wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.5.3 - RC 1 - E2E UX tests - Centralized configuration - Agent groups #19108

Closed havidarou closed 1 year ago

havidarou commented 1 year ago

End-to-End (E2E) Testing Guideline

For the conclusions and the issue testing and updates, use the following legend:

Status legend

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Installation assistant | Single node | RHEL 9 x86_64 |
| Server | Installation assistant | Multi node | RHEL 9 x86_64 |
| Dashboard | Installation assistant | - | RHEL 9 x86_64 |
| Agent | Wazuh WUI one-liner deploy using IP and GROUP (created beforehand, don't use default) | - | Windows Server 2012 R2 x86_64, RHEL 9 x86_64 |

Test description

Test the functionality of agent groups for centralized configuration:

Known issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below, removing current examples:

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🟡 | Using an invalid configuration in agent.conf | Error is shown and user is redirected to main page | Known issue: https://github.com/wazuh/wazuh-kibana-app/issues/5133 |
| 🟡 | Add 1G file to /var/ossec/etc/shared/agents/ from master | API starts to fail and timeout | Known issue: https://github.com/wazuh/wazuh/issues/18897 |
| 🟡 | Adding a compressed file to /var/ossec/etc/shared/agents/ from master | The file is recognized as invalid, but replicated to the workers | Known issue: https://github.com/wazuh/wazuh/issues/17204 |

Feedback

We value your feedback. Please provide insights on your testing experience.

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

Tostti commented 1 year ago

System information

Server 1 (Manager, Indexer, Dashboard)

CPU information

```console
[root@localhost ~]# lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         39 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  4
  On-line CPU(s) list:   0-3
Vendor ID:               GenuineIntel
  Model name:            12th Gen Intel(R) Core(TM) i7-12700
    CPU family:          6
    Model:               151
    Thread(s) per core:  1
    Core(s) per socket:  4
    Socket(s):           1
    Stepping:            2
    BogoMIPS:            4224.01
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 movbe popcnt aes rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ibrs_enhanced fsgsbase bmi1 bmi2 invpcid rdseed clflushopt md_clear flush_l1d arch_capabilities
Virtualization features:
  Hypervisor vendor:     KVM
  Virtualization type:   full
Caches (sum of all):
  L1d:                   192 KiB (4 instances)
  L1i:                   128 KiB (4 instances)
  L2:                    5 MiB (4 instances)
  L3:                    100 MiB (4 instances)
NUMA:
  NUMA node(s):          1
  NUMA node0 CPU(s):     0-3
Vulnerabilities:
  Itlb multihit:         Not affected
  L1tf:                  Not affected
  Mds:                   Not affected
  Meltdown:              Not affected
  Mmio stale data:       Not affected
  Retbleed:              Mitigation; Enhanced IBRS
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Enhanced IBRS, RSB filling, PBRSB-eIBRS SW sequence
  Srbds:                 Not affected
  Tsx async abort:       Not affected
```

OS information

```console
[root@localhost ~]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
```

Memory information

```console
[root@localhost ~]# free -h
               total        used        free      shared  buff/cache   available
Mem:           7.5Gi       425Mi       7.1Gi       8.0Mi       260Mi       7.1Gi
Swap:          4.0Gi          0B       4.0Gi
```

Storage information

```console
[root@localhost ~]# df --total -h
Filesystem             Size  Used Avail Use% Mounted on
devtmpfs               4.0M     0  4.0M   0% /dev
tmpfs                  3.8G     0  3.8G   0% /dev/shm
tmpfs                  1.5G  8.6M  1.5G   1% /run
/dev/mapper/rhel-root   35G  1.4G   34G   4% /
/dev/sda1             1014M  221M  794M  22% /boot
tmpfs                  768M     0  768M   0% /run/user/0
total                   42G  1.7G   41G   4% -
```

Server 2 (Manager)

CPU information

```console
[root@server2 ~]# lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         39 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  4
  On-line CPU(s) list:   0-3
Vendor ID:               GenuineIntel
  Model name:            12th Gen Intel(R) Core(TM) i7-12700
    CPU family:          6
    Model:               151
    Thread(s) per core:  1
    Core(s) per socket:  4
    Socket(s):           1
    Stepping:            2
    BogoMIPS:            4224.01
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 movbe popcnt aes rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ibrs_enhanced fsgsbase bmi1 bmi2 invpcid rdseed clflushopt md_clear flush_l1d arch_capabilities
Virtualization features:
  Hypervisor vendor:     KVM
  Virtualization type:   full
Caches (sum of all):
  L1d:                   192 KiB (4 instances)
  L1i:                   128 KiB (4 instances)
  L2:                    5 MiB (4 instances)
  L3:                    100 MiB (4 instances)
NUMA:
  NUMA node(s):          1
  NUMA node0 CPU(s):     0-3
Vulnerabilities:
  Itlb multihit:         Not affected
  L1tf:                  Not affected
  Mds:                   Not affected
  Meltdown:              Not affected
  Mmio stale data:       Not affected
  Retbleed:              Mitigation; Enhanced IBRS
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Enhanced IBRS, RSB filling, PBRSB-eIBRS SW sequence
  Srbds:                 Not affected
  Tsx async abort:       Not affected
```

OS information

```console
[root@server2 ~]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
```

Memory information

```console
[root@server2 ~]# free -h
               total        used        free      shared  buff/cache   available
Mem:           7.5Gi       428Mi       7.1Gi       8.0Mi       207Mi       7.1Gi
Swap:          4.0Gi          0B       4.0Gi
```

Storage information

```console
[root@server2 ~]# df --total -h
Filesystem             Size  Used Avail Use% Mounted on
devtmpfs               4.0M     0  4.0M   0% /dev
tmpfs                  3.8G     0  3.8G   0% /dev/shm
tmpfs                  1.5G  8.6M  1.5G   1% /run
/dev/mapper/rhel-root   36G  1.4G   35G   4% /
/dev/sda1             1014M  221M  794M  22% /boot
tmpfs                  768M     0  768M   0% /run/user/0
total                   43G  1.6G   41G   4% -
```

Agent RHEL

CPU information

```console
[root@localhost ~]# lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         39 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  4
  On-line CPU(s) list:   0-3
Vendor ID:               GenuineIntel
  Model name:            12th Gen Intel(R) Core(TM) i7-12700
    CPU family:          6
    Model:               151
    Thread(s) per core:  1
    Core(s) per socket:  4
    Socket(s):           1
    Stepping:            2
    BogoMIPS:            4224.01
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 movbe popcnt aes rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ibrs_enhanced fsgsbase bmi1 bmi2 invpcid rdseed clflushopt md_clear flush_l1d arch_capabilities
Virtualization features:
  Hypervisor vendor:     KVM
  Virtualization type:   full
Caches (sum of all):
  L1d:                   192 KiB (4 instances)
  L1i:                   128 KiB (4 instances)
  L2:                    5 MiB (4 instances)
  L3:                    100 MiB (4 instances)
NUMA:
  NUMA node(s):          1
  NUMA node0 CPU(s):     0-3
Vulnerabilities:
  Itlb multihit:         Not affected
  L1tf:                  Not affected
  Mds:                   Not affected
  Meltdown:              Not affected
  Mmio stale data:       Not affected
  Retbleed:              Mitigation; Enhanced IBRS
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Enhanced IBRS, RSB filling, PBRSB-eIBRS SW sequence
  Srbds:                 Not affected
  Tsx async abort:       Not affected
```

OS information

```console
[root@agent01 ~]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
```

Memory information

```console
[root@agent01 ~]# free -h
               total        used        free      shared  buff/cache   available
Mem:           1.7Gi       317Mi       1.4Gi       6.0Mi       202Mi       1.4Gi
Swap:          2.0Gi          0B       2.0Gi
```

Storage information

```console
[root@agent01 ~]# df --total -h
Filesystem             Size  Used Avail Use% Mounted on
devtmpfs               4.0M     0  4.0M   0% /dev
tmpfs                  883M     0  883M   0% /dev/shm
tmpfs                  354M  6.4M  347M   2% /run
/dev/mapper/rhel-root   17G  1.2G   16G   7% /
/dev/sda1             1014M  221M  794M  22% /boot
tmpfs                  177M     0  177M   0% /run/user/0
total                   20G  1.5G   18G   8% -
```

Windows Agent

System information ![image](https://github.com/wazuh/wazuh/assets/42900763/3744db91-adbc-4e8a-8b97-df5ac08f2575)
Tostti commented 1 year ago

Installing the server's components

Generate configuration files

```console
[root@localhost ~]# curl -sO https://packages-dev.wazuh.com/4.5/config.yml
[root@localhost ~]# curl -sO https://packages-dev.wazuh.com/4.5/wazuh-install.sh
[root@localhost ~]# nano config.yml
[root@localhost ~]# cat config.yml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: 192.168.0.25
    #- name: node-2
    #  ip:
    #- name: node-3
    #  ip:

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: 192.168.0.25
      node_type: master
    - name: wazuh-2
      ip: 192.168.0.70
      node_type: worker
    #- name: wazuh-3
    #  ip:
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: 192.168.0.25
[root@localhost ~]# bash wazuh-install.sh --generate-config-files
22/09/2023 15:42:49 INFO: Starting Wazuh installation assistant. Wazuh version: 4.5.3
22/09/2023 15:42:49 INFO: Verbose logging redirected to /var/log/wazuh-install.log
22/09/2023 15:43:14 INFO: --- Configuration files ---
22/09/2023 15:43:14 INFO: Generating configuration files.
22/09/2023 15:43:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
[root@localhost ~]# scp wazuh-install* root@192.168.0.70:/root
root@192.168.0.70's password:
wazuh-install-files.tar                       100%   13KB   1.3MB/s   00:00
wazuh-install.sh                              100%  154KB   8.2MB/s   00:00
```
Install Wazuh Indexer

```console
[root@localhost ~]# bash wazuh-install.sh --wazuh-indexer node-1
22/09/2023 15:44:53 INFO: Starting Wazuh installation assistant. Wazuh version: 4.5.3
22/09/2023 15:44:53 INFO: Verbose logging redirected to /var/log/wazuh-install.log
22/09/2023 15:45:24 INFO: Wazuh development repository added.
22/09/2023 15:45:24 INFO: --- Wazuh indexer ---
22/09/2023 15:45:24 INFO: Starting Wazuh indexer installation.
22/09/2023 15:47:55 INFO: Wazuh indexer installation finished.
22/09/2023 15:47:56 INFO: Wazuh indexer post-install configuration finished.
22/09/2023 15:47:56 INFO: Starting service wazuh-indexer.
22/09/2023 15:48:24 INFO: wazuh-indexer service started.
22/09/2023 15:48:24 INFO: Initializing Wazuh indexer cluster security settings.
22/09/2023 15:48:33 INFO: Wazuh indexer cluster initialized.
22/09/2023 15:48:33 INFO: Installation finished.
[root@localhost ~]# bash wazuh-install.sh --start-cluster
22/09/2023 15:49:10 INFO: Starting Wazuh installation assistant. Wazuh version: 4.5.3
22/09/2023 15:49:10 INFO: Verbose logging redirected to /var/log/wazuh-install.log
22/09/2023 15:49:53 INFO: Wazuh indexer cluster security configuration initialized.
22/09/2023 15:50:20 INFO: Wazuh indexer cluster started.
[root@localhost ~]# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
  indexer_username: 'admin'
  indexer_password: 'f+Qh+*DCVXxDv8mRPii5HR0UkDda6+kp'
[root@localhost ~]# curl -k -u admin:f+Qh+*DCVXxDv8mRPii5HR0UkDda6+kp https://192.168.0.25:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "L_1p6ZtiTt2Yb6FjOYd64A",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "7203a5af21a8a009aece1474446b437a3c674db6",
    "build_date" : "2023-02-24T18:57:04.388618985Z",
    "build_snapshot" : false,
    "lucene_version" : "9.5.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
```
Install Wazuh Server Master

```console
[root@localhost ~]# bash wazuh-install.sh --wazuh-server wazuh-1
22/09/2023 15:52:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.5.3
22/09/2023 15:52:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log
22/09/2023 15:52:44 INFO: Wazuh development repository added.
22/09/2023 15:52:44 INFO: --- Wazuh server ---
22/09/2023 15:52:44 INFO: Starting the Wazuh manager installation.
22/09/2023 15:53:58 INFO: Wazuh manager installation finished.
22/09/2023 15:53:58 INFO: Starting service wazuh-manager.
22/09/2023 15:54:21 INFO: wazuh-manager service started.
22/09/2023 15:54:21 INFO: Starting Filebeat installation.
22/09/2023 15:54:40 INFO: Filebeat installation finished.
22/09/2023 15:54:42 INFO: Filebeat post-install configuration finished.
22/09/2023 15:54:55 INFO: Starting service filebeat.
22/09/2023 15:54:56 INFO: filebeat service started.
22/09/2023 15:54:56 INFO: Installation finished.
```
Install Wazuh Server Worker

```console
[root@server2 ~]# bash wazuh-install.sh --wazuh-server wazuh-2
22/09/2023 15:48:55 INFO: Starting Wazuh installation assistant. Wazuh version: 4.5.3
22/09/2023 15:48:55 INFO: Verbose logging redirected to /var/log/wazuh-install.log
22/09/2023 15:49:21 INFO: --- Dependencies ---
22/09/2023 15:49:21 INFO: Installing lsof.
22/09/2023 15:49:32 INFO: Wazuh development repository added.
22/09/2023 15:49:32 INFO: --- Wazuh server ---
22/09/2023 15:49:32 INFO: Starting the Wazuh manager installation.
22/09/2023 15:51:15 INFO: Wazuh manager installation finished.
22/09/2023 15:51:15 INFO: Starting service wazuh-manager.
22/09/2023 15:51:34 INFO: wazuh-manager service started.
22/09/2023 15:51:34 INFO: Starting Filebeat installation.
22/09/2023 15:51:55 INFO: Filebeat installation finished.
22/09/2023 15:51:57 INFO: Filebeat post-install configuration finished.
22/09/2023 15:52:10 INFO: Starting service filebeat.
22/09/2023 15:52:11 INFO: filebeat service started.
22/09/2023 15:52:11 INFO: Installation finished.
```
Verify that the cluster is working

```console
[root@localhost ~]# /var/ossec/bin/cluster_control -l
NAME     TYPE    VERSION  ADDRESS
wazuh-1  master  4.5.3    192.168.0.25
wazuh-2  worker  4.5.3    192.168.0.70
```
Install Wazuh Dashboard

```console
[root@localhost ~]# bash wazuh-install.sh --wazuh-dashboard dashboard
22/09/2023 15:57:33 INFO: Starting Wazuh installation assistant. Wazuh version: 4.5.3
22/09/2023 15:57:33 INFO: Verbose logging redirected to /var/log/wazuh-install.log
22/09/2023 15:57:59 INFO: Wazuh web interface port will be 443.
22/09/2023 15:58:07 INFO: Wazuh development repository added.
dashboard
22/09/2023 15:58:08 INFO: --- Wazuh dashboard ----
22/09/2023 15:58:08 INFO: Starting Wazuh dashboard installation.
22/09/2023 16:00:26 INFO: Wazuh dashboard installation finished.
22/09/2023 16:00:26 INFO: Wazuh dashboard post-install configuration finished.
22/09/2023 16:00:26 INFO: Starting service wazuh-dashboard.
22/09/2023 16:00:26 INFO: wazuh-dashboard service started.
22/09/2023 16:00:53 INFO: Initializing Wazuh dashboard web application.
22/09/2023 16:00:53 INFO: Wazuh dashboard web application initialized.
22/09/2023 16:00:54 INFO: --- Summary ---
22/09/2023 16:00:54 INFO: You can access the web interface https://192.168.0.25:443
    User: admin
    Password: f+Qh+*DCVXxDv8mRPii5HR0UkDda6+kp
22/09/2023 16:00:54 INFO: Installation finished.
```
Tostti commented 1 year ago

Installing the agents

RHEL agent

```console
[root@agent01 ~]# sudo WAZUH_MANAGER='192.168.0.70' WAZUH_AGENT_GROUP='commongroup,testRHEL' WAZUH_AGENT_NAME='agentRHEL' yum install -y https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.5.3-1.x86_64.rpm
Updating Subscription Management repositories.
Last metadata expiration check: 0:01:13 ago on Fri 22 Sep 2023 05:22:28 PM -03.
wazuh-agent-4.5.3-1.x86_64.rpm                                  2.9 MB/s | 8.7 MB     00:02
Dependencies resolved.
================================================================================================
 Package                Architecture        Version               Repository              Size
================================================================================================
Installing:
 wazuh-agent            x86_64              4.5.3-1               @commandline           8.7 M

Transaction Summary
================================================================================================
Install  1 Package

Total size: 8.7 M
Installed size: 25 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                        1/1
  Running scriptlet: wazuh-agent-4.5.3-1.x86_64                                             1/1
  Installing       : wazuh-agent-4.5.3-1.x86_64                                             1/1
  Running scriptlet: wazuh-agent-4.5.3-1.x86_64                                             1/1
  Verifying        : wazuh-agent-4.5.3-1.x86_64                                             1/1
Installed products updated.

Installed:
  wazuh-agent-4.5.3-1.x86_64

Complete!
[root@agent01 ~]# sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /usr/lib/systemd/system/wazuh-agent.service.
[root@agent01 ~]# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; preset: disabled)
     Active: active (running) since Fri 2023-09-22 17:24:39 -03; 5s ago
    Process: 5484 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 28 (limit: 11036)
     Memory: 38.1M
        CPU: 4.533s
     CGroup: /system.slice/wazuh-agent.service
             ├─5511 /var/ossec/bin/wazuh-execd
             ├─5523 /var/ossec/bin/wazuh-agentd
             ├─5538 /var/ossec/bin/wazuh-syscheckd
             ├─5550 /var/ossec/bin/wazuh-logcollector
             └─5565 /var/ossec/bin/wazuh-modulesd

Sep 22 17:24:33 agent01 systemd[1]: Starting Wazuh agent...
Sep 22 17:24:33 agent01 env[5484]: Starting Wazuh v4.5.3...
Sep 22 17:24:34 agent01 env[5484]: Started wazuh-execd...
Sep 22 17:24:35 agent01 env[5484]: Started wazuh-agentd...
Sep 22 17:24:36 agent01 env[5484]: Started wazuh-syscheckd...
Sep 22 17:24:36 agent01 env[5484]: Started wazuh-logcollector...
Sep 22 17:24:37 agent01 env[5484]: Started wazuh-modulesd...
Sep 22 17:24:39 agent01 env[5484]: Completed.
Sep 22 17:24:39 agent01 systemd[1]: Started Wazuh agent.
```
Windows agent

```console
PS C:\Users\Administrator> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.5.3-1.msi -OutFile ${env:tmp}\wazuh-agent.msi; msiexec.exe /i ${env:tmp}\wazuh-agent.msi /q WAZUH_MANAGER='192.168.0.25' WAZUH_REGISTRATION_SERVER='192.168.0.25' WAZUH_AGENT_GROUP='commongroup,testWindows' WAZUH_AGENT_NAME='agentWindows'
PS C:\Users\Administrator> NET START Wazuh
The Wazuh service is starting.
The Wazuh service was started successfully.
```


Tostti commented 1 year ago

Tests

:green_circle: Add a new group ![image](https://github.com/wazuh/wazuh/assets/42900763/c1124806-7727-4b8c-82c6-a904e6801f0a)
:green_circle: Add agents to a group ![image](https://github.com/wazuh/wazuh/assets/42900763/9b897106-5b86-442a-9553-6e1fadb95041)
:green_circle: Remove agents from a group ![image](https://github.com/wazuh/wazuh/assets/42900763/10406860-a8c4-4b8e-b223-2f9f1af92606)
:green_circle: Apply a configuration to a group with several agents

```xml
<agent_config>
  <localfile>
    <location>/var/log/my.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
```

After applying the configuration, both agents automatically restarted and modified their `agent.conf` with the configuration.
:green_circle: Apply a configuration to a group with only one agent

```xml
<agent_config>
  <localfile>
    <location>/var/log/test2.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
```

After applying the configuration, only the correct agent restarted and modified its `agent.conf`.
:green_circle: Apply configurations based on the OS

Applied the following configuration to a group with multiple agents:

```xml
<agent_config os="Windows">
  <localfile>
    <location>/var/log/windows.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

<agent_config os="Linux">
  <localfile>
    <location>/var/log/linux.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
```

After applying the configuration, both agents automatically restarted and modified their `agent.conf` with the configuration. The Windows agent only searched for `windows.log` and the Linux agent only searched for `linux.log`.
:green_circle: Apply configurations based on the agent name

Applied the following configuration to a group with multiple agents:

```xml
<agent_config name="agentWindows">
  <localfile>
    <location>/var/log/agentwindows.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

<agent_config name="agentRHEL">
  <localfile>
    <location>/var/log/agentrhel.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
```

After applying the configuration, both agents automatically restarted and modified their `agent.conf` with the configuration. The Windows agent only searched for `agentwindows.log` and the RHEL agent only searched for `agentrhel.log`.
:green_circle: Apply configurations based on the agent profile

Applied the following configuration to a group with multiple agents (one `<agent_config profile="...">` block per profile; the profile names used are not recorded here):

```xml
<localfile>
  <location>/var/log/profilewindows.log</location>
  <log_format>syslog</log_format>
</localfile>

<localfile>
  <location>/var/log/profilerhel.log</location>
  <log_format>syslog</log_format>
</localfile>
```

After applying the configuration, both agents automatically restarted and modified their `agent.conf` with the configuration. The Windows agent only searched for `profilewindows.log` and the RHEL agent only searched for `profilerhel.log`.
:yellow_circle: Using an invalid configuration Known issue: https://github.com/wazuh/wazuh-kibana-app/issues/5133 Will be fixed for 4.6.0 ![image](https://github.com/wazuh/wazuh/assets/42900763/9b897106-5b86-442a-9553-6e1fadb95041)
🟢 Add 100M text file to `/var/ossec/etc/shared/agents/` from master

```console
[root@localhost commongroup]# pwd
/var/ossec/etc/shared/commongroup
[root@localhost commongroup]# yes this is a 100M text file | head -c 100M > 100Mfile.txt
[root@localhost commongroup]# chown wazuh:wazuh 100Mfile.txt
[root@localhost commongroup]# chmod 660 100Mfile.txt
[root@localhost commongroup]# ls -la
total 233412
drwx------. 2 wazuh wazuh        61 Sep 23 12:15 .
drwxrwx---. 7 root  wazuh       133 Sep 23 12:05 ..
-rw-rw----. 1 wazuh wazuh 104857600 Sep 23 12:15 100Mfile.txt
-rw-rw----. 1 wazuh wazuh       361 Sep 23 11:57 agent.conf
-rw-rw----. 1 wazuh wazuh 104858255 Sep 23 12:15 merged.mg
```

![image](https://github.com/wazuh/wazuh/assets/42900763/eceb0fbd-9a31-4b9e-a3c1-c69732265e9d)

### Worker's `/var/ossec/etc/shared/agents/` contents

```console
[root@server2 ~]# ls -la /var/ossec/etc/shared/commongroup/
total 204808
drwxrwx---. 2 wazuh wazuh        61 Sep 23 12:15 .
drwxrwx---. 7 root  wazuh       133 Sep 23 12:05 ..
-rw-rw----. 1 wazuh wazuh 104857600 Sep 23 12:15 100Mfile.txt
-rw-rw----. 1 wazuh wazuh       361 Sep 23 11:58 agent.conf
-rw-rw----. 1 wazuh wazuh 104858255 Sep 23 12:15 merged.mg
```

### Linux agent `/var/ossec/etc/shared/` contents

```console
[root@agent01 ~]# ls -la /var/ossec/etc/shared/
total 204812
drwxrwx---. 2 root  wazuh        76 Sep 23 12:16 .
drwxrwx---. 3 wazuh wazuh       158 Sep 23 11:39 ..
-rw-r--r--. 1 wazuh wazuh 104857600 Sep 23 12:16 100Mfile.txt
-rw-r--r--. 1 wazuh wazuh       600 Sep 23 12:16 agent.conf
-rw-r--r--. 1 wazuh wazuh       228 Sep 23 12:16 ar.conf
-rw-r--r--. 1 wazuh wazuh 104858491 Sep 23 12:16 merged.mg
```

### Windows agent `C:\Program Files (x86)\ossec-agent\shared\` contents

![image](https://github.com/wazuh/wazuh/assets/42900763/acdd0e72-0e73-4ff2-812a-5fb7cc10b53a)
🟢 Add 100M text file to `/var/ossec/etc/shared/linux/` from worker

```console
[root@server2 commongroup]# yes this is a 100M text file | head -c 100M > 100Mfileworker.txt && ls -lah
total 301M
drwxrwx---. 2 wazuh wazuh   87 Sep 23 12:21 .
drwxrwx---. 7 root  wazuh  133 Sep 23 12:05 ..
-rw-rw----. 1 wazuh wazuh 100M Sep 23 12:15 100Mfile.txt
-rw-r--r--. 1 root  root  100M Sep 23 12:21 100Mfileworker.txt
-rw-rw----. 1 wazuh wazuh  361 Sep 23 11:58 agent.conf
-rw-rw----. 1 wazuh wazuh 101M Sep 23 12:15 merged.mg
[root@server2 commongroup]# ls -lah
total 201M
drwxrwx---. 2 wazuh wazuh   61 Sep 23 12:21 .
drwxrwx---. 7 root  wazuh  133 Sep 23 12:05 ..
-rw-rw----. 1 wazuh wazuh 100M Sep 23 12:15 100Mfile.txt
-rw-rw----. 1 wazuh wazuh  361 Sep 23 11:58 agent.conf
-rw-rw----. 1 wazuh wazuh 101M Sep 23 12:15 merged.mg
```

ℹ️ File is deleted immediately.
:yellow_circle: Add 1G file to `/var/ossec/etc/shared/agents/` from master

Known issue: https://github.com/wazuh/wazuh/issues/18897

### Create file

```console
[root@localhost commongroup]# yes this is a 1G text file | head -c 1G > 1Gfile.txt
[root@localhost commongroup]# chown wazuh: 1Gfile.txt && chmod 660 1Gfile.txt
[root@localhost commongroup]# ls -lah
total 1.7G
drwx------. 2 wazuh wazuh  100 Sep 23 12:59 .
drwxrwx---. 7 root  wazuh  133 Sep 23 12:05 ..
-rw-rw----. 1 wazuh wazuh 100M Sep 23 12:15 100Mfile.txt
-rw-rw----. 1 wazuh wazuh 1.0G Sep 23 12:59 1Gfile.txt
-rw-rw----. 1 wazuh wazuh  361 Sep 23 11:57 agent.conf
-rw-rw----. 1 wazuh wazuh 101M Sep 23 12:15 merged.mg
-rw-rw----. 1 wazuh wazuh 371M Sep 23 12:59 merged.mg.tmp
```

- Worker's contents

```console
[root@server2 commongroup]# ls -lah
total 1.2G
drwxrwx---. 2 wazuh wazuh   79 Sep 23 13:00 .
drwxrwx---. 7 root  wazuh  133 Sep 23 12:05 ..
-rw-rw----. 1 wazuh wazuh 100M Sep 23 12:15 100Mfile.txt
-rw-rw----. 1 wazuh wazuh 1.0G Sep 23 13:00 1Gfile.txt
-rw-rw----. 1 wazuh wazuh  361 Sep 23 11:58 agent.conf
-rw-rw----. 1 wazuh wazuh 101M Sep 23 12:15 merged.mg
```

- Logs

```console
[root@localhost commongroup]# tail /var/ossec/logs/cluster.log
2023/09/23 13:01:42 WARNING: [Local Server] [Main] File too large to be synced: /var/ossec/etc/shared/commongroup/merged.mg
```

### WUI

In the interface, a delay is detected when trying to load the group data; in some cases it throws timeout errors with the API, and after a while it loads.
:yellow_circle: Adding a compressed file to `/var/ossec/etc/shared/agents/` from master

Known issue: https://github.com/wazuh/wazuh/issues/17204

### Create file

```console
[root@localhost commongroup]# tar cjvf 100Mfile.tar.bz2 100Mfile.txt && chmod 660 100Mfile.tar.bz2 && chown wazuh:wazuh 100Mfile.tar.bz2
100Mfile.txt
[root@localhost commongroup]# ls -lah
total 228M
drwx------. 2 wazuh wazuh   85 Sep 23 15:59 .
drwxrwx---. 7 root  wazuh  133 Sep 23 13:41 ..
-rw-rw----. 1 wazuh wazuh  15K Sep 23 15:59 100Mfile.tar.bz2
-rw-rw----. 1 wazuh wazuh 100M Sep 23 15:44 100Mfile.txt
-rw-rw----. 1 wazuh wazuh   76 Sep 21 17:45 agent.conf
-rw-rw----. 1 wazuh wazuh 101M Sep 23 15:59 merged.mg
```

- Worker's contents

```console
[root@server2 commongroup]# ls -lah
total 201M
drwxrwx---. 2 wazuh wazuh   85 Sep 23 16:00 .
drwxrwx---. 7 root  wazuh  133 Sep 23 13:41 ..
-rw-rw----. 1 wazuh wazuh  15K Sep 23 16:00 100Mfile.tar.bz2
-rw-rw----. 1 wazuh wazuh 100M Sep 23 15:44 100Mfile.txt
-rw-rw----. 1 wazuh wazuh   76 Sep 23 13:39 agent.conf
-rw-rw----. 1 wazuh wazuh 101M Sep 23 15:59 merged.mg
```

- Logs

```console
2023/09/23 15:59:37 wazuh-remoted: ERROR: Invalid shared file 'etc/shared/commongroup/100Mfile.tar.bz2' in group 'commongroup'. Ignoring it.
```

ℹ️ Compressed file is recognized as invalid and ignored, but synced to the worker anyway.

### Linux agent 1's shared directory

```console
[root@redhat-9-agent ~]# ls -lah /var/ossec/etc/shared/
total 2.2G
drwxrwx---. 2 root  wazuh 4.0K Sep  7 19:01 .
drwxrwx---. 3 wazuh wazuh 4.0K Sep  7 15:21 ..
-rw-------. 1 wazuh wazuh 100M Sep  7 19:00 100Mfile.txt
-rw-------. 1 wazuh wazuh 1.0G Sep  7 19:01 1Gfile.txt
-rw-------. 1 wazuh wazuh 1.3K Sep  7 19:01 agent.conf
-rw-------. 1 wazuh wazuh  228 Sep  7 19:00 ar.conf
-rw-r--r--. 1 wazuh wazuh 1.1G Sep  7 19:00 merged.mg
```

### WUI

![Screenshot_20230907_161809](https://github.com/wazuh/wazuh/assets/64099752/2e4f8cdb-bf98-4bb0-bd6e-ae6ef8447b18)

File appears in 'Management->Groups->agents->Files' in the WUI.
⚠️ Results are the same as with single node cluster. Since the file is invalid and is not going to be synced to the group's agents, maybe it should not appear in this interface.
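The two yellow results above (the 1G file that the cluster refuses to sync and the compressed file that `wazuh-remoted` rejects but still replicates to the worker) are both cases an operator can catch before placing a file in a group directory. The script below is an added example for this page, not Wazuh project code: it flags archive extensions, non-printable content, oversized files and unexpected ownership, and then lists any file in the group directory that has no record in `merged.mg`, which is what agents would never receive. The 100 MiB threshold, the `wazuh:wazuh` ownership expectation and the `!<size> <name>` record layout assumed for `merged.mg` are assumptions of the example, not values taken from the report.

```sh
#!/bin/sh
# Added example (not Wazuh's own code): pre-flight checks for a group's shared
# directory before wazuh-remoted merges its files into merged.mg.
# Assumed thresholds and names (mine, not from the test report):
#   MAX_BYTES     size above which a file is reported (default 100 MiB)
#   SHARED_OWNER  expected owner of shared files (default wazuh)
#   SHARED_GROUP  expected group of shared files (default: same as owner)
MAX_BYTES=${MAX_BYTES:-104857600}
SHARED_OWNER=${SHARED_OWNER:-wazuh}
SHARED_GROUP=${SHARED_GROUP:-$SHARED_OWNER}

# shared_file_problems FILE: print one line per problem, return 1 if any found.
shared_file_problems() {
  f=$1
  rc=0
  case "$f" in
    *.gz|*.bz2|*.xz|*.zip|*.tar|*.tgz|*.7z)
      echo "$f: compressed archive (remoted logged such a file as invalid)"
      rc=1 ;;
  esac
  if [ ! -f "$f" ]; then
    echo "$f: not a regular file"
    return 1
  fi
  size=$(wc -c < "$f" | tr -d ' ')
  if [ "$size" -gt "$MAX_BYTES" ]; then
    echo "$f: $size bytes exceeds $MAX_BYTES (cluster sync of merged.mg may fail)"
    rc=1
  fi
  # agent.conf and the shared text files are plain text; any other byte is suspect.
  if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
    echo "$f: contains non-printable bytes"
    rc=1
  fi
  if [ -z "$(find "$f" -user "$SHARED_OWNER" -group "$SHARED_GROUP" -print 2>/dev/null)" ]; then
    echo "$f: not owned by $SHARED_OWNER:$SHARED_GROUP"
    rc=1
  fi
  return $rc
}

# merged_entries MERGED_MG: print "<size> <name>" for each member record.
# Assumes the layout where every member starts with a "!<size> <name>" line
# followed by its contents (the first line of the file names the group).
merged_entries() {
  awk '/^!/ { sub(/^!/, ""); print }' "$1"
}

# missing_from_merged GROUP_DIR: list regular files in the directory that have
# no record in GROUP_DIR/merged.mg, i.e. files the agents will never receive.
missing_from_merged() {
  dir=$1
  merged="$dir/merged.mg"
  [ -f "$merged" ] || { echo "$merged: missing"; return 1; }
  rc=0
  for p in "$dir"/*; do
    [ -f "$p" ] || continue
    name=${p##*/}
    case "$name" in merged.mg|merged.mg.tmp) continue ;; esac
    if ! merged_entries "$merged" | awk -v n="$name" '$2 == n { found=1 } END { exit !found }'; then
      echo "$name"
      rc=1
    fi
  done
  return $rc
}

# check_group_dir GROUP_DIR: run both checks over every file in the directory.
check_group_dir() {
  dir=$1
  rc=0
  for p in "$dir"/*; do
    [ -f "$p" ] || continue
    case "${p##*/}" in merged.mg|merged.mg.tmp) continue ;; esac
    shared_file_problems "$p" || rc=1
  done
  missing_from_merged "$dir" || rc=1
  return $rc
}

# Usage: sh check_shared.sh /var/ossec/etc/shared/commongroup
if [ -n "${1:-}" ]; then
  check_group_dir "$1"
fi
```

Run it on the master after dropping files into a group directory and before expecting the worker or the agents to pick them up; a non-zero exit means at least one file would either be ignored by `wazuh-remoted` or risk the "File too large to be synced" warning seen in the cluster log above.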
juliamagan commented 1 year ago

LGTM