wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.8.0 - Beta 2 - E2E UX tests - Wazuh Indexer #22109

Closed davidjiglesias closed 6 months ago

davidjiglesias commented 6 months ago

End-to-End (E2E) Testing Guideline

For the conclusions and the issue testing and updates, use the following legend:

Status legend

Issue delivery and completion

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Step by step | Multi node | Alma Linux 9 x86_64 |
| Server | Step by step | Multi node | Alma Linux 9 x86_64 |
| Dashboard | Step by step | - | Alma Linux 9 x86_64 |
| Agent | Installing Wazuh agents | - | Alma Linux 9 x86_64 |

Test description

Best effort to test the Wazuh indexer package. Think critically and at least review/test:

Known issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below. REMOVE CURRENT EXAMPLES:

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🟢 | Environment installation | | |
| 🟢 | Wazuh indexer package information | | |
| 🟢 | Installed files location, size and permissions | | |
| 🟢 | Installation footprint | | |
| 🟢 | Wazuh indexer service | | |
| 🟢 | Wazuh indexer installation logs | | Known warnings related to System::setSecurityManager; they also appeared in the previous test. |
| 🟢 | Wazuh indexer indices, templates, and shards | | |
| 🟢 | Wazuh indexer cluster status | | |
| 🟢 | User experience | | |
| 🟢 | Uninstall procedure | | |

Feedback

We value your feedback. Please provide insights on your testing experience.

Reviewers validation

The criteria for completing this task are based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

thecotilking commented 6 months ago

Environment Information 🟢

Infrastructure

The environment consists of 6 machines with the following characteristics.

Machine Details

![image](https://github.com/wazuh/wazuh/assets/113598572/413032fe-2756-4be1-a313-9d1aab0a5de9)

```
Indexer1
IP address: 172.20.10.4
CPUS: 2
RAM: 2048

Indexer2
IP address: 172.20.10.5
CPUS: 2
RAM: 2048

Server1
IP address: 172.20.10.6
CPUS: 2
RAM: 2048

Server2
IP address: 172.20.10.7
CPUS: 2
RAM: 2048

Dashboard
IP address: 172.20.10.8
CPUS: 2
RAM: 2048

Agent
IP address: 172.20.10.9
CPUS: 2
RAM: 2048
```

OS Check:

Wazuh Indexer node 1

```
[thecotilking@indexer1 ~]$ cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
```

Wazuh Indexer node 2

```
[thecotilking@indexer2 ~]$ cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
```

Wazuh Server node 1

```
[thecotilking@server1 ~]$ cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
```

Wazuh Server node 2

```
[thecotilking@server2 ~]$ cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
```

Wazuh Dashboard

```
[thecotilking@dashboard ~]$ cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
```

Agent

```
[root@agent ~]# cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
[root@agent ~]#
```
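The OS check above compares each node's `/etc/os-release` against the deployment requirements table by eye. The Python below is an added example, not part of this issue or of Wazuh's tooling, that parses the os-release format (shell-quoted `KEY=value` lines) and checks `ID`, the major part of `VERSION_ID` and the machine architecture against the Alma Linux 9 x86_64 requirement. The architecture is assumed to come from `uname -m` and is passed in as a constructed value; the sample file contents are constructed from the output shown above.

```python
"""Validate a node's OS against the deployment requirements table.
Added example for this test issue; the os-release text below is constructed
from the `cat /etc/os-release` output in the OS check."""
import shlex

# Constructed sample of /etc/os-release (subset of the keys shown in the check).
OS_RELEASE = """\
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
"""


def parse_os_release(text: str) -> dict:
    """Parse the KEY=value lines of os-release; values use shell quoting."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                      # comments and blank lines are allowed
        key, _, value = line.partition("=")
        words = shlex.split(value)        # strips quotes, honours backslash escapes
        fields[key.strip()] = words[0] if words else ""
    return fields


def check_deployment_os(os_release_text: str, machine: str,
                        expected_id: str = "almalinux", expected_major: str = "9",
                        expected_arch: str = "x86_64") -> dict:
    """Compare ID, major VERSION_ID and the architecture with the required
    platform. `machine` is the `uname -m` result, an assumed input here."""
    osr = parse_os_release(os_release_text)
    findings = []
    if osr.get("ID") != expected_id:
        findings.append(f"ID is {osr.get('ID')!r}, expected {expected_id!r}")
    major = osr.get("VERSION_ID", "").split(".")[0]
    if major != expected_major:
        findings.append(f"major version is {major!r}, expected {expected_major!r}")
    if machine != expected_arch:
        findings.append(f"architecture is {machine!r}, expected {expected_arch!r}")
    return {"pretty_name": osr.get("PRETTY_NAME"), "findings": findings}


if __name__ == "__main__":
    print(check_deployment_os(OS_RELEASE, machine="x86_64"))
```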
thecotilking commented 6 months ago

Component Installation 🟢

Step-by-step installation

Certificates creation - Carried out on the indexer1:

```
[root@indexer1 ~]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-certs-tool.sh
[root@indexer1 ~]# curl -sO https://packages-dev.wazuh.com/4.8/config.yml
[root@indexer1 ~]# nano config.yml
[root@indexer1 ~]# cat config.yml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "172.20.10.4"
    - name: node-2
      ip: "172.20.10.5"
    #- name: node-3
    #  ip: ""

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "172.20.10.6"
      node_type: master
    - name: wazuh-2
      ip: "172.20.10.7"
      node_type: worker
    #- name: wazuh-3
    #  ip: ""
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "172.20.10.8"
[root@indexer1 ~]# bash ./wazuh-certs-tool.sh -A
26/02/2024 14:56:53 INFO: Generating the root certificate.
26/02/2024 14:56:53 INFO: Generating Admin certificates.
26/02/2024 14:56:53 INFO: Admin certificates created.
26/02/2024 14:56:53 INFO: Generating Wazuh indexer certificates.
26/02/2024 14:56:54 INFO: Wazuh indexer certificates created.
26/02/2024 14:56:54 INFO: Generating Filebeat certificates.
26/02/2024 14:56:54 INFO: Wazuh Filebeat certificates created.
26/02/2024 14:56:54 INFO: Generating Wazuh dashboard certificates.
26/02/2024 14:56:54 INFO: Wazuh dashboard certificates created.
[root@indexer1 ~]# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
./
./root-ca.key
./root-ca.pem
./admin-key.pem
./admin.pem
./node-1-key.pem
./node-1.pem
./node-2-key.pem
./node-2.pem
./wazuh-1-key.pem
./wazuh-1.pem
./wazuh-2-key.pem
./wazuh-2.pem
./dashboard-key.pem
./dashboard.pem
[root@indexer1 ~]# rm -rf ./wazuh-certificates
[root@indexer1 ~]# scp ./wazuh-certificates.tar thecotilking@172.20.10.5:/home/thecotilking/
thecotilking@172.20.10.5's password:
wazuh-certificates.tar                        100%   40KB  19.7MB/s   00:00
[root@indexer1 ~]# scp ./wazuh-certificates.tar thecotilking@172.20.10.6:/home/thecotilking/
thecotilking@172.20.10.6's password:
wazuh-certificates.tar                        100%   40KB  12.8MB/s   00:00
[root@indexer1 ~]# scp ./wazuh-certificates.tar thecotilking@172.20.10.7:/home/thecotilking/
thecotilking@172.20.10.7's password:
wazuh-certificates.tar                        100%   40KB  15.0MB/s   00:00
[root@indexer1 ~]# scp ./wazuh-certificates.tar thecotilking@172.20.10.8:/home/thecotilking/
thecotilking@172.20.10.8's password:
wazuh-certificates.tar                        100%   40KB  15.4MB/s   00:00
```
Wazuh indexer node 1 installation

```
[root@indexer1 ~]# yum install coreutils
AlmaLinux 9 - AppStream                                   500 kB/s | 9.1 MB     00:18
AlmaLinux 9 - BaseOS                                      576 kB/s | 4.7 MB     00:08
AlmaLinux 9 - Extras                                       19 kB/s |  17 kB     00:00
Package coreutils-8.32-34.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@indexer1 ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@indexer1 ~]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@indexer1 ~]# yum -y install wazuh-indexer
EL-9 - Wazuh                                              1.6 MB/s |  24 MB     00:15
Last metadata expiration check: 0:00:14 ago on Mon 26 Feb 2024 15:21:48.
Dependencies resolved.
================================================================================
 Package              Architecture     Version          Repository        Size
================================================================================
Installing:
 wazuh-indexer        x86_64           4.8.0-1          wazuh            743 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 743 M
Installed size: 1.0 G
Downloading Packages:
wazuh-indexer-4.8.0-1.x86_64.rpm                          1.5 MB/s | 743 MB     08:16
--------------------------------------------------------------------------------
Total                                                     1.5 MB/s | 743 MB     08:16
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-indexer-4.8.0-1.x86_64                           1/1
  Installing       : wazuh-indexer-4.8.0-1.x86_64                           1/1
  Running scriptlet: wazuh-indexer-4.8.0-1.x86_64                           1/1
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore

  Verifying        : wazuh-indexer-4.8.0-1.x86_64                           1/1

Installed:
  wazuh-indexer-4.8.0-1.x86_64

Complete!
[root@indexer1 ~]#
```

```
[root@indexer1 ~]# nano /etc/wazuh-indexer/opensearch.yml
[root@indexer1 ~]# cat /etc/wazuh-indexer/opensearch.yml
network.host: "172.20.10.4"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
- "node-2"
#- "node-3"
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
  - "172.20.10.4"
  - "172.20.10.5"
# - "node-3-ip"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true
[root@indexer1 ~]#
```

```
[root@indexer1 ~]# ls wazuh-certificates.tar
wazuh-certificates.tar
[root@indexer1 ~]# NODE_NAME=node-1
[root@indexer1 ~]# mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
[root@indexer1 ~]#
[root@indexer1 ~]# ls /etc/wazuh-indexer/certs/
admin-key.pem  admin.pem  indexer-key.pem  indexer.pem  root-ca.pem
[root@indexer1 ~]#
```

```
[root@indexer1 ~]# systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service.
[root@indexer1 ~]#
```
Wazuh indexer node 2 installation

```
[root@indexer2 ~]# ls /home/thecotilking/
wazuh-certificates.tar
[root@indexer2 ~]# mv /home/thecotilking/wazuh-certificates.tar .
[root@indexer2 ~]# ls
anaconda-ks.cfg  wazuh-certificates.tar
[root@indexer2 ~]# yum install coreutils
Last metadata expiration check: 0:52:41 ago on Mon 26 Feb 2024 15:04:24.
Package coreutils-8.32-34.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@indexer2 ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@indexer2 ~]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@indexer2 ~]# yum -y install wazuh-indexer
EL-9 - Wazuh                                              1.3 MB/s |  24 MB     00:18
Last metadata expiration check: 0:00:16 ago on Mon 26 Feb 2024 15:58:01.
Dependencies resolved.
================================================================================
 Package              Architecture     Version          Repository        Size
================================================================================
Installing:
 wazuh-indexer        x86_64           4.8.0-1          wazuh            743 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 743 M
Installed size: 1.0 G
Downloading Packages:
wazuh-indexer-4.8.0-1.x86_64.rpm                          1.3 MB/s | 743 MB     09:19
--------------------------------------------------------------------------------
Total                                                     1.3 MB/s | 743 MB     09:19
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-indexer-4.8.0-1.x86_64                           1/1
  Installing       : wazuh-indexer-4.8.0-1.x86_64                           1/1
  Running scriptlet: wazuh-indexer-4.8.0-1.x86_64                           1/1
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore

  Verifying        : wazuh-indexer-4.8.0-1.x86_64                           1/1

Installed:
  wazuh-indexer-4.8.0-1.x86_64

Complete!
[root@indexer2 ~]#
```

```
[root@indexer2 ~]# nano /etc/wazuh-indexer/opensearch.yml
[root@indexer2 ~]# cat /etc/wazuh-indexer/opensearch.yml
network.host: "172.20.10.5"
node.name: "node-2"
cluster.initial_master_nodes:
- "node-1"
- "node-2"
#- "node-3"
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
  - "172.20.10.4"
  - "172.20.10.5"
# - "node-3-ip"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true
[root@indexer2 ~]#
```

```
[root@indexer2 ~]# NODE_NAME=node-2
[root@indexer2 ~]# mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
[root@indexer2 ~]# ls -la /etc/wazuh-indexer/certs/
total 24
dr-x------.  2 wazuh-indexer wazuh-indexer  105 Feb 26 16:12 .
drwxr-x---. 10 wazuh-indexer wazuh-indexer 4096 Feb 26 16:12 ..
-r--------.  1 wazuh-indexer wazuh-indexer 1704 Feb 26 14:56 admin-key.pem
-r--------.  1 wazuh-indexer wazuh-indexer 1119 Feb 26 14:56 admin.pem
-r--------.  1 wazuh-indexer wazuh-indexer 1704 Feb 26 14:56 indexer-key.pem
-r--------.  1 wazuh-indexer wazuh-indexer 1277 Feb 26 14:56 indexer.pem
-r--------.  1 wazuh-indexer wazuh-indexer 1204 Feb 26 14:56 root-ca.pem
```

```
[root@indexer2 ~]# systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service.
[root@indexer2 ~]#
```
Wazuh indexer cluster initialization

```
[root@indexer1 ~]# sudo firewall-cmd --permanent --add-port=9200/tcp
sudo firewall-cmd --permanent --add-port=9300/tcp
sudo firewall-cmd --reload
success
success
success
[root@indexer1 ~]# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 172.20.10.4:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
[root@indexer1 ~]#
```

#### Tests

```
[root@indexer1 ~]# curl -k -u admin:admin https://172.20.10.4:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "AAZXq9vYRvqCXD7WbxKuAA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@indexer1 ~]# curl -k -u admin:admin https://172.20.10.4:9200/_cat/nodes?v
ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
172.20.10.4           52          92   1    0.00    0.07     0.07 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-1
172.20.10.5           50          96   1    0.08    0.13     0.10 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-2
[root@indexer1 ~]#
```

Wazuh server node 1 installation

```
[root@server1 ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@server1 ~]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@server1 ~]# yum -y install wazuh-manager
EL-9 - Wazuh                                              2.5 MB/s |  24 MB     00:09
Last metadata expiration check: 0:00:10 ago on Mon 26 Feb 2024 19:34:16.
Dependencies resolved.
================================================================================
 Package              Architecture     Version          Repository        Size
================================================================================
Installing:
 wazuh-manager        x86_64           4.8.0-1          wazuh            267 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 267 M
Installed size: 855 M
Downloading Packages:
wazuh-manager-4.8.0-1.x86_64.rpm                          4.4 MB/s | 267 MB     01:01
--------------------------------------------------------------------------------
Total                                                     4.4 MB/s | 267 MB     01:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-manager-4.8.0-1.x86_64                           1/1
  Installing       : wazuh-manager-4.8.0-1.x86_64                           1/1
  Running scriptlet: wazuh-manager-4.8.0-1.x86_64                           1/1
  Verifying        : wazuh-manager-4.8.0-1.x86_64                           1/1

Installed:
  wazuh-manager-4.8.0-1.x86_64

Complete!
[root@server1 ~]# systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.
[root@server1 ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-02-26 19:37:16 WAT; 8s ago
    Process: 2774 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 134 (limit: 11018)
     Memory: 1020.4M
        CPU: 15.549s
     CGroup: /system.slice/wazuh-manager.service
             ├─2830 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─2870 /var/ossec/bin/wazuh-authd
             ├─2884 /var/ossec/bin/wazuh-db
             ├─2907 /var/ossec/bin/wazuh-execd
             ├─2919 /var/ossec/bin/wazuh-analysisd
             ├─2930 /var/ossec/bin/wazuh-syscheckd
             ├─2948 /var/ossec/bin/wazuh-remoted
             ├─2961 /var/ossec/bin/wazuh-logcollector
             ├─3034 /var/ossec/bin/wazuh-monitord
             ├─3054 /var/ossec/bin/wazuh-modulesd
             ├─3210 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─3213 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             └─3216 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

Feb 26 19:37:10 server1 env[2774]: Started wazuh-analysisd...
Feb 26 19:37:11 server1 env[2774]: Started wazuh-syscheckd...
Feb 26 19:37:12 server1 env[2774]: Started wazuh-remoted...
Feb 26 19:37:13 server1 env[2774]: Started wazuh-logcollector...
Feb 26 19:37:14 server1 env[2774]: Started wazuh-monitord...
Feb 26 19:37:14 server1 env[3052]: 2024/02/26 19:37:14 wazuh-modulesd:router: INFO: Loaded router module.
Feb 26 19:37:14 server1 env[3052]: 2024/02/26 19:37:14 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 26 19:37:14 server1 env[2774]: Started wazuh-modulesd...
Feb 26 19:37:16 server1 env[2774]: Completed.
Feb 26 19:37:16 server1 systemd[1]: Started Wazuh manager.
[root@server1 ~]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
/var/ossec/bin/wazuh-keystore -f indexer -k password -v admin
[root@server1 ~]#
```

```
[root@server1 ~]# yum -y install filebeat
Last metadata expiration check: 0:11:05 ago on Mon 26 Feb 2024 21:00:00.
Dependencies resolved.
================================================================================
 Package              Architecture     Version          Repository        Size
================================================================================
Installing:
 filebeat             x86_64           7.10.2-1         wazuh             21 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 21 M
Installed size: 70 M
Downloading Packages:
filebeat-oss-7.10.2-x86_64.rpm                            244 kB/s |  21 MB     01:27
--------------------------------------------------------------------------------
Total                                                     244 kB/s |  21 MB     01:27
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : filebeat-7.10.2-1.x86_64                               1/1
  Running scriptlet: filebeat-7.10.2-1.x86_64                               1/1
  Verifying        : filebeat-7.10.2-1.x86_64                               1/1

Installed:
  filebeat-7.10.2-1.x86_64

Complete!
[root@server1 ~]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml
[root@server1 ~]# nano /etc/filebeat/filebeat.yml
[root@server1 ~]# grep hosts /etc/filebeat/filebeat.yml
  hosts: ["172.20.10.6:9200", "172.20.10.7:9200"]
[root@server1 ~]# filebeat keystore create
Created filebeat keystore
[root@server1 ~]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@server1 ~]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@server1 ~]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.0-beta2/extensions/elasticsearch/7.x/wazuh-template.json
[root@server1 ~]# chmod go+r /etc/filebeat/wazuh-template.json
[root@server1 ~]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/alerts/
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/archives/
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/config.yml
wazuh/_meta/fields.yml
wazuh/module.yml
[root@server1 ~]#
```

```
[root@server1 ~]# NODE_NAME=wazuh-1
[root@server1 ~]# mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs
[root@server1 ~]# systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
[root@server1 ~]# filebeat test output
elasticsearch: https://172.20.10.4:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.10.4
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://172.20.10.5:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.10.5
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@server1 ~]#
```
### Wazuh server node 2 installation

```
[root@server2 ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@server2 ~]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@server2 ~]# yum -y install wazuh-manager
EL-9 - Wazuh                                                                                        1.4 kB/s | 3.4 kB     00:02
Last metadata expiration check: 0:00:01 ago on Mon 26 Feb 2024 20:24:41.
Dependencies resolved.
==============================================================================================================================================================
 Package                     Architecture              Version                      Repository                  Size
==============================================================================================================================================================
Installing:
 wazuh-manager               x86_64                    4.8.0-1                      wazuh                       267 M

Transaction Summary
==============================================================================================================================================================
Install  1 Package

Total download size: 267 M
Installed size: 855 M
Downloading Packages:
wazuh-manager-4.8.0-1.x86_64.rpm                                                                    3.6 MB/s | 267 MB     01:13
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                               3.6 MB/s | 267 MB     01:13
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                          1/1
  Running scriptlet: wazuh-manager-4.8.0-1.x86_64                                             1/1
  Installing       : wazuh-manager-4.8.0-1.x86_64                                             1/1
  Running scriptlet: wazuh-manager-4.8.0-1.x86_64                                             1/1
  Verifying        : wazuh-manager-4.8.0-1.x86_64                                             1/1

Installed:
  wazuh-manager-4.8.0-1.x86_64

Complete!
[root@server2 ~]# systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
[root@server2 ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-02-26 21:03:02 WAT; 7s ago
    Process: 6547 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 124 (limit: 11018)
     Memory: 795.7M
        CPU: 15.391s
     CGroup: /system.slice/wazuh-manager.service
             ├─6603 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─6644 /var/ossec/bin/wazuh-authd
             ├─6660 /var/ossec/bin/wazuh-db
             ├─6683 /var/ossec/bin/wazuh-execd
             ├─6695 /var/ossec/bin/wazuh-analysisd
             ├─6706 /var/ossec/bin/wazuh-syscheckd
             ├─6723 /var/ossec/bin/wazuh-remoted
             ├─6789 /var/ossec/bin/wazuh-logcollector
             ├─6806 /var/ossec/bin/wazuh-monitord
             └─6816 /var/ossec/bin/wazuh-modulesd

Feb 26 21:02:56 server2 env[6547]: Started wazuh-analysisd...
Feb 26 21:02:57 server2 env[6547]: Started wazuh-syscheckd...
Feb 26 21:02:58 server2 env[6547]: Started wazuh-remoted...
Feb 26 21:02:58 server2 env[6547]: Started wazuh-logcollector...
Feb 26 21:02:58 server2 env[6547]: Started wazuh-monitord...
Feb 26 21:02:59 server2 env[6814]: 2024/02/26 21:02:59 wazuh-modulesd:router: INFO: Loaded router module.
Feb 26 21:02:59 server2 env[6814]: 2024/02/26 21:02:59 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 26 21:03:00 server2 env[6547]: Started wazuh-modulesd...
Feb 26 21:03:02 server2 env[6547]: Completed.
Feb 26 21:03:02 server2 systemd[1]: Started Wazuh manager.
[root@server2 ~]#
[root@server2 ~]# /var/ossec/bin/wazuh-keystore -f indexer -k password -v admin
[root@server2 ~]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@server2 ~]#
```

```
[root@server2 ~]# yum -y install filebeat
Last metadata expiration check: 0:10:48 ago on Mon 26 Feb 2024 21:00:21.
Dependencies resolved.
==============================================================================================================================================================
 Package                     Architecture              Version                      Repository                  Size
==============================================================================================================================================================
Installing:
 filebeat                    x86_64                    7.10.2-1                     wazuh                       21 M

Transaction Summary
==============================================================================================================================================================
Install  1 Package

Total download size: 21 M
Installed size: 70 M
Downloading Packages:
filebeat-oss-7.10.2-x86_64.rpm                                                                      905 kB/s |  21 MB     00:23
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                               905 kB/s |  21 MB     00:23
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                          1/1
  Installing       : filebeat-7.10.2-1.x86_64                                                 1/1
  Running scriptlet: filebeat-7.10.2-1.x86_64                                                 1/1
  Verifying        : filebeat-7.10.2-1.x86_64                                                 1/1

Installed:
  filebeat-7.10.2-1.x86_64

Complete!
[root@server2 ~]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml
[root@server2 ~]# nano /etc/filebeat/filebeat.yml
[root@server2 ~]# grep hosts /etc/filebeat/filebeat.yml
  hosts: ["172.20.10.4:9200", "172.20.10.5:9200"]
[root@server2 ~]# filebeat keystore create
Created filebeat keystore
[root@server2 ~]# echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
Successfully updated the keystore
[root@server2 ~]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.0-beta2/extensions/elasticsearch/7.x/wazuh-template.json
[root@server2 ~]# chmod go+r /etc/filebeat/wazuh-template.json
[root@server2 ~]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/alerts/
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/archives/
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/config.yml
wazuh/_meta/fields.yml
wazuh/module.yml
[root@server2 ~]#
```

```
[root@server2 ~]# NODE_NAME=wazuh-2
[root@server2 ~]# mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs
[root@server2 ~]# systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
[root@server2 ~]# filebeat test output
elasticsearch: https://172.20.10.4:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.10.4
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://172.20.10.5:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.10.5
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@server2 ~]#
```
### Wazuh server cluster configuration

#### Master node

```
[root@server1 ~]# openssl rand -hex 16
c36c232d60ba44524e0091b930fa3e53
[root@server1 ~]# nano /var/ossec/etc/ossec.conf
[root@server1 ~]# grep -A13 "" /var/ossec/etc/ossec.conf
wazuh
wazuh-1
master
c36c232d60ba44524e0091b930fa3e53
1516
0.0.0.0
172.20.10.6
no
no
[root@server1 ~]# systemctl restart wazuh-manager
```

#### Worker node

```
[root@server2 ~]# nano /var/ossec/etc/ossec.conf
[root@server2 ~]# grep -A13 "" /var/ossec/etc/ossec.conf
wazuh
wazuh-2
worker
c36c232d60ba44524e0091b930fa3e53
1516
0.0.0.0
172.20.10.6
no
no
[root@server2 ~]# systemctl restart wazuh-manager
[root@server2 ~]# /var/ossec/bin/cluster_control -l
NAME     TYPE    VERSION  ADDRESS
wazuh-1  master  4.8.0    172.20.10.6
wazuh-2  worker  4.8.0    172.20.10.7
```
### Wazuh Dashboard installation

```
[root@dashboard ~]# yum install libcap
Last metadata expiration check: 5:57:13 ago on Mon 26 Feb 2024 18:09:09.
Package libcap-2.48-9.el9_2.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@dashboard ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@dashboard ~]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@dashboard ~]# yum -y install wazuh-dashboard
EL-9 - Wazuh                                                                                        2.1 MB/s |  24 MB     00:11
Last metadata expiration check: 0:00:15 ago on Tue 27 Feb 2024 00:07:36.
Dependencies resolved.
==============================================================================================================================================================
 Package                     Architecture              Version                      Repository                  Size
==============================================================================================================================================================
Installing:
 wazuh-dashboard             x86_64                    4.8.0-1                      wazuh                       273 M

Transaction Summary
==============================================================================================================================================================
Install  1 Package

Total download size: 273 M
Installed size: 902 M
Downloading Packages:
wazuh-dashboard-4.8.0-1.x86_64.rpm                                                                  5.2 MB/s | 273 MB     00:52
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                               5.2 MB/s | 273 MB     00:52
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                          1/1
  Running scriptlet: wazuh-dashboard-4.8.0-1.x86_64                                           1/1
  Installing       : wazuh-dashboard-4.8.0-1.x86_64                                           1/1
  Running scriptlet: wazuh-dashboard-4.8.0-1.x86_64                                           1/1
  Verifying        : wazuh-dashboard-4.8.0-1.x86_64                                           1/1

Installed:
  wazuh-dashboard-4.8.0-1.x86_64

Complete!
[root@dashboard ~]#
```

```
[root@dashboard ~]# nano /etc/wazuh-dashboard/opensearch_dashboards.yml
[root@dashboard ~]# grep host /etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
opensearch.hosts: ["https://172.20.10.4:9200", "https://172.20.10.5:9200"]
[root@dashboard ~]#
```

```
[root@dashboard ~]# NODE_NAME=dashboard
[root@dashboard ~]# mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
[root@dashboard ~]# systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
[root@dashboard ~]#
```

```
[root@dashboard ~]# nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
[root@dashboard ~]# grep -B2 -A5 "\- default" /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
hosts:
  - default:
      url: https://172.20.10.6
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false
[root@dashboard ~]#
[root@dashboard ~]# sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
success
[root@dashboard ~]# sudo firewall-cmd --zone=public --add-port=55000/tcp --permanent
success
[root@dashboard ~]# sudo firewall-cmd --zone=public --add-port=9200/tcp --permanent
success
[root@dashboard ~]# sudo firewall-cmd --reload
success
[root@dashboard ~]#
```

![image](https://github.com/wazuh/wazuh/assets/113598572/54374d78-beb7-4615-ad0d-3fe28796d1e3)

![image](https://github.com/wazuh/wazuh/assets/113598572/b1d9cf7c-5477-421c-8efa-ac80c3f7e554)
### Wazuh installation security

#### On the Wazuh Indexer node

```
[root@indexer1 ~]# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all
26/02/2024 23:42:37 INFO: Updating the internal users.
26/02/2024 23:42:48 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
26/02/2024 23:42:48 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
26/02/2024 23:43:20 INFO: The password for user admin is K.EaBal90w4AhYfCdU*h4abhjc8NPGJD
26/02/2024 23:43:20 INFO: The password for user kibanaserver is ?gLYxv2X*F7cnRtBpVuHtZO9tJvNG0yF
26/02/2024 23:43:20 INFO: The password for user kibanaro is cJNPNrp.7xFBCJHzabD7.kP46KLL5ubH
26/02/2024 23:43:20 INFO: The password for user logstash is eZ.4QFzx3lrBz1oT+E27oIArhkUeYHIn
26/02/2024 23:43:20 INFO: The password for user readall is r0Wac*o?bIxdQh0JVBEyi4upvZ9Pps2N
26/02/2024 23:43:20 INFO: The password for user snapshotrestore is 6ndPQ1gN0+?dD69cdPRP776d6EI5AC0+
26/02/2024 23:43:20 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
[root@indexer1 ~]#
```

#### On the Wazuh Server master node

```
[root@server1 ~]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-passwords-tool.sh
[root@server1 ~]# bash wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh
27/02/2024 00:50:46 INFO: The password for Wazuh API user wazuh is qwNa61KwMr7G4sN0Lw.e*pd+dZwPO7?1
27/02/2024 00:50:47 INFO: The password for Wazuh API user wazuh-wui is uXvKIMdJhOI2R+jMB9p.2?.CWFCq3MKf
[root@server1 ~]#
```

#### On all Wazuh Server nodes

```
[root@server1 ~]# echo K.EaBal90w4AhYfCdU*h4abhjc8NPGJD | filebeat keystore add password --stdin --force
Successfully updated the keystone
[root@server1 ~]# systemctl restart filebeat

[root@server2 ~]# echo K.EaBal90w4AhYfCdU*h4abhjc8NPGJD | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@server2 ~]# systemctl restart filebeat
[root@server2 ~]#
```

#### On the Wazuh Dashboard node

```
[root@dashboard ~]# echo ?gLYxv2X*F7cnRtBpVuHtZO9tJvNG0yF | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
[root@dashboard ~]#
[root@dashboard ~]# nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
[root@dashboard ~]# grep -B2 -A5 "\- default" /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
hosts:
  - default:
      url: https://172.20.10.6
      port: 55000
      username: wazuh-wui
      password: uXvKIMdJhOI2R+jMB9p.2?.CWFCq3MKf
      run_as: false
[root@dashboard ~]# systemctl restart wazuh-dashboard
```
### Final checks

#### Wazuh indexer:

```
[root@indexer1 ~]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-02-26 23:24:37 WAT; 28min ago
       Docs: https://documentation.wazuh.com
   Main PID: 2441 (java)
      Tasks: 59 (limit: 11018)
     Memory: 1.1G
        CPU: 5min 24.733s
     CGroup: /system.slice/wazuh-indexer.service
             └─2441 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.tt>

Feb 26 23:23:28 indexer1 systemd-entrypoint[2441]: ERROR StatusConsoleListener Unable to locate appender "task_detailslog_rolling_old" for logger config "tas>
Feb 26 23:23:28 indexer1 systemd-entrypoint[2441]: ERROR StatusConsoleListener Unable to locate appender "deprecation_rolling_old" for logger config "org.ope>
Feb 26 23:23:28 indexer1 systemd-entrypoint[2441]: ERROR StatusConsoleListener Unable to locate appender "deprecation_rolling" for logger config "org.opensea>
Feb 26 23:23:28 indexer1 systemd-entrypoint[2441]: ERROR StatusConsoleListener Unable to locate appender "index_search_slowlog_rolling_old" for logger config>
Feb 26 23:23:28 indexer1 systemd-entrypoint[2441]: ERROR StatusConsoleListener Unable to locate appender "index_search_slowlog_rolling" for logger config "in>
Feb 26 23:23:30 indexer1 systemd-entrypoint[2441]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 26 23:23:30 indexer1 systemd-entrypoint[2441]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/>
Feb 26 23:23:30 indexer1 systemd-entrypoint[2441]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 26 23:23:30 indexer1 systemd-entrypoint[2441]: WARNING: System::setSecurityManager will be removed in a future release
Feb 26 23:24:37 indexer1 systemd[1]: Started Wazuh-indexer.
[root@indexer1 ~]# curl -k -u admin:K.EaBal90w4AhYfCdU*h4abhjc8NPGJD https://172.20.10.4:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "AAZXq9vYRvqCXD7WbxKuAA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@indexer1 ~]#
```

#### Wazuh manager and Filebeat

```
[root@server1 ~]# systemctl status wazuh-manager filebeat
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-02-27 01:02:07 WAT; 2s ago
    Process: 10194 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 148 (limit: 11018)
     Memory: 573.0M
        CPU: 8.796s
     CGroup: /system.slice/wazuh-manager.service
             ├─10250 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─10251 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─10254 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─10257 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─10300 /var/ossec/bin/wazuh-authd
             ├─10317 /var/ossec/bin/wazuh-db
             ├─10343 /var/ossec/bin/wazuh-execd
             ├─10361 /var/ossec/bin/wazuh-analysisd
             ├─10371 /var/ossec/bin/wazuh-syscheckd
             ├─10383 /var/ossec/bin/wazuh-remoted
             ├─10393 /var/ossec/bin/wazuh-logcollector
             ├─10433 /var/ossec/bin/wazuh-monitord
             ├─10443 /var/ossec/bin/wazuh-modulesd
             ├─10526 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
             ├─10920 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
             └─10921 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py

Feb 27 01:02:05 server1 env[10194]: Started wazuh-syscheckd...
Feb 27 01:02:05 server1 env[10194]: Started wazuh-remoted...
Feb 27 01:02:05 server1 env[10194]: Started wazuh-logcollector...
Feb 27 01:02:05 server1 env[10194]: Started wazuh-monitord...
Feb 27 01:02:05 server1 env[10441]: 2024/02/27 01:02:05 wazuh-modulesd:router: INFO: Loaded router module.
Feb 27 01:02:05 server1 env[10441]: 2024/02/27 01:02:05 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 27 01:02:05 server1 env[10194]: Started wazuh-modulesd...
Feb 27 01:02:05 server1 env[10194]: Started wazuh-clusterd...
Feb 27 01:02:07 server1 env[10194]: Completed.
Feb 27 01:02:07 server1 systemd[1]: Started Wazuh manager.

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-02-27 00:53:42 WAT; 8min ago
       Docs: https://www.elastic.co/products/beats/filebeat
   Main PID: 9613 (filebeat)
[root@server1 ~]# filebeat test output
elasticsearch: https://172.20.10.4:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.10.4
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://172.20.10.5:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.10.5
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@server1 ~]#
```

#### Wazuh dashboard

```
[root@dashboard ~]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-02-27 00:57:31 WAT; 5min ago
   Main PID: 1940 (node)
      Tasks: 11 (limit: 11018)
     Memory: 163.4M
        CPU: 19.923s
     CGroup: /system.slice/wazuh-dashboard.service
             └─1940 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboar>

Feb 27 00:57:42 dashboard opensearch-dashboards[1940]: {"type":"log","@timestamp":"2024-02-26T23:57:42Z","tags":["info","plugins-service"],"pid":1940,"messag>
Feb 27 00:57:42 dashboard opensearch-dashboards[1940]: {"type":"log","@timestamp":"2024-02-26T23:57:42Z","tags":["info","plugins-service"],"pid":1940,"messag>
Feb 27 00:57:42 dashboard opensearch-dashboards[1940]: {"type":"log","@timestamp":"2024-02-26T23:57:42Z","tags":["info","plugins-system"],"pid":1940,"message>
Feb 27 00:57:43 dashboard opensearch-dashboards[1940]: {"type":"log","@timestamp":"2024-02-26T23:57:43Z","tags":["info","savedobjects-service"],"pid":1940,"m>
Feb 27 00:57:44 dashboard opensearch-dashboards[1940]: {"type":"log","@timestamp":"2024-02-26T23:57:44Z","tags":["info","savedobjects-service"],"pid":1940,"m>
Feb 27 00:57:45 dashboard opensearch-dashboards[1940]: {"type":"log","@timestamp":"2024-02-26T23:57:45Z","tags":["info","plugins-system"],"pid":1940,"message>
Feb 27 00:57:46 dashboard opensearch-dashboards[1940]: {"type":"log","@timestamp":"2024-02-26T23:57:46Z","tags":["listening","info"],"pid":1940,"message":"Se>
Feb 27 00:57:47 dashboard opensearch-dashboards[1940]: {"type":"log","@timestamp":"2024-02-26T23:57:47Z","tags":["info","http","server","OpenSearchDashboards>
Feb 27 01:01:18 dashboard opensearch-dashboards[1940]: {"type":"log","@timestamp":"2024-02-27T00:01:18Z","tags":["error","plugins","wazuh","cron-scheduler"],>
Feb 27 01:01:18 dashboard opensearch-dashboards[1940]: {"type":"log","@timestamp":"2024-02-27T00:01:18Z","tags":["error","plugins","wazuh","cron-scheduler"],>
[root@dashboard ~]#
```
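The Filebeat and dashboard steps above end with `chmod 500` on the certs directory, `chmod 400` on its files and a `chown -R` to the service owner. The function below is an added example, not part of this report, that verifies a directory actually ended up in that state; it assumes GNU coreutils `stat` (Alma Linux has it) and takes the directory and expected owner as arguments.

```shell
#!/bin/sh
# Added example (not from the test report): verify the certificate directory
# layout the installation procedure sets: mode 500 on the directory, mode 400
# on every file in it, and a single expected owner for all of them.
# Assumes GNU coreutils stat ("stat -c '%a %U'").

# check_cert_dir DIR OWNER
# Prints one line per violation; returns 0 when DIR is clean, 1 otherwise.
check_cert_dir() {
    dir=$1
    owner=$2
    rc=0

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi

    # The directory itself must be 500 and owned by the service user.
    set -- $(stat -c '%a %U' "$dir")
    if [ "$1" != "500" ]; then
        echo "$dir: mode $1, expected 500"
        rc=1
    fi
    if [ "$2" != "$owner" ]; then
        echo "$dir: owner $2, expected $owner"
        rc=1
    fi

    # Every regular file inside (certificate, key, root CA) must be 400.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(stat -c '%a %U' "$f")
        if [ "$1" != "400" ]; then
            echo "$f: mode $1, expected 400"
            rc=1
        fi
        if [ "$2" != "$owner" ]; then
            echo "$f: owner $2, expected $owner"
            rc=1
        fi
    done
    return $rc
}

# On a Wazuh server node the call would be:
#   check_cert_dir /etc/filebeat/certs root
# and on the dashboard node:
#   check_cert_dir /etc/wazuh-dashboard/certs wazuh-dashboard
```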
thecotilking commented 6 months ago

## Wazuh indexer package 🟢

### Package SPECs 🟢

```
[root@indexer1 ~]# rpm -qa | grep wazuh
wazuh-indexer-4.8.0-1.x86_64
[root@indexer1 ~]# rpm -qi wazuh-indexer-4.8.0-1.x86_64
Name        : wazuh-indexer
Version     : 4.8.0
Release     : 1
Architecture: x86_64
Install Date: Mon 26 Feb 2024 18:25:39
Group       : System Environment/Daemons
Size        : 1055875422
License     : GPL
Signature   : RSA/SHA256, Sat 24 Feb 2024 21:01:41, Key ID 96b3ee5f29111145
Source RPM  : wazuh-indexer-4.8.0-1.src.rpm
Build Date  : Sat 24 Feb 2024 17:51:28
Build Host  : ip-172-31-14-8.ec2.internal
Packager    : Wazuh, Inc <info@wazuh.com>
Vendor      : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : Wazuh indexer is a search and analytics engine for security-related data. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
Description :
Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. This Wazuh central component indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
[root@indexer1 ~]#
```
thecotilking commented 6 months ago

## Wazuh indexer installed files location, size and permissions 🟢

### Indexer node 1 🟢

indexer.txt

### Indexer node 2 🟢

indexer2.txt

thecotilking commented 6 months ago

## Wazuh indexer installation footprint 🟢

### Files owned by user wazuh-indexer but not in wazuh-indexer paths

#### Node 1

```
[root@indexer1 ~]# find /etc -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer1 ~]# find /usr -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer1 ~]# find /var -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer1 ~]# find /bin -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer1 ~]# find /etc -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer1 ~]# find /usr -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer1 ~]# find /bin -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer1 ~]# find /var -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
```

#### Node 2

```
[root@indexer2 ~]# find /etc -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer2 ~]# find /usr -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer2 ~]# find /var -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer2 ~]# find /bin -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer2 ~]# find /etc -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer2 ~]# find /usr -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer2 ~]# find /var -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@indexer2 ~]# find /bin -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
```
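The eight `find` invocations per node above can be collapsed into one check that also yields a pass/fail exit status, which is what a footprint test in CI needs. The function below is an added example, not part of this report; it assumes GNU `find` (the `-regex` test), and the user, group and search roots are passed in rather than hard-coded so it can be run against a scratch tree as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the test report): the installation footprint check
# above as a single function. Lists every path under the given roots that is
# owned by USER or by GROUP and whose path does not contain "wazuh-indexer",
# and returns 1 when any such stray path exists.
# Assumes GNU find (-regex with the default emacs regex dialect).

# find_stray_paths USER GROUP ROOT...
find_stray_paths() {
    user=$1
    group=$2
    shift 2

    # Same predicate the report uses per root and per owner type, combined:
    # owned by the service user OR its group, excluding the package's own paths.
    # Errors (unreadable directories when not root) are dropped; a clean run
    # prints nothing.
    stray=$(find "$@" \( -user "$user" -o -group "$group" \) \
                 -not -regex '.*wazuh-indexer.*' 2>/dev/null)

    if [ -n "$stray" ]; then
        printf '%s\n' "$stray"
        return 1
    fi
    return 0
}

# On an indexer node the report's check becomes:
#   find_stray_paths wazuh-indexer wazuh-indexer /etc /usr /var /bin
```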
thecotilking commented 6 months ago

## Wazuh indexer installed service :green_circle:

The service was correctly installed, enabled, and started.

### Node 1 :green_circle:

```
[root@indexer1 ~]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-02-27 12:55:05 WAT; 42min ago
       Docs: https://documentation.wazuh.com
   Main PID: 1012 (java)
      Tasks: 60 (limit: 11018)
     Memory: 1.2G
        CPU: 2min 32.013s
     CGroup: /system.slice/wazuh-indexer.service
             └─1012 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.tt>

Feb 27 12:54:18 indexer1 systemd-entrypoint[1012]: ERROR StatusConsoleListener Unable to locate appender "task_detailslog_rolling_old" for logger config "tas>
Feb 27 12:54:18 indexer1 systemd-entrypoint[1012]: ERROR StatusConsoleListener Unable to locate appender "deprecation_rolling_old" for logger config "org.ope>
Feb 27 12:54:18 indexer1 systemd-entrypoint[1012]: ERROR StatusConsoleListener Unable to locate appender "deprecation_rolling" for logger config "org.opensea>
Feb 27 12:54:18 indexer1 systemd-entrypoint[1012]: ERROR StatusConsoleListener Unable to locate appender "index_search_slowlog_rolling_old" for logger config>
Feb 27 12:54:18 indexer1 systemd-entrypoint[1012]: ERROR StatusConsoleListener Unable to locate appender "index_search_slowlog_rolling" for logger config "in>
Feb 27 12:54:19 indexer1 systemd-entrypoint[1012]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 27 12:54:19 indexer1 systemd-entrypoint[1012]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/>
Feb 27 12:54:19 indexer1 systemd-entrypoint[1012]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 27 12:54:19 indexer1 systemd-entrypoint[1012]: WARNING: System::setSecurityManager will be removed in a future release
Feb 27 12:55:05 indexer1 systemd[1]: Started Wazuh-indexer.
[root@indexer1 ~]#
```

```
[root@indexer1 ~]# systemctl is-enabled wazuh-indexer
enabled
[root@indexer1 ~]#
```

```
[root@indexer1 ~]# systemctl cat wazuh-indexer.service
# /usr/lib/systemd/system/wazuh-indexer.service
[Unit]
Description=Wazuh-indexer
Documentation=https://documentation.wazuh.com
Wants=network-online.target
After=network-online.target

[Service]
Type=notify
RuntimeDirectory=wazuh-indexer
PrivateTmp=yes
Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer
Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
Environment=PID_DIR=/run/wazuh-indexer
Environment=OPENSEARCH_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/wazuh-indexer

WorkingDirectory=/usr/share/wazuh-indexer

User=wazuh-indexer
Group=wazuh-indexer

ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet

# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# wazuh-indexer logging system is initialized. Elasticsearch
# stores its logs in /var/log/wazuh-indexer and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535

# Specifies the maximum number of processes
LimitNPROC=4096

# Specifies the maximum size of virtual memory
LimitAS=infinity
[root@indexer1 ~]#
```
### Node 2 :green_circle:

```
[root@indexer2 ~]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-02-27 12:55:02 WAT; 45min ago
       Docs: https://documentation.wazuh.com
   Main PID: 1007 (java)
      Tasks: 68 (limit: 11018)
     Memory: 1.3G
        CPU: 2min 37.879s
     CGroup: /system.slice/wazuh-indexer.service
             └─1007 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.tt>

Feb 27 12:54:12 indexer2 systemd[1]: Starting Wazuh-indexer...
Feb 27 12:54:20 indexer2 systemd-entrypoint[1007]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 27 12:54:20 indexer2 systemd-entrypoint[1007]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/shar>
Feb 27 12:54:20 indexer2 systemd-entrypoint[1007]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 27 12:54:20 indexer2 systemd-entrypoint[1007]: WARNING: System::setSecurityManager will be removed in a future release
Feb 27 12:54:24 indexer2 systemd-entrypoint[1007]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 27 12:54:24 indexer2 systemd-entrypoint[1007]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/>
Feb 27 12:54:24 indexer2 systemd-entrypoint[1007]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 27 12:54:24 indexer2 systemd-entrypoint[1007]: WARNING: System::setSecurityManager will be removed in a future release
Feb 27 12:55:02 indexer2 systemd[1]: Started Wazuh-indexer.
[root@indexer2 ~]# ``` ``` [root@indexer2 ~]# systemctl is-enabled wazuh-indexer enabled [root@indexer2 ~]# ``` ``` [root@indexer2 ~]# systemctl cat wazuh-indexer.service # /usr/lib/systemd/system/wazuh-indexer.service [Unit] Description=Wazuh-indexer Documentation=https://documentation.wazuh.com Wants=network-online.target After=network-online.target [Service] Type=notify RuntimeDirectory=wazuh-indexer PrivateTmp=yes Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer Environment=PID_DIR=/run/wazuh-indexer Environment=OPENSEARCH_SD_NOTIFY=true EnvironmentFile=-/etc/sysconfig/wazuh-indexer WorkingDirectory=/usr/share/wazuh-indexer User=wazuh-indexer Group=wazuh-indexer ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet # StandardOutput is configured to redirect to journalctl since # some error messages may be logged in standard output before # wazuh-indexer logging system is initialized. Elasticsearch # stores its logs in /var/log/wazuh-indexer and does not use # journalctl by default. If you also want to enable journalctl # logging, you can simply remove the "quiet" option from ExecStart. StandardOutput=journal StandardError=inherit # Specifies the maximum file descriptor number that can be opened by this process LimitNOFILE=65535 # Specifies the maximum number of processes LimitNPROC=4096 # Specifies the maximum size of virtual memory LimitAS=infinity [root@indexer2 ~]# ```
thecotilking commented 6 months ago

Wazuh indexer installation logs :green_circle:

Node 1 🟒

#### Installation logs

```
[root@indexer1 ~]# journalctl | grep -i wazuh-indexer
Feb 27 17:42:29 indexer1 groupadd[3017]: group added to /etc/group: name=wazuh-indexer, GID=980
Feb 27 17:42:30 indexer1 groupadd[3017]: group added to /etc/gshadow: name=wazuh-indexer
Feb 27 17:42:30 indexer1 groupadd[3017]: new group: name=wazuh-indexer, GID=980
Feb 27 17:42:30 indexer1 useradd[3024]: new user: name=wazuh-indexer, UID=980, GID=980, home=/usr/share/wazuh-indexer, shell=/sbin/nologin, from=none
Feb 27 17:50:37 indexer1 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Feb 27 17:50:37 indexer1 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Feb 27 17:50:37 indexer1 systemd[1]: Starting Wazuh-indexer...
Feb 27 17:50:42 indexer1 systemd-entrypoint[3172]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 27 17:50:46 indexer1 systemd-entrypoint[3172]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 27 17:51:51 indexer1 systemd[1]: Started Wazuh-indexer.
Feb 27 17:52:02 indexer1 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Feb 27 17:52:19 indexer1 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Feb 27 17:52:19 indexer1 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer-performance-analyzer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Feb 27 17:52:20 indexer1 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Feb 27 17:53:26 indexer1 runuser[3439]: pam_unix(runuser:session): session opened for user wazuh-indexer(uid=980) by thecotilking(uid=0)
Feb 27 17:53:46 indexer1 runuser[3439]: pam_unix(runuser:session): session closed for user wazuh-indexer
```
Node 2 :green_circle:

#### Installation logs

```
[root@indexer2 ~]# journalctl | grep -i wazuh-indexer
Feb 27 17:41:54 indexer2 groupadd[2301]: group added to /etc/group: name=wazuh-indexer, GID=984
Feb 27 17:41:54 indexer2 groupadd[2301]: group added to /etc/gshadow: name=wazuh-indexer
Feb 27 17:41:54 indexer2 groupadd[2301]: new group: name=wazuh-indexer, GID=984
Feb 27 17:41:54 indexer2 useradd[2308]: new user: name=wazuh-indexer, UID=984, GID=984, home=/usr/share/wazuh-indexer, shell=/sbin/nologin, from=none
Feb 27 17:50:25 indexer2 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Feb 27 17:50:25 indexer2 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Feb 27 17:50:26 indexer2 systemd[1]: Starting Wazuh-indexer...
Feb 27 17:50:31 indexer2 systemd-entrypoint[2482]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 27 17:50:35 indexer2 systemd-entrypoint[2482]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 27 17:51:14 indexer2 systemd[1]: Started Wazuh-indexer.
Feb 27 17:51:41 indexer2 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Feb 27 17:51:41 indexer2 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer-performance-analyzer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Feb 27 17:51:42 indexer2 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
[root@indexer2 ~]#
```
thecotilking commented 6 months ago

Wazuh indexer indices, templates, and shards 🟒

Indices

```
[root@indexer1 ~]# curl -u admin:K.EaBal90w4AhYfCdU*h4abhjc8NPGJD -k https://172.20.10.4:9200/_cat/indices?v=true
health status index                       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2024.02.26 0UQuJkZXToW9U5XoN-rqQQ   3   1          6            0      142kb           71kb
green  open   .opensearch-observability   aqsI1GiBQvWMrzJ4-hZqxw   1   1          0            0       416b           208b
green  open   .plugins-ml-config          CT4lilj3SFmUEjbCtjZLhw   1   1          1            0      7.8kb          3.9kb
green  open   wazuh-statistics-2024.9w    QEwja17mRKeX4opl1_T5fA   1   0        170            0    246.7kb        246.7kb
green  open   wazuh-alerts-4.x-2024.02.27 zsNQU6qQTSmyVh-QzSi5gw   3   1         58            0    896.1kb        449.1kb
green  open   wazuh-monitoring-2024.9w    PwqdScOyQm6-g0vVlKX4DQ   1   0          0            0       208b           208b
green  open   .kibana_1                   FD8vVJbARFSNycH3STRfzQ   1   1          6            0     35.6kb         17.8kb
green  open   .opendistro_security        3SGjPzoER32M7_iRu366YA   1   1         10            0    130.4kb         65.2kb
[root@indexer1 ~]#
```

Templates

```
[root@indexer1 ~]# curl -u admin:K.EaBal90w4AhYfCdU*h4abhjc8NPGJD -k https://172.20.10.4:9200/_cat/templates?v=true
name                  index_patterns                             order version composed_of
wazuh-agent           [wazuh-monitoring-*]                       0
wazuh                 [wazuh-alerts-4.x-*, wazuh-archives-4.x-*] 0     1
wazuh-statistics      [wazuh-statistics-*]                       0
ss4o_metrics_template [ss4o_metrics-*-*]                         1     1       []
ss4o_traces_template  [ss4o_traces-*-*]                          1     1       []
[root@indexer1 ~]#
```

Shards

```
[root@indexer1 ~]# curl -u admin:K.EaBal90w4AhYfCdU*h4abhjc8NPGJD -k https://172.20.10.4:9200/_cat/shards?v=true
index                            shard prirep state   docs   store ip          node
wazuh-alerts-4.x-2024.02.26      0     r      STARTED    3  32.5kb 172.20.10.4 node-1
wazuh-alerts-4.x-2024.02.26      0     p      STARTED    3  32.4kb 172.20.10.5 node-2
wazuh-alerts-4.x-2024.02.26      1     r      STARTED    2  18.4kb 172.20.10.4 node-1
wazuh-alerts-4.x-2024.02.26      1     p      STARTED    2  18.4kb 172.20.10.5 node-2
wazuh-alerts-4.x-2024.02.26      2     r      STARTED    1  20.1kb 172.20.10.4 node-1
wazuh-alerts-4.x-2024.02.26      2     p      STARTED    1  20.1kb 172.20.10.5 node-2
.plugins-ml-config               0     p      STARTED    1   3.9kb 172.20.10.4 node-1
.plugins-ml-config               0     r      STARTED    1   3.9kb 172.20.10.5 node-2
.opensearch-observability        0     r      STARTED    0    208b 172.20.10.4 node-1
.opensearch-observability        0     p      STARTED    0    208b 172.20.10.5 node-2
wazuh-statistics-2024.9w         0     p      STARTED  170 246.7kb 172.20.10.5 node-2
wazuh-alerts-4.x-2024.02.27      0     p      STARTED   24   149kb 172.20.10.4 node-1
wazuh-alerts-4.x-2024.02.27      0     r      STARTED   24   149kb 172.20.10.5 node-2
wazuh-alerts-4.x-2024.02.27      1     r      STARTED   17 157.1kb 172.20.10.4 node-1
wazuh-alerts-4.x-2024.02.27      1     p      STARTED   17 144.7kb 172.20.10.5 node-2
wazuh-alerts-4.x-2024.02.27      2     p      STARTED   17 155.4kb 172.20.10.4 node-1
wazuh-alerts-4.x-2024.02.27      2     r      STARTED   17 140.8kb 172.20.10.5 node-2
.opensearch-sap-log-types-config 0     p      STARTED              172.20.10.4 node-1
.opensearch-sap-log-types-config 0     r      STARTED              172.20.10.5 node-2
wazuh-monitoring-2024.9w         0     p      STARTED    0    208b 172.20.10.4 node-1
.opendistro_security             0     r      STARTED   10  65.2kb 172.20.10.4 node-1
.opendistro_security             0     p      STARTED   10  65.2kb 172.20.10.5 node-2
.kibana_1                        0     r      STARTED    6  17.8kb 172.20.10.4 node-1
.kibana_1                        0     p      STARTED    6  17.8kb 172.20.10.5 node-2
[root@indexer1 ~]#
```
thecotilking commented 6 months ago

Wazuh indexer cluster status 🟒

Cluster status

```
[root@indexer1 ~]# curl -u admin:K.EaBal90w4AhYfCdU*h4abhjc8NPGJD -k https://172.20.10.4:9200/_cluster/state/nodes?pretty
{
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "AAZXq9vYRvqCXD7WbxKuAA",
  "nodes" : {
    "WPYRTqdsRR2jlShkq9kamQ" : {
      "name" : "node-1",
      "ephemeral_id" : "PSPXkD-mQmKvBTp1RNrXcg",
      "transport_address" : "172.20.10.4:9300",
      "attributes" : {
        "shard_indexing_pressure_enabled" : "true"
      }
    },
    "h3IkE1MCTj6BkMDka1Gl4w" : {
      "name" : "node-2",
      "ephemeral_id" : "ygqcozeZQbaW6MFg4TRanA",
      "transport_address" : "172.20.10.5:9300",
      "attributes" : {
        "shard_indexing_pressure_enabled" : "true"
      }
    }
  }
}
```

Cluster health

```
[root@indexer1 ~]# curl -u admin:K.EaBal90w4AhYfCdU*h4abhjc8NPGJD -k https://172.20.10.4:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 2,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 13,
  "active_shards" : 24,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
```
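The two comments above (the `_cat/shards` table and the `_cluster/health` document) are checked by eye. The script below is an added example for this review, not Wazuh code, that performs the same checks mechanically: every shard is `STARTED`, no primary shares a node with its own replica, the `_cluster/health` counters agree with the shard table, and any index running with `rep 0` is called out, because its only copy disappears with the node that holds it (on the outputs above that is `wazuh-statistics-2024.9w` and `wazuh-monitoring-2024.9w`). The sample inputs are constructed: `SAMPLE_SHARDS` is a subset of the table pasted above and `SAMPLE_HEALTH` is a cut-down copy of the health document with the shard counts adjusted to that subset. The parser assumes the `_cat` format seen above, where `docs`/`store` may be blank and `ip`/`node` are blank for `UNASSIGNED` shards.

```python
"""Checks over `_cat/shards?v=true` text and `_cluster/health` JSON.
Added example for this review, not Wazuh code; sample data constructed from
the outputs reviewed above (nodes node-1 and node-2)."""
import json
from collections import defaultdict

SAMPLE_SHARDS = """\
index                            shard prirep state   docs   store ip          node
wazuh-alerts-4.x-2024.02.26      0     r      STARTED    3  32.5kb 172.20.10.4 node-1
wazuh-alerts-4.x-2024.02.26      0     p      STARTED    3  32.4kb 172.20.10.5 node-2
wazuh-statistics-2024.9w         0     p      STARTED  170 246.7kb 172.20.10.5 node-2
.opensearch-sap-log-types-config 0     p      STARTED              172.20.10.4 node-1
.opensearch-sap-log-types-config 0     r      STARTED              172.20.10.5 node-2
.opendistro_security             0     r      STARTED   10  65.2kb 172.20.10.4 node-1
.opendistro_security             0     p      STARTED   10  65.2kb 172.20.10.5 node-2
"""

# Constructed: counters match SAMPLE_SHARDS (4 primaries, 7 active copies).
SAMPLE_HEALTH = json.dumps({
    "cluster_name": "wazuh-cluster", "status": "green",
    "number_of_nodes": 2, "number_of_data_nodes": 2,
    "active_primary_shards": 4, "active_shards": 7,
    "relocating_shards": 0, "initializing_shards": 0, "unassigned_shards": 0,
})


def parse_cat_shards(text):
    """Parse `_cat/shards?v=true` into rows of index/shard/prirep/state/node."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if lines[0].split()[:4] != ["index", "shard", "prirep", "state"]:
        raise ValueError("unexpected _cat/shards header: " + lines[0])
    rows = []
    for ln in lines[1:]:
        parts = ln.split()
        index, shard, prirep, state = parts[:4]
        # docs/store may be blank, so the node is read from the end of the line
        node = parts[-1] if state != "UNASSIGNED" and len(parts) > 4 else None
        rows.append({"index": index, "shard": int(shard), "prirep": prirep,
                     "state": state, "node": node})
    return rows


def check_shards(rows):
    """Findings about shard state and placement; an empty list means healthy."""
    findings = []
    copies = defaultdict(list)  # (index, shard) -> [(prirep, node), ...]
    for r in rows:
        if r["state"] != "STARTED":
            findings.append(f"{r['index']}[{r['shard']}] {r['prirep']} is {r['state']}")
        copies[(r["index"], r["shard"])].append((r["prirep"], r["node"]))
    for (index, shard), cp in sorted(copies.items()):
        nodes = [n for _, n in cp if n]
        if len(nodes) != len(set(nodes)):
            findings.append(f"{index}[{shard}] has two copies on one node: {nodes}")
        if sum(1 for p, _ in cp if p == "p") != 1:
            findings.append(f"{index}[{shard}] does not have exactly one primary")
        if len(cp) == 1:
            # rep 0: the shard exists on one node only and is lost with it
            findings.append(f"{index}[{shard}] has no replica (single copy on {cp[0][1]})")
    return findings


def check_health(health_json, rows, expected_nodes):
    """Cross-check `_cluster/health` against the parsed shard table."""
    h = json.loads(health_json)
    findings = []
    if h["status"] != "green":
        findings.append(f"cluster status is {h['status']}")
    if h["number_of_nodes"] != expected_nodes:
        findings.append(f"expected {expected_nodes} nodes, health reports {h['number_of_nodes']}")
    if h["unassigned_shards"] or h["initializing_shards"] or h["relocating_shards"]:
        findings.append("shards are unassigned, initializing or relocating")
    started = [r for r in rows if r["state"] == "STARTED"]
    primaries = sum(1 for r in started if r["prirep"] == "p")
    if (primaries, len(started)) != (h["active_primary_shards"], h["active_shards"]):
        findings.append(f"health reports {h['active_primary_shards']}/{h['active_shards']} "
                        f"primary/active shards, table shows {primaries}/{len(started)}")
    return findings


def review(cat_shards_text=SAMPLE_SHARDS, health_json=SAMPLE_HEALTH, expected_nodes=2):
    """Run both checks and return the combined findings."""
    rows = parse_cat_shards(cat_shards_text)
    return check_shards(rows) + check_health(health_json, rows, expected_nodes)


if __name__ == "__main__":
    for finding in review():
        print("finding:", finding)
```

Feed it the real outputs by saving the two `curl` responses to files and passing their contents to `review()` with the node count the deployment is supposed to have; a finding is something to explain in the Conclusions table, not necessarily a failure.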
thecotilking commented 6 months ago

User experience :green_circle:

An agent was installed and connected. No issues encountered.

Agent installation and connection

#### On the agent host

```
[root@agent ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@agent ~]# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
EOF
[root@agent ~]# WAZUH_MANAGER="172.20.10.6" yum install wazuh-agent
AlmaLinux 9 - AppStream                                                                                                        67 kB/s | 9.1 MB     02:18
AlmaLinux 9 - BaseOS                                                                                                          325 kB/s | 4.7 MB     00:14
AlmaLinux 9 - Extras                                                                                                           16 kB/s |  17 kB     00:01
EL-9 - Wazuh                                                                                                                  1.9 MB/s |  24 MB     00:13
Dependencies resolved.
==============================================================================================================================================================
 Package                                   Architecture                       Version                                Repository                          Size
==============================================================================================================================================================
Installing:
 wazuh-agent                               x86_64                             4.8.0-1                                wazuh                               10 M

Transaction Summary
==============================================================================================================================================================
Install  1 Package

Total download size: 10 M
Installed size: 29 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-agent-4.8.0-1.x86_64.rpm                                                                                                2.2 MB/s |  10 MB     00:04
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                         2.2 MB/s |  10 MB     00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                      1/1
  Running scriptlet: wazuh-agent-4.8.0-1.x86_64                                                                                                           1/1
  Installing       : wazuh-agent-4.8.0-1.x86_64                                                                                                           1/1
  Running scriptlet: wazuh-agent-4.8.0-1.x86_64                                                                                                           1/1
  Verifying        : wazuh-agent-4.8.0-1.x86_64                                                                                                           1/1

Installed:
  wazuh-agent-4.8.0-1.x86_64

Complete!
[root@agent ~]# systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /usr/lib/systemd/system/wazuh-agent.service.
[root@agent ~]#
[root@agent ~]# sudo firewall-cmd --state
running
[root@agent ~]# sudo firewall-cmd --zone=public --add-port=1514/tcp --permanent
success
[root@agent ~]# sudo firewall-cmd --zone=public --add-port=1515/tcp --permanent
success
[root@agent ~]# sudo firewall-cmd --zone=public --add-port=1516/tcp --permanent
success
[root@agent ~]# sudo firewall-cmd --reload
success
[root@agent ~]#
```

#### Agent connected

![image](https://github.com/wazuh/wazuh/assets/113598572/6ceebba1-42f5-4d20-b5aa-d135b000e6fd)
![image](https://github.com/wazuh/wazuh/assets/113598572/4d34d1d1-f7bc-4a17-87d2-df8f4ff3e268)
thecotilking commented 6 months ago

Uninstall procedure 🟒

Followed this guide: https://documentation.wazuh.com/current/user-manual/uninstall/central-components.html#uninstall-the-wazuh-indexer

Node 1

```
[root@indexer1 ~]#yum remove wazuh-indexer -y
rm -rf /var/lib/wazuh-indexer/
rm -rf /usr/share/wazuh-indexer/
rm -rf /etc/wazuh-indexer/
Dependencies resolved.
==============================================================================================================================================================
 Package                                   Architecture                       Version                                Repository                          Size
==============================================================================================================================================================
Removing:
 wazuh-indexer                             x86_64                             4.8.0-1                                @wazuh                             1.0 G

Transaction Summary
==============================================================================================================================================================
Remove  1 Package

Freed space: 1.0 G
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                      1/1
  Running scriptlet: wazuh-indexer-4.8.0-1.x86_64                                                                                                         1/1
Stopping wazuh-indexer service... OK

  Erasing          : wazuh-indexer-4.8.0-1.x86_64                                                                                                         1/1
warning: /etc/wazuh-indexer/opensearch.yml saved as /etc/wazuh-indexer/opensearch.yml.rpmsave
warning: /etc/wazuh-indexer/opensearch-security/internal_users.yml saved as /etc/wazuh-indexer/opensearch-security/internal_users.yml.rpmsave

  Running scriptlet: wazuh-indexer-4.8.0-1.x86_64                                                                                                         1/1
  Verifying        : wazuh-indexer-4.8.0-1.x86_64                                                                                                         1/1

Removed:
  wazuh-indexer-4.8.0-1.x86_64

Complete!
[root@indexer1 ~]#systemctl status wazuh-indexer
systemctl cat wazuh-indexer.service
yum list installed | grep wazuh-indexer
Unit wazuh-indexer.service could not be found.
No files found for wazuh-indexer.service.
[root@indexer1 ~]#
```

Node 2

```
[root@indexer2 ~]#yum remove wazuh-indexer -y
rm -rf /var/lib/wazuh-indexer/
rm -rf /usr/share/wazuh-indexer/
rm -rf /etc/wazuh-indexer/
Dependencies resolved.
==============================================================================================================================================================
 Package                                   Architecture                       Version                                Repository                          Size
==============================================================================================================================================================
Removing:
 wazuh-indexer                             x86_64                             4.8.0-1                                @wazuh                             1.0 G

Transaction Summary
==============================================================================================================================================================
Remove  1 Package

Freed space: 1.0 G
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                      1/1
  Running scriptlet: wazuh-indexer-4.8.0-1.x86_64                                                                                                         1/1
Stopping wazuh-indexer service... OK

  Erasing          : wazuh-indexer-4.8.0-1.x86_64                                                                                                         1/1
warning: /etc/wazuh-indexer/opensearch.yml saved as /etc/wazuh-indexer/opensearch.yml.rpmsave

  Running scriptlet: wazuh-indexer-4.8.0-1.x86_64                                                                                                         1/1
  Verifying        : wazuh-indexer-4.8.0-1.x86_64                                                                                                         1/1

Removed:
  wazuh-indexer-4.8.0-1.x86_64

Complete!
[root@indexer2 ~]#
[root@indexer2 ~]#systemctl status wazuh-indexer
systemctl cat wazuh-indexer.service
yum list installed | grep wazuh-indexer
Unit wazuh-indexer.service could not be found.
No files found for wazuh-indexer.service.
[root@indexer2 ~]#
```
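The uninstall above relies on `yum remove` followed by three `rm -rf` commands, and the rpm output shows why the manual deletion matters: rpm preserves `opensearch.yml` and `opensearch-security/internal_users.yml` as `*.rpmsave`, and the second of those holds the internal users' password hashes. The script below is an added example for this review, not part of Wazuh or its uninstall guide. It reports what an uninstall can leave behind: the three directories the guide removes, the two systemd unit files named in the journal entries earlier in this issue, `*.rpmsave` copies (flagging the ones that carry credentials or key material), and the `wazuh-indexer` account, which the removal output above does not show being deleted. The `root` argument exists so the check can be exercised on a scratch tree; `make_sample_tree()` builds such a tree with constructed contents. On a real host call `indexer_leftovers()` with the default `"/"`.

```python
"""Post-uninstall leftover check for the Wazuh indexer.
Added example for this review, not Wazuh code. Paths come from the uninstall
and journal output in this issue; the sample tree contents are constructed."""
import tempfile
from pathlib import Path

INDEXER_DIRS = ("var/lib/wazuh-indexer", "usr/share/wazuh-indexer", "etc/wazuh-indexer")
UNIT_FILES = ("usr/lib/systemd/system/wazuh-indexer.service",
              "usr/lib/systemd/system/wazuh-indexer-performance-analyzer.service")
# Preserved config that carries credentials or key material (names are assumptions
# beyond the two files rpm reported above)
SENSITIVE_NAMES = ("internal_users.yml", "opensearch.yml", ".pem", ".key")
SERVICE_ACCOUNT = "wazuh-indexer"


def indexer_leftovers(root="/"):
    """Report leftovers under `root`; every list empty means the host is clean."""
    base = Path(root)
    report = {"dirs": [], "units": [], "rpmsave": [], "sensitive": [], "accounts": []}
    for rel in INDEXER_DIRS:
        d = base / rel
        if not d.exists():
            continue
        report["dirs"].append(str(d))
        for f in sorted(d.rglob("*")):
            if not f.is_file():
                continue
            name = f.name.removesuffix(".rpmsave")
            if name != f.name:
                report["rpmsave"].append(str(f))
            if name.endswith(SENSITIVE_NAMES):
                report["sensitive"].append(str(f))
    for rel in UNIT_FILES:
        if (base / rel).exists():
            report["units"].append(str(base / rel))
    passwd = base / "etc/passwd"
    if passwd.exists():
        for line in passwd.read_text().splitlines():
            if line.split(":", 1)[0] == SERVICE_ACCOUNT:
                report["accounts"].append(SERVICE_ACCOUNT)
    return report


def is_clean(report):
    """True when no leftovers of any kind were found."""
    return not any(report.values())


def make_sample_tree(with_leftovers=True):
    """Build a scratch tree that mimics a host after `yum remove` (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="indexer-uninstall-"))
    (root / "etc").mkdir()
    users = "root:x:0:0:root:/root:/bin/bash\n"
    if with_leftovers:
        sec = root / "etc/wazuh-indexer/opensearch-security"
        sec.mkdir(parents=True)
        # placeholder content; a real internal_users.yml carries bcrypt hashes
        (sec / "internal_users.yml.rpmsave").write_text('admin:\n  hash: "$2y$12$..."\n')
        (root / "etc/wazuh-indexer/opensearch.yml.rpmsave").write_text("cluster.name: wazuh-cluster\n")
        users += "wazuh-indexer:x:980:980::/usr/share/wazuh-indexer:/sbin/nologin\n"
    (root / "etc/passwd").write_text(users)
    return root


if __name__ == "__main__":
    demo = make_sample_tree()
    for kind, paths in indexer_leftovers(demo).items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run it after the `rm -rf` step on each indexer node; anything in `sensitive` should be shredded rather than left for the next reviewer to find, and a surviving `wazuh-indexer` account is worth noting in the uninstall conclusions even if it is expected.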
AlexRuiz7 commented 6 months ago

@thecotilking what about these logs?

```
Feb 27 12:54:18 indexer1 systemd-entrypoint[1012]: ERROR StatusConsoleListener Unable to locate appender "task_detailslog_rolling_old" for logger config "tas>
Feb 27 12:54:18 indexer1 systemd-entrypoint[1012]: ERROR StatusConsoleListener Unable to locate appender "deprecation_rolling_old" for logger config "org.ope>
Feb 27 12:54:18 indexer1 systemd-entrypoint[1012]: ERROR StatusConsoleListener Unable to locate appender "deprecation_rolling" for logger config "org.opensea>
Feb 27 12:54:18 indexer1 systemd-entrypoint[1012]: ERROR StatusConsoleListener Unable to locate appender "index_search_slowlog_rolling_old" for logger config>
Feb 27 12:54:18 indexer1 systemd-entrypoint[1012]: ERROR StatusConsoleListener Unable to locate appender "index_search_slowlog_rolling" for logger config "in>
```
damarisg commented 6 months ago

LGTM!