wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.4.2 - Release Candidate 2 - Specific systems #17084

Closed wazuhci closed 1 year ago

wazuhci commented 1 year ago

Packages tests metrics information

- Main release candidate issue: #17004
- Main packages metrics issue: #17078
- Version: 4.4.2
- Release candidate: RC2
- Tag: https://github.com/wazuh/wazuh/tree/v4.4.2-rc2

Build packages

| System | Status | Build |
| --- | --- | --- |
| AIX | :green_circle: | https://ci.wazuh.info/view/Packages/job/Packages_builder_special/699 |
| HPUX | :green_circle: | https://ci.wazuh.info/view/Packages/job/Packages_builder_special/698/ |
| S10 SPARC | :green_circle: | https://ci.wazuh.info/view/Packages/job/Packages_builder_special/702/ |
| S11 SPARC | :green_circle: | https://ci.wazuh.info/view/Packages/job/Packages_builder_special/700 |
| OVA | :green_circle: | https://ci.wazuh.info/view/Packages/job/Packages_Builder_OVA/228/ |
| AMI | :green_circle: | https://ci.wazuh.info/view/Packages/job/Packages_Builder_AMI/143/ |

Test packages

| System | Build | Install | Deployment install | Upgrade | Remove | TCP | UDP | Errors found | Warnings found | Alerts found | Check users |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| AIX | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| HPUX | :green_circle: | :green_circle: | :white_circle: | :white_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| S10 SPARC | :green_circle: | :green_circle: | --- | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| S11 SPARC | :green_circle: | :green_circle: | --- | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| OVA | :green_circle: | :green_circle: | --- | --- | --- | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| AMI | :green_circle: | :green_circle: | :white_circle: | :white_circle: | :white_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |

PPC64EL packages
| System | Build | Install | Deployment install | Upgrade | Uninstall | Alerts | TCP | UDP | Errors | Warnings | System users |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CentOS 7 | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| Debian Stretch | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |

OVA/AMI specific tests
| System | Filebeat test | Cluster green/yellow | Production repositories | UI Access | No SSH root access | SSH user access | Wazuh dashboard/APP version | Dashboard/Indexer VERSION file |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| OVA | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| AMI | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |

Status legend:

- :black_circle: - Pending/In progress
- :white_circle: - Skipped
- :red_circle: - Rejected
- :yellow_circle: - Ready to review
- :green_circle: - Approved


Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.


fcaffieri commented 1 year ago

Analysis report - AIX :green_circle:

System info

```
# bash
bash-4.4# hostname
soaxp078
bash-4.4# uname -a
AIX soaxp078 1 6 00CADA644C00
bash-4.4#
```
Install

- Wazuh agent

```
bash-4.4# curl -k -LO https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.4.2-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8266k  100 8266k    0     0  4104k      0  0:00:02  0:00:02 --:--:-- 4106k
bash-4.4# rpm -qip wazuh-agent-4.4.2-1.aix.ppc.rpm
Name        : wazuh-agent                  Relocations: (not relocateable)
Version     : 4.4.2                             Vendor: Wazuh, Inc
Release     : 1                             Build Date: Mon May 15 07:55:45 2023
Install date: (not installed)               Build Host: soaxp078
Group       : System Environment/Daemons    Source RPM: wazuh-agent-4.4.2-1.src.rpm
Size        : 27775309                         License: GPL
Packager    : Wazuh, Inc
URL         : https://www.wazuh.com/
Summary     : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
bash-4.4#
bash-4.4# WAZUH_MANAGER="3.238.245.177" rpm -ivh wazuh-agent-4.4.2-1.aix.ppc.rpm
wazuh-agent                 ##################################################
bash-4.4#
bash-4.4# rpm -qi wazuh-agent
Name        : wazuh-agent                  Relocations: (not relocateable)
Version     : 4.4.2                             Vendor: Wazuh, Inc
Release     : 1                             Build Date: Mon May 15 07:55:45 2023
Install date: Mon May 15 14:45:03 2023     Build Host: soaxp078
Group       : System Environment/Daemons    Source RPM: wazuh-agent-4.4.2-1.src.rpm
Size        : 27775309                         License: GPL
Packager    : Wazuh, Inc
URL         : https://www.wazuh.com/
Summary     : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
bash-4.4#
```

```
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4#
```

- Wazuh server

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684179962

   Syscheck last started at:  Mon May 15 19:46:03 2023 (Scan in progress)
   Syscheck last ended at:    Unknown

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684179972

   Syscheck last started at:  Mon May 15 19:46:03 2023
   Syscheck last ended at:    Mon May 15 19:46:10 2023

[root@wazuh-server wazuh-user]#
```
Alert

- TCP

```
bash-4.4# grep -Ei "tcp" /var/ossec/logs/ossec.log
2023/05/15 14:45:54 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/15 14:45:54 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
2023/05/15 14:46:02 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/15 14:46:02 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
bash-4.4#
```

```
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.log | grep soaxp078
2023 May 15 19:45:54 (soaxp078) any->wazuh-agent
ossec: Agent started: 'soaxp078->any'.
2023 May 15 19:45:56 (soaxp078) any->rootcheck
2023 May 15 19:45:57 (soaxp078) any->rootcheck
2023 May 15 19:45:57 (soaxp078) any->rootcheck
2023 May 15 19:45:57 (soaxp078) any->rootcheck
2023 May 15 19:45:57 (soaxp078) any->rootcheck
2023 May 15 19:45:57 (soaxp078) any->rootcheck
2023 May 15 19:45:59 (soaxp078) any->wazuh-remoted
ossec: Agent stopped: 'soaxp078->any'.
2023 May 15 19:46:02 (soaxp078) any->wazuh-agent
[root@wazuh-server wazuh-user]#
```

```
bash-4.4# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log
bash-4.4#
```

- UDP

```
bash-4.4# grep -Ei "udp" /var/ossec/logs/ossec.log
2023/05/15 14:51:54 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/udp).
2023/05/15 14:51:54 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/udp).
bash-4.4#
```

```json
** Alert 1684180319.614789: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2023 May 15 19:51:59 (soaxp078) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /tmp/.com_ibm_tools_attach/_notifier
```
Remove

```
bash-4.4# rpm -e wazuh-agent
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty
bash-4.4#
```
Upgrade 4.4.1 -> 4.4.2

```
bash-4.4# curl -k -LO https://packages.wazuh.com/4.x/aix/wazuh-agent-4.4.1-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8254k  100 8254k    0     0  4367k      0  0:00:01  0:00:01 --:--:-- 4367k
bash-4.4# WAZUH_MANAGER="3.238.245.177" rpm -ivh wazuh-agent-4.4.1-1.aix.ppc.rpm
wazuh-agent                 ##################################################
bash-4.4#
bash-4.4# /var/ossec/bin/wazuh-control restart
2023/05/15 14:56:19 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/05/15 14:56:19 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/05/15 14:56:19 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/05/15 14:56:19 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/05/15 14:56:19 wazuh-logcollector: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/05/15 14:56:19 wazuh-modulesd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.4.1 Stopped
Starting Wazuh v4.4.1...
Started wazuh-execd...
2023/05/15 14:56:20 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/05/15 14:56:20 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-agentd...
2023/05/15 14:56:21 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/05/15 14:56:21 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-syscheckd...
2023/05/15 14:56:21 wazuh-logcollector: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-logcollector...
2023/05/15 14:56:21 wazuh-modulesd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-modulesd...
Completed.
bash-4.4#
```

- Wazuh-manager

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp078, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.4.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684180712

   Syscheck last started at:  Mon May 15 19:57:32 2023
   Syscheck last ended at:    Mon May 15 19:58:28 2023

[root@wazuh-server wazuh-user]#
```

- Agent

```
bash-4.4# rpm -U wazuh-agent-4.4.2-1.aix.ppc.rpm
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.
bash-4.4#
```

- Manager

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp078, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684180797

   Syscheck last started at:  Mon May 15 19:59:18 2023
   Syscheck last ended at:    Mon May 15 19:59:25 2023

[root@wazuh-server wazuh-user]#
```
Users and groups

```
bash-4.4# cat /etc/passwd | grep wazuh
wazuh:*:209:1::/home/wazuh:/usr/bin/ksh
bash-4.4# cat /etc/group | grep wazuh
wazuh:!:208:wazuh
bash-4.4#
```

fcaffieri commented 1 year ago

Analysis report - Solaris 11 SPARC :green_circle:

System info

```
root@sossp534:~# cat /etc/release
                             Oracle Solaris 11.3 SPARC
  Copyright (c) 1983, 2015, Oracle and/or its affiliates.  All rights reserved.
                            Assembled 06 October 2015
root@sossp534:~#
```
Install

- Wazuh agent

```
root@sossp534:~# wget https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.4.2-sol11-sparc.p5p
--2023-05-15 15:03:58--  https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.4.2-sol11-sparc.p5p
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 18.64.155.22, 18.64.155.103, 18.64.155.28, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|18.64.155.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6205440 (5.9M) [binary/octet-stream]
Saving to: ‘wazuh-agent_v4.4.2-sol11-sparc.p5p’

wazuh-agent_v4.4.2-sol11-sparc.p5p 100%[=============================================================================================>]   5.92M  8.22MB/s    in 0.7s

2023-05-15 15:04:00 (8.22 MB/s) - ‘wazuh-agent_v4.4.2-sol11-sparc.p5p’ saved [6205440/6205440]

root@sossp534:~#
```

```
root@sossp534:~# pkg install -g wazuh-agent_v4.4.2-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         97/97      5.6/5.6  32.2M/s

PHASE                                          ITEMS
Installing new actions                       150/150
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2
root@sossp534:~#
```

```
root@sossp534:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp534:~#
root@sossp534:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@sossp534:~#
```

- Wazuh server

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp078, IP: any, Active
   ID: 003, Name: sossp534, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: sossp534
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp534 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684181527

   Syscheck last started at:  Mon May 15 20:11:01 2023
   Syscheck last ended at:    Mon May 15 20:11:24 2023

[root@wazuh-server wazuh-user]#
```
Alert

- TCP

```
root@sossp534:~# grep -i "tcp" /var/ossec/logs/ossec.log
2023/05/15 15:10:55 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/15 15:10:55 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
2023/05/15 15:10:59 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/15 15:10:59 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
root@sossp534:~#
```

```
** Alert 1684181487.969069: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
2023 May 15 20:11:27 (sossp534) any->sca
Rule: 19004 (level 7) -> 'SCA summary: CIS Benchmark for Oracle Solaris 11: Score less than 50% (31)'
{"type":"summary","scan_id":26189,"name":"CIS Benchmark for Oracle Solaris 11","policy_id":"cis_solaris11","file":"cis_solaris11.yml","description":"This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":16,"failed":35,"invalid":0,"total_checks":51,"score":31.372550964355469,"start_time":1684181462,"end_time":1684181466,"hash":"d0d7397585602bed79d61ddad3bfeedf30db2e134423be75f3f4e20edf198158","hash_file":"bb5ea3d77aece7ed04571bce6039852aacb98f26e060b65542c4229446d02af1","force_alert":"1"}
```

```
root@sossp534:~# /usr/xpg4/bin/grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0
root@sossp534:~# /usr/xpg4/bin/grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
root@sossp534:~#
```

- UDP

```
root@sossp534:~# grep -i "udp" /var/ossec/logs/ossec.log
2023/05/15 15:16:01 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/udp).
2023/05/15 15:16:42 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/udp).
2023/05/15 15:16:42 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/udp).
root@sossp534:~#
```

```json
** Alert 1684181818.974205: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2023 May 15 20:16:58 (sossp534) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.sh|tmp' (Generic).
title: Trojaned version of file detected.
file: /usr/bin/kill
```
Remove

```
root@sossp534:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.2 Stopped
root@sossp534:~# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         194/194
Updating package state database                 Done
Updating package cache                           1/1
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  var/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20230515T151816Z
  var/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20230515T151816Z
  var/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20230515T151816Z
  var/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20230515T151816Z
  var/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20230515T151816Z
  var/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20230515T151816Z
  var/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20230515T151816Z
  var/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20230515T151816Z
  var/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20230515T151816Z
  var/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20230515T151816Z
root@sossp534:~# ls -la /var/ossec
/var/ossec: No such file or directory
root@sossp534:~#
root@sossp534:~# groupdel wazuh
root@sossp534:~#
```
Upgrade 4.4.1 -> 4.4.2-rc1

```
root@sossp534:~# wget https://packages.wazuh.com/4.x/solaris/sparc/11/wazuh-agent_v4.4.1-sol11-sparc.p5p
--2023-05-15 15:23:24--  https://packages.wazuh.com/4.x/solaris/sparc/11/wazuh-agent_v4.4.1-sol11-sparc.p5p
Resolving packages.wazuh.com (packages.wazuh.com)... 13.33.4.9, 13.33.4.92, 13.33.4.108, ...
Connecting to packages.wazuh.com (packages.wazuh.com)|13.33.4.9|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6195200 (5.9M) [binary/octet-stream]
Saving to: ‘wazuh-agent_v4.4.1-sol11-sparc.p5p’

wazuh-agent_v4.4.1-sol11-sparc.p5p 100%[=============================================================================================>]   5.91M  7.89MB/s    in 0.7s

2023-05-15 15:23:26 (7.89 MB/s) - ‘wazuh-agent_v4.4.1-sol11-sparc.p5p’ saved [6195200/6195200]

root@sossp534:~#
root@sossp534:~# groupdel wazuh
root@sossp534:~# ^C
root@sossp534:~# pkg install -g wazuh-agent_v4.4.1-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         97/97      5.6/5.6  29.0M/s

PHASE                                          ITEMS
Installing new actions                       150/150
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2
root@sossp534:~#
root@sossp534:~# vi /var/ossec/etc/ossec.conf
root@sossp534:~#
root@sossp534:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp534:~#
root@sossp534:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@sossp534:~#
```

```
root@sossp534:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.1 Stopped
root@sossp534:~# pkg install -g wazuh-agent_v4.4.2-sol11-sparc.p5p wazuh-agent
            Packages to update:  1
       Create boot environment: No
Create backup boot environment: Yes

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         15/15      4.7/4.7  81.5M/s

PHASE                                          ITEMS
Updating modified actions                      17/17
Updating package state database                 Done
Updating package cache                           1/1
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2
root@sossp534:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp534:~#
```

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp078, IP: any, Active
   ID: 004, Name: sossp534, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sossp534
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp534 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684182651

   Syscheck last started at:  Mon May 15 20:30:28 2023
   Syscheck last ended at:    Mon May 15 20:30:33 2023

[root@wazuh-server wazuh-user]#
```
Users and groups

```
root@sossp534:~# cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:
root@sossp534:~# cat /etc/group | grep wazuh
wazuh::13:
root@sossp534:~#
```

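The AIX and Solaris reports above repeat the same agent-side checks by hand: grep ossec.log for the `tcp`/`udp` connection line, grep it for `ERROR|CRITICAL|FATAL|WARNING`, confirm the agent version and status with `agent_control -i`, and confirm the `wazuh` user and group exist. The Python below automates those checks; it is an added example written for this page, not Wazuh's own test tooling, and the log lines, `agent_control` output and passwd/group entries are constructed samples modelled on the excerpts, with `10.0.0.5` as a placeholder manager address.

```python
import re
from dataclasses import dataclass, field

# One agent log line, e.g.
#   2023/05/15 14:45:54 wazuh-agentd: INFO: (4102): Connected to the server ([10.0.0.5]:1514/tcp).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<daemon>[\w-]+): "
    r"(?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL|FATAL): (?P<msg>.*)$"
)
# Message the agent logs once the manager accepted the connection (code 4102 in the reports above).
CONNECTED_RE = re.compile(
    r"\(4102\): Connected to the server \(\[(?P<host>[^\]]+)\]:(?P<port>\d+)/(?P<proto>tcp|udp)\)\."
)
PROBLEM_LEVELS = ("WARNING", "ERROR", "CRITICAL", "FATAL")


@dataclass
class LogCheck:
    connected: list = field(default_factory=list)  # (host, port, proto) per successful connection
    problems: list = field(default_factory=list)   # (level, daemon, msg) for WARNING and above
    unparsed: int = 0                              # non-empty lines that are not agent log lines

    def ok(self, expected_proto: str) -> bool:
        """Green only if the agent connected over the expected protocol and logged no problems."""
        protos = {proto for _, _, proto in self.connected}
        return expected_proto in protos and not self.problems


def check_ossec_log(lines) -> LogCheck:
    """Replays the 'grep tcp/udp' and 'grep ERROR|CRITICAL|FATAL|WARNING' steps over ossec.log lines."""
    result = LogCheck()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            result.unparsed += 1
            continue
        if m["level"] in PROBLEM_LEVELS:
            result.problems.append((m["level"], m["daemon"], m["msg"]))
        c = CONNECTED_RE.search(m["msg"])
        if c:
            result.connected.append((c["host"], int(c["port"]), c["proto"]))
    return result


def check_agent_info(text: str, expected_version: str) -> bool:
    """Parses 'agent_control -i <id>' output: the agent must be Active and report the expected version."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields.get("Status") == "Active" and fields.get("Client version") == f"Wazuh v{expected_version}"


def check_service_account(passwd_text: str, group_text: str, name: str = "wazuh") -> dict:
    """The 'Check users' column: the package must have created an unprivileged user and group."""
    user = next((l.split(":") for l in passwd_text.splitlines() if l.startswith(name + ":")), None)
    group = next((l.split(":") for l in group_text.splitlines() if l.startswith(name + ":")), None)
    if user is None or group is None:
        return {"present": False}
    return {
        "present": True,
        "uid": int(user[2]),
        "gid": int(user[3]),
        "shell": user[6],
        "group_gid": int(group[2]),
        "uid_is_root": int(user[2]) == 0,  # a service account with uid 0 would be a finding
    }


# Constructed sample inputs modelled on the AIX excerpts (placeholder manager address 10.0.0.5).
SAMPLE_TCP_LOG = """
2023/05/15 14:45:54 wazuh-agentd: INFO: Trying to connect to server ([10.0.0.5]:1514/tcp).
2023/05/15 14:45:54 wazuh-agentd: INFO: (4102): Connected to the server ([10.0.0.5]:1514/tcp).
""".splitlines()
# Same shape as the upgrade restart above, where error 1103 was logged before the daemons came up.
SAMPLE_UPGRADE_LOG = """
2023/05/15 14:56:19 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/05/15 14:56:20 wazuh-agentd: INFO: Trying to connect to server ([10.0.0.5]:1514/udp).
2023/05/15 14:56:20 wazuh-agentd: INFO: (4102): Connected to the server ([10.0.0.5]:1514/udp).
""".splitlines()
SAMPLE_AGENT_INFO = """
Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: soaxp078
   Status:     Active
   Client version:      Wazuh v4.4.2
"""
SAMPLE_PASSWD = "root:!:0:0::/:/usr/bin/ksh\nwazuh:*:209:1::/home/wazuh:/usr/bin/ksh\n"
SAMPLE_GROUP = "system:!:0:root\nwazuh:!:208:wazuh\n"


def run_all(expected_version: str = "4.4.2") -> dict:
    # One pass/fail verdict per column of the 'Test packages' table, computed from the samples.
    upgrade = check_ossec_log(SAMPLE_UPGRADE_LOG)
    account = check_service_account(SAMPLE_PASSWD, SAMPLE_GROUP)
    return {
        "TCP": check_ossec_log(SAMPLE_TCP_LOG).ok("tcp"),
        "No errors after upgrade": not upgrade.problems,
        "Upgrade": check_agent_info(SAMPLE_AGENT_INFO, expected_version),
        "Check users": account["present"] and not account["uid_is_root"],
    }


if __name__ == "__main__":
    for column, verdict in run_all().items():
        print(f"{column:24} {'green' if verdict else 'red'}")
```

Point `check_ossec_log` at the real `/var/ossec/logs/ossec.log` (and `check_service_account` at `/etc/passwd` and `/etc/group`) to reproduce the table columns on a live package test.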
fcaffieri commented 1 year ago

Analysis report - AMI :green_circle:

AMI - Agent connection and workload

- SSH using root

```
$ ssh -i Documentos/claves/clave-jenkins-esfimera.pem root@3.238.245.177
Please login as the user "wazuh-user" rather than the user "root".

Connection to 3.238.245.177 closed.
$
```

This was tested as part of Special systems (PPC64 CentOS), since the AMI was the Wazuh manager.
AMI - WUI

- Loading screen OK
  ![image](https://github.com/wazuh/wazuh/assets/89791732/863c6e9a-4dd3-44f9-9b1b-f772ce99f103)
- Login screen OK
  ![image](https://github.com/wazuh/wazuh/assets/89791732/d74a3dd0-cf6d-4708-99dc-6f5c42c0f9b8)
- Light/dark mode OK
  ![image](https://github.com/wazuh/wazuh/assets/89791732/fe1c5575-9047-44d9-8008-cc6046fe7f9d)
  ![image](https://github.com/wazuh/wazuh/assets/89791732/863c6e9a-4dd3-44f9-9b1b-f772ce99f103)
- Credentials: OK
  ![image](https://github.com/wazuh/wazuh/assets/89791732/d74a3dd0-cf6d-4708-99dc-6f5c42c0f9b8)
  ![image](https://github.com/wazuh/wazuh/assets/89791732/c8befa41-ff54-444e-a21c-f6ae1f13fb61)
  ![image](https://github.com/wazuh/wazuh/assets/89791732/6a7f2e45-54fa-4267-9120-b0fffbd7cbb1)
  ![image](https://github.com/wazuh/wazuh/assets/89791732/46084967-d29c-4795-900e-878334fd14ac)
AMI - Logs

- Wazuh dashboard - journalctl

```
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
may 15 20:55:00 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:55:00Z","tags":["error","opensearch","data"],"pid":4638,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2023.20w/ZPrrBt8DRgCcPpSiMSIkhw] already exists"}
may 15 20:53:05 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:53:05Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:53:05 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:53:05Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:52:52 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:52:52Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:52:52 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:52:52Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:52:52 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:52:52Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:49:46 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:46Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:49:46 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:46Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:49:46 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:46Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:49:46 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:46Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:49:46 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:46Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:49:46 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:46Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 15 20:49:46 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:46Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL
```
routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:49:46 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:46Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:49:45 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:45Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:49:45 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:45Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 
alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:49:45 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:45Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:49:45 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:45Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL 
routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:49:45 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:45Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:49:44 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:49:44Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:49:17 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:49:17Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:49:14 wazuh-server 
opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:49:14Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:48:16 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:48:16Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:48:05 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:48:05Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:47:57 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:47:57Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:47:57 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:47:57Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:42:21 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:42:21Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:41:17 wazuh-server 
opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:41:17Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:40:45 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:40:45Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:40:38 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:40:38Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:40:37 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:40:37Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:38:23 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:38:23Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:38:20 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:38:20Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:37:58 wazuh-server 
opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:37:58Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:37:55 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:37:55Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:37:42 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:37:42Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:37:29 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:37:29Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:37:00 wazuh-server opensearch-dashboards[4638]: {"type":"log","@timestamp":"2023-05-15T20:37:00Z","tags":["error","plugins","securityDashboards"],"pid":4638,"message":"Failed authentication: Error: Authentication Exception"} may 15 20:35:42 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:42Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:35:42 wazuh-server 
opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:42Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:35:41 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:41Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:35:40 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:40Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 
140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:35:40 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:40Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:35:40 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:40Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} 
may 15 20:35:40 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:40Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:35:38 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:38Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:35:38 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:38Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 
140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:35:35 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:35Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} may 15 20:35:35 wazuh-server opensearch-dashboards[4638]: {"type":"error","@timestamp":"2023-05-15T20:35:35Z","tags":["connection","client","error"],"pid":4638,"level":"error","error":{"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140454437541760:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"} 
may 15 19:35:12 wazuh-server opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:35:12Z","tags":["warning","savedobjects-service"],"pid":1916,"message":"Unable to connect to OpenSearch. Error: Given the configuration, the ConnectionPool was not able to find a usable Connection for this request."} may 15 19:35:12 wazuh-server opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:35:12Z","tags":["error","opensearch","data"],"pid":1916,"message":"[ResponseError]: Response Error"} may 15 19:35:09 wazuh-server opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:35:09Z","tags":["error","opensearch","data"],"pid":1916,"message":"[ResponseError]: Response Error"} may 15 19:35:07 wazuh-server opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:35:07Z","tags":["error","opensearch","data"],"pid":1916,"message":"[ResponseError]: Response Error"} may 15 19:35:04 wazuh-server opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:35:04Z","tags":["error","opensearch","data"],"pid":1916,"message":"[ResponseError]: Response Error"} may 15 19:35:02 wazuh-server opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:35:02Z","tags":["error","opensearch","data"],"pid":1916,"message":"[ResponseError]: Response Error"} may 15 19:34:59 wazuh-server opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:34:59Z","tags":["error","opensearch","data"],"pid":1916,"message":"[ResponseError]: Response Error"} may 15 19:34:57 wazuh-server opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:34:57Z","tags":["error","opensearch","data"],"pid":1916,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} may 15 19:34:54 wazuh-server opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:34:54Z","tags":["error","opensearch","data"],"pid":1916,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} may 15 19:34:52 wazuh-server 
opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:34:52Z","tags":["error","savedobjects-service"],"pid":1916,"message":"Unable to retrieve version information from OpenSearch nodes."} may 15 19:34:52 wazuh-server opensearch-dashboards[1916]: {"type":"log","@timestamp":"2023-05-15T19:34:52Z","tags":["error","opensearch","data"],"pid":1916,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} [root@wazuh-server wazuh-user]# ```
  • Wazuh indexer - journalctl
```
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer.service | grep -i -E "error|critical|fatal|warning"
may 15 19:34:16 wazuh-server systemd-entrypoint[2401]: WARNING: System::setSecurityManager will be removed in a future release
may 15 19:34:16 wazuh-server systemd-entrypoint[2401]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
may 15 19:34:16 wazuh-server systemd-entrypoint[2401]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
may 15 19:34:16 wazuh-server systemd-entrypoint[2401]: WARNING: A terminally deprecated method in java.lang.System has been called
may 15 19:34:12 wazuh-server systemd-entrypoint[2401]: WARNING: System::setSecurityManager will be removed in a future release
may 15 19:34:12 wazuh-server systemd-entrypoint[2401]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
may 15 19:34:12 wazuh-server systemd-entrypoint[2401]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
may 15 19:34:12 wazuh-server systemd-entrypoint[2401]: WARNING: A terminally deprecated method in java.lang.System has been called
[root@wazuh-server wazuh-user]#
```
  • Wazuh indexer - /var/log/wazuh-indexer
```
[root@wazuh-server wazuh-user]# xzgrep -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/*
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:34:16,260][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3930m, -Xmx3930m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-15532920117268708575, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2060451840, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:34:54,171][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:34:59,743][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:34:59,888][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:34:59,909][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:34:59,912][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:34:59,915][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:00,721][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:02,230][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:02,232][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:02,235][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:02,237][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:04,062][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:04,731][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:04,733][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:04,735][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:04,737][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:07,233][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:07,235][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:07,241][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:07,244][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:09,735][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:09,737][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:09,740][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:09,742][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:12,236][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:12,238][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:12,240][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:12,242][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-15T19:35:13,054][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:34:16,260Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3930m, -Xmx3930m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-15532920117268708575, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2060451840, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:34:54,171Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:34:59,743Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" ,
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:34:59,888Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:34:59,909Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:34:59,912Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:34:59,915Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:00,721Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:02,230Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:02,232Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:02,235Z", "level": "ERROR", 
"component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:02,237Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:04,062Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:04,731Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:04,733Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:04,735Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you 
may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:04,737Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:07,233Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:07,235Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:07,241Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:07,244Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } 
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:09,735Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:09,737Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:09,740Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:09,742Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:12,236Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:12,238Z", "level": "ERROR", 
"component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:12,240Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:12,242Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-15T19:35:13,054Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "BGMg8oOoRTSQYrojfiDfOQ", "node.id": "t_762RBfSYq4FXMC0xffJQ" } [root@wazuh-server wazuh-user]# ```
  • Wazuh server - /var/ossec/logs

```
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
0
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# xzgrep -i -E "error|critical|fatal|warning" /var/ossec/logs/wazuh/2023/Apr/* | wc -l
0
```

AMI - Filebeat test

```
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@wazuh-server wazuh-user]#
```
AMI - Wazuh Indexer Cluster

```
[root@wazuh-server wazuh-user]# curl -k -u admin:INSTANCE_ID https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "BGMg8oOoRTSQYrojfiDfOQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "7203a5af21a8a009aece1474446b437a3c674db6",
    "build_date" : "2023-02-24T18:57:04.388618985Z",
    "build_snapshot" : false,
    "lucene_version" : "9.5.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# curl -k -u admin:i-078cb135b5157b1b1 https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           18          80   1    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# curl -k -u admin:i-078cb135b5157b1b1 https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 8,
  "active_shards" : 8,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
[root@wazuh-server wazuh-user]#
```
AMI - Users

```
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin
[root@wazuh-server wazuh-user]#
```
AMI - Versions

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.2"
WAZUH_REVISION="40408"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.4.2
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.4.2
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.6.0",
  "branch": "2.6",
  "build": {
    "number": 44201,
    "sha": "b15a28f9d6d6ec40d695a2eb01442d2a7d6d72d9",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": "14.20.1"
  }
}
[root@wazuh-server wazuh-user]#
```
AMI - Processes

```
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
root      2156     1  0 19:33 ?        00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2196     1  0 19:33 ?        00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+  2401     1  1 19:33 ?        00:01:21 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3930m -Xmx3930m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-15532920117268708575 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2060451840 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-d+  4638     1  0 19:35 ?        00:00:15 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root      5827  2482  0 19:49 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  5889  5827  0 19:49 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  5890  5889  0 19:49 pts/0    00:00:00 -bash
wazuh    16255     1  0 20:23 ?        00:00:10 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     16295     1  0 20:23 ?        00:00:05 /var/ossec/bin/wazuh-authd
wazuh    16312     1  0 20:23 ?        00:00:01 /var/ossec/bin/wazuh-db
wazuh    16327 16255  0 20:24 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    16330 16255  0 20:24 ?        00:00:01 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     16343     1  0 20:24 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    16355     1  0 20:24 ?        00:00:03 /var/ossec/bin/wazuh-analysisd
root     16365     1  0 20:24 ?        00:00:05 /var/ossec/bin/wazuh-syscheckd
wazuh    16431     1  0 20:24 ?        00:00:02 /var/ossec/bin/wazuh-remoted
root     16480     1  0 20:24 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh    16500     1  0 20:24 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root     16548     1  0 20:24 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     18277  5913  0 21:02 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
[root@wazuh-server wazuh-user]#
```
fcaffieri commented 1 year ago

Analysis report - HP-UX :green_circle:

System info

```
# model
ia64 hp server Integrity Virtual Machine
# uname -a
HP-UX sovmh317 B.11.31 U ia64 1870146614 unlimited-user license
#
```
Install - Wazuh agent

````
# /usr/local/bin/curl -k -L -O https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.4.2-1-hpux-11v3-ia64.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20.8M  100 20.8M    0     0  1184k      0  0:00:18  0:00:18 --:--:-- 1694k
#
````

````
#
# groupadd wazuh
# useradd -G wazuh wazuh
# tar -xvf wazuh-agent-4.4.2-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1631496 bytes, 3187 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2124144 bytes, 4149 tape blocks
x /var/ossec/bin/wazuh-execd, 1559840 bytes, 3047 tape blocks
x /var/ossec/bin/manage_agents, 440500 bytes, 861 tape blocks
x /var/ossec/bin/wazuh-control, 7148 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1490192 bytes, 2911 tape blocks
x /var/ossec/bin/wazuh-agentd, 1633012 bytes, 3190 tape blocks
x /var/ossec/bin/agent-auth, 441288 bytes, 862 tape blocks
x /var/ossec/lib/libwazuhext.so, 9738588 bytes, 19021 tape blocks
x /var/ossec/lib/libwazuhshared.so, 290356 bytes, 568 tape blocks
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86153 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 184614 bytes, 361 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6018 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 14685 bytes, 29 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1841 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4661 bytes, 10 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 5524 bytes, 11 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4453 bytes, 9 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4705 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 37349 bytes, 73 tape blocks
x /var/ossec/wodles/azure/orm.py, 7007 bytes, 14 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14012 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4855 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/pf, 74040 bytes, 145 tape blocks
x /var/ossec/active-response/bin/npf, 73972 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ipfw, 74028 bytes, 145 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 74052 bytes, 145 tape blocks
x /var/ossec/active-response/bin/disable-account, 73932 bytes, 145 tape blocks
x /var/ossec/active-response/bin/host-deny, 74152 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 73888 bytes, 145 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 73680 bytes, 144 tape blocks
x /var/ossec/active-response/bin/route-null, 73868 bytes, 145 tape blocks
x /var/ossec/active-response/bin/kaspersky, 73728 bytes, 144 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 73960 bytes, 145 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
#
````

```
# cat /var/ossec/etc/ossec.conf | grep address
3.238.245.177
#
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
#
```

- Wazuh server

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp078, IP: any, Disconnected
   ID: 004, Name: sossp534, IP: any, Disconnected
   ID: 005, Name: sovmh317, IP: any, Active

List of agentless devices:
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
   Agent ID:   005
   Agent Name: sovmh317
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh317 |B.11.31 |U |ia64
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684247829

   Syscheck last started at:  Tue May 16 13:48:32 2023
   Syscheck last ended at:    Tue May 16 13:49:27 2023

[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log
2023/05/16 10:41:22 wazuh-authd: ERROR: Invalid request for new agent from: 45.79.181.94
2023/05/16 12:24:18 wazuh-authd: ERROR: Invalid request for new agent from: 45.56.108.128
[root@wazuh-server wazuh-user]#
```

```
# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log
#
```
Alert

- TCP

```
# grep -i "tcp" /var/ossec/logs/ossec.log
2023/05/16 08:48:27 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/16 08:48:27 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
2023/05/16 08:48:31 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/16 08:48:31 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
#
```

```
482-** Alert 1684247788.29481: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
483:2023 May 16 14:36:28 (sovmh317) any->rootcheck
484-Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
485-File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.
486-title: File is owned by root and has written permissions to anyone.
487-file: /tmp/.kc.trace
```

- UDP

```
# grep -i "udp" /var/ossec/logs/ossec.log
2023/05/16 08:54:43 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/udp).
2023/05/16 08:54:43 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/udp).
#
```

```
565-** Alert 1684248113.33231: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
566:2023 May 16 14:41:53 (sovmh317) any->rootcheck
567-Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
568-File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.
569-title: File is owned by root and has written permissions to anyone.
570-file: /tmp/.kc.trace
571-
```
Remove

```
# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.2 Stopped
# groupdel wazuh
#
# userdel wazuh
#
# rm -rf /var/ossec
#
#
```
Upgrade 4.4.1 -> 4.4.2

```
# /usr/local/bin/curl -k -LO https://packages.wazuh.com/4.x/hp-ux/wazuh-agent-4.4.1-1-hpux-11v3-ia64.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20.6M  100 20.6M    0     0  1245k      0  0:00:17  0:00:17 --:--:-- 2336k
# tar -xvf wazuh-agent-4.4.1-1-hpux-11v3-ia64.tar
# groupadd wazuh
# useradd -G wazuh wazuh
# vi /var/ossec/etc/ossec.conf
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
#
```

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp078, IP: any, Disconnected
   ID: 004, Name: sossp534, IP: any, Disconnected
   ID: 006, Name: sovmh317, IP: any, Active

List of agentless devices:
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 006

Wazuh agent_control. Agent information:
   Agent ID:   006
   Agent Name: sovmh317
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh317 |B.11.31 |U |ia64
   Client version:      Wazuh v4.4.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684248375

   Syscheck last started at:  Tue May 16 13:58:49 2023
   Syscheck last ended at:    Tue May 16 13:59:17 2023

[root@wazuh-server wazuh-user]#
```

```
# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.1 Stopped
# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
# cp /var/ossec/etc/client.keys ~/client.keys.bk
# tar -xvf wazuh-agent-4.4.2-1-hpux-11v3-ia64.tar
#
#
# mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf
# chown root:wazuh /var/ossec/etc/ossec.conf
# mv ~/client.keys.bk /var/ossec/etc/client.keys
# chown root:wazuh /var/ossec/etc/client.keys
#
#
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
#
```

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp078, IP: any, Disconnected
   ID: 004, Name: sossp534, IP: any, Disconnected
   ID: 006, Name: sovmh317, IP: any, Active

List of agentless devices:
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 006

Wazuh agent_control. Agent information:
   Agent ID:   006
   Agent Name: sovmh317
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh317 |B.11.31 |U |ia64
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684248474

   Syscheck last started at:  Tue May 16 14:00:37 2023 (Scan in progress)
   Syscheck last ended at:    Tue May 16 13:59:17 2023

[root@wazuh-server wazuh-user]#
```
Users and groups

```
# cat /etc/passwd | grep wazuh
wazuh:*:108:20::/home/wazuh:/sbin/sh
# cat /etc/group | grep wazuh
wazuh::105:wazuh
#
#
```
fcaffieri commented 1 year ago

Analysis report - Solaris 10 SPARC :green_circle:

System info

```
# cat /etc/release
                    Oracle Solaris 10 1/13 s10s_u11wos_24a SPARC
  Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
                            Assembled 17 January 2013
# uname -a
SunOS sossp272 5.10 Generic_147147-26 sun4v sparc sun4v
#
```
Install

- Wazuh agent

```
# /opt/csw/bin/curl -o wazuh-agent_v4.4.2-sol10-sparc.pkg https://packages-dev.wazuh.com/pre-release/solaris/sparc/10/wazuh-agent_v4.4.2-sol10-sparc.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15.0M  100 15.0M    0     0  4003k      0  0:00:03  0:00:03 --:--:-- 4002k
#
```

```
# pkgadd -d wazuh-agent_v4.4.2-sol10-sparc.pkg

The following packages are available:
  1  wazuh-agent     Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                     (sparc) 4.4.2

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Processing package instance <wazuh-agent> from

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.4.2
Wazuh, Inc
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.
#
```

```
# cat /var/ossec/etc/ossec.conf | grep address
      <address>3.238.245.177</address>
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
#
```

- Wazuh server

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp078, IP: any, Disconnected
   ID: 004, Name: sossp534, IP: any, Disconnected
   ID: 006, Name: sovmh317, IP: any, Disconnected
   ID: 007, Name: sossp272, IP: any, Active

List of agentless devices:
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 007

Wazuh agent_control. Agent information:
   Agent ID:   007
   Agent Name: sossp272
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp272 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684249731

   Syscheck last started at:  Tue May 16 21:08:15 2023 (Scan in progress)
   Syscheck last ended at:    Unknown

[root@wazuh-server wazuh-user]#
```
Alert

- TCP

```
# grep -i "tcp" /var/ossec/logs/ossec.log
2023/05/16 16:08:11 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/16 16:08:11 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
2023/05/16 16:08:14 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/16 16:08:14 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
#
```

```
1206-** Alert 1684249745.94463: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
1207:2023 May 16 15:09:05 (sossp272) any->rootcheck
1208-Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
1209-File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.
1210-title: File is owned by root and has written permissions to anyone.
1211-file: /tmp/.X11-pipe/X0
1212-
```

- UDP

```
# cat /var/ossec/etc/ossec.conf | grep udp
      <protocol>udp</protocol>
# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.2 Stopped
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# grep -i "udp" /var/ossec/logs/ossec.log
2023/05/16 16:11:24 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/udp).
2023/05/16 16:11:24 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/udp).
#
```

```
1267-** Alert 1684249925.97208: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
1268:2023 May 16 15:12:05 (sossp272) any->rootcheck
1269-Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
1270-File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.
1271-title: File is owned by root and has written permissions to anyone.
1272-file: /tmp/.X11-pipe/X0
```
Remove

```
# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.4.2

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.2 Stopped
## Removing pathnames in class <none>
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.
#
```

```
# ls -la /var/ossec
total 14
drwxr-x---   4 root     57447          4 May 16 16:12 .
drwxr-xr-x  49 root     sys           49 May 16 16:06 ..
drwxrwx---   3 46203    57447          3 May 16 16:12 etc
drwxr-x---   8 root     57447          8 May 16 16:12 queue
# ls -la /var/ossec/etc/
total 9
drwxrwx---   3 46203    57447          3 May 16 16:12 .
drwxr-x---   4 root     57447          4 May 16 16:12 ..
drwxrwx---   2 root     57447          5 May 16 16:12 shared
# ls -la /var/ossec/etc/shared/
total 1807
drwxrwx---   2 root     57447          5 May 16 16:12 .
drwxrwx---   3 46203    57447          3 May 16 16:12 ..
-rw-r--r--   1 46203    57447         76 May 16 16:08 agent.conf
-rw-r--r--   1 46203    57447        228 May 16 16:08 ar.conf
-rw-r--r--   1 46203    57447     899315 May 16 16:08 merged.mg
# ls -la /var/ossec/queue/
total 24
drwxr-x---   8 root     57447          8 May 16 16:12 .
drwxr-x---   4 root     57447          4 May 16 16:12 ..
drwxrwx---   2 46203    57447          4 May 16 16:11 alerts
drwxr-x---   3 46203    57447          3 May 16 16:06 fim
drwxr-x---   2 46203    57447          3 May 16 16:07 logcollector
drwxr-x---   2 46203    57447          4 May 16 16:08 rids
drwxrwx---   2 46203    57447         10 May 16 16:11 sockets
drwxr-x---   3 46203    57447          3 May 16 16:12 syscollector
#
```
Upgrade 4.4.1 -> 4.4.2

```
# /opt/csw/bin/curl -o wazuh-agent_v4.4.1-sol10-sparc.pkg https://packages.wazuh.com/4.x/solaris/sparc/10/wazuh-agent_v4.4.1-sol10-sparc.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15.0M  100 15.0M    0     0  3776k      0  0:00:04  0:00:04 --:--:-- 3777k
#
# pkgadd -d wazuh-agent_v4.4.1-sol10-sparc.pkg

The following packages are available:
  1  wazuh-agent     Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                     (sparc) 4.4.1

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Processing package instance <wazuh-agent> from

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.4.1
Wazuh, Inc
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.

The following files are already installed on the system and are being
used by another package:
  * /var/ossec
  * /var/ossec/etc
  * /var/ossec/etc/shared
  * /var/ossec/queue
  * /var/ossec/queue/alerts
  * /var/ossec/queue/fim
  * /var/ossec/queue/fim/db
  * /var/ossec/queue/logcollector
  * /var/ossec/queue/rids
  * /var/ossec/queue/sockets
  * /var/ossec/queue/syscollector
  * /var/ossec/queue/syscollector/db

* - conflict with a file which does not belong to any package.

Do you want to install these conflicting files [y,n,?,q] y
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.
(reverse-i-search)`c': pkgadd -d wazuh-agent_v4.4.1-sol10-sparc.pkg
# vi /var/ossec/etc/ossec.conf
# cat /var/ossec/etc/ossec.conf | grep address
      <address>3.238.245.177</address>
```
# /var/ossec/bin/wazuh-control start Starting Wazuh v4.4.1... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. # ``` ``` [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l Wazuh agent_control. List of available agents: ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local ID: 002, Name: soaxp078, IP: any, Disconnected ID: 004, Name: sossp534, IP: any, Disconnected ID: 006, Name: sovmh317, IP: any, Disconnected ID: 008, Name: sossp272, IP: any, Active List of agentless devices: [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 008 Wazuh agent_control. Agent information: Agent ID: 008 Agent Name: sossp272 IP address: any Status: Active Operating system: SunOS |sossp272 |5.10 |Generic_147147-26 |sun4v Client version: Wazuh v4.4.1 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1684250982 Syscheck last started at: Tue May 16 21:28:19 2023 Syscheck last ended at: Tue May 16 21:28:41 2023 [root@wazuh-server wazuh-user]# ``` ``` # /var/ossec/bin/wazuh-control stop Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.4.1 Stopped # cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk # cp /var/ossec/etc/client.keys ~/client.keys.bk # pkgrm wazuh-agent The following package is currently installed: wazuh-agent Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. (sparc) 4.4.1 Do you want to remove this package? [y,n,?,q] y ## Removing installed package instance This package contains scripts which will be executed with super-user permission during the process of removing this package. 
Do you want to continue with the removal of this package [y,n,?,q] y ## Verifying package dependencies in global zone ## Processing package information. ## Executing preremove script. wazuh-modulesd not running... wazuh-logcollector not running... wazuh-syscheckd not running... wazuh-agentd not running... wazuh-execd not running... Wazuh v4.4.1 Stopped ## Removing pathnames in class /var/ossec/wodles/utils.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/pubsub /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/exceptions.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets /var/ossec/wodles/gcloud /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/docker /var/ossec/wodles/azure/orm.py /var/ossec/wodles/azure/azure-logs /var/ossec/wodles/azure /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/aws /var/ossec/wodles/__init__.py /var/ossec/wodles /var/ossec/var/wodles /var/ossec/var/upgrade /var/ossec/var/selinux /var/ossec/var/run /var/ossec/var/incoming /var/ossec/var /var/ossec/tmp /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/ruleset/sca /var/ossec/ruleset /var/ossec/queue/syscollector/norm_config.json /var/ossec/queue/syscollector/db /var/ossec/queue/syscollector /var/ossec/queue/sockets /var/ossec/queue/rids /var/ossec/queue/logcollector /var/ossec/queue/fim/db /var/ossec/queue/fim /var/ossec/queue/diff /var/ossec/queue/alerts /var/ossec/queue /var/ossec/logs/wazuh /var/ossec/logs/ossec.log /var/ossec/logs/ossec.json /var/ossec/logs/active-responses.log /var/ossec/logs /var/ossec/lib/libwazuhshared.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libsyscollector.so /var/ossec/lib/libstdc++.so.6 /var/ossec/lib/librsync.so /var/ossec/lib/libgcc_s.so.1 /var/ossec/lib/libdbsync.so /var/ossec/lib /var/ossec/etc/wpk_root.pem 
/var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared /var/ossec/etc/ossec.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/internal_options.conf /var/ossec/etc/client.keys /var/ossec/etc/TIMEZONE /var/ossec/etc /var/ossec/bin/wazuh-syscheckd /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-agentd /var/ossec/bin/manage_agents /var/ossec/bin/agent-auth /var/ossec/bin /var/ossec/backup /var/ossec/agentless/su.exp /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/main.exp /var/ossec/agentless /var/ossec/active-response/bin/wazuh-slack /var/ossec/active-response/bin/route-null 
/var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin /var/ossec/active-response /var/ossec/.ssh /var/ossec /etc/rc3.d/S97wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/init.d/wazuh-agent ## Executing postremove script. ## Updating system information. Removal of was successful. # # # pkgadd -d wazuh-agent_v4.4.2-sol10-sparc.pkg wazuh-agentpkgadd -d wazuh-agent_v4.4.2-sol10-sparc.pkg wazuh-agent pkgadd: ERROR: no package associated with # # pkgadd -d wazuh-agent_v4.4.2-sol10-sparc.pkg wazuh-agent Processing package instance from Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.4.2 Wazuh, Inc ## Executing checkinstall script. ## Processing package information. ## Processing system information. ## Verifying disk space requirements. ## Checking for conflicts with packages already installed. The following files are already installed on the system and are being used by another package: * /var/ossec * /var/ossec/etc * /var/ossec/etc/shared * /var/ossec/queue * /var/ossec/queue/alerts * /var/ossec/queue/fim * /var/ossec/queue/fim/db * /var/ossec/queue/logcollector * /var/ossec/queue/rids * /var/ossec/queue/sockets * /var/ossec/queue/syscollector * /var/ossec/queue/syscollector/db * - conflict with a file which does not belong to any package. 
Do you want to install these conflicting files [y,n,?,q] y ## Checking for setuid/setgid programs. This package contains scripts which will be executed with super-user permission during the process of installing this package. Do you want to continue with the installation of [y,n,?] y Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as ## Executing preinstall script. ## Installing part 1 of 1. /etc/init.d/wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/rc3.d/S97wazuh-agent /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/wazuh-slack /var/ossec/agentless/main.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/ssh.exp /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/su.exp /var/ossec/bin/agent-auth /var/ossec/bin/manage_agents /var/ossec/bin/wazuh-agentd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-syscheckd /var/ossec/etc/TIMEZONE /var/ossec/etc/client.keys 
/var/ossec/etc/internal_options.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/ossec.conf /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt /var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/wpk_root.pem /var/ossec/lib/libdbsync.so /var/ossec/lib/libgcc_s.so.1 /var/ossec/lib/librsync.so /var/ossec/lib/libstdc++.so.6 /var/ossec/lib/libsyscollector.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libwazuhshared.so /var/ossec/logs/active-responses.log /var/ossec/logs/ossec.json /var/ossec/logs/ossec.log /var/ossec/queue/syscollector/norm_config.json /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/wodles/__init__.py /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/azure/azure-logs /var/ossec/wodles/azure/orm.py /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/exceptions.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/tools.py 
/var/ossec/wodles/utils.py [ verifying class ] ## Executing postinstall script. Installation of was successful. # mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf # chown root:wazuh /var/ossec/etc/ossec.conf # # mv ~/client.keys.bk /var/ossec/etc/client.keys # chown root:wazuh /var/ossec/etc/client.keys # # # /var/ossec/bin/wazuh-control start Starting Wazuh v4.4.2... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. # # ``` ``` [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l Wazuh agent_control. List of available agents: ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local ID: 002, Name: soaxp078, IP: any, Disconnected ID: 004, Name: sossp534, IP: any, Disconnected ID: 006, Name: sovmh317, IP: any, Disconnected ID: 008, Name: sossp272, IP: any, Active List of agentless devices: [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 008 Wazuh agent_control. Agent information: Agent ID: 008 Agent Name: sossp272 IP address: any Status: Active Operating system: SunOS |sossp272 |5.10 |Generic_147147-26 |sun4v Client version: Wazuh v4.4.2 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1684251266 Syscheck last started at: Tue May 16 21:33:33 2023 Syscheck last ended at: Tue May 16 21:33:37 2023 [root@wazuh-server wazuh-user]# ```
Users and groups

```
# cat /etc/passwd | grep wazuh
wazuh:x:46203:57447::/var/ossec:/bin/false
# cat /etc/group | grep wazuh
wazuh::57447:
#
```
fcaffieri commented 1 year ago

Analysis report - OVA :green_circle:

Agent info

```console
[root@stack-centos7 vagrant]# curl -O https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.4.2-1.x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8746k  100 8746k    0     0  2868k      0  0:00:03  0:00:03 --:--:-- 2869k
[root@stack-centos7 vagrant]#
[root@stack-centos7 vagrant]# curl -O https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.4.2-1.x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8746k  100 8746k    0     0  2967k      0  0:00:02  0:00:02 --:--:-- 2968k
[root@stack-centos7 vagrant]# yum localinstall -y wazuh-agent-4.4.2-1.x86_64.rpm
Loaded plugins: fastestmirror
Examining wazuh-agent-4.4.2-1.x86_64.rpm: wazuh-agent-4.4.2-1.x86_64
Marking wazuh-agent-4.4.2-1.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.x86_64 0:4.4.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch      Version     Repository                          Size
================================================================================
Installing:
 wazuh-agent    x86_64    4.4.2-1     /wazuh-agent-4.4.2-1.x86_64         25 M

Transaction Summary
================================================================================
Install  1 Package

Total size: 25 M
Installed size: 25 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.4.2-1.x86_64                                   1/1
  Verifying  : wazuh-agent-4.4.2-1.x86_64                                   1/1

Installed:
  wazuh-agent.x86_64 0:4.4.2-1

Complete!
[root@stack-centos7 vagrant]#
[root@stack-centos7 vagrant]# vi /var/ossec/etc/ossec.conf
[root@stack-centos7 vagrant]# cat /var/ossec/etc/ossec.conf | grep address
      <address>192.168.1.33</address>
[root@stack-centos7 vagrant]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@stack-centos7 vagrant]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.2"
WAZUH_REVISION="40408"
WAZUH_TYPE="agent"
[root@stack-centos7 vagrant]#
```

```console
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: stack-centos7, IP: any, Active

List of agentless devices:
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: stack-centos7
   IP address: any
   Status:     Active

   Operating system:    Linux |stack-centos7 |3.10.0-1160.59.1.el7.x86_64 |#1 SMP Wed Feb 23 16:47:03 UTC 2022 |x86_64
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684269477

   Syscheck last started at:  Tue May 16 20:37:38 2023
   Syscheck last ended at:    Tue May 16 20:37:40 2023

[root@wazuh-server wazuh-user]#
```
OVA - Check Wazuh agent connection

```console
[root@wazuh-server wazuh-user]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[root@wazuh-server wazuh-user]# grep "tcp" /var/ossec/etc/ossec.conf
    <protocol>tcp</protocol>
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: stack-centos7
   IP address: any
   Status:     Active

   Operating system:    Linux |stack-centos7 |3.10.0-1160.59.1.el7.x86_64 |#1 SMP Wed Feb 23 16:47:03 UTC 2022 |x86_64
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684269607

   Syscheck last started at:  Tue May 16 20:37:38 2023
   Syscheck last ended at:    Tue May 16 20:37:40 2023

[root@wazuh-server wazuh-user]# grep -i -E "tcp" /var/ossec/logs/ossec.log
2023/05/15 12:01:31 wazuh-remoted: INFO: Started (pid: 5890). Listening on port 1514/TCP (secure).
2023/05/16 20:05:35 wazuh-remoted: INFO: Started (pid: 1508). Listening on port 1514/TCP (secure).
2023/05/16 20:08:46 wazuh-remoted: INFO: Started (pid: 1570). Listening on port 1514/TCP (secure).
2023/05/16 20:18:02 wazuh-remoted: INFO: Started (pid: 1666). Listening on port 1514/TCP (secure).
2023/05/16 20:22:02 wazuh-remoted: INFO: Started (pid: 1598). Listening on port 1514/TCP (secure).
2023/05/16 20:23:08 wazuh-remoted: INFO: Started (pid: 1633). Listening on port 1514/TCP (secure).
2023/05/16 20:25:12 wazuh-remoted: INFO: Started (pid: 1663). Listening on port 1514/TCP (secure).
2023/05/16 20:27:06 wazuh-remoted: INFO: Started (pid: 1602). Listening on port 1514/TCP (secure).
2023/05/16 20:31:36 wazuh-remoted: INFO: Started (pid: 1665). Listening on port 1514/TCP (secure).
[root@wazuh-server wazuh-user]# vi /var/ossec/etc/ossec.conf
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control restart
wazuh-clusterd not running...
Killing wazuh-modulesd...
Killing wazuh-monitord...
Killing wazuh-logcollector...
Killing wazuh-remoted...
Killing wazuh-syscheckd...
Killing wazuh-analysisd...
wazuh-maild not running...
Killing wazuh-execd...
Killing wazuh-db...
wazuh-authd not running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
Killing wazuh-apid...
Wazuh v4.4.2 Stopped
Starting Wazuh v4.4.2...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/05/16 20:41:02 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.
[root@wazuh-server wazuh-user]# grep "tcp" /var/ossec/etc/ossec.conf
[root@wazuh-server wazuh-user]# grep "udp" /var/ossec/etc/ossec.conf
    <protocol>udp</protocol>
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: stack-centos7
   IP address: any
   Status:     Disconnected

   Operating system:    Linux |stack-centos7 |3.10.0-1160.59.1.el7.x86_64 |#1 SMP Wed Feb 23 16:47:03 UTC 2022 |x86_64
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684269657

   Syscheck last started at:  Tue May 16 20:37:38 2023
   Syscheck last ended at:    Tue May 16 20:37:40 2023

[root@wazuh-server wazuh-user]# grep -i -E "udp" /var/ossec/logs/ossec.log
2023/05/16 20:41:05 wazuh-remoted: INFO: Started (pid: 2766). Listening on port 1514/UDP (secure).
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2023/05/16 20:41:38 wazuh-authd: WARNING: Duplicate name 'stack-centos7', rejecting enrollment. Agent '001' has not been disconnected long enough to be replaced.
[root@wazuh-server wazuh-user]#
```
Wazuh processes

```console
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
wazuh-d+   411     1  1 20:30 ?        00:00:13 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root       458     1  0 20:30 ?        00:00:00 login -- wazuh-user
wazuh-u+   640   458  0 20:31 tty1     00:00:00 -bash
root       956     1  0 20:31 ?        00:00:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2342  1014  0 20:36 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  2346  2342  0 20:36 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  2347  2346  0 20:36 pts/0    00:00:00 -bash
wazuh     2590     1  8 20:41 ?        00:00:06 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      2630     1  0 20:41 ?        00:00:00 /var/ossec/bin/wazuh-authd
wazuh     2644     1  0 20:41 ?        00:00:00 /var/ossec/bin/wazuh-db
root      2669     1  0 20:41 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     2681     1  1 20:41 ?        00:00:01 /var/ossec/bin/wazuh-analysisd
wazuh     2684  2590  0 20:41 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2687  2590  0 20:41 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      2749     1 13 20:41 ?        00:00:10 /var/ossec/bin/wazuh-syscheckd
wazuh     2766     1  0 20:41 ?        00:00:00 /var/ossec/bin/wazuh-remoted
root      2801     1  0 20:41 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh     2853     1  0 20:41 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root      2865     1  2 20:41 ?        00:00:01 /var/ossec/bin/wazuh-modulesd
root      3935  2375  0 20:42 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control restart
wazuh-clusterd not running...
Killing wazuh-modulesd...
Killing wazuh-monitord...
Killing wazuh-logcollector...
Killing wazuh-remoted...
Killing wazuh-syscheckd...
Killing wazuh-analysisd...
wazuh-maild not running...
Killing wazuh-execd...
Killing wazuh-db...
Killing wazuh-authd...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
Killing wazuh-apid...
Wazuh v4.4.2 Stopped
Starting Wazuh v4.4.2...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/05/16 20:42:36 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
wazuh-d+   411     1  1 20:30 ?        00:00:13 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root       458     1  0 20:30 ?        00:00:00 login -- wazuh-user
wazuh-u+   640   458  0 20:31 tty1     00:00:00 -bash
root       956     1  0 20:31 ?        00:00:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2342  1014  0 20:36 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  2346  2342  0 20:36 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  2347  2346  0 20:36 pts/0    00:00:00 -bash
wazuh     4118     1 78 20:42 ?        00:00:06 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      4158     1  0 20:42 ?        00:00:00 /var/ossec/bin/wazuh-authd
wazuh     4172     1  1 20:42 ?        00:00:00 /var/ossec/bin/wazuh-db
root      4197     1  0 20:42 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     4209     1 10 20:42 ?        00:00:00 /var/ossec/bin/wazuh-analysisd
root      4219     1 49 20:42 ?        00:00:03 /var/ossec/bin/wazuh-syscheckd
wazuh     4224  4118  0 20:42 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     4227  4118  0 20:42 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     4291     1  0 20:42 ?        00:00:00 /var/ossec/bin/wazuh-remoted
root      4346     1  0 20:42 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh     4363     1  0 20:42 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root      4375     1 16 20:42 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      4658  2375  0 20:42 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# service wazuh-manager restart
Restarting wazuh-manager (via systemctl):                  [  OK  ]
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
wazuh-d+   411     1  1 20:30 ?        00:00:13 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root       458     1  0 20:30 ?        00:00:00 login -- wazuh-user
wazuh-u+   640   458  0 20:31 tty1     00:00:00 -bash
root       956     1  0 20:31 ?        00:00:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2342  1014  0 20:36 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  2346  2342  0 20:36 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  2347  2346  0 20:36 pts/0    00:00:00 -bash
wazuh     5063     1 55 20:42 ?        00:00:06 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      5103     1  0 20:42 ?        00:00:00 /var/ossec/bin/wazuh-authd
wazuh     5117     1  1 20:42 ?        00:00:00 /var/ossec/bin/wazuh-db
root      5142     1  0 20:42 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     5146  5063  0 20:43 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     5149  5063  0 20:43 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     5163     1  8 20:43 ?        00:00:00 /var/ossec/bin/wazuh-analysisd
root      5225     1 43 20:43 ?        00:00:03 /var/ossec/bin/wazuh-syscheckd
wazuh     5238     1  0 20:43 ?        00:00:00 /var/ossec/bin/wazuh-remoted
root      5269     1  0 20:43 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh     5289     1  0 20:43 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root      5336     1 15 20:43 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      5601  2375  0 20:43 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh-server wazuh-user]#
```
Versions

```console
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.2"
WAZUH_REVISION="40408"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.4.2
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.4.2
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.6.0",
  "branch": "2.6",
  "build": {
    "number": 44201,
    "sha": "b15a28f9d6d6ec40d695a2eb01442d2a7d6d72d9",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": "14.20.1"
  }
}
[root@wazuh-server wazuh-user]#
```
OVA - Users

```console
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash
wazuh-indexer:x:996:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:995:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:994:991::/usr/share/wazuh-dashboard/:/sbin/nologin
[root@wazuh-server wazuh-user]#
```
OVA - WUI

- Loading screen OK
- Login screen OK
- Light/dark mode OK
- Credentials admin:admin OK

![image](https://github.com/wazuh/wazuh/assets/89791732/98d52440-580f-442b-829d-c25d8a50ac9d)
![image](https://github.com/wazuh/wazuh/assets/89791732/de4efcfd-f814-4226-804c-6d6dfd70d182)
![image](https://github.com/wazuh/wazuh/assets/89791732/2b234574-76d2-43ba-8df5-da822cbbb490)
![image](https://github.com/wazuh/wazuh/assets/89791732/99c38b84-2d5b-4347-b5bb-456cbba7aa07)
OVA - Logs +
  • Wazuh dashboard - journalctl - Certificate errors reported at https://github.com/wazuh/wazuh-packages/issues/2106

```console
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
may 16 21:00:53 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:53Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:53 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:53Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:53 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:53Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:53 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:53Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:53 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:53Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:53 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:53Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:53 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:53Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:44 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:44Z","tags":["error","plugins","securityDashboards"],"pid":417,"message":"Failed authentication: Error: Authentication Exception"}
may 16 21:00:37 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:37Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:37 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:37Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:37 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:37Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:37 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:37Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:37 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:37Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:37 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:37Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:37 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:37Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:37 wazuh-server opensearch-dashboards[417]: {"type":"error","@timestamp":"2023-05-16T21:00:37Z","tags":["connection","client","error"],"pid":417,"level":"error","error":{"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"139731897722752:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
may 16 21:00:30 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:30Z","tags":["error","opensearch","data"],"pid":417,"message":"[ResponseError]: Response Error"}
may 16 21:00:28 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:28Z","tags":["error","opensearch","data"],"pid":417,"message":"[ResponseError]: Response Error"}
may 16 21:00:25 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:25Z","tags":["error","opensearch","data"],"pid":417,"message":"[ResponseError]: Response Error"}
may 16 21:00:23 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:23Z","tags":["error","opensearch","data"],"pid":417,"message":"[ResponseError]: Response Error"}
may 16 21:00:20 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:20Z","tags":["error","opensearch","data"],"pid":417,"message":"[ResponseError]: Response Error"}
may 16 21:00:18 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:18Z","tags":["error","opensearch","data"],"pid":417,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 16 21:00:15 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:15Z","tags":["error","opensearch","data"],"pid":417,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 16 21:00:13 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:13Z","tags":["error","opensearch","data"],"pid":417,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 16 21:00:10 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:10Z","tags":["error","opensearch","data"],"pid":417,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 16 21:00:08 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:08Z","tags":["error","opensearch","data"],"pid":417,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 16 21:00:05 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:05Z","tags":["error","opensearch","data"],"pid":417,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 16 21:00:03 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:03Z","tags":["error","opensearch","data"],"pid":417,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 16 21:00:00 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:00Z","tags":["error","savedobjects-service"],"pid":417,"message":"Unable to retrieve version information from OpenSearch nodes."}
may 16 21:00:00 wazuh-server opensearch-dashboards[417]: {"type":"log","@timestamp":"2023-05-16T21:00:00Z","tags":["error","opensearch","data"],"pid":417,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
[root@wazuh-server wazuh-user]#
```
  • Wazuh indexer - journalctl - Warnings reported at https://github.com/wazuh/wazuh-packages/issues/2046

```console
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
may 16 21:00:06 wazuh-server systemd-entrypoint[960]: WARNING: System::setSecurityManager will be removed in a future release
may 16 21:00:06 wazuh-server systemd-entrypoint[960]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
may 16 21:00:06 wazuh-server systemd-entrypoint[960]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
may 16 21:00:06 wazuh-server systemd-entrypoint[960]: WARNING: A terminally deprecated method in java.lang.System has been called
may 16 21:00:04 wazuh-server systemd-entrypoint[960]: WARNING: System::setSecurityManager will be removed in a future release
may 16 21:00:04 wazuh-server systemd-entrypoint[960]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
may 16 21:00:04 wazuh-server systemd-entrypoint[960]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
may 16 21:00:04 wazuh-server systemd-entrypoint[960]: WARNING: A terminally deprecated method in java.lang.System has been called
[root@wazuh-server wazuh-user]#
```
  • Wazuh indexer - /var/log/wazuh-indexer

```console
[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:06,207][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3990m, -Xmx3990m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6374726690152348129, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2091909120, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:15,223][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:19,200][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:20,715][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:20,735][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:20,739][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:20,743][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:23,095][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:23,098][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:23,101][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:23,106][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:25,595][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:25,598][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:25,602][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:25,605][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:27,673][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:28,098][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:28,101][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:28,104][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:28,106][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:29,017][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:30,599][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:30,602][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:30,604][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:30,607][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-05-16T21:00:31,023][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:06,207Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3990m, -Xmx3990m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6374726690152348129, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2091909120, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:15,223Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:19,200Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" ,
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:20,715Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:20,735Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:20,739Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:20,743Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:23,095Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:23,098Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:23,101Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:23,106Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:25,595Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:25,598Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:25,602Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:25,605Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:27,673Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:28,098Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:28,101Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:28,104Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:28,106Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:29,017Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:30,599Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:30,602Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:30,604Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:30,607Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-05-16T21:00:31,023Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "B6mhJJLkSpyOX7vzOvxYJg", "node.id": "TQGdSLgxTLy0gnfyzRGRaw" }
[root@wazuh-server wazuh-user]#
```
  • Wazuh server - /var/ossec/logs

```console
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2023/05/16 21:00:12 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.1.35' (name 'unknown').
2023/05/16 21:00:22 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.1.35' (name 'unknown').
2023/05/16 21:00:32 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.1.35' (name 'unknown').
2023/05/16 21:00:42 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.1.35' (name 'unknown').
[root@wazuh-server wazuh-user]#
```

OVA - Filebeat test
```console
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@wazuh-server wazuh-user]#
```
OVA - Wazuh indexer cluster
```console
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "B6mhJJLkSpyOX7vzOvxYJg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "7203a5af21a8a009aece1474446b437a3c674db6",
    "build_date" : "2023-02-24T18:57:04.388618985Z",
    "build_snapshot" : false,
    "lucene_version" : "9.5.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           14          78   2    0.04    0.08     0.10 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 11,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]#
```
fcaffieri commented 1 year ago

Analysis report - PPC64LE :green_circle:

Deployment + Install

CentOS 7
```
[root@wazuh3 centos]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (AltArch)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (AltArch)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7:server"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
[root@wazuh3 centos]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@wazuh3 centos]# cat > /etc/yum.repos.d/wazuh.repo << EOF
> [wazuh]
> gpgcheck=1
> gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
> enabled=1
> name=EL-\$releasever - Wazuh
> baseurl=https://packages-dev.wazuh.com/pre-release/yum/
> protect=1
> EOF
[root@wazuh3 centos]# WAZUH_MANAGER="3.238.245.177" yum install wazuh-agent
Complementos cargados:fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.

Determining fastest mirrors
base                                                                                                        | 3.6 kB  00:00:00
extras                                                                                                      | 2.9 kB  00:00:00
updates                                                                                                     | 2.9 kB  00:00:00
wazuh                                                                                                       | 3.4 kB  00:00:00
(1/2): updates/7/ppc64le/primary_db                                                                         |  16 MB  00:00:00
(2/2): wazuh/primary_db                                                                                     | 304 kB  00:00:00
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-agent.ppc64le 0:4.3.11-1 debe ser actualizado
---> Paquete wazuh-agent.ppc64le 0:4.4.2-1 debe ser una actualización
--> Resolución de dependencias finalizada

Dependencias resueltas

================================================================================================================================================================================
 Package                          Arquitectura                   Versión                          Repositorio                   Tamaño
================================================================================================================================================================================
Actualizando:
 wazuh-agent                      ppc64le                        4.4.2-1                          wazuh                         6.2 M

Resumen de la transacción
================================================================================================================================================================================
Actualizar  1 Paquete

Tamaño total de la descarga: 6.2 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-agent-4.4.2-1.ppc64le.rpm                                                                             | 6.2 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Actualizando    : wazuh-agent-4.4.2-1.ppc64le                                                                                      1/2
  Limpieza        : wazuh-agent-4.3.11-1.ppc64le                                                                                     2/2
  Comprobando     : wazuh-agent-4.4.2-1.ppc64le                                                                                      1/2
  Comprobando     : wazuh-agent-4.3.11-1.ppc64le                                                                                     2/2

Actualizado:
  wazuh-agent.ppc64le 0:4.4.2-1

¡Listo!
[root@wazuh3 centos]# /var/ossec/bin/wazuh-control status
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
[root@wazuh3 centos]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@wazuh3 centos]# ps -ef | grep wazuh
root     29205     1  0 12:35 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    29217     1  0 12:35 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root     29231     1  0 12:35 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root     29243     1  0 12:35 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root     29261     1  3 12:35 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     29642 28971  0 12:35 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh3 centos]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.2"
WAZUH_REVISION="40408"
WAZUH_TYPE="agent"
[root@wazuh3 centos]# grep "tcp" /var/ossec/logs/ossec.log
2023/05/17 12:35:58 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/17 12:35:58 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
2023/05/17 12:36:04 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/17 12:36:04 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
[root@wazuh3 centos]#
```
```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp078, IP: any, Disconnected
   ID: 004, Name: sossp534, IP: any, Disconnected
   ID: 006, Name: sovmh317, IP: any, Disconnected
   ID: 008, Name: sossp272, IP: any, Active
   ID: 009, Name: wazuh3.novalocal, IP: any, Active

List of agentless devices:
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 009

Wazuh agent_control. Agent information:
   Agent ID:   009
   Agent Name: wazuh3.novalocal
   IP address: any
   Status:     Active

   Operating system:    Linux |wazuh3.novalocal |3.10.0-957.21.3.el7.ppc64le |#1 SMP Tue Jun 18 16:48:04 UTC 2019 |ppc64le
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684327014

   Syscheck last started at:  Wed May 17 12:36:13 2023 (Scan in progress)
   Syscheck last ended at:    Unknown
[root@wazuh-server wazuh-user]#
```
```
[root@wazuh3 centos]# sed -i "s/tcp/udp/" /var/ossec/etc/ossec.conf
[root@wazuh3 centos]#
[root@wazuh3 centos]# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.2 Stopped
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@wazuh3 centos]# grep "udp" /var/ossec/logs/ossec.log
2023/05/17 12:51:38 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/udp).
2023/05/17 12:51:38 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/udp).
[root@wazuh3 centos]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
6
[root@wazuh3 centos]# cat /etc/passwd | grep wazuh
wazuh:x:994:990::/var/ossec:/sbin/nologin
[root@wazuh3 centos]# cat /etc/passwd | grep wazuh
wazuh:x:994:990::/var/ossec:/sbin/nologin
[root@wazuh3 centos]#
```
---
Debian Stretch
```
root@wazuh1:/home/debian# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@wazuh1:/home/debian#
root@wazuh1:/home/debian#
root@wazuh1:/home/debian# WAZUH_MANAGER="3.238.245.177" apt install ./wazuh-agent_4.4.2-1_ppc64el.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.4.2-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/5,295 kB of archives.
After this operation, 34.4 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 /wazuh-agent_4.4.2-1_ppc64el.deb wazuh-agent ppc64el 4.4.2-1 [5279 kB]
Get:2 http://deb.debian.org/debian stretch/main ppc64el libpython3.5-minimal ppc64el 3.5.3-1+deb9u1 [574 kB]
Get:3 http://deb.debian.org/debian stretch/main ppc64el libexpat1 ppc64el 2.2.0-2+deb9u3 [76.8 kB]
Get:4 http://deb.debian.org/debian stretch/main ppc64el python3.5-minimal ppc64el 3.5.3-1+deb9u1 [1704 kB]
Get:5 http://deb.debian.org/debian stretch/main ppc64el python3-minimal ppc64el 3.5.3-1 [35.3 kB]
Get:6 http://deb.debian.org/debian stretch/main ppc64el mime-support all 3.60 [36.7 kB]
Get:7 http://deb.debian.org/debian stretch/main ppc64el libmpdec2 ppc64el 2.4.2-1 [81.9 kB]
Get:8 http://deb.debian.org/debian stretch/main ppc64el readline-common all 7.0-3 [70.4 kB]
Get:9 http://deb.debian.org/debian stretch/main ppc64el libreadline7 ppc64el 7.0-3 [139 kB]
Get:10 http://deb.debian.org/debian stretch/main ppc64el libsqlite3-0 ppc64el 3.16.2-5+deb9u1 [525 kB]
Get:11 http://deb.debian.org/debian stretch/main ppc64el libpython3.5-stdlib ppc64el 3.5.3-1+deb9u1 [2179 kB]
Get:12 http://deb.debian.org/debian stretch/main ppc64el python3.5 ppc64el 3.5.3-1+deb9u1 [229 kB]
Get:13 http://deb.debian.org/debian stretch/main ppc64el libpython3-stdlib ppc64el 3.5.3-1 [18.6 kB]
Get:14 http://deb.debian.org/debian stretch/main ppc64el dh-python all 2.20170125 [86.8 kB]
Get:15 http://deb.debian.org/debian stretch/main ppc64el python3 ppc64el 3.5.3-1 [21.6 kB]
Get:16 http://deb.debian.org/debian stretch/main ppc64el bzip2 ppc64el 1.0.6-8.1 [46.3 kB]
Get:17 http://deb.debian.org/debian stretch/main ppc64el libmagic-mgc ppc64el 1:5.30-1+deb9u3 [222 kB]
Get:18 http://deb.debian.org/debian stretch/main ppc64el libmagic1 ppc64el 1:5.30-1+deb9u3 [108 kB]
Get:19 http://deb.debian.org/debian stretch/main ppc64el file ppc64el 1:5.30-1+deb9u3 [64.4 kB]
Get:20 http://deb.debian.org/debian stretch/main ppc64el xz-utils ppc64el 5.2.2-1.2+b1 [262 kB]
Get:21 http://deb.debian.org/debian stretch/main ppc64el distro-info-data all 0.36 [5810 B]
Get:22 http://deb.debian.org/debian stretch/main ppc64el lsb-release all 9.20161125 [27.1 kB]
Fetched 6514 kB in 8s (781 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libpython3.5-minimal:ppc64el.
(Reading database ... 7205 files and directories currently installed.)
Preparing to unpack .../00-libpython3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package libexpat1:ppc64el.
Preparing to unpack .../01-libexpat1_2.2.0-2+deb9u3_ppc64el.deb ...
Unpacking libexpat1:ppc64el (2.2.0-2+deb9u3) ...
Selecting previously unselected package python3.5-minimal.
Preparing to unpack .../02-python3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5-minimal (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3-minimal.
Preparing to unpack .../03-python3-minimal_3.5.3-1_ppc64el.deb ...
Unpacking python3-minimal (3.5.3-1) ...
Selecting previously unselected package mime-support.
Preparing to unpack .../04-mime-support_3.60_all.deb ...
Unpacking mime-support (3.60) ...
Selecting previously unselected package libmpdec2:ppc64el.
Preparing to unpack .../05-libmpdec2_2.4.2-1_ppc64el.deb ...
Unpacking libmpdec2:ppc64el (2.4.2-1) ...
Selecting previously unselected package readline-common.
Preparing to unpack .../06-readline-common_7.0-3_all.deb ...
Unpacking readline-common (7.0-3) ...
Selecting previously unselected package libreadline7:ppc64el.
Preparing to unpack .../07-libreadline7_7.0-3_ppc64el.deb ...
Unpacking libreadline7:ppc64el (7.0-3) ...
Selecting previously unselected package libsqlite3-0:ppc64el.
Preparing to unpack .../08-libsqlite3-0_3.16.2-5+deb9u1_ppc64el.deb ...
Unpacking libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Selecting previously unselected package libpython3.5-stdlib:ppc64el.
Preparing to unpack .../09-libpython3.5-stdlib_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5.
Preparing to unpack .../10-python3.5_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5 (3.5.3-1+deb9u1) ...
Selecting previously unselected package libpython3-stdlib:ppc64el.
Preparing to unpack .../11-libpython3-stdlib_3.5.3-1_ppc64el.deb ...
Unpacking libpython3-stdlib:ppc64el (3.5.3-1) ...
Selecting previously unselected package dh-python.
Preparing to unpack .../12-dh-python_2.20170125_all.deb ...
Unpacking dh-python (2.20170125) ...
Setting up libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Setting up libexpat1:ppc64el (2.2.0-2+deb9u3) ...
Setting up python3.5-minimal (3.5.3-1+deb9u1) ...
Setting up python3-minimal (3.5.3-1) ...
Selecting previously unselected package python3.
(Reading database ... 8189 files and directories currently installed.)
Preparing to unpack .../0-python3_3.5.3-1_ppc64el.deb ...
Unpacking python3 (3.5.3-1) ...
Selecting previously unselected package bzip2.
Preparing to unpack .../1-bzip2_1.0.6-8.1_ppc64el.deb ...
Unpacking bzip2 (1.0.6-8.1) ...
Selecting previously unselected package libmagic-mgc.
Preparing to unpack .../2-libmagic-mgc_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic-mgc (1:5.30-1+deb9u3) ...
Selecting previously unselected package libmagic1:ppc64el.
Preparing to unpack .../3-libmagic1_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Selecting previously unselected package file.
Preparing to unpack .../4-file_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking file (1:5.30-1+deb9u3) ...
Selecting previously unselected package xz-utils.
Preparing to unpack .../5-xz-utils_5.2.2-1.2+b1_ppc64el.deb ...
Unpacking xz-utils (5.2.2-1.2+b1) ...
Selecting previously unselected package distro-info-data.
Preparing to unpack .../6-distro-info-data_0.36_all.deb ...
Unpacking distro-info-data (0.36) ...
Selecting previously unselected package lsb-release.
Preparing to unpack .../7-lsb-release_9.20161125_all.deb ...
Unpacking lsb-release (9.20161125) ...
Selecting previously unselected package wazuh-agent.
Preparing to unpack .../8-wazuh-agent_4.4.2-1_ppc64el.deb ...
Unpacking wazuh-agent (4.4.2-1) ...
Setting up readline-common (7.0-3) ...
Setting up mime-support (3.60) ...
Setting up libreadline7:ppc64el (7.0-3) ...
Setting up distro-info-data (0.36) ...
Setting up libmagic-mgc (1:5.30-1+deb9u3) ...
Setting up bzip2 (1.0.6-8.1) ...
Setting up libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Setting up xz-utils (5.2.2-1.2+b1) ...
update-alternatives: using /usr/bin/xz to provide /usr/bin/lzma (lzma) in auto mode
Setting up libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Setting up libmpdec2:ppc64el (2.4.2-1) ...
Setting up libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Setting up file (1:5.30-1+deb9u3) ...
Setting up python3.5 (3.5.3-1+deb9u1) ...
Setting up libpython3-stdlib:ppc64el (3.5.3-1) ...
Setting up python3 (3.5.3-1) ...
running python rtupdate hooks for python3.5...
running python post-rtupdate hooks for python3.5...
Setting up lsb-release (9.20161125) ...
Setting up dh-python (2.20170125) ...
Setting up wazuh-agent (4.4.2-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
root@715ccbf23c3c:/#
root@wazuh1:/home/debian#
root@wazuh1:/home/debian# ps -ef | grep wazuh
root      8508     1  0 12:46 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     8519     1  0 12:46 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      8533     1  4 12:46 ?        00:00:07 /var/ossec/bin/wazuh-syscheckd
root      8544     1  0 12:46 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      8571     1  0 12:46 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      9240  6209  0 12:49 pts/1    00:00:00 grep wazuh
root@wazuh1:/home/debian#
```
```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: soaxp078, IP: any, Disconnected
   ID: 004, Name: sossp534, IP: any, Disconnected
   ID: 006, Name: sovmh317, IP: any, Disconnected
   ID: 008, Name: sossp272, IP: any, Active
   ID: 009, Name: wazuh3.novalocal, IP: any, Active
   ID: 010, Name: wazuh1, IP: any, Active

List of agentless devices:
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 010

Wazuh agent_control. Agent information:
   Agent ID:   010
   Agent Name: wazuh1
   IP address: any
   Status:     Active

   Operating system:    Linux |wazuh1 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.4.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1684327795

   Syscheck last started at:  Wed May 17 12:46:54 2023
   Syscheck last ended at:    Wed May 17 12:49:00 2023
[root@wazuh-server wazuh-user]#
```
```
root@wazuh1:/home/debian# ps -ef | grep wazuh
root      8508     1  0 12:46 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     8519     1  0 12:46 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      8533     1  4 12:46 ?        00:00:07 /var/ossec/bin/wazuh-syscheckd
root      8544     1  0 12:46 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      8571     1  0 12:46 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      9240  6209  0 12:49 pts/1    00:00:00 grep wazuh
root@wazuh1:/home/debian# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.2"
WAZUH_REVISION="40408"
WAZUH_TYPE="agent"
root@wazuh1:/home/debian# grep "tcp" /var/ossec/logs/ossec.log
2023/05/17 12:46:39 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/17 12:46:40 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
2023/05/17 12:46:45 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/tcp).
2023/05/17 12:46:45 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/tcp).
root@wazuh1:/home/debian# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.2 Stopped
root@wazuh1:/home/debian#
root@wazuh1:/home/debian# sed -i "s/tcp/udp/" /var/ossec/etc/ossec.conf
root@wazuh1:/home/debian# sed -i "s/tcp/udp/" /var/ossec/etc/ossec.conf
root@wazuh1:/home/debian# /var/ossec/bin/wazuh-control restart
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.4.2 Stopped
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@wazuh1:/home/debian# grep "udp" /var/ossec/logs/ossec.log
2023/05/17 12:51:32 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/udp).
2023/05/17 12:51:42 wazuh-agentd: INFO: Closing connection to server ([3.238.245.177]:1514/udp).
2023/05/17 12:51:42 wazuh-agentd: INFO: Trying to connect to server ([3.238.245.177]:1514/udp).
2023/05/17 12:51:42 wazuh-agentd: INFO: (4102): Connected to the server ([3.238.245.177]:1514/udp).
root@wazuh1:/home/debian# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
2
root@wazuh1:/home/debian# cat /etc/passwd | grep wazuh
wazuh:x:107:111::/var/ossec:/bin/false
root@wazuh1:/home/debian# cat /etc/group | grep wazuh
wazuh:x:111:
root@wazuh1:/home/debian#
```

Alerts

CentOS 7
```
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.log | grep -n10 wazuh3
4585-** Alert 1684326990.584135: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
4586:2023 May 17 12:36:30 (wazuh3.novalocal) any->sca
4587-Rule: 19005 (level 9) -> 'SCA summary: CIS Benchmark for CentOS 7: Score less than 30% (18)'
4588-{"type":"summary","scan_id":406231102,"name":"CIS Benchmark for CentOS 7","policy_id":"cis_centos7_linux","file":"cis_centos7_linux.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for CentOS 7 systems running on x86 and x64 platforms. This document was tested against CentOS 7.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":35,"failed":150,"invalid":11,"total_checks":196,"score":18.918918609619141,"start_time":1684326967,"end_time":1684326976,"hash":"77b8313d8c752972c0262bf3e54664ea358775d984ddc4dcb796a1908d08fa5c","hash_file":"227d9cd90ec0abb5ef02fa3049764e46d8cdd1b137ab13e60187c0409c04e391","force_alert":"1"}
tion":"wazuh-agent"}
```
Debian Bullseye
```
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.log | grep -n10 wazuh1
8246-** Alert 1684327634.1058749: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
8247:2023 May 17 12:47:14 (wazuh1) any->sca
8248-Rule: 19004 (level 7) -> 'SCA summary: CIS Benchmark for Debian/Linux 9: Score less than 50% (38)'
8249-{"type":"summary","scan_id":2016010646,"name":"CIS Benchmark for Debian/Linux 9","policy_id":"cis_debian9","file":"cis_debian9.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":64,"failed":104,"invalid":7,"total_checks":175,"score":38.095237731933594,"start_time":1684327608,"end_time":1684327609,"hash":"516f781ab236af0c14b50ad81783b6cbae5ae8dc50c54b302a52c82f818df7d3","hash_file":"9720efa38d9a3c64e030f89a8ebf2009d22b6077ef9c67313c0c3251836eb2a8","force_alert":"1","force_alert":"1"}
```

Remove

CentOS 7
```
[root@wazuh3 centos]# ps -ef | grep wazuh
root     30798     1  0 12:51 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    30810     1  0 12:51 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root     30825     1  5 12:51 ?        00:00:15 /var/ossec/bin/wazuh-syscheckd
root     30837     1  0 12:51 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root     30855     1  0 12:51 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     31636 28971  0 12:56 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh3 centos]# yum remove wazuh-agent
Complementos cargados:fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-agent.ppc64le 0:4.4.2-1 debe ser eliminado
--> Resolución de dependencias finalizada

Dependencias resueltas

================================================================================================================================================================================
 Package                          Arquitectura                   Versión                          Repositorio                   Tamaño
================================================================================================================================================================================
Eliminando:
 wazuh-agent                      ppc64le                        4.4.2-1                          @wazuh                        30 M

Resumen de la transacción
================================================================================================================================================================================
Eliminar  1 Paquete

Tamaño instalado: 30 M
Está de acuerdo [s/N]:s
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Eliminando  : wazuh-agent-4.4.2-1.ppc64le                                                                                          1/1
advertencia:/var/ossec/etc/ossec.conf guardado como /var/ossec/etc/ossec.conf.rpmsave
advertencia:/var/ossec/etc/client.keys guardado como /var/ossec/etc/client.keys.rpmsave
  Comprobando : wazuh-agent-4.4.2-1.ppc64le                                                                                          1/1

Eliminado(s):
  wazuh-agent.ppc64le 0:4.4.2-1

¡Listo!
[root@wazuh3 centos]# ps -ef | grep wazuh
root     31827 28971  0 12:57 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh3 centos]# cat /etc/passwd | grep wazuh
[root@wazuh3 centos]# cat /etc/group | grep wazuh
[root@wazuh3 centos]# ls -l /var/ossec/etc/
total 12
-rw-r-----. 1  994  990   90 may 17 12:35 client.keys.rpmsave
-rw-rw----. 1 root  990 5650 may 17 12:51 ossec.conf.rpmsave
[root@wazuh3 centos]#
```
Debian Bullseyes
```
root@wazuh1:/home/debian# ps -ef | grep wazuh
root      9562     1  0 12:51 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     9574     1  0 12:51 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      9589     1  3 12:51 ?        00:00:11 /var/ossec/bin/wazuh-syscheckd
root      9600     1  0 12:51 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      9617     1  0 12:51 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     13257  6209  0 12:56 pts/1    00:00:00 grep wazuh
root@wazuh1:/home/debian# apt-get remove wazuh-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  wazuh-agent
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 34.4 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 38585 files and directories currently installed.)
Removing wazuh-agent (4.4.2-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
root@wazuh1:/home/debian#
root@wazuh1:/home/debian#
root@wazuh1:/home/debian# ls -ltR /var/ossec/
/var/ossec/:
total 8
drwxrwx--- 3 wazuh wazuh 4096 May 17 13:10 etc
drwxr-x--- 7 root  wazuh 4096 May 17 13:10 queue

/var/ossec/etc:
total 24
drwxrwx--- 2 root wazuh 4096 May 17 13:10 shared
-rw-r----- 1 root wazuh    0 May 17 13:04 client.keys.save
-rw-rw---- 1 root root  5050 May 17 13:04 ossec.conf.new.save
-rw-rw---- 1 root wazuh 5756 May 17 13:02 ossec.conf.save
-rw-r----- 1 root wazuh  320 Apr 11 14:57 local_internal_options.conf.save

/var/ossec/etc/shared:
total 920
-rw-rw---- 1 root wazuh  28411 Apr 11 14:57 cis_apache2224_rcl.txt.save
-rw-rw---- 1 root wazuh  12576 Apr 11 14:57 cis_debian_linux_rcl.txt.save
-rw-rw---- 1 root wazuh   7609 Apr 11 14:57 cis_mysql5-6_community_rcl.txt.save
-rw-rw---- 1 root wazuh  10297 Apr 11 14:57 cis_mysql5-6_enterprise_rcl.txt.save
-rw-rw---- 1 root wazuh  35781 Apr 11 14:57 cis_rhel5_linux_rcl.txt.save
-rw-rw---- 1 root wazuh  33870 Apr 11 14:57 cis_rhel6_linux_rcl.txt.save
-rw-rw---- 1 root wazuh  36957 Apr 11 14:57 cis_rhel7_linux_rcl.txt.save
-rw-rw---- 1 root wazuh  17658 Apr 11 14:57 cis_rhel_linux_rcl.txt.save
-rw-rw---- 1 root wazuh  34376 Apr 11 14:57 cis_sles11_linux_rcl.txt.save
-rw-rw---- 1 root wazuh  35081 Apr 11 14:57 cis_sles12_linux_rcl.txt.save
-rw-rw---- 1 root wazuh  94877 Apr 11 14:57 cis_win2012r2_domainL1_rcl.txt.save
-rw-rw---- 1 root wazuh  28006 Apr 11 14:57 cis_win2012r2_domainL2_rcl.txt.save
-rw-rw---- 1 root wazuh 100530 Apr 11 14:57 cis_win2012r2_memberL1_rcl.txt.save
-rw-rw---- 1 root wazuh 376002 Apr 11 14:57 cis_win2012r2_memberL2_rcl.txt.save
-rw-rw---- 1 root wazuh  16174 Apr 11 14:57 rootkit_files.txt.save
-rw-rw---- 1 root wazuh   5548 Apr 11 14:57 rootkit_trojans.txt.save
-rw-rw---- 1 root wazuh   4466 Apr 11 14:57 system_audit_rcl.txt.save
-rw-rw---- 1 root wazuh   3285 Apr 11 14:57 system_audit_ssh.txt.save
-rw-rw---- 1 root wazuh   5214 Apr 11 14:57 win_applications_rcl.txt.save
-rw-rw---- 1 root wazuh   4277 Apr 11 14:57 win_audit_rcl.txt.save
-rw-rw---- 1 root wazuh   7314 Apr 11 14:57 win_malware_rcl.txt.save

/var/ossec/queue:
total 20
drwxr-x--- 3 wazuh wazuh 4096 May 17 13:10 syscollector
drwxrwx--- 2 wazuh wazuh 4096 May 17 13:04 alerts
drwxrwx--- 2 wazuh wazuh 4096 May 17 13:04 sockets
drwxr-x--- 2 wazuh wazuh 4096 May 17 13:03 logcollector
drwxr-x--- 3 wazuh wazuh 4096 May 17 13:02 fim

/var/ossec/queue/syscollector:
total 4
drwxr-x--- 2 wazuh wazuh 4096 May 17 13:04 db

/var/ossec/queue/syscollector/db:
total 180
-rw-r--r-- 1 root root 184320 May 17 13:04 local.db

/var/ossec/queue/alerts:
total 0
srw-rw---- 1 root wazuh 0 May 17 13:04 cfgaq
srw-rw---- 1 root wazuh 0 May 17 13:04 execq

/var/ossec/queue/sockets:
total 0
srw-rw---- 1 root  wazuh 0 May 17 13:04 upgrade
srw-rw---- 1 root  wazuh 0 May 17 13:04 wmodules
srw-rw---- 1 root  wazuh 0 May 17 13:04 control
srw-rw---- 1 root  wazuh 0 May 17 13:04 logcollector
srw-rw---- 1 root  wazuh 0 May 17 13:04 syscheck
srw-rw---- 1 wazuh wazuh 0 May 17 13:04 queue
srw-rw---- 1 root  wazuh 0 May 17 13:04 com

/var/ossec/queue/logcollector:
total 4
-rw-r--r-- 1 root wazuh 599 May 17 13:10 file_status.json

/var/ossec/queue/fim:
total 4
drwxr-x--- 2 wazuh wazuh 4096 May 17 13:04 db

/var/ossec/queue/fim/db:
total 48
-rw-rw---- 1 root wazuh 45056 May 17 13:04 fim.db
root@wazuh1:/home/debian#
root@wazuh1:/home/debian#
root@wazuh1:/home/debian#
root@wazuh1:/home/debian#
root@wazuh1:/home/debian# apt-get remove --purge wazuh-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  wazuh-agent*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
(Reading database ... 38227 files and directories currently installed.)
Purging configuration files for wazuh-agent (4.4.2-1) ...
wazuh:x:107:111::/var/ossec:/bin/false
Processing triggers for systemd (232-25+deb9u12) ...
root@wazuh1:/home/debian# tree /var/ossec/
bash: tree: command not found
root@wazuh1:/home/debian# ls -ltR /var/ossec/
ls: cannot access '/var/ossec/': No such file or directory
root@wazuh1:/home/debian#
```

Upgrade

CentOS 7
```
[root@wazuh3 centos]# WAZUH_MANAGER="3.238.245.177" yum localinstall wazuh-agent-4.4.1-1.ppc64le.rpm -y
Complementos cargados:fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Examinando wazuh-agent-4.4.1-1.ppc64le.rpm: wazuh-agent-4.4.1-1.ppc64le
Marcando wazuh-agent-4.4.1-1.ppc64le.rpm para ser instalado
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-agent.ppc64le 0:4.4.1-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

================================================================================
 Package        Arquitectura   Versión     Repositorio                     Tamaño
================================================================================
Instalando:
 wazuh-agent    ppc64le        4.4.1-1     /wazuh-agent-4.4.1-1.ppc64le    30 M

Resumen de la transacción
================================================================================
Instalar  1 Paquete

Tamaño total: 30 M
Tamaño instalado: 30 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando  : wazuh-agent-4.4.1-1.ppc64le    1/1
  Comprobando : wazuh-agent-4.4.1-1.ppc64le    1/1

Instalado:
  wazuh-agent.ppc64le 0:4.4.1-1

¡Listo!
[root@wazuh3 centos]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@wazuh3 centos]# ps -ef | grep wazuh
root       304     1  0 13:03 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root       317     1  0 13:03 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root       335     1  4 13:03 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root       482 28971  0 13:03 pts/0    00:00:00 grep --color=auto wazuh
root     32721     1  0 13:03 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    32758     1  0 13:03 ?        00:00:00 /var/ossec/bin/wazuh-agentd
[root@wazuh3 centos]# yum localinstall wazuh-agent-4.4.2-1.ppc64le.rpm -y
Complementos cargados:fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
No es posible abrir: wazuh-agent-4.4.2-1.ppc64le.rpm. Ignorando.
Nada para hacer
[root@wazuh3 centos]#
[root@wazuh3 centos]#
[root@wazuh3 centos]#
[root@wazuh3 centos]# yum localinstall wazuh-agent-4.4.2-1.ppc64le.rpm -y
Complementos cargados:fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Examinando wazuh-agent-4.4.2-1.ppc64le.rpm: wazuh-agent-4.4.2-1.ppc64le
Marcando wazuh-agent-4.4.2-1.ppc64le.rpm como una actualización de wazuh-agent-4.4.1-1.ppc64le
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-agent.ppc64le 0:4.4.1-1 debe ser actualizado
---> Paquete wazuh-agent.ppc64le 0:4.4.2-1 debe ser una actualización
--> Resolución de dependencias finalizada

Dependencias resueltas

================================================================================
 Package        Arquitectura   Versión     Repositorio                     Tamaño
================================================================================
Actualizando:
 wazuh-agent    ppc64le        4.4.2-1     /wazuh-agent-4.4.2-1.ppc64le    30 M

Resumen de la transacción
================================================================================
Actualizar  1 Paquete

Tamaño total: 30 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Actualizando : wazuh-agent-4.4.2-1.ppc64le    1/2
  Limpieza     : wazuh-agent-4.4.1-1.ppc64le    2/2
  Comprobando  : wazuh-agent-4.4.2-1.ppc64le    1/2
  Comprobando  : wazuh-agent-4.4.1-1.ppc64le    2/2

Actualizado:
  wazuh-agent.ppc64le 0:4.4.2-1

¡Listo!
[root@wazuh3 centos]# ps -ef | grep wazuh
root      1034     1  0 13:05 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     1046     1  0 13:06 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      1060     1  0 13:06 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root      1072     1  0 13:06 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      1091     1  1 13:06 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      1491 28971  0 13:06 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh3 centos]#
```
Debian Bullseye
```
root@wazuh1:/home/debian# WAZUH_MANAGER="3.238.245.177" apt install ./wazuh-agent_4.4.1-1_ppc64el.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.4.1-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/5,281 kB of archives.
After this operation, 34.1 MB of additional disk space will be used.
Get:1 /home/debian/wazuh-agent_4.4.1-1_ppc64el.deb wazuh-agent ppc64el 4.4.1-1 [5,281 kB]
Preconfiguring packages ...
Selecting previously unselected package wazuh-agent.
(Reading database ... 38212 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.4.1-1_ppc64el.deb ...
Unpacking wazuh-agent (4.4.1-1) ...
Setting up wazuh-agent (4.4.1-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
root@wazuh1:/home/debian# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@wazuh1:/home/debian# ps -ef | grep wazuh
root     14887     1  0 13:03 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    14898     1  0 13:03 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root     14911     1  0 13:03 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root     14922     1  0 13:03 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root     14939     1  2 13:03 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     15345  6209  0 13:04 pts/1    00:00:00 grep wazuh
root@wazuh1:/home/debian# apt-get install ./wazuh-agent_4.4.2-1_ppc64el.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.4.2-1_ppc64el.deb'
The following packages will be upgraded:
  wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/5,295 kB of archives.
After this operation, 259 kB of additional disk space will be used.
Get:1 /home/debian/wazuh-agent_4.4.2-1_ppc64el.deb wazuh-agent ppc64el 4.4.2-1 [5,295 kB]
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 38583 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.4.2-1_ppc64el.deb ...
Unpacking wazuh-agent (4.4.2-1) over (4.4.1-1) ...
Setting up wazuh-agent (4.4.2-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
root@wazuh1:/home/debian# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.
root@wazuh1:/home/debian#
```

Findings

Same behaviour from the other test

Wazuh deb uninstall left non-config files #2195