Release 4.8.0 - Alpha 1 - Specific systems

Packages tests metrics information


Main release stage issue	#20667
Main packages metrics issue	#20673
Version	4.8.0
Release stage	Alpha 1
Tag	https://github.com/wazuh/wazuh/tree/v4.8.0-alpha1

Build packages

System	Status	Build
AIX	:green_circle:	https://ci.wazuh.info/job/Packages_builder_special/878/
HPUX	:green_circle:	https://ci.wazuh.info/job/Packages_builder_special/879/
S10 SPARC	:green_circle:	https://ci.wazuh.info/job/Packages_builder_special/880/
S11 SPARC	:green_circle:	https://ci.wazuh.info/job/Packages_builder_special/881/
OVA	:green_circle:	https://ci.wazuh.info/job/Packages_builder_OVA/307/
AMI	:green_circle:	https://ci.wazuh.info/job/Packages_builder_ami/188/

Test packages

System	Build	Install	Deployment install	Upgrade	Remove	TCP	UDP	Errors found	Warnings found	Alerts found	Check users
AIX	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:
HPUX	:green_circle:	:green_circle:	---	---	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:
S10 SPARC	:green_circle:	:green_circle:	---	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:
S11 SPARC	:green_circle:	:green_circle:	---	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:
OVA	:green_circle:	:green_circle:	---	---	---	:green_circle:	:green_circle:	:yellow_circle:	:yellow_circle:	:yellow_circle:	:green_circle:
AMI	:green_circle:	:green_circle:	---	---	---	:green_circle:	:green_circle:	:yellow_circle:	:yellow_circle:	:yellow_circle:	:green_circle:

PPC64EL packages

System	Build	Install	Deployment install	Upgrade	Uninstall	Alerts	TCP	UDP	Errors	Warnings	System users
CentOS 7	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:
Debian Stretch	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:

OVA/AMI specific tests

System	Filebeat test	Cluster green/yellow	Production repositories	UI Access	No SSH root access	SSH user access	Wazuh dashboard/APP version	Dashboard/Indexer VERSION file
OVA	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:red_circle:
AMI	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:green_circle:	:red_circle:

Status legend: :black_circle: - Pending/In progress :white_circle: - Skipped :red_circle: - Rejected :yellow_circle: - Ready to review :green_circle: - Approved

Testing considerations

Testing on PPC64EL systems must be done inside a container.
- The container must be requested to CICD team using an internal-devel-request, with access through authorized keys and a specific password.
When testing on PPC64EL Debian, installing procps may be required if it is not present in the container.

Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.

[ ] @davidjiglesias

Conclusion :red_circle:

Known issue

New issue

https://github.com/wazuh/wazuh-indexer/issues/79

Analysis report - OVA :red_circle:

New issues:

https://github.com/wazuh/wazuh-indexer/issues/79

OVA - Check system :green_circle:

```shell NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" SUPPORT_END="2025-06-30" ```

OVA - Check Wazuh agent connection :green_circle:

- Check Logs - Agent TCP connection ```logs [root@centos1 vagrant]# grep "tcp" /var/ossec/etc/ossec.conf tcp [root@centos1 vagrant]# [root@centos1 vagrant]# grep "tcp" /var/ossec/logs/ossec.log 2023/12/12 11:37:56 wazuh-agentd: INFO: Trying to connect to server ([192.168.1.45]:1514/tcp). 2023/12/12 11:37:56 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.45]:1514/tcp). 2023/12/12 11:38:02 wazuh-agentd: INFO: Trying to connect to server ([192.168.1.45]:1514/tcp). 2023/12/12 11:38:02 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.45]:1514/tcp). [root@centos1 vagrant]# ``` - Check alerts ```json {"timestamp":"2023-12-12T11:40:49.981+0000","rule":{"level":5,"description":"User missed the password to change UID (user id).","id":"5301","firedtimes":1,"mail":false,"groups":["syslog","su","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"centos1","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1702381249.686658","full_log":"Dec 12 11:40:45 c3 su[5256]: FAILED SU (to root) vagrant on pts/0","predecoder":{"program_name":"su","timestamp":"Dec 12 11:40:45","hostname":"c3"},"decoder":{"parent":"su","name":"su"},"location":"/var/log/messages"} ``` - Check logs - Agent UDP connection ```logs [root@centos1 vagrant]# grep "udp" /var/ossec/etc/ossec.conf udp [root@centos1 vagrant]# grep "udp" /var/ossec/logs/ossec.log 2023/12/12 11:42:19 wazuh-agentd: INFO: Trying to connect to server ([192.168.1.45]:1514/udp). 2023/12/12 11:42:19 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.45]:1514/udp). ``` - Check alerts ```json {"timestamp":"2023-12-12T11:43:59.245+0000","rule":{"level":5,"description":"PAM: User login failed.","id":"5503","mitre":{"id":["T1110.001"],"tactic":["Credential Access"],"technique":["Password Guessing"]},"firedtimes":1,"mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"centos1","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1702381439.690195","full_log":"Dec 12 11:43:53 c3 su[6209]: pam_unix(su:auth): authentication failure; logname=vagrant uid=1000 euid=0 tty=pts/0 ruser=vagrant rhost= user=root","predecoder":{"program_name":"su","timestamp":"Dec 12 11:43:53","hostname":"c3"},"decoder":{"name":"pam"},"data":{"srcuser":"vagrant","dstuser":"root","logname":"vagrant","uid":"1000","euid":"0","tty":"pts/0"},"location":"/var/log/secure"} ```

Wazuh processes :green_circle:

```logs wazuh-d+ 2054 0.7 1.9 1028320 161552 ? Ssl 10:17 0:41 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist root 3232 0.0 0.0 98668 3876 ? Ss 10:17 0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0 wazuh-i+ 3439 4.1 58.2 8307764 4752672 ? Ssl 10:17 3:38 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3981m -Xmx3981m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-6158627393719600674 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2087714816 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet root 8261 0.0 0.0 86424 3756 ? Ss 10:18 0:00 login -- wazuh-user wazuh-u+ 18133 0.0 0.0 124864 4080 tty1 Ss+ 10:19 0:00 -bash root 18630 0.0 0.1 150624 9196 ? Ss 10:20 0:00 sshd: wazuh-user [priv] wazuh-u+ 18633 0.0 0.0 151140 5240 ? S 10:20 0:00 sshd: wazuh-user@pts/0 wazuh-u+ 18634 0.0 0.0 124732 3984 pts/0 Ss 10:20 0:00 -bash wazuh 19206 3.9 1.2 929336 101336 ? Sl 11:42 0:07 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 19207 0.0 0.7 278556 59108 ? S 11:42 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 19210 0.8 0.8 433884 70476 ? S 11:42 0:01 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 19213 0.0 0.6 506644 56348 ? S 11:42 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py root 19255 0.0 0.0 129356 5988 ? Sl 11:42 0:00 /var/ossec/bin/wazuh-authd wazuh 19269 0.3 0.1 784872 14368 ? Sl 11:42 0:00 /var/ossec/bin/wazuh-db root 19294 0.0 0.0 39184 3656 ? Sl 11:42 0:00 /var/ossec/bin/wazuh-execd wazuh 19309 0.8 0.3 1440008 29292 ? Sl 11:42 0:01 /var/ossec/bin/wazuh-analysisd root 19319 5.9 0.1 358004 11412 ? SNl 11:42 0:10 /var/ossec/bin/wazuh-syscheckd wazuh 19339 0.2 0.0 728436 7616 ? Sl 11:42 0:00 /var/ossec/bin/wazuh-remoted root 19420 0.0 0.0 416040 4824 ? Sl 11:42 0:00 /var/ossec/bin/wazuh-logcollector wazuh 19468 0.0 0.0 39160 3752 ? Sl 11:42 0:00 /var/ossec/bin/wazuh-monitord root 19515 0.1 0.2 308284 24156 ? Sl 11:42 0:00 /var/ossec/bin/wazuh-modulesd root 32111 0.0 0.0 119416 976 pts/0 S+ 11:45 0:00 grep --color=auto wazuh ```

Versions :green_circle:

``` [root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40801" WAZUH_TYPE="server" [root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION 4.8.0 [root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION 4.8.0 [root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json { "name": "opensearch-dashboards", "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.", "keywords": [ "opensearch-dashboards", "opensearch", "logstash", "analytics", "visualizations", "dashboards", "dashboarding" ], "version": "2.10.0", "branch": "2.x", "build": { "number": 48001, "sha": "c1120d93e2ee647977f917a1249258a622d4eb5b", "distributable": true, "release": true }, "repository": { "type": "git", "url": "https://github.com/opensearch-project/opensearch-dashboards.git" }, "engines": { "node": ">=14.20.1 <19" } } ```

Users :green_circle:

``` [root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group wheel:x:10:wazuh-user wazuh-user:x:1000: wazuh-indexer:x:993: wazuh:x:992:wazuh wazuh-dashboard:x:991:wazuh-dashboard ``` ``` [root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin wazuh:x:994:992::/var/ossec:/sbin/nologin wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin ```

OVA - WUI :green_circle:

- Loading screen ![image](https://github.com/wazuh/wazuh/assets/11089305/88850c7e-1288-4ad9-b852-3b70e9e8a2ff) - Login screen ![image](https://github.com/wazuh/wazuh/assets/11089305/ddea6535-218a-4d28-89f6-c6d2ea2d8e8d) - Expected failure. Check vulnerabilities index pattern ![image](https://github.com/wazuh/wazuh/assets/11089305/6ce5ad8b-e930-46ec-8ce1-1036d74707d6) Vulnerabilities index is expected to not appear in Alpha 1 - Main menu ![image](https://github.com/wazuh/wazuh/assets/11089305/580716f0-5566-45a2-a790-9634c5c9964f) *** **Dark mode** - Loading page ![image](https://github.com/wazuh/wazuh/assets/11089305/f4d950c6-50ad-4448-a224-c4d80d497b44) - Main menu ![image](https://github.com/wazuh/wazuh/assets/11089305/ad551924-af2a-4dae-b6aa-dd41682906b2)

OVA - Logs :yellow_circle: :

Wazuh Dashboard - Journalctl :yellow_circle:
**Expected errors** - https://github.com/wazuh/wazuh-automation/issues/1286 - https://github.com/wazuh/wazuh-packages/issues/1582 ``` Dec 12 10:23:10 wazuh-server opensearch-dashboards[2054]: {"type":"error","@timestamp":"2023-12-12T10:23:10Z","tags":["connection","client","error"],"pid":2054,"level":"error","error":{"message":"140590198192000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140590198192000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140590198192000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"} ``` ``` Dec 12 10:25:00 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:25:00Z","tags":["error","opensearch","data"],"pid":2054,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2023.50w/G-jf35NDRXqwnnh_SejiYQ] already exists"} ``` ``` [root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning" Dec 12 10:25:00 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:25:00Z","tags":["error","opensearch","data"],"pid":2054,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2023.50w/G-jf35NDRXqwnnh_SejiYQ] already exists"} Dec 12 10:23:40 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:23:40Z","tags":["error","plugins","securityDashboards"],"pid":2054,"message":"Failed authentication: Error: Authentication Exception"} Dec 12 10:23:10 wazuh-server opensearch-dashboards[2054]: {"type":"error","@timestamp":"2023-12-12T10:23:10Z","tags":["connection","client","error"],"pid":2054,"level":"error","error":{"message":"140590198192000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140590198192000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140590198192000:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"} Dec 12 10:18:58 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:58Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ResponseError]: Response Error"} Dec 12 10:18:55 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:55Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ResponseError]: Response Error"} Dec 12 10:18:53 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:53Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ResponseError]: Response Error"} Dec 12 10:18:50 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:50Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ResponseError]: Response Error"} Dec 12 10:18:48 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:48Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ResponseError]: Response Error"} Dec 12 10:18:46 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:46Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ResponseError]: Response Error"} Dec 12 10:18:43 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:43Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:40 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:40Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:38 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:38Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:35 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:35Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:33 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:33Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:30 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:30Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:28 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:28Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:25 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:25Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:23 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:23Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:20 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:20Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:18 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:18Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:15 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:15Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:13 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:13Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:10 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:10Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:08 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:08Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:05 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:05Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:03 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:03Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} Dec 12 10:18:00 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:00Z","tags":["error","savedobjects-service"],"pid":2054,"message":"Unable to retrieve version information from OpenSearch nodes."} Dec 12 10:18:00 wazuh-server opensearch-dashboards[2054]: {"type":"log","@timestamp":"2023-12-12T10:18:00Z","tags":["error","opensearch","data"],"pid":2054,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} ```

Wazuh Indexer - Journalctl :yellow_circle:
``` [root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning" Dec 12 10:18:12 wazuh-server systemd-entrypoint[3439]: WARNING: System::setSecurityManager will be removed in a future release Dec 12 10:18:12 wazuh-server systemd-entrypoint[3439]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Dec 12 10:18:12 wazuh-server systemd-entrypoint[3439]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Dec 12 10:18:12 wazuh-server systemd-entrypoint[3439]: WARNING: A terminally deprecated method in java.lang.System has been called Dec 12 10:18:09 wazuh-server systemd-entrypoint[3439]: WARNING: System::setSecurityManager will be removed in a future release Dec 12 10:18:09 wazuh-server systemd-entrypoint[3439]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Dec 12 10:18:09 wazuh-server systemd-entrypoint[3439]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Dec 12 10:18:09 wazuh-server systemd-entrypoint[3439]: WARNING: A terminally deprecated method in java.lang.System has been called ``` Expected errors: - https://github.com/wazuh/wazuh-packages/issues/2046

Wazuh Indexer - /var/logs/wazuh-indexer :yellow_circle:
``` /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:12,411][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6158627393719600674, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true] /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:36,311][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly. /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:44,944][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-1] Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:45,626][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:45,627][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:45,627][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:45,628][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:45,629][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:45,630][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:45,630][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:45,630][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:45,631][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:45,631][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:46,553][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:46,601][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:46,608][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:46,613][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:48,114][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:48,288][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:48,293][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:48,304][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:48,309][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:50,787][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:50,792][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:50,799][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:50,805][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:53,332][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:53,339][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:53,347][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:53,354][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:55,812][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:55,818][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:55,823][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:55,828][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:58,314][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:58,321][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:58,330][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-12T10:18:58,337][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:12,411Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6158627393719600674, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:36,311Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:44,944Z", "level": "ERROR", "component": "o.o.i.i.ManagedIndexCoordinator", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:45,626Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:45,627Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:45,627Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:45,628Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:45,629Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:45,630Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:45,630Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:45,630Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:45,631Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:45,631Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@26ce8a52] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:46,553Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:46,601Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:46,608Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:46,613Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:48,114Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:48,288Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:48,293Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:48,304Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:48,309Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:50,787Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:50,792Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:50,799Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:50,805Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:53,332Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:53,339Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:53,347Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:53,354Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:55,812Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:55,818Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:55,823Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:55,828Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:58,314Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:58,321Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:58,330Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-12T10:18:58,337Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qLE0w_LKScadb2U9epsjFA", "node.id": "Vfy4MfdcQ-yf4_Vh12-o8w" } ``` **Expected error logs** - https://github.com/wazuh/wazuh-packages/issues/1511

Wazuh Server - /var/ossec/logs :green_circle:
``` [root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log [root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l 0 ```

OVA - Filebeat Tests :green_circle:

``` [root@wazuh-server wazuh-user]# filebeat test output elasticsearch: https://localhost:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 127.0.0.1 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 ```

OVA - Wazuh Indexer Cluster :red_circle:

Cluster in yellow state ``` [root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200 { "name" : "node-1", "cluster_name" : "wazuh-cluster", "cluster_uuid" : "qLE0w_LKScadb2U9epsjFA", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03", "build_date" : "2023-09-20T23:54:29.889267151Z", "build_snapshot" : false, "lucene_version" : "9.7.0", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } [root@wazuh-server wazuh-user]# [root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 127.0.0.1 26 83 0 0.00 0.03 0.00 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 [root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty { "cluster_name" : "wazuh-cluster", "status" : "yellow", "timed_out" : false, "number_of_nodes" : 1, "number_of_data_nodes" : 1, "discovered_master" : true, "discovered_cluster_manager" : true, "active_primary_shards" : 19, "active_shards" : 19, "relocating_shards" : 0, "initializing_shards" : 0, "unassigned_shards" : 5, "delayed_unassigned_shards" : 0, "number_of_pending_tasks" : 0, "number_of_in_flight_fetch" : 0, "task_max_waiting_in_queue_millis" : 0, "active_shards_percent_as_number" : 79.16666666666666 } ```

OVA - No root ssh access :green_circle:

``` ➜ ~ ssh root@192.168.1.45 root@192.168.1.45's password: Permission denied, please try again. root@192.168.1.45's password: Received disconnect from 192.168.1.45 port 22:2: Too many authentication failures Disconnected from 192.168.1.45 port 22 ```

Analysis report - AIX :green_circle:

System info :green_circle:

```shell # hostname soaxp132 # uname -a AIX soaxp132 1 6 00CADA644C00 ```

Installation with variables :green_circle:

- Wazuh agent ```shell # curl -O -k https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.8.0-1.aix.ppc.rpm % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 13.5M 100 13.5M 0 0 9.7M 0 0:00:01 0:00:01 --:--:-- 9.7M ``` ```shell # WAZUH_MANAGER="xx.xxx.xx.xxx" rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm wazuh-agent ################################################## # WAZUH_MANAGER="xx.xxx.xx.xxx" rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. # /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40801" WAZUH_TYPE="agent" # grep address /var/ossec/etc/ossec.conf

X.X.X.X

``` - Wazuh server ```shell [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 009 Wazuh agent_control. Agent information: Agent ID: 009 Agent Name: soaxp132 IP address: any Status: Active Operating system: AIX |soaxp132 |1 |6 |00CADA644C00 Client version: Wazuh v4.8.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702393598 Syscheck last started at: Tue Dec 12 15:06:29 2023 Syscheck last ended at: Tue Dec 12 15:06:37 2023 ```

Installation without variables :green_circle:

- Wazuh agent ```shell curl -O -k https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.8.0-1.aix.ppc.rpm % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 13.5M 100 13.5M 0 0 9.7M 0 0:00:01 0:00:01 --:--:-- 9.7M ``` ```shell # rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm wazuh-agent ################################################## # vi /var/ossec/etc/ossec.conf # /var/ossec/bin/wazuh-control start 2023/12/12 09:16:57 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)]. 2023/12/12 09:16:57 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)]. 2023/12/12 09:16:57 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)]. 2023/12/12 09:16:57 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)]. 2023/12/12 09:16:57 wazuh-logcollector: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)]. 2023/12/12 09:16:57 wazuh-modulesd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)]. Starting Wazuh v4.8.0... Started wazuh-execd... 2023/12/12 09:16:57 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)]. 2023/12/12 09:16:57 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)]. Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. ``` > **Note:** Those errors appear when the /var/ossec folder is not deleted while uninstalling the Wazuh Agent. ``` # /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40801" WAZUH_TYPE="agent" ``` - Wazuh server ```shell [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 010 Wazuh agent_control. Agent information: Agent ID: 010 Agent Name: soaxp132 IP address: any Status: Active Operating system: AIX |soaxp132 |1 |6 |00CADA644C00 Client version: Wazuh v4.8.0 Configuration hash: (null) Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702394277 Syscheck last started at: Tue Dec 12 15:16:58 2023 Syscheck last ended at: Tue Dec 12 15:17:05 2023 ```

Generate alerts (TCP & UDP) :green_circle:

- TCP - Wazuh Agent ```shell # grep -Ei "tcp" /var/ossec/logs/ossec.log 2023/12/12 09:16:57 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/tcp). 2023/12/12 09:16:57 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/tcp). ``` - TCP - Wazuh Server ``` {"timestamp":"2023-12-12T15:17:04.351+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure auditd service is enabled","id":"19009","firedtimes":26,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["6.2","6.3"]},"agent":{"id":"010","name":"soaxp132"},"manager":{"name":"wazuh-server"},"id":"1702394224.2145285","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"31962","policy":"System audit for Unix based systems","check":{"id":"3022","title":"Ensure auditd service is enabled","description":"Turn on the auditd daemon to record system events.","rationale":"The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.","remediation":"Run the following command to enable auditd: # systemctl enable auditd","compliance":{"cis_csc":"6.2,6.3"},"command":["systemctl is-enabled auditd"],"result":"not applicable","reason":"Invalid path or wrong permissions to run command 'systemctl is-enabled auditd'"}}},"location":"sca"} {"timestamp":"2023-12-12T15:17:11.346+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"010","name":"soaxp132","ip":"192.168.253.132"},"manager":{"name":"wazuh-server"},"id":"1702394231.2146996","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"31962","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"} ``` - UDP - Wazuh Agent ```shell # grep udp /var/ossec/etc/ossec.conf udp # /var/ossec/bin/wazuh-control restart Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.8.0 Stopped Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. # grep -Ei "udp" /var/ossec/logs/ossec.log 2023/12/12 09:21:54 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/udp). 2023/12/12 09:21:54 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/udp). ``` - UDP - Wazuh Server ``` {"timestamp":"2023-12-12T15:21:59.745+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":36,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"010","name":"soaxp132","ip":"192.168.253.132"},"manager":{"name":"wazuh-server"},"id":"1702394519.2181266","full_log":"File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_notifier"},"location":"rootcheck"} ```

Removal :green_circle:

```shell # rpm -e wazuh-agent rmdir of /var/ossec/tmp/src/init failed: No such file or directory rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory cannot remove /var/ossec/queue/syscollector/db - directory not empty cannot remove /var/ossec/queue/syscollector - directory not empty cannot remove /var/ossec/queue/logcollector - directory not empty cannot remove /var/ossec/queue/fim/db - directory not empty cannot remove /var/ossec/queue/fim - directory not empty cannot remove /var/ossec/queue - directory not empty removal of /var/ossec/logs/ossec.json failed: No such file or directory cannot remove /var/ossec/etc/shared - directory not empty cannot remove /var/ossec/etc - directory not empty cannot remove /var/ossec - directory not empty ```

Check users and groups :green_circle:

``` # cat /etc/passwd | grep wazuh wazuh:*:211:1::/home/wazuh:/usr/bin/ksh # cat /etc/group | grep wazuh wazuh:!:209:wazuh ```

Errors and warnings :green_circle:

Solaris 11 SPARC

System info 🟢

```console tdfl@sossp206:~$ hostname sossp206 tdfl@sossp206:~$ uname -a SunOS sossp206 5.11 11.3 sun4v sparc sun4v ```

Installation 🟢

Installation details ```console tdfl@sossp206:~$ curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.8.0-sol11-sparc.p5p % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 6360k 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 6360k 100 6360k 0 0 5084k 0 0:00:01 0:00:01 --:--:-- 5238k ``` ```console root@sossp206:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent Creating Plan (Evaluating mediators): / Packages to install: 1 Services to change: 1 Create boot environment: No Create backup boot environment: No DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 1/1 119/119 5.8/5.8 27.1M/s PHASE ITEMS Installing new actions 175/175 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done Updating package cache ``` Change Agent IP ```console root@sossp206:~# vi /var/ossec/etc/ossec.conf root@sossp206:~# cat /var/ossec/etc/ossec.conf | grep address

54.84.24.155

``` Start Agent ```console root@sossp206:~# /var/ossec/bin/wazuh-control start Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. ``` Agent Info ```console wazuh-modulesd is running... wazuh-logcollector is running... wazuh-syscheckd is running... wazuh-agentd is running... wazuh-execd is running... ``` Check Agent in Manager ```console [root@ip-172-31-45-137 ec2-user]# /var/ossec/bin/agent_control -i 001 Wazuh agent_control. Agent information: Agent ID: 001 Agent Name: sossp206 IP address: any Status: Active Operating system: SunOS |sossp206 |5.11 |11.3 |sun4v Client version: Wazuh v4.8.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702393932 Syscheck last started at: Tue Dec 12 15:05:32 2023 Syscheck last ended at: Tue Dec 12 15:08:00 2023 ``` No Errors Present in the Agent ```console root@sossp206:~# /usr/xpg4/bin/grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ``` No Errors Present in the Manager ```console [root@ip-172-31-45-137 ec2-user]# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ```

Generate Alerts 🟢

TCP 🟢

Agent is Connected Through TCP ```console root@sossp206:~# grep -i "tcp" /var/ossec/logs/ossec.log 2023/12/12 09:04:24 wazuh-agentd: INFO: Trying to connect to server ([54.84.24.155]:1514/tcp). 2023/12/12 09:04:24 wazuh-agentd: INFO: (4102): Connected to the server ([54.84.24.155]:1514/tcp). 2023/12/12 09:05:31 wazuh-agentd: INFO: Trying to connect to server ([54.84.24.155]:1514/tcp). 2023/12/12 09:05:31 wazuh-agentd: INFO: (4102): Connected to the server ([54.84.24.155]:1514/tcp). ``` Alerts are correctly generated for the agent - Expected logs ```console [root@ip-172-31-45-137 ec2-user]# grep sossp206 /var/ossec/logs/alerts/alerts.json {"timestamp":"2023-12-12T15:04:54.862+0000","rule":{"level":3,"description":"New wazuh agent connected.","id":"501","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"001","name":"sossp206"},"manager":{"name":"ip-172-31-45-137.ec2.internal"},"id":"1702393494.602057","full_log":"ossec: Agent started: 'sossp206->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp206->any"},"location":"wazuh-agent"} {"timestamp":"2023-12-12T15:04:57.989+0000","rule":{"level":3,"description":"CIS Benchmark for Oracle Solaris 11 v1.1.0: Disable Local-only Graphical Login Environment","id":"19008","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["2.1"]},"agent":{"id":"001","name":"sossp206"},"manager":{"name":"ip-172-31-45-137.ec2.internal"},"id":"1702393497.602329","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"7003","policy":"CIS Benchmark for Oracle Solaris 11 v1.1.0","check":{"id":"8000","title":"Disable Local-only Graphical Login Environment","description":"The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode.","rationale":"This service should be disabled if it is not required.","remediation":"To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default","compliance":{"cis":"2.1"},"command":["svcs -xv svc:/application/graphical-login/gdm:default"],"result":"passed"}}},"location":"sca"} . . . ``` No Errors in Agent Logs ```console [root@ip-172-31-45-137 ec2-user]# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l 0 [root@ip-172-31-45-137 ec2-user]# ```

UDP 🟢

Agent is Connected Through UDP ```console root@sossp206:~# sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf root@sossp206:~# grep udp /var/ossec/etc/ossec.conf udp root@sossp206:~# /var/ossec/bin/wazuh-control restart Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.8.0 Stopped Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. root@sossp206:~# grep "udp" /var/ossec/logs/ossec.log 2023/12/12 11:14:10 wazuh-agentd: INFO: Trying to connect to server ([54.84.24.155]:1514/udp). ``` Alerts are Correctly Generated for the Agent (Manager) ```console [root@ip-172-31-45-137 ec2-user]# grep sossp206 /var/ossec/logs/alerts/alerts.json {"timestamp":"2023-12-12T15:04:54.862+0000","rule":{"level":3,"description":"New wazuh agent connected.","id":"501","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"001","name":"sossp206"},"manager":{"name":"ip-172-31-45-137.ec2.internal"},"id":"1702393494.602057","full_log":"ossec: Agent started: 'sossp206->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp206->any"},"location":"wazuh-agent"} {"timestamp":"2023-12-12T15:04:57.989+0000","rule":{"level":3,"description":"CIS Benchmark for Oracle Solaris 11 v1.1.0: Disable Local-only Graphical Login Environment","id":"19008","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["2.1"]},"agent":{"id":"001","name":"sossp206"},"manager":{"name":"ip-172-31-45-137.ec2.internal"},"id":"1702393497.602329","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"7003","policy":"CIS Benchmark for Oracle Solaris 11 v1.1.0","check":{"id":"8000","title":"Disable Local-only Graphical Login Environment","description":"The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode.","rationale":"This service should be disabled if it is not required.","remediation":"To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default","compliance":{"cis":"2.1"},"command":["svcs -xv svc:/application/graphical-login/gdm:default"],"result":"passed"}}},"location":"sca"} . . . ``` No Errors of Agent Logs (Manager) ```console [root@ip-172-31-45-137 ec2-user]# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ```

Check Users and Groups 🟢

```console root@sossp206:~# cat /etc/passwd | grep wazuh wazuh:x:7:13:& User:/: root@sossp206:~# cat /etc/group | grep wazuh wazuh::13: ```

Removal 🟢

Stop Agent ```console root@sossp206:~# /var/ossec/bin/wazuh-control stop Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.8.0 Stopped ``` Uninstall Agent ```console root@sossp206:~# pkg uninstall wazuh-agent Creating Plan (Consolidating action changes): - Packages to remove: 1 Services to change: 1 Create boot environment: No Create backup boot environment: No PHASE ITEMS Removing old actions 222/222 Updating package state database Done Updating package cache 1/1 Updating image state Done Creating fast lookup database Done Updating package cache 2/2 The following unexpected or editable files and directories were salvaged while executing the requested package operation; they have been moved to the displayed location in the image: ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20231212T112200Z ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20231212T112200Z ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20231212T112200Z ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20231212T112200Z ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20231212T112200Z ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20231212T112200Z ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20231212T112200Z ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20231212T112200Z ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20231212T112200Z ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20231212T112200Z root@sossp206:~# ``` Remove groups ```console root@sossp206:~# groupdel wazuh ```

Upgrade 4.7.0 to 4.8.0 🟢

Install 4.7.0 ```console root@sossp206:~# curl -OL https://packages.wazuh.com/4.x/solaris/sparc/11/wazuh-agent_v4.7.0-sol11-sparc.p5p % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 6260k 100 6260k 0 0 5943k 0 0:00:01 0:00:01 --:--:-- 6125k ``` ```console root@sossp206:~# pkg install -g wazuh-agent_v4.7.0-sol11-sparc.p5p wazuh-agent Packages to install: 1 Services to change: 1 Create boot environment: No Create backup boot environment: No DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 1/1 98/98 5.8/5.8 31.6M/s PHASE ITEMS Installing new actions 151/151 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done Updating package cache 2/2 root@sossp206:~# ``` ```console root@sossp206:~# sed 's/MANAGER_IP/OBFUSCATED_MANAGER_IP/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf ``` ```console root@sossp206:~# /var/ossec/bin/wazuh-control start Starting Wazuh v4.7.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. ``` Check on Manager ```console [root@ip-172-31-45-137 ec2-user]# /var/ossec/bin/agent_control -i 005 Wazuh agent_control. Agent information: Agent ID: 005 Agent Name: Solaris IP address: any Status: Active Operating system: SunOS |Solaris |5.11 |11.3 |sun4v Client version: Wazuh v4.7.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702467680 Syscheck last started at: Wed Dec 13 11:40:31 2023 Syscheck last ended at: Wed Dec 13 11:40:37 2023 [root@ip-172-31-45-137 ec2-user]# ``` Upgrade to 4.8.0 ```console root@sossp206:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent Packages to update: 1 Create boot environment: No Create backup boot environment: Yes DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 1/1 56/56 5.0/5.0 40.6M/s PHASE ITEMS Installing new actions 24/24 Updating modified actions 37/37 Updating package state database Done Updating package cache 1/1 Updating image state Done Creating fast lookup database Done Updating package cache 2/2 root@sossp206:~# ``` ```console root@sossp206:~# /var/ossec/bin/wazuh-control status wazuh-modulesd is running... wazuh-logcollector is running... wazuh-syscheckd is running... wazuh-agentd is running... wazuh-execd is running... ``` ```console root@sossp206:~# /var/ossec/bin/wazuh-control restart Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.8.0 Stopped Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. ``` ```console [root@ip-172-31-45-137 ec2-user]# /var/ossec/bin/agent_control -i 005 Wazuh agent_control. Agent information: Agent ID: 005 Agent Name: Solaris IP address: any Status: Active Operating system: SunOS |Solaris |5.11 |11.3 |sun4v Client version: Wazuh v4.8.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702468026 Syscheck last started at: Wed Dec 13 11:45:27 2023 Syscheck last ended at: Wed Dec 13 11:45:34 2023 ```

Analysis report - HP-UX :green_circle:

System Info :green_circle:

``` # uname -a HP-UX sovmh336 B.11.31 U ia64 0936332656 unlimited-user license ```

Installation 🟢

- **Installation** ``` # /usr/local/wget https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar --no-check-certificate Resolving packages-dev.wazuh.com... 18.161.84.106, 18.161.84.98, 18.161.84.110, ... Connecting to packages-dev.wazuh.com|18.161.84.106|:443... connected. WARNING: The certificate of 'packages-dev.wazuh.com' is not trusted. WARNING: The certificate of 'packages-dev.wazuh.com' hasn't got a known issuer. HTTP request sent, awaiting response... 200 OK Length: 55336960 (53M) [application/x-tar] Saving to: 'wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar' wazuh-agent-4.8.0-1-hpux-11v3-i 100%[=====================================================>] 52.77M 3.24MB/s in 17s 2023-12-12 10:24:17 (3.14 MB/s) - 'wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar' saved [55336960/55336960] # groupadd wazuh # useradd -G wazuh wazuh # tar -xvf wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks x /var/ossec/bin/wazuh-logcollector, 1951576 bytes, 3812 tape blocks x /var/ossec/bin/wazuh-syscheckd, 2373796 bytes, 4637 tape blocks x /var/ossec/bin/wazuh-execd, 1814612 bytes, 3545 tape blocks x /var/ossec/bin/manage_agents, 570860 bytes, 1115 tape blocks x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks x /var/ossec/bin/wazuh-modulesd, 1744868 bytes, 3408 tape blocks x /var/ossec/bin/wazuh-agentd, 1886596 bytes, 3685 tape blocks x /var/ossec/bin/agent-auth, 571832 bytes, 1117 tape blocks x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks x /var/ossec/lib/libwazuhshared.so, 355552 bytes, 695 tape blocks x /var/ossec/lib/libdbsync.so, 1314728 bytes, 2568 tape blocks x /var/ossec/lib/librsync.so, 900228 bytes, 1759 tape blocks x /var/ossec/lib/libsysinfo.so, 798880 bytes, 1561 tape blocks x /var/ossec/lib/libfimdb.so, 1267160 bytes, 2475 tape blocks x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28 x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28 x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0 x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 41658 bytes, 82 tape blocks x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks x /var/ossec/wodles/aws/buckets_s3/config.py, 8844 bytes, 18 tape blocks x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4353 bytes, 9 tape blocks x /var/ossec/wodles/aws/buckets_s3/__init__.py, 462 bytes, 1 tape blocks x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9151 bytes, 18 tape blocks x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2718 bytes, 6 tape blocks x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11310 bytes, 23 tape blocks x /var/ossec/wodles/aws/buckets_s3/waf.py, 2897 bytes, 6 tape blocks x /var/ossec/wodles/aws/services/aws_service.py, 5955 bytes, 12 tape blocks x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24429 bytes, 48 tape blocks x /var/ossec/wodles/aws/services/__init__.py, 166 bytes, 1 tape blocks x /var/ossec/wodles/aws/services/inspector.py, 6373 bytes, 13 tape blocks x /var/ossec/wodles/aws/subscribers/__init__.py, 201 bytes, 1 tape blocks x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6214 bytes, 13 tape blocks x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 10502 bytes, 21 tape blocks x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1795 bytes, 4 tape blocks x /var/ossec/wodles/aws/aws-s3, 9407 bytes, 19 tape blocks x /var/ossec/wodles/aws/__init__.py, 0 bytes, 0 tape blocks x /var/ossec/wodles/aws/aws_tools.py, 16489 bytes, 33 tape blocks x /var/ossec/wodles/aws/wazuh_integration.py, 22836 bytes, 45 tape blocks x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks x /var/ossec/wodles/azure/azure-logs, 38654 bytes, 76 tape blocks x /var/ossec/wodles/azure/orm.py, 10097 bytes, 20 tape blocks x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks x /var/ossec/etc/internal_options.conf, 14163 bytes, 28 tape blocks x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks x /var/ossec/etc/ossec.conf, 4816 bytes, 10 tape blocks x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent ``` - **Change agent IP** ``` # sed "s/MANAGER_IP/xx.xxx.xx.xxx/g" /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf # grep address /var/ossec/etc/ossec.conf

xx.xxx.xx.xxx

``` - **Start agent** ``` # /var/ossec/bin/wazuh-control start Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. ``` - **Agent info** ``` # /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40801" WAZUH_TYPE="agent" ``` - **Check agent in Manager** ``` [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 033 Wazuh agent_control. Agent information: Agent ID: 033 Agent Name: sovmh336 IP address: any Status: Active Operating system: HP-UX |sovmh336 |B.11.31 |U |ia64 Client version: Wazuh v4.8.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702404359 Syscheck last started at: Tue Dec 12 17:04:35 2023 (Scan in progress) Syscheck last ended at: Unknown ``` - **No errors present in the agent** ``` # grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ``` - **No errors present in the manager** ``` [root@wazuh-server wazuh-user]# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ```

Generate Alerts 🟢

TCP 🟢

- **Agent is connected through TCP** ``` # grep -i "tcp" /var/ossec/logs/ossec.log 2023/12/12 11:04:29 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/tcp). 2023/12/12 11:04:29 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/tcp). ``` - **Alerts are correctly generated for the agent - Expected logs** ``` [root@wazuh-server wazuh-user]# grep sovmh336 /var/ossec/logs/alerts/alerts.json {"timestamp":"2023-12-12T18:05:54.643+0000","rule":{"level":3,"description":"New wazuh agent connected.","id":"501","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"033","name":"sovmh336"},"manager":{"name":"wazuh-server"},"id":"1702404354.8231493","full_log":"ossec: Agent started: 'sovmh336->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh336->any"},"location":"wazuh-agent"} {"timestamp":"2023-12-12T18:05:58.405+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":6,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"033","name":"sovmh336"},"manager":{"name":"wazuh-server"},"id":"1702404358.8369751","full_log":"ossec: Agent stopped: 'sovmh336->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh336->any"},"location":"wazuh-remoted"} {"timestamp":"2023-12-12T18:05:59.821+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":6,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"033","name":"sovmh336"},"manager":{"name":"wazuh-server"},"id":"1702404359.8370080","full_log":"ossec: Agent started: 'sovmh336->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh336->any"},"location":"wazuh-agent"} {"timestamp":"2023-12-12T18:07:00.427+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":7,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"033","name":"sovmh336","ip":"192.168.253.36"},"manager":{"name":"wazuh-server"},"id":"1702404420.8375218","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"} ``` - **No errors in agent logs** ``` [root@wazuh-server wazuh-user]# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ```

UDP 🟢

- **Agent is connected through UDP** ``` # sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf # grep udp /var/ossec/etc/ossec.conf udp # /var/ossec/bin/wazuh-control restart Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.8.0 Stopped Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. # grep -i "udp" /var/ossec/logs/ossec.log 2023/12/12 11:07:42 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/udp). 2023/12/12 11:07:42 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/udp). ``` - **Alerts are correctly generated for the agent** ``` {"timestamp":"2023-12-12T18:09:07.355+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":8,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"033","name":"sovmh336","ip":"192.168.253.36"},"manager":{"name":"wazuh-server"},"id":"1702404547.8380748","full_log":"ossec: Agent started: 'sovmh336->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh336->any"},"location":"wazuh-agent"} {"timestamp":"2023-12-12T18:09:10.585+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":3,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"033","name":"sovmh336","ip":"192.168.253.36"},"manager":{"name":"wazuh-server"},"id":"1702404550.8381806","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 192.168.253.36.49291 192.168.253.36.1712\ntcp 192.168.253.36.1712 192.168.253.36.49291\ntcp 192.168.253.36.52579 xx.xxx.xx.xxx.1514\ntcp 192.168.253.36.22 90.168.145.212.54096\ntcp 192.168.253.36.52578 xx.xxx.xx.xxx.1514\nudp 127.0.0.1.123 *.*\nudp 192.168.253.36.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157","full_log":"ossec: output: 'netstat listening ports':\ntcp 192.168.253.36.49291 192.168.253.36.1712\ntcp 192.168.253.36.1712 192.168.253.36.49291\ntcp 192.168.253.36.22 90.168.145.212.54096\ntcp 192.168.253.36.52579 xx.xxx.xx.xxx.1514\ntcp 192.168.253.36.52583 192.168.253.36.1712\nudp 192.168.253.36.50291 xx.xxx.xx.xxx.1514\nudp 127.0.0.1.123 *.*\nudp 192.168.253.36.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 192.168.253.36.49291 192.168.253.36.1712\ntcp 192.168.253.36.1712 192.168.253.36.49291\ntcp 192.168.253.36.52579 xx.xxx.xx.xxx.1514\ntcp 192.168.253.36.22 90.168.145.212.54096\ntcp 192.168.253.36.52578 xx.xxx.xx.xxx.1514\nudp 127.0.0.1.123 *.*\nudp 192.168.253.36.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157","location":"netstat listening ports"} {"timestamp":"2023-12-12T18:09:19.243+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":9,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"033","name":"sovmh336","ip":"192.168.253.36"},"manager":{"name":"wazuh-server"},"id":"1702404559.8382895","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"} ``` - **No errors in agent logs** ``` # grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ```

Removal 🟢

``` # /var/ossec/bin/wazuh-control stop Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.8.0 Stopped # groupdel wazuh # userdel wazuh # rm -rf /var/ossec ```

Check users and groups :green_circle:

``` # cat /etc/passwd | grep wazuh wazuh:*:108:20::/home/wazuh:/sbin/sh # cat /etc/group | grep wazuh wazuh::105:wazuh ```

Upgrade 4.7.0 -> 4.8.0 🟢

> ⚠️ **NOTE**: Before starting uninstall the agent (if you did not) and remove it from the manager. - **Install the initial version** ``` # /usr/local/bin/wget https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.7.0-1-hpux-11v3-ia64.tar --no-check-certificate --2023-12-12 11:11:14-- https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.7.0-1-hpux-11v3-ia64.tar Resolving packages-dev.wazuh.com... 18.161.84.106, 18.161.84.17, 18.161.84.110, ... Connecting to packages-dev.wazuh.com|18.161.84.106|:443... connected. WARNING: The certificate of 'packages-dev.wazuh.com' is not trusted. WARNING: The certificate of 'packages-dev.wazuh.com' hasn't got a known issuer. HTTP request sent, awaiting response... 200 OK Length: 55234560 (53M) [application/x-tar] Saving to: 'wazuh-agent-4.7.0-1-hpux-11v3-ia64.tar' wazuh-agent-4.7.0-1-hpux-11v3 100%[=================================================>] 52.68M 3.26MB/s in 19s 2023-12-12 11:11:33 (2.84 MB/s) - 'wazuh-agent-4.7.0-1-hpux-11v3-ia64.tar' saved [55234560/55234560] # groupadd wazuh # useradd -G wazuh wazuh # tar -xvf wazuh-agent-4.7.0-1-hpux-11v3-ia64.tar x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks x /var/ossec/bin/wazuh-logcollector, 1951536 bytes, 3812 tape blocks x /var/ossec/bin/wazuh-syscheckd, 2373588 bytes, 4636 tape blocks x /var/ossec/bin/wazuh-execd, 1814520 bytes, 3544 tape blocks x /var/ossec/bin/manage_agents, 570716 bytes, 1115 tape blocks x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks x /var/ossec/bin/wazuh-modulesd, 1744816 bytes, 3408 tape blocks x /var/ossec/bin/wazuh-agentd, 1886512 bytes, 3685 tape blocks x /var/ossec/bin/agent-auth, 506152 bytes, 989 tape blocks x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks x /var/ossec/lib/libwazuhshared.so, 355404 bytes, 695 tape blocks x /var/ossec/lib/libdbsync.so, 1314728 bytes, 2568 tape blocks x /var/ossec/lib/librsync.so, 900228 bytes, 1759 tape blocks x /var/ossec/lib/libsysinfo.so, 796672 bytes, 1556 tape blocks x /var/ossec/lib/libfimdb.so, 1267160 bytes, 2475 tape blocks x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28 x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28 x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0 x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks x /var/ossec/wodles/aws/aws-s3, 182657 bytes, 357 tape blocks x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks x /var/ossec/wodles/docker/DockerListener, 4709 bytes, 10 tape blocks x /var/ossec/wodles/azure/azure-logs, 38402 bytes, 76 tape blocks x /var/ossec/wodles/azure/orm.py, 10034 bytes, 20 tape blocks x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks x /var/ossec/etc/internal_options.conf, 14163 bytes, 28 tape blocks x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks x /var/ossec/etc/ossec.conf, 4816 bytes, 10 tape blocks x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks x /var/ossec/active-response/bin/firewall-drop, 70248 bytes, 138 tape blocks x /var/ossec/active-response/bin/default-firewall-drop, 70248 bytes, 138 tape blocks x /var/ossec/active-response/bin/pf, 70024 bytes, 137 tape blocks x /var/ossec/active-response/bin/npf, 69856 bytes, 137 tape blocks x /var/ossec/active-response/bin/ipfw, 69880 bytes, 137 tape blocks x /var/ossec/active-response/bin/firewalld-drop, 69880 bytes, 137 tape blocks x /var/ossec/active-response/bin/disable-account, 69848 bytes, 137 tape blocks x /var/ossec/active-response/bin/host-deny, 69952 bytes, 137 tape blocks x /var/ossec/active-response/bin/ip-customblock, 69800 bytes, 137 tape blocks x /var/ossec/active-response/bin/restart-wazuh, 69692 bytes, 137 tape blocks x /var/ossec/active-response/bin/route-null, 69824 bytes, 137 tape blocks x /var/ossec/active-response/bin/kaspersky, 69740 bytes, 137 tape blocks x /var/ossec/active-response/bin/wazuh-slack, 69996 bytes, 137 tape blocks x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent sed "s/MANAGER_IP/xx.xxx.xx.xxx/g" /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf # grep address /var/ossec/etc/ossec.conf

xx.xxx.xx.xxx

# /var/ossec/bin/wazuh-control start Starting Wazuh v4.7.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. ``` - **Check connection in the manager** ``` [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 034 Wazuh agent_control. Agent information: Agent ID: 034 Agent Name: sovmh336 IP address: any Status: Active Operating system: HP-UX |sovmh336 |B.11.31 |U |ia64 Client version: Wazuh v4.7.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702405024 Syscheck last started at: Tue Dec 12 17:15:40 2023 (Scan in progress) Syscheck last ended at: Unknown ``` - **Upgrade the agent following the documentation** ``` # /var/ossec/bin/wazuh-control stop Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.5.3 Stopped # cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk # cp /var/ossec/etc/client.keys ~/client.keys.bk # tar -xvf wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks x /var/ossec/bin/wazuh-logcollector, 1951576 bytes, 3812 tape blocks x /var/ossec/bin/wazuh-syscheckd, 2373796 bytes, 4637 tape blocks x /var/ossec/bin/wazuh-execd, 1814612 bytes, 3545 tape blocks x /var/ossec/bin/manage_agents, 570860 bytes, 1115 tape blocks x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks x /var/ossec/bin/wazuh-modulesd, 1744868 bytes, 3408 tape blocks x /var/ossec/bin/wazuh-agentd, 1886596 bytes, 3685 tape blocks x /var/ossec/bin/agent-auth, 571832 bytes, 1117 tape blocks x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks x /var/ossec/lib/libwazuhshared.so, 355552 bytes, 695 tape blocks x /var/ossec/lib/libdbsync.so, 1314728 bytes, 2568 tape blocks x /var/ossec/lib/librsync.so, 900228 bytes, 1759 tape blocks x /var/ossec/lib/libsysinfo.so, 798880 bytes, 1561 tape blocks x /var/ossec/lib/libfimdb.so, 1267160 bytes, 2475 tape blocks x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28 x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28 x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0 x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 41658 bytes, 82 tape blocks x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks x /var/ossec/wodles/aws/buckets_s3/config.py, 8844 bytes, 18 tape blocks x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4353 bytes, 9 tape blocks x /var/ossec/wodles/aws/buckets_s3/__init__.py, 462 bytes, 1 tape blocks x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9151 bytes, 18 tape blocks x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2718 bytes, 6 tape blocks x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11310 bytes, 23 tape blocks x /var/ossec/wodles/aws/buckets_s3/waf.py, 2897 bytes, 6 tape blocks x /var/ossec/wodles/aws/services/aws_service.py, 5955 bytes, 12 tape blocks x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24429 bytes, 48 tape blocks x /var/ossec/wodles/aws/services/__init__.py, 166 bytes, 1 tape blocks x /var/ossec/wodles/aws/services/inspector.py, 6373 bytes, 13 tape blocks x /var/ossec/wodles/aws/subscribers/__init__.py, 201 bytes, 1 tape blocks x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6214 bytes, 13 tape blocks x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 10502 bytes, 21 tape blocks x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1795 bytes, 4 tape blocks x /var/ossec/wodles/aws/aws-s3, 9407 bytes, 19 tape blocks x /var/ossec/wodles/aws/__init__.py, 0 bytes, 0 tape blocks x /var/ossec/wodles/aws/aws_tools.py, 16489 bytes, 33 tape blocks x /var/ossec/wodles/aws/wazuh_integration.py, 22836 bytes, 45 tape blocks x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks x /var/ossec/wodles/azure/azure-logs, 38654 bytes, 76 tape blocks x /var/ossec/wodles/azure/orm.py, 10097 bytes, 20 tape blocks x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks x /var/ossec/etc/internal_options.conf, 14163 bytes, 28 tape blocks x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks x /var/ossec/etc/ossec.conf, 4816 bytes, 10 tape blocks x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent # mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf # chown root:wazuh /var/ossec/etc/ossec.conf # mv ~/client.keys.bk /var/ossec/etc/client.keys # chown root:wazuh /var/ossec/etc/client.keys # /var/ossec/bin/wazuh-control start Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. ``` - **Check agent in the manager** ``` [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 034 Wazuh agent_control. Agent information: Agent ID: 034 Agent Name: sovmh336 IP address: any Status: Active Operating system: HP-UX |sovmh336 |B.11.31 |U |ia64 Client version: Wazuh v4.8.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702405123 Syscheck last started at: Tue Dec 12 17:17:19 2023 (Scan in progress) Syscheck last ended at: Unknown ```

Analysis report - Debian Stretch PPC64EL 🟢

System info

``` root@6042c74a6ce0:~# cat /etc/os-release PRETTY_NAME="Debian GNU/Linux 9 (stretch)" NAME="Debian GNU/Linux" VERSION_ID="9" VERSION="9 (stretch)" VERSION_CODENAME=stretch ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" ```

Installation with variables :green_circle:

- Wazuh agent ```shell root@8a5e62503ed9:~# curl -O https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_ppc64el.deb ``` ```shell root@6042c74a6ce0:~# WAZUH_MANAGER="xx.xxx.xx.xxx" apt-get install ./wazuh-agent_4.8.0-1_ppc64el.deb Reading package lists... Done Building dependency tree Reading state information... Done Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.8.0-1_ppc64el.deb' The following additional packages will be installed: bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 libssl1.1 lsb-release mime-support python3 python3-minimal python3.5 python3.5-minimal readline-common xz-utils Suggested packages: bzip2-doc libdpkg-perl lsb python3-doc python3-tk python3-venv python3.5-venv python3.5-doc binutils binfmt-support readline-doc The following NEW packages will be installed: bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 libssl1.1 lsb-release mime-support python3 python3-minimal python3.5 python3.5-minimal readline-common wazuh-agent xz-utils 0 upgraded, 22 newly installed, 0 to remove and 3 not upgraded. Need to get 7467 kB/13.3 MB of archives. After this operation, 78.8 MB of additional disk space will be used. Do you want to continue? [Y/n] y Get:1 /root/wazuh-agent_4.8.0-1_ppc64el.deb wazuh-agent ppc64el 4.8.0-1 [5820 kB] Get:2 http://archive.debian.org/debian stretch/main ppc64el libssl1.1 ppc64el 1.1.0l-1~deb9u1 [1030 kB] Get:3 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-minimal ppc64el 3.5.3-1+deb9u1 [574 kB] Get:4 http://archive.debian.org/debian stretch/main ppc64el python3.5-minimal ppc64el 3.5.3-1+deb9u1 [1704 kB] Get:5 http://archive.debian.org/debian stretch/main ppc64el python3-minimal ppc64el 3.5.3-1 [35.3 kB] Get:6 http://archive.debian.org/debian stretch/main ppc64el mime-support all 3.60 [36.7 kB] Get:7 http://archive.debian.org/debian stretch/main ppc64el libmpdec2 ppc64el 2.4.2-1 [81.9 kB] Get:8 http://archive.debian.org/debian stretch/main ppc64el readline-common all 7.0-3 [70.4 kB] Get:9 http://archive.debian.org/debian stretch/main ppc64el libreadline7 ppc64el 7.0-3 [139 kB] Get:10 http://archive.debian.org/debian stretch/main ppc64el libsqlite3-0 ppc64el 3.16.2-5+deb9u1 [525 kB] Get:11 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-stdlib ppc64el 3.5.3-1+deb9u1 [2179 kB] Get:12 http://archive.debian.org/debian stretch/main ppc64el python3.5 ppc64el 3.5.3-1+deb9u1 [229 kB] Get:13 http://archive.debian.org/debian stretch/main ppc64el libpython3-stdlib ppc64el 3.5.3-1 [18.6 kB] Get:14 http://archive.debian.org/debian stretch/main ppc64el dh-python all 2.20170125 [86.8 kB] Get:15 http://archive.debian.org/debian stretch/main ppc64el python3 ppc64el 3.5.3-1 [21.6 kB] Get:16 http://archive.debian.org/debian stretch/main ppc64el bzip2 ppc64el 1.0.6-8.1 [46.3 kB] Get:17 http://archive.debian.org/debian stretch/main ppc64el libmagic-mgc ppc64el 1:5.30-1+deb9u3 [222 kB] Get:18 http://archive.debian.org/debian stretch/main ppc64el libmagic1 ppc64el 1:5.30-1+deb9u3 [108 kB] Get:19 http://archive.debian.org/debian stretch/main ppc64el file ppc64el 1:5.30-1+deb9u3 [64.4 kB] Get:20 http://archive.debian.org/debian stretch/main ppc64el xz-utils ppc64el 5.2.2-1.2+b1 [262 kB] Get:21 http://archive.debian.org/debian stretch/main ppc64el distro-info-data all 0.36 [5810 B] Get:22 http://archive.debian.org/debian stretch/main ppc64el lsb-release all 9.20161125 [27.1 kB] Fetched 7467 kB in 10s (718 kB/s) perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LC_TIME = "es_ES.UTF-8", LC_MONETARY = "es_ES.UTF-8", LC_ADDRESS = "es_ES.UTF-8", LC_TELEPHONE = "es_ES.UTF-8", LC_NAME = "es_ES.UTF-8", LC_MEASUREMENT = "es_ES.UTF-8", LC_IDENTIFICATION = "es_ES.UTF-8", LC_NUMERIC = "es_ES.UTF-8", LC_PAPER = "es_ES.UTF-8", LANG = "en_US.UTF-8" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). debconf: delaying package configuration, since apt-utils is not installed Selecting previously unselected package libssl1.1:ppc64el. (Reading database ... 11222 files and directories currently installed.) Preparing to unpack .../00-libssl1.1_1.1.0l-1~deb9u1_ppc64el.deb ... Unpacking libssl1.1:ppc64el (1.1.0l-1~deb9u1) ... Selecting previously unselected package libpython3.5-minimal:ppc64el. Preparing to unpack .../01-libpython3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ... Unpacking libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ... Selecting previously unselected package python3.5-minimal. Preparing to unpack .../02-python3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ... Unpacking python3.5-minimal (3.5.3-1+deb9u1) ... Selecting previously unselected package python3-minimal. Preparing to unpack .../03-python3-minimal_3.5.3-1_ppc64el.deb ... Unpacking python3-minimal (3.5.3-1) ... Selecting previously unselected package mime-support. Preparing to unpack .../04-mime-support_3.60_all.deb ... Unpacking mime-support (3.60) ... Selecting previously unselected package libmpdec2:ppc64el. Preparing to unpack .../05-libmpdec2_2.4.2-1_ppc64el.deb ... Unpacking libmpdec2:ppc64el (2.4.2-1) ... Selecting previously unselected package readline-common. Preparing to unpack .../06-readline-common_7.0-3_all.deb ... Unpacking readline-common (7.0-3) ... Selecting previously unselected package libreadline7:ppc64el. Preparing to unpack .../07-libreadline7_7.0-3_ppc64el.deb ... Unpacking libreadline7:ppc64el (7.0-3) ... Selecting previously unselected package libsqlite3-0:ppc64el. Preparing to unpack .../08-libsqlite3-0_3.16.2-5+deb9u1_ppc64el.deb ... Unpacking libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ... Selecting previously unselected package libpython3.5-stdlib:ppc64el. Preparing to unpack .../09-libpython3.5-stdlib_3.5.3-1+deb9u1_ppc64el.deb ... Unpacking libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ... Selecting previously unselected package python3.5. Preparing to unpack .../10-python3.5_3.5.3-1+deb9u1_ppc64el.deb ... Unpacking python3.5 (3.5.3-1+deb9u1) ... Selecting previously unselected package libpython3-stdlib:ppc64el. Preparing to unpack .../11-libpython3-stdlib_3.5.3-1_ppc64el.deb ... Unpacking libpython3-stdlib:ppc64el (3.5.3-1) ... Selecting previously unselected package dh-python. Preparing to unpack .../12-dh-python_2.20170125_all.deb ... Unpacking dh-python (2.20170125) ... Setting up libssl1.1:ppc64el (1.1.0l-1~deb9u1) ... debconf: unable to initialize frontend: Dialog debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.) debconf: falling back to frontend: Readline debconf: unable to initialize frontend: Readline debconf: (Can't locate Term/ReadLine.pm in @INC (you may need to install the Term::ReadLine module) (@INC contains: /etc/perl /usr/local/lib/powerpc64le-linux-gnu/perl/5.24.1 /usr/local/share/perl/5.24.1 /usr/lib/powerpc64le-linux-gnu/perl5/5.24 /usr/share/perl5 /usr/lib/powerpc64le-linux-gnu/perl/5.24 /usr/share/perl/5.24 /usr/local/lib/site_perl /usr/lib/powerpc64le-linux-gnu/perl-base .) at /usr/share/perl5/Debconf/FrontEnd/Readline.pm line 7.) debconf: falling back to frontend: Teletype Setting up libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ... Setting up python3.5-minimal (3.5.3-1+deb9u1) ... Setting up python3-minimal (3.5.3-1) ... Selecting previously unselected package python3. (Reading database ... 12203 files and directories currently installed.) Preparing to unpack .../0-python3_3.5.3-1_ppc64el.deb ... Unpacking python3 (3.5.3-1) ... Selecting previously unselected package bzip2. Preparing to unpack .../1-bzip2_1.0.6-8.1_ppc64el.deb ... Unpacking bzip2 (1.0.6-8.1) ... Selecting previously unselected package libmagic-mgc. Preparing to unpack .../2-libmagic-mgc_1%3a5.30-1+deb9u3_ppc64el.deb ... Unpacking libmagic-mgc (1:5.30-1+deb9u3) ... Selecting previously unselected package libmagic1:ppc64el. Preparing to unpack .../3-libmagic1_1%3a5.30-1+deb9u3_ppc64el.deb ... Unpacking libmagic1:ppc64el (1:5.30-1+deb9u3) ... Selecting previously unselected package file. Preparing to unpack .../4-file_1%3a5.30-1+deb9u3_ppc64el.deb ... Unpacking file (1:5.30-1+deb9u3) ... Selecting previously unselected package xz-utils. Preparing to unpack .../5-xz-utils_5.2.2-1.2+b1_ppc64el.deb ... Unpacking xz-utils (5.2.2-1.2+b1) ... Selecting previously unselected package distro-info-data. Preparing to unpack .../6-distro-info-data_0.36_all.deb ... Unpacking distro-info-data (0.36) ... Selecting previously unselected package lsb-release. Preparing to unpack .../7-lsb-release_9.20161125_all.deb ... Unpacking lsb-release (9.20161125) ... Selecting previously unselected package wazuh-agent. Preparing to unpack .../8-wazuh-agent_4.8.0-1_ppc64el.deb ... Unpacking wazuh-agent (4.8.0-1) ... Setting up readline-common (7.0-3) ... Setting up mime-support (3.60) ... Setting up libreadline7:ppc64el (7.0-3) ... Setting up distro-info-data (0.36) ... Setting up libmagic-mgc (1:5.30-1+deb9u3) ... Setting up bzip2 (1.0.6-8.1) ... Setting up libmagic1:ppc64el (1:5.30-1+deb9u3) ... Processing triggers for libc-bin (2.24-11+deb9u4) ... Setting up xz-utils (5.2.2-1.2+b1) ... update-alternatives: using /usr/bin/xz to provide /usr/bin/lzma (lzma) in auto mode Processing triggers for systemd (232-25+deb9u12) ... Setting up libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ... Setting up libmpdec2:ppc64el (2.4.2-1) ... Setting up libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ... Setting up file (1:5.30-1+deb9u3) ... Setting up python3.5 (3.5.3-1+deb9u1) ... Setting up libpython3-stdlib:ppc64el (3.5.3-1) ... Setting up python3 (3.5.3-1) ... running python rtupdate hooks for python3.5... running python post-rtupdate hooks for python3.5... Setting up lsb-release (9.20161125) ... Setting up dh-python (2.20170125) ... Setting up wazuh-agent (4.8.0-1) ... Processing triggers for libc-bin (2.24-11+deb9u4) ... Processing triggers for systemd (232-25+deb9u12) ... N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.8.0-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied) root@6042c74a6ce0:~# /var/ossec/bin/wazuh-control start Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. root@6042c74a6ce0:~# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40801" WAZUH_TYPE="agent" root@6042c74a6ce0:~# grep address /var/ossec/etc/ossec.conf

xx.xxx.xx.xxx

``` - Wazuh server ```shell [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 041 Wazuh agent_control. Agent information: Agent ID: 041 Agent Name: 6042c74a6ce0 IP address: any Status: Active Operating system: Linux |6042c74a6ce0 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le Client version: Wazuh v4.8.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702460263 Syscheck last started at: Wed Dec 13 09:37:04 2023 Syscheck last ended at: Wed Dec 13 09:37:21 2023 ```

Installation without variables :green_circle:

Generate alerts (TCP & UDP) :green_circle:

- TCP - Wazuh Agent ```shell root@6042c74a6ce0:~# grep -Ei "tcp" /var/ossec/logs/ossec.log 2023/12/13 09:43:56 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/tcp). 2023/12/13 09:43:56 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/tcp). ``` - TCP - Wazuh Server ``` {"timestamp":"2023-12-13T09:44:15.416+0000","rule":{"level":3,"description":"CIS Debian Linux 9 Benchmark v1.0.1: Ensure shadow group is empty","id":"19008","firedtimes":116,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","10.2.5"],"nist_800_53":["CM.1","AU.14","AC.7"],"tsc":["CC7.1","CC7.2","CC7.2","CC6.1","CC6.8","CC7.3","CC7.4"],"cis":["6.2.20"],"cis_csc":["16"],"hipaa":["164.312.b"],"gpg_13":["7.8"],"gdpr_IV":["35.7","32.2"]},"agent":{"id":"042","name":"6042c74a6ce0","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1702460655.2595774","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"176119446","policy":"CIS Debian Linux 9 Benchmark v1.0.1","check":{"id":"2174","title":"Ensure shadow group is empty","description":"The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.","rationale":"Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.","remediation":"Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.","compliance":{"cis":"6.2.20","cis_csc":"16","pci_dss":"10.2.5","hipaa":"164.312.b","nist_800_53":"AU.14,AC.7","tsc":"CC7.2,CC6.1,CC6.8,CC7.3,CC7.4","gpg_13":"7.8","gdpr_IV":"35.7,32.2"},"file":["/etc/group"],"result":"passed"}}},"location":"sca"} {"timestamp":"2023-12-13T09:44:22.430+0000","rule":{"level":7,"description":"SCA summary: CIS Debian Linux 9 Benchmark v1.0.1: Score less than 50% (39)","id":"19004","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"042","name":"6042c74a6ce0","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1702460662.2598435","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"176119446","policy":"CIS Debian Linux 9 Benchmark v1.0.1","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9.","policy_id":"cis_debian9","passed":"58","failed":"89","invalid":"28","total_checks":"175","score":"39","file":"cis_debian9.yml"}},"location":"sca"} {"timestamp":"2023-12-13T09:44:33.216+0000","rule":{"level":7,"description":"SCA summary: CIS Debian Linux 9 Benchmark v1.0.1: Score less than 50% (39)","id":"19004","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"042","name":"6042c74a6ce0","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1702460673.2599659","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"176119446","policy":"CIS Debian Linux 9 Benchmark v1.0.1","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9.","policy_id":"cis_debian9","passed":"58","failed":"89","invalid":"28","total_checks":"175","score":"39","file":"cis_debian9.yml"}},"location":"sca"} ``` - UDP - Wazuh Agent ```shell root@6042c74a6ce0:~# /var/ossec/bin/wazuh-control restart Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.8.0 Stopped Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. root@6042c74a6ce0:~# grep -Ei "udp" /var/ossec/logs/ossec.log 2023/12/13 09:46:11 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/udp). 2023/12/13 09:46:11 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/udp). ``` - UDP - Wazuh Server ``` {"timestamp":"2023-12-13T09:44:33.216+0000","rule":{"level":7,"description":"SCA summary: CIS Debian Linux 9 Benchmark v1.0.1: Score less than 50% (39)","id":"19004","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"042","name":"6042c74a6ce0","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1702460673.2599659","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"176119446","policy":"CIS Debian Linux 9 Benchmark v1.0.1","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9.","policy_id":"cis_debian9","passed":"58","failed":"89","invalid":"28","total_checks":"175","score":"39","file":"cis_debian9.yml"}},"location":"sca"} {"timestamp":"2023-12-13T09:46:09.593+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":4,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"042","name":"6042c74a6ce0","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1702460769.2600901","full_log":"ossec: Agent stopped: '6042c74a6ce0->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"6042c74a6ce0->any"},"location":"wazuh-remoted"} {"timestamp":"2023-12-13T09:46:11.916+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":4,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"042","name":"6042c74a6ce0","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1702460771.2601238","full_log":"ossec: Agent started: '6042c74a6ce0->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"6042c74a6ce0->any"},"location":"wazuh-agent"} ```

Removal :green_circle:

```shell root@6042c74a6ce0:~# apt-get remove --purge wazuh-agent Reading package lists... Done Building dependency tree Reading state information... Done The following packages were automatically installed and are no longer required: bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 libssl1.1 lsb-release mime-support python3 python3-minimal python3.5 python3.5-minimal readline-common xz-utils Use 'apt autoremove' to remove them. The following packages will be REMOVED: wazuh-agent* 0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded. After this operation, 39.4 MB disk space will be freed. Do you want to continue? [Y/n] y perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LC_TIME = "es_ES.UTF-8", LC_MONETARY = "es_ES.UTF-8", LC_ADDRESS = "es_ES.UTF-8", LC_TELEPHONE = "es_ES.UTF-8", LC_NAME = "es_ES.UTF-8", LC_MEASUREMENT = "es_ES.UTF-8", LC_IDENTIFICATION = "es_ES.UTF-8", LC_NUMERIC = "es_ES.UTF-8", LC_PAPER = "es_ES.UTF-8", LANG = "en_US.UTF-8" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). (Reading database ... 12750 files and directories currently installed.) Removing wazuh-agent (4.8.0-1) ... Processing triggers for libc-bin (2.24-11+deb9u4) ... (Reading database ... 12361 files and directories currently installed.) Purging configuration files for wazuh-agent (4.8.0-1) ... Processing triggers for systemd (232-25+deb9u12) ... ```

Check users and groups :green_circle:

``` root@8a5e62503ed9:~# cat /etc/passwd | grep wazuh wazuh:x:107:108::/var/ossec:/bin/false root@8a5e62503ed9:~# cat /etc/group | grep wazuh wazuh:x:108: ```

Errors and warnings :green_circle:

Analysis report - CentOS 7 PPC64EL 🟢

System info

```shell [root@1e3c3991b868 ~]# cat /etc/os-release NAME="CentOS Linux" VERSION="7 (AltArch)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (AltArch)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7:server" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="7" ```

Installation with variables :green_circle:

- Wazuh agent ```shell [root@1e3c3991b868 ~]# curl -O https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.8.0-1.ppc64le.rpm % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 7131k 100 7131k 0 0 4086k 0 0:00:01 0:00:01 --:--:-- 4084k ``` ```shell [root@1e3c3991b868 ~]# WAZUH_MANAGER="xx.xxx.xx.xxx" yum install ./wazuh-agent-4.8.0-1.ppc64le.rpm Failed to set locale, defaulting to C Loaded plugins: fastestmirror, ovl Examining ./wazuh-agent-4.8.0-1.ppc64le.rpm: wazuh-agent-4.8.0-1.ppc64le Marking ./wazuh-agent-4.8.0-1.ppc64le.rpm to be installed Resolving Dependencies --> Running transaction check ---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be installed --> Finished Dependency Resolution Dependencies Resolved =================================================================================================== Package Arch Version Repository Size =================================================================================================== Installing: wazuh-agent ppc64le 4.8.0-1 /wazuh-agent-4.8.0-1.ppc64le 33 M Transaction Summary =================================================================================================== Install 1 Package Total size: 33 M Installed size: 33 M Is this ok [y/d/N]: y Downloading packages: Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : wazuh-agent-4.8.0-1.ppc64le 1/1 Verifying : wazuh-agent-4.8.0-1.ppc64le 1/1 Installed: wazuh-agent.ppc64le 0:4.8.0-1 Complete! [root@1e3c3991b868 ~]# /var/ossec/bin/wazuh-control start Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. [root@1e3c3991b868 ~]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40801" WAZUH_TYPE="agent" [root@1e3c3991b868 ~]# grep address /var/ossec/etc/ossec.conf

xx.xxx.xx.xxx

``` - Wazuh server ```shell [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 043 Wazuh agent_control. Agent information: Agent ID: 043 Agent Name: 1e3c3991b868 IP address: any Status: Active Operating system: Linux |1e3c3991b868 |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le Client version: Wazuh v4.8.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702462158 Syscheck last started at: Wed Dec 13 10:08:39 2023 Syscheck last ended at: Wed Dec 13 10:09:10 2023 ```

Installation without variables :green_circle:

- Wazuh agent ```shell [root@1e3c3991b868 ~]# curl -O https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.8.0-1.ppc64le.rpm % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 7131k 100 7131k 0 0 13.4M 0 --:--:-- --:--:-- --:--:-- 13.4M [root@1e3c3991b868 ~]# yum install ./wazuh-agent-4.8.0-1.ppc64le.rpm Failed to set locale, defaulting to C Loaded plugins: fastestmirror, ovl Examining ./wazuh-agent-4.8.0-1.ppc64le.rpm: wazuh-agent-4.8.0-1.ppc64le Marking ./wazuh-agent-4.8.0-1.ppc64le.rpm to be installed Resolving Dependencies --> Running transaction check ---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be installed --> Finished Dependency Resolution Dependencies Resolved =================================================================================================== Package Arch Version Repository Size =================================================================================================== Installing: wazuh-agent ppc64le 4.8.0-1 /wazuh-agent-4.8.0-1.ppc64le 33 M Transaction Summary =================================================================================================== Install 1 Package Total size: 33 M Installed size: 33 M Is this ok [y/d/N]: y Downloading packages: Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : wazuh-agent-4.8.0-1.ppc64le 1/1 Verifying : wazuh-agent-4.8.0-1.ppc64le 1/1 Installed: wazuh-agent.ppc64le 0:4.8.0-1 Complete! [root@1e3c3991b868 ~]# vi /var/ossec/etc/ossec.conf [root@1e3c3991b868 ~]# /var/ossec/bin/wazuh-control start Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. [root@1e3c3991b868 ~]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40801" WAZUH_TYPE="agent" ``` - Wazuh server ```shell [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 044 Wazuh agent_control. Agent information: Agent ID: 044 Agent Name: 1e3c3991b868 IP address: any Status: Active Operating system: Linux |1e3c3991b868 |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le Client version: Wazuh v4.8.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702462383 Syscheck last started at: Wed Dec 13 10:13:04 2023 Syscheck last ended at: Wed Dec 13 10:13:06 2023 ```

Generate alerts (TCP & UDP) :green_circle:

- TCP - Wazuh Agent ```shell [root@1e3c3991b868 ~]# grep -Ei "tcp" /var/ossec/logs/ossec.log 2023/12/13 10:12:58 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/tcp). 2023/12/13 10:12:58 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/tcp). ``` - TCP - Wazuh Server ``` {"timestamp":"2023-12-13T10:13:16.538+0000","rule":{"level":3,"description":"CIS CentOS Linux 7 Benchmark v3.1.2.: Ensure root is the only UID 0 account.","id":"19008","firedtimes":116,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["6.2.9"],"cis_csc_v8":["4.1"],"cis_csc_v7":["5.1"],"iso_27001-2013":["A.14.2.5","A.8.1.3"],"nist_sp_800-53":["CM-7(1)","CM-9","SA-10"],"soc_2":["CC7.1","CC8.1"]},"agent":{"id":"044","name":"1e3c3991b868","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1702462396.3999293","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1270255293","policy":"CIS CentOS Linux 7 Benchmark v3.1.2.","check":{"id":"6195","title":"Ensure root is the only UID 0 account.","description":"Any account with UID 0 has superuser privileges on the system.","rationale":"This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted.","remediation":"Remove any users other than root with UID 0 or assign them a new UID if appropriate.","compliance":{"cis":"6.2.9","cis_csc_v8":"4.1","cis_csc_v7":"5.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,CM.L2-3.4.1,CM.L2-3.4.2,CM.L2-3.4.6,CM.L2-3.4.7"},"iso_27001-2013":"A.14.2.5,A.8.1.3","nist_sp_800-53":"CM-7(1),CM-9,SA-10","pci_dss_v3":{"2":{"1":"11.5,2.2"}},"pci_dss_v4":{"0":"1.1.1,1.2.1,1.2.6,1.2.7,1.5.1,2.1.1,2.2.1"},"soc_2":"CC7.1,CC8.1"},"file":["/etc/passwd"],"result":"passed"}}},"location":"sca"} {"timestamp":"2023-12-13T10:13:23.552+0000","rule":{"level":7,"description":"SCA summary: CIS CentOS Linux 7 Benchmark v3.1.2.: Score less than 50% (38)","id":"19004","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"044","name":"1e3c3991b868","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1702462403.4002796","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1270255293","policy":"CIS CentOS Linux 7 Benchmark v3.1.2.","description":"This document provides prescriptive guidance for establishing a secure configuration posture for CentOS 7 systems running on x86 and x64 platforms. This document was tested against CentOS 7.","policy_id":"cis_centos7_linux","passed":"58","failed":"91","invalid":"47","total_checks":"196","score":"38","file":"cis_centos7_linux.yml"}},"location":"sca"} ``` - UDP - Wazuh Agent ```shell [root@1e3c3991b868 ~]# /var/ossec/bin/wazuh-control restart Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.8.0 Stopped Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. [root@1e3c3991b868 ~]# grep -Ei "udp" /var/ossec/logs/ossec.log 2023/12/13 10:15:20 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/udp). 2023/12/13 10:15:20 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/udp). ``` - UDP - Wazuh Server ``` {"timestamp":"2023-12-13T10:15:18.611+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":4,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"044","name":"1e3c3991b868","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1702462518.4004205","full_log":"ossec: Agent stopped: '1e3c3991b868->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"1e3c3991b868->any"},"location":"wazuh-remoted"} {"timestamp":"2023-12-13T10:15:20.954+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":4,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"044","name":"1e3c3991b868","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1702462520.4004542","full_log":"ossec: Agent started: '1e3c3991b868->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"1e3c3991b868->any"},"location":"wazuh-agent"} ```

Removal :green_circle:

```shell [root@1e3c3991b868 ~]# yum remove wazuh-agent Failed to set locale, defaulting to C Loaded plugins: fastestmirror, ovl Resolving Dependencies --> Running transaction check ---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be erased --> Finished Dependency Resolution Dependencies Resolved =================================================================================================== Package Arch Version Repository Size =================================================================================================== Removing: wazuh-agent ppc64le 4.8.0-1 @/wazuh-agent-4.8.0-1.ppc64le 33 M Transaction Summary =================================================================================================== Remove 1 Package Installed size: 33 M Is this ok [y/N]: y Downloading packages: Running transaction check Running transaction test Transaction test succeeded Running transaction Erasing : wazuh-agent-4.8.0-1.ppc64le 1/1 warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave warning: /var/ossec/etc/client.keys saved as /var/ossec/etc/client.keys.rpmsave Verifying : wazuh-agent-4.8.0-1.ppc64le 1/1 Removed: wazuh-agent.ppc64le 0:4.8.0-1 Complete! ```

Check users and groups :green_circle:

```shell [root@1e3c3991b868 ~]# cat /etc/passwd | grep wazuh wazuh:x:999:997::/var/ossec:/sbin/nologin [root@1e3c3991b868 ~]# cat /etc/group | grep wazuh wazuh:x:997:wazuh ```

Errors and warnings :green_circle:

Analysis Report - AMI :red_circle:

WUI 🟢

- Loading Screen: OK - Login Screen: OK - Credentials: OK ![image](https://github.com/wazuh/wazuh/assets/125690423/5ca5369e-21b0-4c15-a486-27954f13661a) ![image](https://github.com/wazuh/wazuh/assets/125690423/a7f3f19e-b3b6-442d-bf57-b55573623a8e) Expected failure. Check vulnerabilities index pattern ![image](https://github.com/wazuh/wazuh/assets/125690423/dd926a1d-9e48-432b-8a49-d7684fcc3bb0) ![image](https://github.com/wazuh/wazuh/assets/125690423/13ee5fb4-93c7-44ff-b85f-922d10780db7)

Logs 🟡

- Wazuh Dashboard - journalctl 🟢 ```console [root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning" dic 13 04:33:55 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-13T04:33:55Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 13 04:11:36 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-13T04:11:36Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 13 03:40:44 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-13T03:40:44Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 13 03:19:37 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-13T03:19:37Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 13 02:50:35 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-13T02:50:35Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 13 02:19:27 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-13T02:19:27Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 13 01:53:14 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-13T01:53:14Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 13 00:58:38 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-13T00:58:38Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 13 00:31:01 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-13T00:31:01Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 13 00:13:34 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-13T00:13:34Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 23:49:13 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-12T23:49:13Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 23:30:02 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-12T23:30:02Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 22:56:14 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-12T22:56:14Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 22:26:41 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-12T22:26:41Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 22:06:40 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-12T22:06:40Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 21:56:37 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-12T21:56:37Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 21:56:22 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-12T21:56:22Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 21:16:16 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-12T21:16:16Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 20:40:37 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-12T20:40:37Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 20:32:17 wazuh-server opensearch-dashboards[18548]: {"type":"error","@timestamp":"2023-12-12T20:32:17Z","tags":["connection","client","error"],"pid":18548,"level":"error","error":{"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139835281045376:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 20:30:01 wazuh-server opensearch-dashboards[18548]: {"type":"log","@timestamp":"2023-12-12T20:30:01Z","tags":["error","opensearch","data"],"pid":18548,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2023.50w/dURB9_fZQh66CwrcMYp-Gw] already exists"} {"type":"error","@timestamp":"2023-12-12T20:23:53Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140324594411392:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140324594411392:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"} dic 12 20:23:49 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T20:23:49Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140324594411392:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140324594411392:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"} dic 12 20:23:48 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T20:23:48Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140324594411392:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140324594411392:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"} dic 12 19:59:09 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T19:59:09Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 19:33:05 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T19:33:05Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 19:07:23 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T19:07:23Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 19:06:47 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T19:06:47Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_VERSION_TOO_LOW"},"message":"140324594411392:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 19:06:47 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T19:06:47Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1661:\n","name":"Error","stack":"Error: 140324594411392:error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1661:\n","code":"ERR_SSL_UNKNOWN_PROTOCOL"},"message":"140324594411392:error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1661:\n"} dic 12 19:06:47 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T19:06:47Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 19:06:46 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T19:06:46Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 19:06:46 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T19:06:46Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 140324594411392:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140324594411392:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"} dic 12 19:06:16 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T19:06:16Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 19:01:52 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T19:01:52Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 18:36:47 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T18:36:47Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 18:01:19 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T18:01:19Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 17:23:55 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T17:23:55Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 16:54:29 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T16:54:29Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 16:48:34 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T16:48:34Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 16:48:34 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T16:48:34Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 140324594411392:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140324594411392:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"} dic 12 16:48:34 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T16:48:34Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1661:\n","name":"Error","stack":"Error: 140324594411392:error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1661:\n","code":"ERR_SSL_UNKNOWN_PROTOCOL"},"message":"140324594411392:error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1661:\n"} dic 12 16:48:34 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T16:48:34Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_VERSION_TOO_LOW"},"message":"140324594411392:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 16:48:34 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T16:48:34Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 16:43:05 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T16:43:05Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 16:10:29 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T16:10:29Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 15:52:13 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T15:52:13Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 42\n","name":"Error","stack":"Error: 140324594411392:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 42\n","code":"ERR_SSL_SSLV3_ALERT_BAD_CERTIFICATE"},"message":"140324594411392:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 42\n"} dic 12 15:45:07 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T15:45:07Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 140324594411392:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"140324594411392:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"} dic 12 15:45:07 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T15:45:07Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 140324594411392:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140324594411392:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"} dic 12 15:45:06 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T15:45:06Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 15:45:06 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T15:45:06Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 140324594411392:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140324594411392:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"} dic 12 15:34:32 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T15:34:32Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 15:21:01 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T15:21:01Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 14:33:41 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T14:33:41Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 14:22:51 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T14:22:51Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 14:15:58 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T14:15:58Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","name":"Error","stack":"Error: 140324594411392:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","code":"ERR_SSL_WRONG_VERSION_NUMBER"},"message":"140324594411392:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"} dic 12 13:45:21 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T13:45:21Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 13:17:11 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T13:17:11Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 12:48:54 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T12:48:54Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 12:28:35 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T12:28:35Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 11:42:35 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T11:42:35Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 11:29:28 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T11:29:28Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 11:10:54 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T11:10:54Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 10:48:46 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T10:48:46Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 10:29:04 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T10:29:04Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 09:54:00 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T09:54:00Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 09:31:09 wazuh-server opensearch-dashboards[4673]: {"type":"error","@timestamp":"2023-12-12T09:31:09Z","tags":["connection","client","error"],"pid":4673,"level":"error","error":{"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140324594411392:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"} dic 12 09:24:59 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:59Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ResponseError]: Response Error"} dic 12 09:24:57 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:57Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ResponseError]: Response Error"} dic 12 09:24:54 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:54Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ResponseError]: Response Error"} dic 12 09:24:52 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:52Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ResponseError]: Response Error"} dic 12 09:24:49 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:49Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ResponseError]: Response Error"} dic 12 09:24:47 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:47Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ResponseError]: Response Error"} dic 12 09:24:44 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:44Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} dic 12 09:24:42 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:42Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} dic 12 09:24:39 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:39Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} dic 12 09:24:37 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:37Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} dic 12 09:24:34 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:34Z","tags":["error","savedobjects-service"],"pid":1741,"message":"Unable to retrieve version information from OpenSearch nodes."} dic 12 09:24:34 wazuh-server opensearch-dashboards[1741]: {"type":"log","@timestamp":"2023-12-12T09:24:34Z","tags":["error","opensearch","data"],"pid":1741,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"} ``` - Wazuh Indexer - journalctl 🟡 ```console [root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning" dic 13 00:00:01 wazuh-server systemd-entrypoint[2253]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation") dic 13 00:00:01 wazuh-server systemd-entrypoint[2253]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") dic 12 09:23:35 wazuh-server systemd-entrypoint[2253]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) dic 12 09:23:35 wazuh-server systemd-entrypoint[2253]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation") dic 12 09:23:35 wazuh-server systemd-entrypoint[2253]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) dic 12 09:23:35 wazuh-server systemd-entrypoint[2253]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") dic 12 09:23:35 wazuh-server systemd-entrypoint[2253]: WARNING: System::setSecurityManager will be removed in a future release dic 12 09:23:35 wazuh-server systemd-entrypoint[2253]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security dic 12 09:23:35 wazuh-server systemd-entrypoint[2253]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) dic 12 09:23:35 wazuh-server systemd-entrypoint[2253]: WARNING: A terminally deprecated method in java.lang.System has been called dic 12 09:23:26 wazuh-server systemd-entrypoint[2253]: WARNING: System::setSecurityManager will be removed in a future release dic 12 09:23:26 wazuh-server systemd-entrypoint[2253]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch dic 12 09:23:26 wazuh-server systemd-entrypoint[2253]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) dic 12 09:23:26 wazuh-server systemd-entrypoint[2253]: WARNING: A terminally deprecated method in java.lang.System has been called ``` - Wazuh Indexer - /var/logs/wazuh-indexer :yellow_circle: SecuritySSLNettyHttpServerTransport AlertIndices deleteOldIndices ```console [root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/ /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-13T09:21:22,825Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: java.net.SocketException: Connection reset", "cluster.uuid": "-PkrvAM8T8u2YJZBjTcQzw", "node.id": "GnFODCqAQNKeys6XOaAgDw" , /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-13T09:24:45,202Z", "level": "ERROR", "component": "o.o.a.a.AlertIndices", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "info deleteOldIndices", "cluster.uuid": "-PkrvAM8T8u2YJZBjTcQzw", "node.id": "GnFODCqAQNKeys6XOaAgDw" } /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-13T09:24:45,203Z", "level": "ERROR", "component": "o.o.a.a.AlertIndices", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "info deleteOldIndices", "cluster.uuid": "-PkrvAM8T8u2YJZBjTcQzw", "node.id": "GnFODCqAQNKeys6XOaAgDw" } /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-13T09:21:22,825][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-13T09:24:45,202][ERROR][o.o.a.a.AlertIndices ] [node-1] info deleteOldIndices /var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-13T09:24:45,203][ERROR][o.o.a.a.AlertIndices ] [node-1] info deleteOldIndices ``` - Wazuh Server - /var/ossec/logs 🟢 ```console [root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log ```

Filebeat Test 🟢

```console [root@wazuh-server wazuh-user]# filebeat test output elasticsearch: https://localhost:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 127.0.0.1 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 ```

Wazuh Indexer Cluster :red_circle:

Cluster in yellow state ```console [root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200 { "name" : "node-1", "cluster_name" : "wazuh-cluster", "cluster_uuid" : "-PkrvAM8T8u2YJZBjTcQzw", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03", "build_date" : "2023-09-20T23:54:29.889267151Z", "build_snapshot" : false, "lucene_version" : "9.7.0", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } [root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 127.0.0.1 66 95 0 0.23 0.11 0.07 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 [root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200/_cluster/health?pretty { "cluster_name" : "wazuh-cluster", "status" : "yellow", "timed_out" : false, "number_of_nodes" : 1, "number_of_data_nodes" : 1, "discovered_master" : true, "discovered_cluster_manager" : true, "active_primary_shards" : 22, "active_shards" : 22, "relocating_shards" : 0, "initializing_shards" : 0, "unassigned_shards" : 5, "delayed_unassigned_shards" : 0, "number_of_pending_tasks" : 0, "number_of_in_flight_fetch" : 0, "task_max_waiting_in_queue_millis" : 0, "active_shards_percent_as_number" : 81.48148148148148 } ```

Users 🟢

```console [root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group wheel:x:10:wazuh-user wazuh-user:x:1001: wazuh-indexer:x:993: wazuh:x:992:wazuh wazuh-dashboard:x:991:wazuh-dashboard [root@wazuh-server wazuh-user]# wheel:x:10:wazuh-user bash: wheel:x:10:wazuh-user: command not found [root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin wazuh:x:994:992::/var/ossec:/sbin/nologin wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin ```

Versions 🟢

```console [root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40801" WAZUH_TYPE="server" [root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40801" WAZUH_TYPE="server" [root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION 4.8.0 [root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION 4.8.0 [root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json { "name": "opensearch-dashboards", "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.", "keywords": [ "opensearch-dashboards", "opensearch", "logstash", "analytics", "visualizations", "dashboards", "dashboarding" ], "version": "2.10.0", "branch": "2.x", "build": { "number": 48001, "sha": "c1120d93e2ee647977f917a1249258a622d4eb5b", "distributable": true, "release": true }, "repository": { "type": "git", "url": "https://github.com/opensearch-project/opensearch-dashboards.git" }, "engines": { "node": ">=14.20.1 <19" } } ```

Processes 🟢

```console [root@wazuh-server wazuh-user]# ps -ef | grep wazuh wazuh-d+ 434 1 4 10:50 ? 00:00:06 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist root 574 5115 0 10:53 pts/0 00:00:00 grep --color=auto wazuh root 2013 1 0 dic12 ? 00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0 root 2060 1 0 dic12 ? 00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server wazuh-i+ 2253 1 0 dic12 ? 00:07:08 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms1859m -Xmx1859m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-16747789960084861931 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=975175680 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet root 4923 2312 0 dic12 ? 00:00:00 sshd: wazuh-user [priv] wazuh-u+ 4999 4923 0 dic12 ? 00:00:00 sshd: wazuh-user@pts/0 wazuh-u+ 5011 4999 0 dic12 pts/0 00:00:00 -bash wazuh 30997 1 0 10:44 ? 00:00:03 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 30998 30997 0 10:44 ? 00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 31001 30997 0 10:44 ? 00:00:01 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 31004 30997 0 10:44 ? 00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py root 31048 1 0 10:44 ? 00:00:02 /var/ossec/bin/wazuh-authd wazuh 31065 1 0 10:44 ? 00:00:00 /var/ossec/bin/wazuh-db root 31090 1 0 10:44 ? 00:00:00 /var/ossec/bin/wazuh-execd wazuh 31103 1 0 10:44 ? 00:00:00 /var/ossec/bin/wazuh-analysisd root 31151 1 1 10:44 ? 00:00:08 /var/ossec/bin/wazuh-syscheckd wazuh 31170 1 0 10:44 ? 00:00:00 /var/ossec/bin/wazuh-remoted root 31202 1 0 10:44 ? 00:00:00 /var/ossec/bin/wazuh-logcollector wazuh 31222 1 0 10:44 ? 00:00:00 /var/ossec/bin/wazuh-monitord root 31242 1 0 10:44 ? 00:00:00 /var/ossec/bin/wazuh-modulesd [root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control status wazuh-clusterd not running... wazuh-modulesd is running... wazuh-monitord is running... wazuh-logcollector is running... wazuh-remoted is running... wazuh-syscheckd is running... wazuh-analysisd is running... wazuh-maild not running... wazuh-execd is running... wazuh-db is running... wazuh-authd is running... wazuh-agentlessd not running... wazuh-integratord not running... wazuh-dbd not running... wazuh-csyslogd not running... wazuh-apid is running... ```

SSH Root Access Denied 🟢

```console akim@akim-PC:~/Desktop/personal$ ssh -i "Ephemeral.pem" root@ec2-35-168-16-157.compute-1.amazonaws.com Please login as the user "wazuh-user" rather than the user "root". ```

SSH wazuh-user Access Allowed 🟢

```console akim@akim-PC:~/Desktop/personal$ ssh -i "Ephemeral.pem" wazuh-user@ec2-35-168-16-157.compute-1.amazonaws.com Last login: Wed Dec 13 10:29:07 2023 from 90.168.145.212 wwwwww. wwwwwww. wwwwwww. wwwwwww. wwwwwww. wwwwwww. wwwwww. wwwwwwwww. wwwwwww. wwwwwww. wwwwwwwww. wwwwwww. wwwwww. wwwwwwwwwww. wwwwwww. wwwwwww. wwwwwwwwwww. wwwwwww. wwwwww. wwwwww.wwwwww. wwwwwww. wwwwwww. wwwww. wwwwww. wwwwwww. wwwwww. wwwwww. wwwwww. wwwwwww. wwwwwww. wwwww. wwwwww. wwwwwww. wwwwww. wwwwww. wwwwww.wwwwwww. wwwwwww.wwwww. wwwwww.wwwwwww. wwwwwwwwwwww. wwwwwwwwwwww. wwwwwwwwwww. wwwwwwwwwwww. oooooo wwwwwwwwww. wwwwwwwwww. oooooooo wwwwwwwww. wwwwwwwwww. oooooooooo wwwwwwww. wwwwwwww. oooooooooo wwwwwww. wwwwwwww. oooooooo wwwwww. wwwwww. oooooo WAZUH Open Source Security Platform https://wazuh.com [wazuh-user@wazuh-server ~]$ ```

Production Repositories 🟢

```console [root@wazuh-server wazuh-user]# cat /etc/yum.repos.d/wazuh.repo [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-${releasever} - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 ```

Indexer - /var/logs/wazuh-indexer

AlertIndices - deleteOldIndices
Reported: https://github.com/wazuh/wazuh-packages/issues/2094 - Known issue

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-13T09:24:45,202Z", "level": "ERROR", "component": "o.o.a.a.AlertIndices", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "info deleteOldIndices", "cluster.uuid": "-PkrvAM8T8u2YJZBjTcQzw", "node.id": "GnFODCqAQNKeys6XOaAgDw"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-13T09:24:45,203Z", "level": "ERROR", "component": "o.o.a.a.AlertIndices", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "info deleteOldIndices", "cluster.uuid": "-PkrvAM8T8u2YJZBjTcQzw", "node.id": "GnFODCqAQNKeys6XOaAgDw"  }
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-13T09:21:22,825][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-13T09:24:45,202][ERROR][o.o.a.a.AlertIndices     ] [node-1] info deleteOldIndices
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-12-13T09:24:45,203][ERROR][o.o.a.a.AlertIndices     ] [node-1] info deleteOldIndices

SecuritySSLNettyHttpServerTransport
Reported: https://github.com/wazuh/wazuh-packages/issues/1489 - Known issue

/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-13T09:21:22,825Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: java.net.SocketException: Connection reset", "cluster.uuid": "-PkrvAM8T8u2YJZBjTcQzw", "node.id": "GnFODCqAQNKeys6XOaAgDw" , 
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-12-13T09:24:45,202Z", "level": "ERROR", "component": "o.o.a.a.AlertIndices", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "info deleteOldIndices", "cluster.uuid": "-PkrvAM8T8u2YJZBjTcQzw", "node.id": "GnFODCqAQNKeys6XOaAgDw"  }

Indexer - journalctl

Warnings Related to setSecurityManager
Reported: https://github.com/wazuh/wazuh-packages/issues/2046 - Known issue

dic 12 09:23:26 wazuh-server systemd-entrypoint[2253]: WARNING: System::setSecurityManager will be removed in a future release
dic 12 09:23:26 wazuh-server systemd-entrypoint[2253]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
dic 12 09:23:26 wazuh-server systemd-entrypoint[2253]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
dic 12 09:23:26 wazuh-server systemd-entrypoint[2253]: WARNING: A terminally deprecated method in java.lang.System has been called

Indexer - cluster

Cluster in yellow state

Reported: https://github.com/wazuh/wazuh-indexer/issues/79 - New issue

Analysis report - Solaris 10 SPARC - :green_circle:

System info :green_circle:

```shell # hostname sossp275 # uname -a SunOS sossp275 5.10 Generic_147147-26 sun4v sparc sun4v ```

Installation without variables :green_circle:

- Wazuh agent ```shell # /opt/csw/bin/curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/10/wazuh-agent_v4.8.0-sol10-sparc.pkg ``` ```shell # pkgadd -d wazuh-agent_v4.8.0-sol10-sparc.pkg wazuh-agent Processing package instance from Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.8.0 Wazuh, Inc ## Executing checkinstall script. ## Processing package information. ## Processing system information. ## Verifying disk space requirements. ## Checking for conflicts with packages already installed. ## Checking for setuid/setgid programs. This package contains scripts which will be executed with super-user permission during the process of installing this package. Do you want to continue with the installation of [y,n,?] y Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as ## Executing preinstall script. ## Installing part 1 of 1. /etc/init.d/wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/rc3.d/S97wazuh-agent /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/wazuh-slack /var/ossec/agentless/main.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/ssh.exp /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/su.exp /var/ossec/bin/agent-auth /var/ossec/bin/manage_agents /var/ossec/bin/wazuh-agentd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-syscheckd /var/ossec/etc/TIMEZONE /var/ossec/etc/client.keys /var/ossec/etc/internal_options.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/ossec.conf /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt /var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/wpk_root.pem /var/ossec/lib/libdbsync.so /var/ossec/lib/libfimdb.so /var/ossec/lib/libgcc_s.so.1 /var/ossec/lib/librsync.so /var/ossec/lib/libstdc++.so.6 /var/ossec/lib/libsyscollector.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libwazuhshared.so /var/ossec/logs/active-responses.log /var/ossec/logs/ossec.json /var/ossec/logs/ossec.log /var/ossec/queue/syscollector/norm_config.json /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/wodles/__init__.py /var/ossec/wodles/aws/__init__.py /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/aws/aws_tools.py /var/ossec/wodles/aws/buckets_s3/__init__.py /var/ossec/wodles/aws/buckets_s3/aws_bucket.py /var/ossec/wodles/aws/buckets_s3/cloudtrail.py /var/ossec/wodles/aws/buckets_s3/config.py /var/ossec/wodles/aws/buckets_s3/guardduty.py /var/ossec/wodles/aws/buckets_s3/load_balancers.py /var/ossec/wodles/aws/buckets_s3/server_access.py /var/ossec/wodles/aws/buckets_s3/umbrella.py /var/ossec/wodles/aws/buckets_s3/vpcflow.py /var/ossec/wodles/aws/buckets_s3/waf.py /var/ossec/wodles/aws/services/__init__.py /var/ossec/wodles/aws/services/aws_service.py /var/ossec/wodles/aws/services/cloudwatchlogs.py /var/ossec/wodles/aws/services/inspector.py /var/ossec/wodles/aws/subscribers/__init__.py /var/ossec/wodles/aws/subscribers/s3_log_handler.py /var/ossec/wodles/aws/subscribers/sqs_message_processor.py /var/ossec/wodles/aws/subscribers/sqs_queue.py /var/ossec/wodles/aws/wazuh_integration.py /var/ossec/wodles/azure/azure-logs /var/ossec/wodles/azure/orm.py /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/exceptions.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/utils.py [ verifying class ] ## Executing postinstall script. Installation of was successful. # sed 's/MANAGER_IP/xx.xxx.xx.xxx/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf # grep "address" /var/ossec/etc/ossec.conf

xx.xxx.xx.xxx

# /var/ossec/bin/wazuh-control start Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. # /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40801" WAZUH_TYPE="agent" ``` ``` [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 039 Wazuh agent_control. Agent information: Agent ID: 039 Agent Name: sossp275 IP address: any Status: Active Operating system: SunOS |sossp275 |5.10 |Generic_147147-26 |sun4v Client version: Wazuh v4.8.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702457364 Syscheck last started at: Wed Dec 13 15:47:29 2023 Syscheck last ended at: Wed Dec 13 15:47:42 2023 ```

Generate alerts (TCP & UDP) :green_circle:

- TCP - Wazuh Agent ```shell # grep tcp /var/ossec/logs/ossec.log 2023/12/13 09:47:24 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/tcp). 2023/12/13 09:47:24 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/tcp). ``` - TCP - Wazuh Server ``` {"timestamp":"2023-12-13T08:48:59.070+0000","rule":{"level":7,"description":"SCA summary: System audit for Unix based systems: Score less than 50% (45)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"039","name":"sossp275","ip":"192.168.241.175"},"manager":{"name":"wazuh-server"},"id":"1702457339.1510862","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"11899","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"5","failed":"6","invalid":"12","total_checks":"23","score":"45","file":"sca_unix_audit.yml"}},"location":"sca"} {"timestamp":"2023-12-13T08:49:00.494+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"039","name":"sossp275","ip":"192.168.241.175"},"manager":{"name":"wazuh-server"},"id":"1702457340.1511974","full_log":"File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.X11-pipe/X0"},"location":"rootcheck"} {"timestamp":"2023-12-13T08:49:08.325+0000","rule":{"level":7,"description":"SCA summary: System audit for Unix based systems: Score less than 50% (45)","id":"19004","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"039","name":"sossp275","ip":"192.168.241.175"},"manager":{"name":"wazuh-server"},"id":"1702457348.1513353","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"11899","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"5","failed":"6","invalid":"12","total_checks":"23","score":"45","file":"sca_unix_audit.yml"}},"location":"sca"} ``` - UDP - Wazuh Agent ```shell # sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf # /var/ossec/bin/wazuh-control restart Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.8.0 Stopped Starting Wazuh v4.8.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. # grep udp /var/ossec/etc/ossec.conf udp # grep "udp" /var/ossec/logs/ossec.log 2023/12/13 09:49:33 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/udp). 2023/12/13 09:49:33 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/udp). ``` - UDP - Wazuh Server ``` {"timestamp":"2023-12-13T08:50:49.840+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"039","name":"sossp275","ip":"192.168.241.175"},"manager":{"name":"wazuh-server"},"id":"1702457449.1516300","full_log":"ossec: Agent started: 'sossp275->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp275->any"},"location":"wazuh-agent"} {"timestamp":"2023-12-13T08:50:56.895+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"039","name":"sossp275","ip":"192.168.241.175"},"manager":{"name":"wazuh-server"},"id":"1702457456.1517085","full_log":"File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.X11-pipe/X0"},"location":"rootcheck"} ```

Removal :green_circle:

```shell # grep "udp" /var/ossec/logs/ossec.log 2023/12/13 09:49:33 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/udp). 2023/12/13 09:49:33 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/udp). # pkgrm wazuh-agent The following package is currently installed: wazuh-agent Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. (sparc) 4.8.0 Do you want to remove this package? [y,n,?,q] y ## Removing installed package instance This package contains scripts which will be executed with super-user permission during the process of removing this package. Do you want to continue with the removal of this package [y,n,?,q] y ## Verifying package dependencies in global zone ## Processing package information. ## Executing preremove script. Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.8.0 Stopped ## Removing pathnames in class /var/ossec/wodles/utils.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/pubsub /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/exceptions.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets /var/ossec/wodles/gcloud /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/docker /var/ossec/wodles/azure/orm.py /var/ossec/wodles/azure/azure-logs /var/ossec/wodles/azure /var/ossec/wodles/aws/wazuh_integration.py /var/ossec/wodles/aws/subscribers/sqs_queue.py /var/ossec/wodles/aws/subscribers/sqs_message_processor.py /var/ossec/wodles/aws/subscribers/s3_log_handler.py /var/ossec/wodles/aws/subscribers/__init__.py /var/ossec/wodles/aws/subscribers /var/ossec/wodles/aws/services/inspector.py /var/ossec/wodles/aws/services/cloudwatchlogs.py /var/ossec/wodles/aws/services/aws_service.py /var/ossec/wodles/aws/services/__init__.py /var/ossec/wodles/aws/services /var/ossec/wodles/aws/buckets_s3/waf.py /var/ossec/wodles/aws/buckets_s3/vpcflow.py /var/ossec/wodles/aws/buckets_s3/umbrella.py /var/ossec/wodles/aws/buckets_s3/server_access.py /var/ossec/wodles/aws/buckets_s3/load_balancers.py /var/ossec/wodles/aws/buckets_s3/guardduty.py /var/ossec/wodles/aws/buckets_s3/config.py /var/ossec/wodles/aws/buckets_s3/cloudtrail.py /var/ossec/wodles/aws/buckets_s3/aws_bucket.py /var/ossec/wodles/aws/buckets_s3/__init__.py /var/ossec/wodles/aws/buckets_s3 /var/ossec/wodles/aws/aws_tools.py /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/aws/__init__.py /var/ossec/wodles/aws /var/ossec/wodles/__init__.py /var/ossec/wodles /var/ossec/var/wodles /var/ossec/var/upgrade /var/ossec/var/selinux /var/ossec/var/run /var/ossec/var/incoming /var/ossec/var /var/ossec/tmp /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/ruleset/sca /var/ossec/ruleset /var/ossec/queue/syscollector/norm_config.json /var/ossec/queue/syscollector/db /var/ossec/queue/syscollector /var/ossec/queue/sockets /var/ossec/queue/rids /var/ossec/queue/logcollector /var/ossec/queue/fim/db /var/ossec/queue/fim /var/ossec/queue/diff /var/ossec/queue/alerts /var/ossec/queue /var/ossec/logs/wazuh /var/ossec/logs/ossec.log /var/ossec/logs/ossec.json /var/ossec/logs/active-responses.log /var/ossec/logs /var/ossec/lib/libwazuhshared.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libsyscollector.so /var/ossec/lib/libstdc++.so.6 /var/ossec/lib/librsync.so /var/ossec/lib/libgcc_s.so.1 /var/ossec/lib/libfimdb.so /var/ossec/lib/libdbsync.so /var/ossec/lib /var/ossec/etc/wpk_root.pem /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared /var/ossec/etc/ossec.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/internal_options.conf /var/ossec/etc/client.keys /var/ossec/etc/TIMEZONE /var/ossec/etc /var/ossec/bin/wazuh-syscheckd /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-agentd /var/ossec/bin/manage_agents /var/ossec/bin/agent-auth /var/ossec/bin /var/ossec/backup /var/ossec/agentless/su.exp /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/main.exp /var/ossec/agentless /var/ossec/active-response/bin/wazuh-slack /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin /var/ossec/active-response /var/ossec/.ssh /var/ossec /etc/rc3.d/S97wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/init.d/wazuh-agent ## Executing postremove script. ## Updating system information. Removal of was successful. ```

Check users and groups :green_circle:

``` # cat /etc/passwd | grep wazuh wazuh:x:46203:57447::/var/ossec:/bin/false # cat /etc/group | grep wazuh wazuh::57447: ```

Errors and warnings :green_circle:

``` # grep "ERROR" /var/ossec/logs/ossec.log # grep "ERROR" /var/ossec/logs/ossec.log | wc -l 0 # grep "WARNING" /var/ossec/logs/ossec.log # grep "WARNING" /var/ossec/logs/ossec.log | wc -l 0 # grep "CRITICAL" /var/ossec/logs/ossec.log # grep "CRITICAL" /var/ossec/logs/ossec.log | wc -l 0 ```

Upgrade 4.7.0 to 4.8.0 :green_circle:

Install 4.7.0 ```console # curl -OL https://packages.wazuh.com/4.x/solaris/sparc/10/wazuh-agent_v4.7.0-sol10-sparc.p5p ``` ```console # pkgadd -d wazuh-agent_v4.7.0-sol10-sparc.pkg wazuh-agent Processing package instance from Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.7.0 Wazuh, Inc ## Executing checkinstall script. ## Processing package information. ## Processing system information. ## Verifying disk space requirements. ## Checking for conflicts with packages already installed. The following files are already installed on the system and are being used by another package: * /var/ossec * /var/ossec/etc * /var/ossec/etc/shared * /var/ossec/queue * /var/ossec/queue/alerts * /var/ossec/queue/fim * /var/ossec/queue/fim/db * /var/ossec/queue/logcollector * /var/ossec/queue/rids * /var/ossec/queue/sockets * /var/ossec/queue/syscollector * /var/ossec/queue/syscollector/db * - conflict with a file which does not belong to any package. Do you want to install these conflicting files [y,n,?,q] y ## Checking for setuid/setgid programs. This package contains scripts which will be executed with super-user permission during the process of installing this package. Do you want to continue with the installation of [y,n,?] y Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as ## Executing preinstall script. ## Installing part 1 of 1. /etc/init.d/wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/rc3.d/S97wazuh-agent /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/wazuh-slack /var/ossec/agentless/main.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/ssh.exp /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/su.exp /var/ossec/bin/agent-auth /var/ossec/bin/manage_agents /var/ossec/bin/wazuh-agentd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-syscheckd /var/ossec/etc/TIMEZONE /var/ossec/etc/client.keys /var/ossec/etc/internal_options.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/ossec.conf /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt /var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/wpk_root.pem /var/ossec/lib/libdbsync.so /var/ossec/lib/libfimdb.so /var/ossec/lib/libgcc_s.so.1 /var/ossec/lib/librsync.so /var/ossec/lib/libstdc++.so.6 /var/ossec/lib/libsyscollector.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libwazuhshared.so /var/ossec/logs/active-responses.log /var/ossec/logs/ossec.json /var/ossec/logs/ossec.log /var/ossec/queue/syscollector/norm_config.json /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/wodles/__init__.py /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/azure/azure-logs /var/ossec/wodles/azure/orm.py /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/exceptions.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/utils.py [ verifying class ] ## Executing postinstall script. Installation of was successful. ```console # sed 's/MANAGER_IP/xx.xxx.xx.xxx/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf ``` ```console root@sossp206:~# /var/ossec/bin/wazuh-control start Starting Wazuh v4.7.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. ``` Check on Manager ```console [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 046 Wazuh agent_control. Agent information: Agent ID: 046 Agent Name: sossp275 IP address: any Status: Active Operating system: SunOS |sossp275 |5.10 |Generic_147147-26 |sun4v Client version: Wazuh v4.7.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702470314 Syscheck last started at: Wed Dec 13 19:23:31 2023 Syscheck last ended at: Wed Dec 13 19:23:56 2023 ``` Upgrade to 4.8.0 ```console # /var/ossec/bin/wazuh-control stop Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.7.0 Stopped # cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk # cp /var/ossec/etc/client.keys ~/client.keys.bk # pkgrm wazuh-agent The following package is currently installed: wazuh-agent Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. (sparc) 4.7.0 Do you want to remove this package? [y,n,?,q] y ## Removing installed package instance This package contains scripts which will be executed with super-user permission during the process of removing this package. Do you want to continue with the removal of this package [y,n,?,q] y ## Verifying package dependencies in global zone ## Processing package information. ## Executing preremove script. wazuh-modulesd not running... wazuh-logcollector not running... wazuh-syscheckd not running... wazuh-agentd not running... wazuh-execd not running... Wazuh v4.7.0 Stopped ## Removing pathnames in class /var/ossec/wodles/utils.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/pubsub /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/exceptions.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets /var/ossec/wodles/gcloud /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/docker /var/ossec/wodles/azure/orm.py /var/ossec/wodles/azure/azure-logs /var/ossec/wodles/azure /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/aws /var/ossec/wodles/__init__.py /var/ossec/wodles /var/ossec/var/wodles /var/ossec/var/upgrade /var/ossec/var/selinux /var/ossec/var/run /var/ossec/var/incoming /var/ossec/var /var/ossec/tmp /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/ruleset/sca /var/ossec/ruleset /var/ossec/queue/syscollector/norm_config.json /var/ossec/queue/syscollector/db /var/ossec/queue/syscollector /var/ossec/queue/sockets /var/ossec/queue/rids /var/ossec/queue/logcollector /var/ossec/queue/fim/db /var/ossec/queue/fim /var/ossec/queue/diff /var/ossec/queue/alerts /var/ossec/queue /var/ossec/logs/wazuh /var/ossec/logs/ossec.log /var/ossec/logs/ossec.json /var/ossec/logs/active-responses.log /var/ossec/logs /var/ossec/lib/libwazuhshared.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libsyscollector.so /var/ossec/lib/libstdc++.so.6 /var/ossec/lib/librsync.so /var/ossec/lib/libgcc_s.so.1 /var/ossec/lib/libfimdb.so /var/ossec/lib/libdbsync.so /var/ossec/lib /var/ossec/etc/wpk_root.pem /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared /var/ossec/etc/ossec.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/internal_options.conf /var/ossec/etc/client.keys /var/ossec/etc/TIMEZONE /var/ossec/etc /var/ossec/bin/wazuh-syscheckd /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-agentd /var/ossec/bin/manage_agents /var/ossec/bin/agent-auth /var/ossec/bin /var/ossec/backup /var/ossec/agentless/su.exp /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/main.exp /var/ossec/agentless /var/ossec/active-response/bin/wazuh-slack /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin /var/ossec/active-response /var/ossec/.ssh /var/ossec /etc/rc3.d/S97wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/init.d/wazuh-agent ## Executing postremove script. ## Updating system information. Removal of was successful. # rm -rf /var/ossec # pkgadd -d wazuh-agent_v4.8.0-sol10-sparc.pkg wazuh-agent Processing package instance from Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.8.0 Wazuh, Inc ## Executing checkinstall script. ## Processing package information. ## Processing system information. ## Verifying disk space requirements. ## Checking for conflicts with packages already installed. ## Checking for setuid/setgid programs. This package contains scripts which will be executed with super-user permission during the process of installing this package. Do you want to continue with the installation of [y,n,?] y Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as ## Executing preinstall script. ## Installing part 1 of 1. /etc/init.d/wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/rc3.d/S97wazuh-agent /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/wazuh-slack /var/ossec/agentless/main.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/ssh.exp /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/su.exp /var/ossec/bin/agent-auth /var/ossec/bin/manage_agents /var/ossec/bin/wazuh-agentd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-syscheckd /var/ossec/etc/TIMEZONE /var/ossec/etc/client.keys /var/ossec/etc/internal_options.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/ossec.conf /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt /var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/wpk_root.pem /var/ossec/lib/libdbsync.so /var/ossec/lib/libfimdb.so /var/ossec/lib/libgcc_s.so.1 /var/ossec/lib/librsync.so /var/ossec/lib/libstdc++.so.6 /var/ossec/lib/libsyscollector.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libwazuhshared.so /var/ossec/logs/active-responses.log /var/ossec/logs/ossec.json /var/ossec/logs/ossec.log /var/ossec/queue/syscollector/norm_config.json /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/wodles/__init__.py /var/ossec/wodles/aws/__init__.py /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/aws/aws_tools.py /var/ossec/wodles/aws/buckets_s3/__init__.py /var/ossec/wodles/aws/buckets_s3/aws_bucket.py /var/ossec/wodles/aws/buckets_s3/cloudtrail.py /var/ossec/wodles/aws/buckets_s3/config.py /var/ossec/wodles/aws/buckets_s3/guardduty.py /var/ossec/wodles/aws/buckets_s3/load_balancers.py /var/ossec/wodles/aws/buckets_s3/server_access.py /var/ossec/wodles/aws/buckets_s3/umbrella.py /var/ossec/wodles/aws/buckets_s3/vpcflow.py /var/ossec/wodles/aws/buckets_s3/waf.py /var/ossec/wodles/aws/services/__init__.py /var/ossec/wodles/aws/services/aws_service.py /var/ossec/wodles/aws/services/cloudwatchlogs.py /var/ossec/wodles/aws/services/inspector.py /var/ossec/wodles/aws/subscribers/__init__.py /var/ossec/wodles/aws/subscribers/s3_log_handler.py /var/ossec/wodles/aws/subscribers/sqs_message_processor.py /var/ossec/wodles/aws/subscribers/sqs_queue.py /var/ossec/wodles/aws/wazuh_integration.py /var/ossec/wodles/azure/azure-logs /var/ossec/wodles/azure/orm.py /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/exceptions.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/utils.py [ verifying class ] ## Executing postinstall script. Installation of was successful. # mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf # chown root:wazuh /var/ossec/etc/ossec.conf # mv ~/client.keys.bk /var/ossec/etc/client.keys # chown root:wazuh /var/ossec/etc/client.keys # /var/ossec/bin/wazuh-control start Starting Wazuh v4.8.0... wazuh-execd already running... wazuh-agentd already running... wazuh-syscheckd already running... wazuh-logcollector already running... wazuh-modulesd already running... ``` ```console [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 046 Wazuh agent_control. Agent information: Agent ID: 046 Agent Name: sossp275 IP address: any Status: Active Operating system: SunOS |sossp275 |5.10 |Generic_147147-26 |sun4v Client version: Wazuh v4.8.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1702470894 Syscheck last started at: Wed Dec 13 19:33:40 2023 Syscheck last ended at: Wed Dec 13 19:33:46 2023 ```

wazuh / wazuh