl output

``` [root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard.service | grep -i -E "error|critical|warning|fatal" Sep 14 13:55:00 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:55:00Z","tags":["error","opensearch","data"],"pid":405,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2022.37w/YnRHj1RYTa29x5Y0L_3jqQ] already exists"} Sep 14 13:51:37 wazuh-server opensearch-dashboards[405]: {"type":"error","@timestamp":"2022-09-14T13:51:37Z","tags":["connection","client","error"],"pid":405,"level":"error","error":{"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 13:51:37 wazuh-server opensearch-dashboards[405]: {"type":"error","@timestamp":"2022-09-14T13:51:37Z","tags":["connection","client","error"],"pid":405,"level":"error","error":{"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 13:51:37 wazuh-server opensearch-dashboards[405]: {"type":"error","@timestamp":"2022-09-14T13:51:37Z","tags":["connection","client","error"],"pid":405,"level":"error","error":{"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 13:51:37 wazuh-server opensearch-dashboards[405]: {"type":"error","@timestamp":"2022-09-14T13:51:37Z","tags":["connection","client","error"],"pid":405,"level":"error","error":{"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 13:51:37 wazuh-server opensearch-dashboards[405]: {"type":"error","@timestamp":"2022-09-14T13:51:37Z","tags":["connection","client","error"],"pid":405,"level":"error","error":{"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 13:51:37 wazuh-server opensearch-dashboards[405]: {"type":"error","@timestamp":"2022-09-14T13:51:37Z","tags":["connection","client","error"],"pid":405,"level":"error","error":{"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 13:51:35 wazuh-server opensearch-dashboards[405]: {"type":"error","@timestamp":"2022-09-14T13:51:35Z","tags":["connection","client","error"],"pid":405,"level":"error","error":{"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140328633157504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 13:30:47 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:47Z","tags":["error","opensearch","data"],"pid":405,"message":"[ResponseError]: Response Error"} Sep 14 13:30:44 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:44Z","tags":["error","opensearch","data"],"pid":405,"message":"[ResponseError]: Response Error"} Sep 14 13:30:42 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:42Z","tags":["error","opensearch","data"],"pid":405,"message":"[ResponseError]: Response Error"} Sep 14 13:30:39 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:39Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:37 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:37Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:34 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:34Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:32 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:32Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:29 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:29Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:27 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:27Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:24 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:24Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:22 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:22Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:19 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:19Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:17 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:17Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:14 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:14Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:12 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:12Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:09 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:09Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:07 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:07Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:04 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:04Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:30:01 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:30:01Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:59 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:59Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:56 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:56Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:54 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:54Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:51 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:51Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:49 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:49Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:46 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:46Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:44 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:44Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:41 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:41Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:38 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:38Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:36 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:36Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:33 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:33Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:31 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:31Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:28 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:28Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:26 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:26Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Sep 14 13:29:23 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:23Z","tags":["error","savedobjects-service"],"pid":405,"message":"Unable to retrieve version information from OpenSearch nodes."} Sep 14 13:29:23 wazuh-server opensearch-dashboards[405]: {"type":"log","@timestamp":"2022-09-14T13:29:23Z","tags":["error","opensearch","data"],"pid":405,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} [root@wazuh-server wazuh-user]# ```

Wazuh indexer journalctl output

``` [root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer.service | grep -i -E "error|critical|warning|fatal" Sep 14 13:30:38 wazuh-server systemd-entrypoint[930]: WARNING: All illegal access operations will be denied in a future release Sep 14 13:30:38 wazuh-server systemd-entrypoint[930]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations Sep 14 13:30:38 wazuh-server systemd-entrypoint[930]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema Sep 14 13:30:38 wazuh-server systemd-entrypoint[930]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause Sep 14 13:30:38 wazuh-server systemd-entrypoint[930]: WARNING: An illegal reflective access operation has occurred ```

Wazuh indexer logs

``` [root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|warning|fatal" /var/log/wazuh-indexer/ /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:30,280Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3990m, -Xmx3990m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-8425485082451433306, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -XX:MaxDirectMemorySize=2091909120, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:38,330Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:41,110Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" , /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:42,290Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:42,312Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:42,315Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:42,320Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:44,582Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:44,584Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:44,588Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:44,592Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:47,085Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:47,088Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:47,091Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:47,093Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T13:30:47,927Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "EzI18fqRRsqyp_bqBT0xyQ", "node.id": "4cvYCCsLRxm5LHrpv0sOoA" } /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:30,280][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3990m, -Xmx3990m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-8425485082451433306, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -XX:MaxDirectMemorySize=2091909120, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true] /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:38,330][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly. /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:41,110][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:42,290][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:42,312][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:42,315][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:42,320][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:44,582][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:44,584][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:44,588][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:44,592][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:47,085][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:47,088][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:47,091][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:47,093][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T13:30:47,927][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) [root@wazuh-server wazuh-user]# ```

Ossec log output

``` [root@wazuh-server wazuh-user]# cat /var/ossec/logs/ossec.log | grep -i -E "error|warning|critical|fatal" - Nothing to report ```

TCP/UDP connection OK
Agent alerts OK

** Alert 1663164000.577915: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Sep 14 14:00:00 (centos7) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/etc/agent_new_file.txt' added
Mode: realtime

Attributes:
 - Size: 0
 - Permissions: rw-r--r--
 - Date: Wed Sep 14 14:00:00 2022
 - Inode: 87
 - User: root (0)
 - Group: root (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: centos7
   IP address: any/any
   Status:     Active

   Operating system:    Linux |centos7 |3.10.0-1127.el7.x86_64 |#1 SMP Tue Mar 31 23:36:51 UTC 2020 |x86_64
   Client version:      Wazuh v4.3.8
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1663163851

   Syscheck last started at:  Wed Sep 14 13:52:52 2022
   Syscheck last ended at:    Wed Sep 14 13:52:54 2022

WUI access OK
WUI discover alerts OK
VERSIONS files OK

[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.8"
WAZUH_REVISION="40321"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.3.8
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.3.8
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json 
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "1.2.0",
  "branch": "main",
  "build": {
    "number": 1,
    "sha": "caf668e73304bac890f41c37cd6c3a41257cd289",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": "10.24.1"
  }

Users OK

wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard

Production repository OK

[root@wazuh-server wazuh-user]# cat /etc/yum.repos.d/wazuh.repo 
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1

SSH access wazuh-user OK
SSH access root denied OK

rauldpm commented 2 years ago

Analysis report - AMI

Filebeat test output

``` [root@wazuh-server wazuh-user]# filebeat test output elasticsearch: https://127.0.0.1:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 127.0.0.1 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 ```

Indexer cluster

``` [root@wazuh-server wazuh-user]# curl -k -u admin:i-053c52ae203a276d4 https://127.0.0.1:9200 { "name" : "node-1", "cluster_name" : "wazuh-cluster", "cluster_uuid" : "1Da6kW7FQievENONGqiiHw", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "e505b10357c03ae8d26d675172402f2f2144ef0f", "build_date" : "2022-01-14T03:38:06.881862Z", "build_snapshot" : false, "lucene_version" : "8.10.1", "minimum_wire_compatibility_version" : "6.8.0", "minimum_index_compatibility_version" : "6.0.0-beta1" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } ``` ``` [root@wazuh-server wazuh-user]# curl -k -u admin:i-053c52ae203a276d4 https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name 127.0.0.1 16 79 4 0.08 0.34 0.36 dimr * node-1 ``` ``` [root@wazuh-server wazuh-user]# curl -k -u admin:i-053c52ae203a276d4 https://127.0.0.1:9200/_cluster/health?pretty { "cluster_name" : "wazuh-cluster", "status" : "green", "timed_out" : false, "number_of_nodes" : 1, "number_of_data_nodes" : 1, "discovered_master" : true, "active_primary_shards" : 10, "active_shards" : 10, "relocating_shards" : 0, "initializing_shards" : 0, "unassigned_shards" : 0, "delayed_unassigned_shards" : 0, "number_of_pending_tasks" : 0, "number_of_in_flight_fetch" : 0, "task_max_waiting_in_queue_millis" : 0, "active_shards_percent_as_number" : 100.0 } ```

Wazuh dashboard journalctl output

``` [root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard.service | grep -i -E "error|critical|warning|fatal" Sep 14 15:40:01 wazuh-server opensearch-dashboards[4405]: {"type":"log","@timestamp":"2022-09-14T15:40:01Z","tags":["error","opensearch","data"],"pid":4405,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2022.37w/2ySxGg8-SQiStThBTqsVNg] already exists"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:30 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:30Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:29 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:29Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:29 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:29Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:37:25 wazuh-server opensearch-dashboards[4405]: {"type":"error","@timestamp":"2022-09-14T15:37:25Z","tags":["connection","client","error"],"pid":4405,"level":"error","error":{"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140275265312576:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} Sep 14 15:30:44 wazuh-server opensearch-dashboards[1887]: {"type":"log","@timestamp":"2022-09-14T15:30:44Z","tags":["error","opensearch","data"],"pid":1887,"message":"[ResponseError]: Response Error"} Sep 14 15:30:41 wazuh-server opensearch-dashboards[1887]: {"type":"log","@timestamp":"2022-09-14T15:30:41Z","tags":["error","opensearch","data"],"pid":1887,"message":"[ResponseError]: Response Error"} Sep 14 15:30:39 wazuh-server opensearch-dashboards[1887]: {"type":"log","@timestamp":"2022-09-14T15:30:39Z","tags":["error","opensearch","data"],"pid":1887,"message":"[ResponseError]: Response Error"} Sep 14 15:30:36 wazuh-server opensearch-dashboards[1887]: {"type":"log","@timestamp":"2022-09-14T15:30:36Z","tags":["error","savedobjects-service"],"pid":1887,"message":"Unable to retrieve version information from OpenSearch nodes."} Sep 14 15:30:36 wazuh-server opensearch-dashboards[1887]: {"type":"log","@timestamp":"2022-09-14T15:30:36Z","tags":["error","opensearch","data"],"pid":1887,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} ```

Wazuh indexer journalctl output

``` [root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer.service | grep -i -E "error|critical|warning|fatal" Sep 14 15:30:34 wazuh-server systemd-entrypoint[2393]: WARNING: All illegal access operations will be denied in a future release Sep 14 15:30:34 wazuh-server systemd-entrypoint[2393]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations Sep 14 15:30:34 wazuh-server systemd-entrypoint[2393]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema Sep 14 15:30:34 wazuh-server systemd-entrypoint[2393]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause Sep 14 15:30:34 wazuh-server systemd-entrypoint[2393]: WARNING: An illegal reflective access operation has occurred ```

Wazuh indexer logs

``` [root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|warning|fatal" /var/log/wazuh-indexer/ /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:29:57,965Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3811m, -Xmx3811m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-1279900606627918302, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -XX:MaxDirectMemorySize=1998585856, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:33,238Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:36,748Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" , /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:39,351Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:39,371Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:39,374Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:39,377Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:41,669Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:41,673Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:41,675Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:41,676Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:42,862Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:44,170Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:44,173Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:44,176Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2022-09-14T15:30:44,178Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "1Da6kW7FQievENONGqiiHw", "node.id": "pSncrF6pQgmZHh6IL6Zyig" } /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:29:57,965][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3811m, -Xmx3811m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-1279900606627918302, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -XX:MaxDirectMemorySize=1998585856, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true] /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:33,238][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly. /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:36,748][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:39,351][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:39,371][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:39,374][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:39,377][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:41,669][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:41,673][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:41,675][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:41,676][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:42,862][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:44,170][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:44,173][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:44,176][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2022-09-14T15:30:44,178][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) ```

TCP/UDP connection OK
Alerts received

** Alert 1663170931.574375: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Sep 14 15:55:31 (centos7) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/etc/alert_new_file_ami.txt' added
Mode: realtime

Attributes:
 - Size: 0
 - Permissions: rw-r--r--
 - Date: Wed Sep 14 15:55:31 2022
 - Inode: 87
 - User: root (0)
 - Group: root (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Agent alerts OK

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001
Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: centos7
   IP address: any/any
   Status:     Active

   Operating system:    Linux |centos7 |3.10.0-1127.el7.x86_64 |#1 SMP Tue Mar 31 23:36:51 UTC 2020 |x86_64
   Client version:      Wazuh v4.3.8
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1663170935

   Syscheck last started at:  Wed Sep 14 15:55:06 2022
   Syscheck last ended at:    Wed Sep 14 15:55:08 2022

WUI access OK
WUI discover alerts OK
VERSIONS files OK

[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.8"
WAZUH_REVISION="40321"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION 
4.3.8
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION 
4.3.8
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "1.2.0",
  "branch": "main",
  "build": {
    "number": 1,
    "sha": "caf668e73304bac890f41c37cd6c3a41257cd289",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": "10.24.1"
  }
}

Users OK

[root@wazuh-server wazuh-user]# grep -i -E "ossec|wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard

Production repository OK

[root@wazuh-server wazuh-user]# cat /etc/yum.repos.d/wazuh.repo 
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1

SSH access wazuh-user OK
SSH access root denied OK

fcaffieri commented 2 years ago

Solaris 10 and Solaris 11

We are having problems from SiteOx with Solaris 10 and Solaris 11 machines, attached SiteOx response:

wazuh / wazuh