wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.8.0 - Beta 5 - Installation assistant #22831

Closed davidcr01 closed 5 months ago

davidcr01 commented 5 months ago

Installation assistant information

- Main release candidate issue: https://github.com/wazuh/wazuh/issues/22777
- Version: 4.8.0
- Release candidate: Beta 5
- Tag: https://github.com/wazuh/wazuh/tree/v4.8.0-beta5
- Previous Installation assistant: wazuh/wazuh#21414

Description

Test installation assistant with the -a option in the following OSs:


Checks

| Status | OS | Check | Issues |
|---|---|---|---|
| :green_circle: | AL 2 | Installed packages | |
| :green_circle: | AL 2 | Install logs | |
| :yellow_circle: | AL 2 | Wazuh indexer logs | Related issue: https://github.com/wazuh/wazuh-indexer/issues/167. Related issue: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094 |
| :yellow_circle: | AL 2 | Wazuh manager logs | Related: https://github.com/wazuh/wazuh/issues/21829. Related: https://github.com/wazuh/wazuh/issues/22835 |
| :green_circle: | AL 2 | Wazuh dashboard logs | |
| :green_circle: | AL 2 | Wazuh dashboard | |
| :red_circle: | RHEL 9 | Installed packages | :red_circle: Opened: https://github.com/wazuh/wazuh-packages/issues/2905 |
| :green_circle: | RHEL 9 | Install logs | |
| :yellow_circle: | RHEL 9 | Wazuh indexer logs | Related issue: https://github.com/wazuh/wazuh-indexer/issues/167. Related issue: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094 |
| :yellow_circle: | RHEL 9 | Wazuh manager logs | Related: https://github.com/wazuh/wazuh/issues/21829. Related: https://github.com/wazuh/wazuh/issues/22835 |
| :yellow_circle: | RHEL 9 | Wazuh dashboard logs | Related issue: https://github.com/wazuh/wazuh-dashboard-plugins/issues/6312 |
| :green_circle: | RHEL 9 | Wazuh dashboard | |
| :green_circle: | Ubuntu 22.04 | Installed packages | |
| :green_circle: | Ubuntu 22.04 | Install logs | |
| :yellow_circle: | Ubuntu 22.04 | Wazuh indexer logs | Related issue: https://github.com/wazuh/wazuh-indexer/issues/167. Related issue: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094 |
| :yellow_circle: | Ubuntu 22.04 | Wazuh manager logs | Related: https://github.com/wazuh/wazuh/issues/21829. Related: https://github.com/wazuh/wazuh/issues/22835 |
| :green_circle: | Ubuntu 22.04 | Wazuh dashboard logs | |
| :green_circle: | Ubuntu 22.04 | Wazuh dashboard | |

Checks legend:


Status legend:

- :black_circle: - Pending/In progress
- :white_circle: - Skipped
- :red_circle: - Rejected
- :yellow_circle: - Known issue
- :green_circle: - Approved


Conclusion

Some issues were found and they were reported.

Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.

davidcr01 commented 5 months ago

Environment

Amazon Linux 2

```shellsession
[root@ip-172-31-35-94 ec2-user]# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
[root@ip-172-31-35-94 ec2-user]#
```

Ubuntu 22

```shellsession
root@ip-172-31-39-45:/home/ubuntu# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@ip-172-31-39-45:/home/ubuntu#
```

RHEL 9

```shellsession
[root@ip-172-31-39-39 ec2-user]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
[root@ip-172-31-39-39 ec2-user]#
```

davidcr01 commented 5 months ago

Install logs :green_circle:

Amazon Linux 2 :green_circle:

Log on the console:

```shellsession
[root@ip-172-31-35-94 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash wazuh-install.sh -a
08/04/2024 14:26:04 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
08/04/2024 14:26:04 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/04/2024 14:26:12 INFO: Verifying that your system meets the recommended minimum hardware requirements.
08/04/2024 14:26:12 INFO: Wazuh web interface port will be 443.
08/04/2024 14:26:15 INFO: Wazuh development repository added.
08/04/2024 14:26:15 INFO: --- Configuration files ---
08/04/2024 14:26:15 INFO: Generating configuration files.
08/04/2024 14:26:15 INFO: Generating the root certificate.
08/04/2024 14:26:15 INFO: Generating Admin certificates.
08/04/2024 14:26:16 INFO: Generating Wazuh indexer certificates.
08/04/2024 14:26:16 INFO: Generating Filebeat certificates.
08/04/2024 14:26:16 INFO: Generating Wazuh dashboard certificates.
08/04/2024 14:26:16 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
08/04/2024 14:26:16 INFO: --- Wazuh indexer ---
08/04/2024 14:26:16 INFO: Starting Wazuh indexer installation.
08/04/2024 14:27:58 INFO: Wazuh indexer installation finished.
08/04/2024 14:27:58 INFO: Wazuh indexer post-install configuration finished.
08/04/2024 14:27:58 INFO: Starting service wazuh-indexer.
08/04/2024 14:28:21 INFO: wazuh-indexer service started.
08/04/2024 14:28:21 INFO: Initializing Wazuh indexer cluster security settings.
08/04/2024 14:28:32 INFO: Wazuh indexer cluster security configuration initialized.
08/04/2024 14:28:32 INFO: Wazuh indexer cluster initialized.
08/04/2024 14:28:32 INFO: --- Wazuh server ---
08/04/2024 14:28:32 INFO: Starting the Wazuh manager installation.
08/04/2024 14:29:13 INFO: Wazuh manager installation finished.
08/04/2024 14:29:13 INFO: Wazuh manager vulnerability detection configuration finished.
08/04/2024 14:29:13 INFO: Starting service wazuh-manager.
08/04/2024 14:29:32 INFO: wazuh-manager service started.
08/04/2024 14:29:32 INFO: Starting Filebeat installation.
08/04/2024 14:30:18 INFO: Filebeat installation finished.
08/04/2024 14:30:21 INFO: Filebeat post-install configuration finished.
08/04/2024 14:30:21 INFO: Starting service filebeat.
08/04/2024 14:30:22 INFO: filebeat service started.
08/04/2024 14:30:22 INFO: --- Wazuh dashboard ---
08/04/2024 14:30:22 INFO: Starting Wazuh dashboard installation.
08/04/2024 14:31:56 INFO: Wazuh dashboard installation finished.
08/04/2024 14:31:56 INFO: Wazuh dashboard post-install configuration finished.
08/04/2024 14:31:56 INFO: Starting service wazuh-dashboard.
08/04/2024 14:31:58 INFO: wazuh-dashboard service started.
08/04/2024 14:31:58 INFO: Another process is using YUM. Waiting for it to release the lock. Next retry in 30 seconds (1/10)
08/04/2024 14:32:31 INFO: Updating the internal users.
08/04/2024 14:32:39 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
08/04/2024 14:33:49 INFO: Initializing Wazuh dashboard web application.
08/04/2024 14:33:49 INFO: Wazuh dashboard web application not yet initialized. Waiting...
08/04/2024 14:34:05 INFO: Wazuh dashboard web application not yet initialized. Waiting...
08/04/2024 14:34:20 INFO: Wazuh dashboard web application initialized.
08/04/2024 14:34:20 INFO: --- Summary ---
08/04/2024 14:34:20 INFO: You can access the web interface https://:443
    User: admin
    Password: RsraZRHC9WhyRCY?Kk3*7ZiQvce4p8BY
08/04/2024 14:34:20 INFO: Installation finished.
[root@ip-172-31-35-94 ec2-user]#
```
Log in wazuh-install.log

```shellsession
[root@ip-172-31-35-94 ec2-user]# cat /var/log/wazuh-install.log
08/04/2024 14:26:04 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
08/04/2024 14:26:04 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/04/2024 14:26:12 INFO: Verifying that your system meets the recommended minimum hardware requirements.
08/04/2024 14:26:12 INFO: Wazuh web interface port will be 443.
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
08/04/2024 14:26:15 INFO: Wazuh development repository added.
08/04/2024 14:26:15 INFO: --- Configuration files ---
08/04/2024 14:26:15 INFO: Generating configuration files.
08/04/2024 14:26:15 INFO: Generating the root certificate.
08/04/2024 14:26:15 INFO: Generating Admin certificates.
08/04/2024 14:26:16 INFO: Generating Wazuh indexer certificates.
08/04/2024 14:26:16 INFO: Generating Filebeat certificates.
08/04/2024 14:26:16 INFO: Generating Wazuh dashboard certificates.
08/04/2024 14:26:16 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
08/04/2024 14:26:16 INFO: --- Wazuh indexer ---
08/04/2024 14:26:16 INFO: Starting Wazuh indexer installation.
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.8.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 wazuh-indexer x86_64 4.8.0-1 wazuh 743 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 743 M
Installed size: 1.0 G
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-indexer-4.8.0-1.x86_64 1/1
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
  Verifying : wazuh-indexer-4.8.0-1.x86_64 1/1
Installed:
  wazuh-indexer.x86_64 0:4.8.0-1
Complete!
08/04/2024 14:27:58 INFO: Wazuh indexer installation finished.
08/04/2024 14:27:58 INFO: Wazuh indexer post-install configuration finished.
08/04/2024 14:27:58 INFO: Starting service wazuh-indexer.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
08/04/2024 14:28:21 INFO: wazuh-indexer service started.
08/04/2024 14:28:21 INFO: Initializing Wazuh indexer cluster security settings.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
08/04/2024 14:28:32 INFO: Wazuh indexer cluster security configuration initialized.
08/04/2024 14:28:32 INFO: Wazuh indexer cluster initialized.
08/04/2024 14:28:32 INFO: --- Wazuh server ---
08/04/2024 14:28:32 INFO: Starting the Wazuh manager installation.
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package wazuh-manager.x86_64 0:4.8.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 wazuh-manager x86_64 4.8.0-1 wazuh 293 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 293 M
Installed size: 882 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-manager-4.8.0-1.x86_64 1/1
  Verifying : wazuh-manager-4.8.0-1.x86_64 1/1
Installed:
  wazuh-manager.x86_64 0:4.8.0-1
Complete!
08/04/2024 14:29:13 INFO: Wazuh manager installation finished.
08/04/2024 14:29:13 INFO: Wazuh manager vulnerability detection configuration finished.
08/04/2024 14:29:13 INFO: Starting service wazuh-manager.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /usr/lib/systemd/system/wazuh-manager.service.
08/04/2024 14:29:32 INFO: wazuh-manager service started.
08/04/2024 14:29:32 INFO: Starting Filebeat installation.
08/04/2024 14:30:18 INFO: Filebeat installation finished.
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
Created filebeat keystore
Successfully updated the keystore
Successfully updated the keystore
08/04/2024 14:30:21 INFO: Filebeat post-install configuration finished.
08/04/2024 14:30:21 INFO: Starting service filebeat.
Created symlink from /etc/systemd/system/multi-user.target.wants/filebeat.service to /usr/lib/systemd/system/filebeat.service.
08/04/2024 14:30:22 INFO: filebeat service started.
08/04/2024 14:30:22 INFO: --- Wazuh dashboard ---
08/04/2024 14:30:22 INFO: Starting Wazuh dashboard installation.
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package wazuh-dashboard.x86_64 0:4.8.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 wazuh-dashboard x86_64 4.8.0-1 wazuh 273 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 273 M
Installed size: 902 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-dashboard-4.8.0-1.x86_64 1/1
  Verifying : wazuh-dashboard-4.8.0-1.x86_64 1/1
Installed:
  wazuh-dashboard.x86_64 0:4.8.0-1
Complete!
08/04/2024 14:31:56 INFO: Wazuh dashboard installation finished.
08/04/2024 14:31:56 INFO: Wazuh dashboard post-install configuration finished.
08/04/2024 14:31:56 INFO: Starting service wazuh-dashboard.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service to /etc/systemd/system/wazuh-dashboard.service.
08/04/2024 14:31:58 INFO: wazuh-dashboard service started.
08/04/2024 14:31:58 INFO: Another process is using YUM. Waiting for it to release the lock. Next retry in 30 seconds (1/10)
08/04/2024 14:32:31 INFO: Updating the internal users.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
08/04/2024 14:32:39 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
Successfully updated the keystore
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /home/ec2-user
Force type: internalusers
Will update '/internalusers' with /etc/wazuh-indexer/backup/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["internalusers"],"updated_config_size":1,"message":null} is 1 (["internalusers"]) due to: null
Done with success
08/04/2024 14:33:49 INFO: Initializing Wazuh dashboard web application.
08/04/2024 14:33:49 INFO: Wazuh dashboard web application not yet initialized. Waiting...
08/04/2024 14:34:05 INFO: Wazuh dashboard web application not yet initialized. Waiting...
08/04/2024 14:34:20 INFO: Wazuh dashboard web application initialized.
08/04/2024 14:34:20 INFO: Installation finished.
[root@ip-172-31-35-94 ec2-user]#
```

Ubuntu 22 :green_circle:

Log on the console:

```shellsession
root@ip-172-31-39-45:/home/ubuntu# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash wazuh-install.sh -a
08/04/2024 14:26:04 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
08/04/2024 14:26:04 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/04/2024 14:26:24 INFO: Verifying that your system meets the recommended minimum hardware requirements.
08/04/2024 14:26:24 INFO: Wazuh web interface port will be 443.
08/04/2024 14:26:30 INFO: --- Dependencies ----
08/04/2024 14:26:30 INFO: Installing apt-transport-https.
08/04/2024 14:26:41 INFO: Wazuh development repository added.
08/04/2024 14:26:41 INFO: --- Configuration files ---
08/04/2024 14:26:41 INFO: Generating configuration files.
08/04/2024 14:26:41 INFO: Generating the root certificate.
08/04/2024 14:26:41 INFO: Generating Admin certificates.
08/04/2024 14:26:42 INFO: Generating Wazuh indexer certificates.
08/04/2024 14:26:43 INFO: Generating Filebeat certificates.
08/04/2024 14:26:43 INFO: Generating Wazuh dashboard certificates.
08/04/2024 14:26:43 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
08/04/2024 14:26:44 INFO: --- Wazuh indexer ---
08/04/2024 14:26:44 INFO: Starting Wazuh indexer installation.
08/04/2024 14:28:20 INFO: Wazuh indexer installation finished.
08/04/2024 14:28:20 INFO: Wazuh indexer post-install configuration finished.
08/04/2024 14:28:20 INFO: Starting service wazuh-indexer.
08/04/2024 14:28:44 INFO: wazuh-indexer service started.
08/04/2024 14:28:44 INFO: Initializing Wazuh indexer cluster security settings.
08/04/2024 14:28:55 INFO: Wazuh indexer cluster security configuration initialized.
08/04/2024 14:28:55 INFO: Wazuh indexer cluster initialized.
08/04/2024 14:28:55 INFO: --- Wazuh server ---
08/04/2024 14:28:55 INFO: Starting the Wazuh manager installation.
08/04/2024 14:30:19 INFO: Wazuh manager installation finished.
08/04/2024 14:30:19 INFO: Wazuh manager vulnerability detection configuration finished.
08/04/2024 14:30:19 INFO: Starting service wazuh-manager.
08/04/2024 14:30:41 INFO: wazuh-manager service started.
08/04/2024 14:30:41 INFO: Starting Filebeat installation.
08/04/2024 14:31:00 INFO: Filebeat installation finished.
08/04/2024 14:31:05 INFO: Filebeat post-install configuration finished.
08/04/2024 14:31:05 INFO: Starting service filebeat.
08/04/2024 14:31:07 INFO: filebeat service started.
08/04/2024 14:31:07 INFO: --- Wazuh dashboard ---
08/04/2024 14:31:07 INFO: Starting Wazuh dashboard installation.
08/04/2024 14:33:34 INFO: Wazuh dashboard installation finished.
08/04/2024 14:33:34 INFO: Wazuh dashboard post-install configuration finished.
08/04/2024 14:33:34 INFO: Starting service wazuh-dashboard.
08/04/2024 14:33:35 INFO: wazuh-dashboard service started.
08/04/2024 14:33:38 INFO: Updating the internal users.
08/04/2024 14:33:46 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
08/04/2024 14:35:06 INFO: Initializing Wazuh dashboard web application.
08/04/2024 14:35:06 INFO: Wazuh dashboard web application not yet initialized. Waiting...
08/04/2024 14:35:22 INFO: Wazuh dashboard web application not yet initialized. Waiting...
08/04/2024 14:35:37 INFO: Wazuh dashboard web application initialized.
08/04/2024 14:35:37 INFO: --- Summary ---
08/04/2024 14:35:37 INFO: You can access the web interface https://:443
    User: admin
    Password: 6yvkIEmlrEAVhZBsfc?mqheE+L2rB.lz
08/04/2024 14:35:37 INFO: Installation finished.
root@ip-172-31-39-45:/home/ubuntu#
```
Log in wazuh-install.log

```shellsession
root@ip-172-31-39-45:/home/ubuntu# cat /var/log/wazuh-install.log
08/04/2024 14:26:04 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
08/04/2024 14:26:04 INFO: Verbose logging redirected to /var/log/wazuh-install.log
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Get:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Get:4 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease [109 kB]
Get:5 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [1303 kB]
Get:6 http://security.ubuntu.com/ubuntu jammy-security/main Translation-en [233 kB]
Get:7 http://security.ubuntu.com/ubuntu jammy-security/main amd64 c-n-f Metadata [11.4 kB]
Get:8 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [1616 kB]
Get:9 http://security.ubuntu.com/ubuntu jammy-security/restricted Translation-en [271 kB]
Get:10 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 c-n-f Metadata [520 B]
Get:11 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [852 kB]
Get:12 http://security.ubuntu.com/ubuntu jammy-security/universe Translation-en [163 kB]
Get:13 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 c-n-f Metadata [16.8 kB]
Get:14 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [37.1 kB]
Get:15 http://security.ubuntu.com/ubuntu jammy-security/multiverse Translation-en [7476 B]
Get:16 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 c-n-f Metadata [260 B]
Get:17 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [14.1 MB]
Get:18 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/universe Translation-en [5652 kB]
Get:19 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 c-n-f Metadata [286 kB]
Get:20 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [217 kB]
Get:21 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/multiverse Translation-en [112 kB]
Get:22 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 c-n-f Metadata [8372 B]
Get:23 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1556 kB]
Get:24 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [297 kB]
Get:25 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 c-n-f Metadata [16.1 kB]
Get:26 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [1691 kB]
Get:27 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted Translation-en [284 kB]
Get:28 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 c-n-f Metadata [520 B]
Get:29 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1060 kB]
Get:30 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [241 kB]
Get:31 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 c-n-f Metadata [22.1 kB]
Get:32 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [49.6 kB]
Get:33 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse Translation-en [12.0 kB]
Get:34 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 c-n-f Metadata [472 B]
Get:35 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [67.1 kB]
Get:36 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/main Translation-en [11.0 kB]
Get:37 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/main amd64 c-n-f Metadata [388 B]
Get:38 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/restricted amd64 c-n-f Metadata [116 B]
Get:39 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [28.4 kB]
Get:40 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe Translation-en [16.2 kB]
Get:41 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 c-n-f Metadata [644 B]
Get:42 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/multiverse amd64 c-n-f Metadata [116 B]
Fetched 30.6 MB in 5s (6135 kB/s)
Reading package lists...
08/04/2024 14:26:24 INFO: Verifying that your system meets the recommended minimum hardware requirements.
08/04/2024 14:26:24 INFO: Wazuh web interface port will be 443.
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Reading package lists...
08/04/2024 14:26:30 INFO: --- Dependencies ----
08/04/2024 14:26:30 INFO: Installing apt-transport-https.
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 188 not upgraded.
Need to get 1510 B of archives.
After this operation, 170 kB of additional disk space will be used.
Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 apt-transport-https all 2.4.12 [1510 B]
Fetched 1510 B in 0s (95.7 kB/s)
Selecting previously unselected package ap(Reading database ... 64295 files and directories c
Preparing to unpack .../apt-transport-https_2.4.12
NEEDRESTART-VER: 3.5
NEEDRESTART-KCUR: 5.19.0-1025-aws
NEEDRESTART-KEXP: 5.19.0-1025-aws
NEEDRESTART-KSTA: 1
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) " imported
gpg: Total number processed: 1
gpg: imported: 1
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://security.ubuntu.com/ubuntu jammy-security InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:4 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [37.1 kB]
Fetched 54.4 kB in 1s (52.0 kB/s)
Reading package lists...
08/04/2024 14:26:41 INFO: Wazuh development repository added.
08/04/2024 14:26:41 INFO: --- Configuration files ---
08/04/2024 14:26:41 INFO: Generating configuration files.
08/04/2024 14:26:41 INFO: Generating the root certificate.
08/04/2024 14:26:41 INFO: Generating Admin certificates.
08/04/2024 14:26:42 INFO: Generating Wazuh indexer certificates.
08/04/2024 14:26:43 INFO: Generating Filebeat certificates.
08/04/2024 14:26:43 INFO: Generating Wazuh dashboard certificates.
08/04/2024 14:26:43 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
08/04/2024 14:26:44 INFO: --- Wazuh indexer ---
08/04/2024 14:26:44 INFO: Starting Wazuh indexer installation.
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  wazuh-indexer
0 upgraded, 1 newly installed, 0 to remove and 188 not upgraded.
Need to get 757 MB of archives.
After this operation, 1050 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-indexer amd64 4.8.0-1 [757 MB]
Fetched 757 MB in 14s (54.0 MB/s)
Selecti(Reading database ... 64299 files and directories c
Preparing to unpack .../wazuh-indexer_4.8.0-1_amd6
Created opensearch keystore in /etc/wazuh-indexer/
Processing triggers for libc-bin (2.35-0ubuntu3.1)
NEEDRESTART-VER: 3.5
NEEDRESTART-KCUR: 5.19.0-1025-aws
NEEDRESTART-KEXP: 5.19.0-1025-aws
NEEDRESTART-KSTA: 1
08/04/2024 14:28:20 INFO: Wazuh indexer installation finished.
08/04/2024 14:28:20 INFO: Wazuh indexer post-install configuration finished.
08/04/2024 14:28:20 INFO: Starting service wazuh-indexer.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /lib/systemd/system/wazuh-indexer.service.
08/04/2024 14:28:44 INFO: wazuh-indexer service started.
08/04/2024 14:28:44 INFO: Initializing Wazuh indexer cluster security settings.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ...
done (0-all replicas) Populate config from /etc/wazuh-indexer/opensearch-security/ Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml SUCC: Configuration for 'config' created or updated Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml SUCC: Configuration for 'roles' created or updated Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml SUCC: Configuration for 'tenants' created or updated Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml SUCC: Configuration for 'nodesdn' created or updated Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml SUCC: Configuration for 'whitelist' created or updated Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml SUCC: Configuration for 'audit' created or updated Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml SUCC: Configuration for 'allowlist' created or updated SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null Done with success 08/04/2024 14:28:55 INFO: Wazuh indexer cluster security configuration initialized. 08/04/2024 14:28:55 INFO: Wazuh indexer cluster initialized. 
08/04/2024 14:28:55 INFO: --- Wazuh server --- 08/04/2024 14:28:55 INFO: Starting the Wazuh manager installation. Reading package lists... Building dependency tree... Reading state information... Suggested packages: expect The following NEW packages will be installed: wazuh-manager 0 upgraded, 1 newly installed, 0 to remove and 188 not upgraded. Need to get 311 MB of archives. After this operation, 914 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-manager amd64 4.8.0-1 [311 MB] Fetched 311 MB in 6s (52.6 MB/s) Selecting previously unselected p(Reading database ... 65472 files and directories c Preparing to unpack .../wazuh-manager_4.8.0-1_amd6 NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1 08/04/2024 14:30:19 INFO: Wazuh manager installation finished. 08/04/2024 14:30:19 INFO: Wazuh manager vulnerability detection configuration finished. 08/04/2024 14:30:19 INFO: Starting service wazuh-manager. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /lib/systemd/system/wazuh-manager.service. 08/04/2024 14:30:41 INFO: wazuh-manager service started. 08/04/2024 14:30:41 INFO: Starting Filebeat installation. Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: filebeat 0 upgraded, 1 newly installed, 0 to remove and 188 not upgraded. Need to get 22.1 MB of archives. After this operation, 73.6 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 filebeat amd64 7.10.2 [22.1 MB] Fetched 22.1 MB in 1s (29.2 MB/s) Selecting previo(Reading database ... 
87504 files and directories c Preparing to unpack .../filebeat_7.10.2_amd64.deb NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1 08/04/2024 14:31:00 INFO: Filebeat installation finished. wazuh/ wazuh/_meta/ wazuh/_meta/docs.asciidoc wazuh/_meta/fields.yml wazuh/_meta/config.yml wazuh/alerts/ wazuh/alerts/config/ wazuh/alerts/config/alerts.yml wazuh/alerts/manifest.yml wazuh/alerts/ingest/ wazuh/alerts/ingest/pipeline.json wazuh/module.yml wazuh/archives/ wazuh/archives/config/ wazuh/archives/config/archives.yml wazuh/archives/manifest.yml wazuh/archives/ingest/ wazuh/archives/ingest/pipeline.json Created filebeat keystore Successfully updated the keystore Successfully updated the keystore 08/04/2024 14:31:05 INFO: Filebeat post-install configuration finished. 08/04/2024 14:31:05 INFO: Starting service filebeat. Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable filebeat Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /lib/systemd/system/filebeat.service. 08/04/2024 14:31:07 INFO: filebeat service started. 08/04/2024 14:31:07 INFO: --- Wazuh dashboard --- 08/04/2024 14:31:07 INFO: Starting Wazuh dashboard installation. Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: wazuh-dashboard 0 upgraded, 1 newly installed, 0 to remove and 188 not upgraded. Need to get 186 MB of archives. After this operation, 988 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-dashboard amd64 4.8.0-1 [186 MB] Fetched 186 MB in 5s (36.0 MB/s) Selec(Reading database ... 
87823 files and directories c Preparing to unpack .../wazuh-dashboard_4.8.0-1_am NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1 08/04/2024 14:33:34 INFO: Wazuh dashboard installation finished. 08/04/2024 14:33:34 INFO: Wazuh dashboard post-install configuration finished. 08/04/2024 14:33:34 INFO: Starting service wazuh-dashboard. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service. 08/04/2024 14:33:35 INFO: wazuh-dashboard service started. 08/04/2024 14:33:38 INFO: Updating the internal users. ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. 
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml 08/04/2024 14:33:46 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder. 
************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml Will retrieve '/allowlist' into 
/etc/wazuh-indexer/backup/allowlist.yml SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml Successfully updated the keystore ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. Populate config from /home/ubuntu Force type: internalusers Will update '/internalusers' with /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' created or updated SUCC: Expected 1 config types for node {"updated_config_types":["internalusers"],"updated_config_size":1,"message":null} is 1 (["internalusers"]) due to: null Done with success 08/04/2024 14:35:06 INFO: Initializing Wazuh dashboard web application. 08/04/2024 14:35:06 INFO: Wazuh dashboard web application not yet initialized. Waiting... 08/04/2024 14:35:22 INFO: Wazuh dashboard web application not yet initialized. Waiting... 08/04/2024 14:35:37 INFO: Wazuh dashboard web application initialized. 08/04/2024 14:35:37 INFO: Installation finished. root@ip-172-31-39-45:/home/ubuntu# ```

RHEL 9 :yellow_circle:

The RHEL9 system (4GB of RAM) failed on a first test because it did not have enough free RAM. Known issue: https://github.com/wazuh/wazuh-packages/issues/2119 :yellow_circle:

```shellsession
[root@ip-172-31-39-39 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash wazuh-install.sh -a
08/04/2024 14:26:04 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
08/04/2024 14:26:04 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/04/2024 14:26:18 INFO: --- Dependencies ---
08/04/2024 14:26:18 INFO: Installing lsof.
08/04/2024 14:26:38 INFO: Verifying that your system meets the recommended minimum hardware requirements.
08/04/2024 14:26:38 ERROR: Your system does not meet the recommended minimum hardware requirements of 4Gb of RAM and 2 CPU cores. If you want to proceed with the installation use the -i option to ignore these requirements.
```

Using the -i option solves the problem:

Log in the console:

```shellsession
[root@ip-172-31-39-39 ec2-user]# bash wazuh-install.sh -a -i
08/04/2024 14:26:55 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
08/04/2024 14:26:55 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/04/2024 14:27:10 WARNING: Hardware and system checks ignored.
08/04/2024 14:27:10 INFO: Wazuh web interface port will be 443.
08/04/2024 14:27:14 INFO: Wazuh development repository added.
08/04/2024 14:27:14 INFO: --- Configuration files ---
08/04/2024 14:27:14 INFO: Generating configuration files.
08/04/2024 14:27:14 INFO: Generating the root certificate.
08/04/2024 14:27:15 INFO: Generating Admin certificates.
08/04/2024 14:27:15 INFO: Generating Wazuh indexer certificates.
08/04/2024 14:27:16 INFO: Generating Filebeat certificates.
08/04/2024 14:27:17 INFO: Generating Wazuh dashboard certificates.
08/04/2024 14:27:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
08/04/2024 14:27:18 INFO: --- Wazuh indexer ---
08/04/2024 14:27:18 INFO: Starting Wazuh indexer installation.
08/04/2024 14:29:44 INFO: Wazuh indexer installation finished.
08/04/2024 14:29:45 INFO: Wazuh indexer post-install configuration finished.
08/04/2024 14:29:45 INFO: Starting service wazuh-indexer.
08/04/2024 14:30:11 INFO: wazuh-indexer service started.
08/04/2024 14:30:11 INFO: Initializing Wazuh indexer cluster security settings.
08/04/2024 14:30:22 INFO: Wazuh indexer cluster security configuration initialized.
08/04/2024 14:30:22 INFO: Wazuh indexer cluster initialized.
08/04/2024 14:30:22 INFO: --- Wazuh server ---
08/04/2024 14:30:22 INFO: Starting the Wazuh manager installation.
08/04/2024 14:32:07 INFO: Wazuh manager installation finished.
08/04/2024 14:32:07 INFO: Wazuh manager vulnerability detection configuration finished.
08/04/2024 14:32:07 INFO: Starting service wazuh-manager.
08/04/2024 14:32:26 INFO: wazuh-manager service started.
08/04/2024 14:32:26 INFO: Starting Filebeat installation.
08/04/2024 14:32:48 INFO: Filebeat installation finished.
08/04/2024 14:32:50 INFO: Filebeat post-install configuration finished.
08/04/2024 14:32:50 INFO: Starting service filebeat.
08/04/2024 14:32:53 INFO: filebeat service started.
08/04/2024 14:32:53 INFO: --- Wazuh dashboard ---
08/04/2024 14:32:53 INFO: Starting Wazuh dashboard installation.
08/04/2024 14:35:59 INFO: Wazuh dashboard installation finished.
08/04/2024 14:35:59 INFO: Wazuh dashboard post-install configuration finished.
08/04/2024 14:35:59 INFO: Starting service wazuh-dashboard.
08/04/2024 14:36:00 INFO: wazuh-dashboard service started.
08/04/2024 14:36:05 INFO: Updating the internal users.
08/04/2024 14:36:15 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
08/04/2024 14:37:40 INFO: Initializing Wazuh dashboard web application.
08/04/2024 14:37:40 INFO: Wazuh dashboard web application not yet initialized. Waiting...
08/04/2024 14:37:57 INFO: Wazuh dashboard web application not yet initialized. Waiting...
08/04/2024 14:38:12 INFO: Wazuh dashboard web application initialized.
08/04/2024 14:38:12 INFO: --- Summary ---
08/04/2024 14:38:12 INFO: You can access the web interface https://:443
    User: admin
    Password: l3ky.91s2C6+xjQlQmqz*65n4?7VEAZ+
08/04/2024 14:38:12 INFO: Installation finished.
[root@ip-172-31-39-39 ec2-user]#
```
Log in wazuh-install.log ```shellsession [root@ip-172-31-39-39 ec2-user]# cat /var/log/wazuh-install.log 08/04/2024 14:26:55 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0 08/04/2024 14:26:55 INFO: Verbose logging redirected to /var/log/wazuh-install.log Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. 0 files removed 08/04/2024 14:27:10 WARNING: Hardware and system checks ignored. 08/04/2024 14:27:10 INFO: Wazuh web interface port will be 443. [wazuh] gpgcheck=1 gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-${releasever} - Wazuh baseurl=https://packages-dev.wazuh.com/pre-release/yum/ protect=1 08/04/2024 14:27:14 INFO: Wazuh development repository added. 08/04/2024 14:27:14 INFO: --- Configuration files --- 08/04/2024 14:27:14 INFO: Generating configuration files. 08/04/2024 14:27:14 INFO: Generating the root certificate. 08/04/2024 14:27:15 INFO: Generating Admin certificates. 08/04/2024 14:27:15 INFO: Generating Wazuh indexer certificates. 08/04/2024 14:27:16 INFO: Generating Filebeat certificates. 08/04/2024 14:27:17 INFO: Generating Wazuh dashboard certificates. 08/04/2024 14:27:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation. 08/04/2024 14:27:18 INFO: --- Wazuh indexer --- 08/04/2024 14:27:18 INFO: Starting Wazuh indexer installation. Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. Red Hat Enterprise Linux 9 for x86_64 - AppStre 66 MB/s | 30 MB 00:00 Red Hat Enterprise Linux 9 for x86_64 - BaseOS 49 MB/s | 19 MB 00:00 Red Hat Enterprise Linux 9 Client Configuration 18 kB/s | 2.2 kB 00:00 EL-9 - Wazuh 14 MB/s | 24 MB 00:01 Dependencies resolved. 
================================================================================ Package Architecture Version Repository Size ================================================================================ Installing: wazuh-indexer x86_64 4.8.0-1 wazuh 743 M Transaction Summary ================================================================================ Install 1 Package Total download size: 743 M Installed size: 1.0 G Downloading Packages: wazuh-indexer-4.8.0-1.x86_64.rpm 110 MB/s | 743 MB 00:06 -------------------------------------------------------------------------------- Total 110 MB/s | 743 MB 00:06 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-indexer-4.8.0-1.x86_64 1/1 Installing : wazuh-indexer-4.8.0-1.x86_64 1/1 Running scriptlet: wazuh-indexer-4.8.0-1.x86_64 1/1 Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore Verifying : wazuh-indexer-4.8.0-1.x86_64 1/1 Installed products updated. Installed: wazuh-indexer-4.8.0-1.x86_64 Complete! 08/04/2024 14:29:44 INFO: Wazuh indexer installation finished. 08/04/2024 14:29:45 INFO: Wazuh indexer post-install configuration finished. 08/04/2024 14:29:45 INFO: Starting service wazuh-indexer. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service. 08/04/2024 14:30:11 INFO: wazuh-indexer service started. 08/04/2024 14:30:11 INFO: Initializing Wazuh indexer cluster security settings. ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... 
done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index does not exists, attempt to create it ... done (0-all replicas) Populate config from /etc/wazuh-indexer/opensearch-security/ Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml SUCC: Configuration for 'config' created or updated Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml SUCC: Configuration for 'roles' created or updated Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml SUCC: Configuration for 'tenants' created or updated Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml SUCC: Configuration for 'nodesdn' created or updated Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml SUCC: Configuration for 'whitelist' created or updated Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml SUCC: Configuration for 'audit' created or updated Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml SUCC: Configuration for 'allowlist' created or updated SUCC: Expected 10 config types for node 
{"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null Done with success 08/04/2024 14:30:22 INFO: Wazuh indexer cluster security configuration initialized. 08/04/2024 14:30:22 INFO: Wazuh indexer cluster initialized. 08/04/2024 14:30:22 INFO: --- Wazuh server --- 08/04/2024 14:30:22 INFO: Starting the Wazuh manager installation. Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. Last metadata expiration check: 0:02:46 ago on Mon 08 Apr 2024 02:27:38 PM UTC. Dependencies resolved. ================================================================================ Package Architecture Version Repository Size ================================================================================ Installing: wazuh-manager x86_64 4.8.0-1 wazuh 293 M Transaction Summary ================================================================================ Install 1 Package Total download size: 293 M Installed size: 882 M Downloading Packages: wazuh-manager-4.8.0-1.x86_64.rpm 136 MB/s | 293 MB 00:02 -------------------------------------------------------------------------------- Total 136 MB/s | 293 MB 00:02 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-manager-4.8.0-1.x86_64 1/1 Installing : wazuh-manager-4.8.0-1.x86_64 1/1 Running scriptlet: wazuh-manager-4.8.0-1.x86_64 1/1 Verifying : wazuh-manager-4.8.0-1.x86_64 1/1 Installed products updated. Installed: wazuh-manager-4.8.0-1.x86_64 Complete! 08/04/2024 14:32:07 INFO: Wazuh manager installation finished. 
08/04/2024 14:32:07 INFO: Wazuh manager vulnerability detection configuration finished. 08/04/2024 14:32:07 INFO: Starting service wazuh-manager. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service. 08/04/2024 14:32:26 INFO: wazuh-manager service started. 08/04/2024 14:32:26 INFO: Starting Filebeat installation. Installed: filebeat-7.10.2-1.x86_64 08/04/2024 14:32:48 INFO: Filebeat installation finished. wazuh/ wazuh/_meta/ wazuh/_meta/docs.asciidoc wazuh/_meta/fields.yml wazuh/_meta/config.yml wazuh/alerts/ wazuh/alerts/config/ wazuh/alerts/config/alerts.yml wazuh/alerts/manifest.yml wazuh/alerts/ingest/ wazuh/alerts/ingest/pipeline.json wazuh/module.yml wazuh/archives/ wazuh/archives/config/ wazuh/archives/config/archives.yml wazuh/archives/manifest.yml wazuh/archives/ingest/ wazuh/archives/ingest/pipeline.json Created filebeat keystore Successfully updated the keystore Successfully updated the keystore 08/04/2024 14:32:50 INFO: Filebeat post-install configuration finished. 08/04/2024 14:32:50 INFO: Starting service filebeat. Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install. Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service. 08/04/2024 14:32:53 INFO: filebeat service started. 08/04/2024 14:32:53 INFO: --- Wazuh dashboard --- 08/04/2024 14:32:53 INFO: Starting Wazuh dashboard installation. Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. Last metadata expiration check: 0:05:18 ago on Mon 08 Apr 2024 02:27:38 PM UTC. Dependencies resolved. 
================================================================================ Package Architecture Version Repository Size ================================================================================ Installing: wazuh-dashboard x86_64 4.8.0-1 wazuh 273 M Transaction Summary ================================================================================ Install 1 Package Total download size: 273 M Installed size: 902 M Downloading Packages: wazuh-dashboard-4.8.0-1.x86_64.rpm 42 MB/s | 273 MB 00:06 -------------------------------------------------------------------------------- Total 42 MB/s | 273 MB 00:06 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-dashboard-4.8.0-1.x86_64 1/1 Installing : wazuh-dashboard-4.8.0-1.x86_64 1/1 Running scriptlet: wazuh-dashboard-4.8.0-1.x86_64 1/1 Verifying : wazuh-dashboard-4.8.0-1.x86_64 1/1 Installed products updated. Installed: wazuh-dashboard-4.8.0-1.x86_64 Complete! 08/04/2024 14:35:59 INFO: Wazuh dashboard installation finished. 08/04/2024 14:35:59 INFO: Wazuh dashboard post-install configuration finished. 08/04/2024 14:35:59 INFO: Starting service wazuh-dashboard. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service. 08/04/2024 14:36:00 INFO: wazuh-dashboard service started. 08/04/2024 14:36:05 INFO: Updating the internal users. ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... 
done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml 08/04/2024 14:36:15 INFO: A backup of the internal users has been saved in the 
/etc/wazuh-indexer/internalusers-backup folder. ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml 
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml Successfully updated the keystore ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. Populate config from /home/ec2-user Force type: internalusers Will update '/internalusers' with /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' created or updated SUCC: Expected 1 config types for node {"updated_config_types":["internalusers"],"updated_config_size":1,"message":null} is 1 (["internalusers"]) due to: null Done with success 08/04/2024 14:37:40 INFO: Initializing Wazuh dashboard web application. 08/04/2024 14:37:40 INFO: Wazuh dashboard web application not yet initialized. Waiting... 08/04/2024 14:37:57 INFO: Wazuh dashboard web application not yet initialized. Waiting... 08/04/2024 14:38:12 INFO: Wazuh dashboard web application initialized. 08/04/2024 14:38:12 INFO: Installation finished. [root@ip-172-31-39-39 ec2-user]# ```
davidcr01 commented 5 months ago

Installed packages :green_circle:

Amazon Linux 2 :green_circle:

```shellsession
[root@ip-172-31-35-94 ec2-user]# rpm -qa --last | head -n 20
wazuh-dashboard-4.8.0-1.x86_64                Mon 08 Apr 2024 02:31:43 PM UTC
filebeat-7.10.2-1.x86_64                      Mon 08 Apr 2024 02:29:44 PM UTC
wazuh-manager-4.8.0-1.x86_64                  Mon 08 Apr 2024 02:29:07 PM UTC
wazuh-indexer-4.8.0-1.x86_64                  Mon 08 Apr 2024 02:27:43 PM UTC
gpg-pubkey-29111145-591cd381                  Mon 08 Apr 2024 02:26:15 PM UTC
```

Ubuntu 22 :green_circle:

```shellsession
root@ip-172-31-39-45:/home/ubuntu# grep " install " /var/log/dpkg.log | tail
2024-04-08 14:26:31 install apt-transport-https:all <none> 2.4.12
2024-04-08 14:26:59 install wazuh-indexer:amd64 <none> 4.8.0-1
2024-04-08 14:29:02 install wazuh-manager:amd64 <none> 4.8.0-1
2024-04-08 14:30:44 install filebeat:amd64 <none> 7.10.2
2024-04-08 14:31:16 install wazuh-dashboard:amd64 <none> 4.8.0-1
root@ip-172-31-39-45:/home/ubuntu#
```

RHEL 9 :red_circle:

```shellsession
[root@ip-172-31-39-39 ec2-user]# rpm -qa --last | head -n 20
wazuh-dashboard-4.8.0-1.x86_64                Mon 08 Apr 2024 02:35:47 PM UTC
filebeat-7.10.2-1.x86_64                      Mon 08 Apr 2024 02:32:34 PM UTC
wazuh-manager-4.8.0-1.x86_64                  Mon 08 Apr 2024 02:31:24 PM UTC
wazuh-indexer-4.8.0-1.x86_64                  Mon 08 Apr 2024 02:29:37 PM UTC
gpg-pubkey-29111145-591cd381                  Mon 08 Apr 2024 02:27:14 PM UTC
lsof-4.94.0-3.el9.x86_64                      Mon 08 Apr 2024 02:26:36 PM UTC
libtirpc-1.3.3-6.el9.x86_64                   Mon 08 Apr 2024 02:26:36 PM UTC
gpg-pubkey-8483c65d-5ccc5b19                  Mon 08 Apr 2024 02:26:36 PM UTC
```

:red_circle: Opened issue: https://github.com/wazuh/wazuh-packages/issues/2905. Installation assistant - lsof package must be removed if the HW check fails

davidcr01 commented 5 months ago

Wazuh indexer logs :yellow_circle:

:yellow_circle: In the `wazuh-cluster.log` file of the three systems, the following warning has been detected again: `Authentication finally failed for admin from 127.0.0.1:53884`. Related: https://github.com/wazuh/wazuh-indexer/issues/167. After a while, the warnings are no longer generated, for unknown reasons. This behavior may be related to https://github.com/wazuh/wazuh/issues/21829, when the IndexerConnector finally initializes.

Amazon Linux 2 :yellow_circle:

Agent status

```shellsession
[root@ip-172-31-35-94 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2024-04-08 14:28:21 UTC; 40min ago
     Docs: https://documentation.wazuh.com
 Main PID: 4608 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─4608 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt....

Apr 08 14:27:58 ip-172-31-35-94.ec2.internal systemd[1]: Starting Wazuh-indexer...
Apr 08 14:28:01 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:28:01 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-ind....10.0.jar)
Apr 08 14:28:01 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Apr 08 14:28:01 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:28:03 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:28:03 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-index....10.0.jar)
Apr 08 14:28:03 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Apr 08 14:28:03 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:28:21 ip-172-31-35-94.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-35-94 ec2-user]#
```
Service status

```shellsession
[root@ip-172-31-35-94 ec2-user]# journalctl -xe -u wazuh-indexer.service --no-pager
-- Logs begin at Mon 2024-04-08 10:42:04 UTC, end at Mon 2024-04-08 15:08:08 UTC. --
Apr 08 14:27:58 ip-172-31-35-94.ec2.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Apr 08 14:28:01 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:28:01 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Apr 08 14:28:01 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Apr 08 14:28:01 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:28:03 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:28:03 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Apr 08 14:28:03 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Apr 08 14:28:03 ip-172-31-35-94.ec2.internal systemd-entrypoint[4608]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:28:21 ip-172-31-35-94.ec2.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
[root@ip-172-31-35-94 ec2-user]#
```
Errors

:yellow_circle: Normal errors of uninitialized indexes. Related: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094

```shellsession
[root@ip-172-31-35-94 ec2-user]# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2024-04-08T14:28:03,876][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1931m, -Xmx1931m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-8066795353542561640, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=1012924416, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-04-08T14:28:16,449][WARN ][o.o.s.c.Salt ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-04-08T14:28:16,500][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-04-08T14:28:16,502][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-04-08T14:28:17,951][WARN ][o.o.s.p.SQLPlugin ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2024-04-08T14:28:20,052][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-04-08T14:28:21,863][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-04-08T14:28:21,950][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:21,963][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:21,963][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:21,964][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:21,964][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:21,970][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:21,971][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:21,971][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:21,972][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:21,972][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:22,329][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-04-08T14:33:23,081][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:54890
[2024-04-08T14:33:25,503][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:40764
[2024-04-08T14:33:25,502][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:40748
[2024-04-08T14:33:27,525][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:40764
[2024-04-08T14:33:30,219][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:40780
[2024-04-08T14:33:32,723][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:40764
[2024-04-08T14:33:39,241][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:34372
[root@ip-172-31-35-94 ec2-user]#
```

Ubuntu 22 :yellow_circle:

Agent status

```shellsession
root@ip-172-31-39-45:/home/ubuntu# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-04-08 14:28:44 UTC; 40min ago
       Docs: https://documentation.wazuh.com
   Main PID: 4442 (java)
      Tasks: 73 (limit: 4632)
     Memory: 2.2G
        CPU: 1min 53.767s
     CGroup: /system.slice/wazuh-indexer.service
             └─4442 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Dj>

Apr 08 14:28:21 ip-172-31-39-45 systemd[1]: Starting Wazuh-indexer...
Apr 08 14:28:24 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:28:24 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensear>
Apr 08 14:28:24 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Apr 08 14:28:24 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:28:25 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:28:25 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch>
Apr 08 14:28:25 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Apr 08 14:28:25 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:28:44 ip-172-31-39-45 systemd[1]: Started Wazuh-indexer.
```
Service status

```shellsession
root@ip-172-31-39-45:/home/ubuntu# journalctl -xe -u wazuh-indexer.service --no-pager
Apr 08 14:28:21 ip-172-31-39-45 systemd[1]: Starting Wazuh-indexer...
░░ Subject: A start job for unit wazuh-indexer.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has begun execution.
░░
░░ The job identifier is 2051.
Apr 08 14:28:24 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:28:24 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Apr 08 14:28:24 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Apr 08 14:28:24 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:28:25 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:28:25 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Apr 08 14:28:25 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Apr 08 14:28:25 ip-172-31-39-45 systemd-entrypoint[4442]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:28:44 ip-172-31-39-45 systemd[1]: Started Wazuh-indexer.
░░ Subject: A start job for unit wazuh-indexer.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has finished successfully.
░░
░░ The job identifier is 2051.
root@ip-172-31-39-45:/home/ubuntu#
```
Errors

:yellow_circle: Normal errors of uninitialized indexes. Related: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094

:yellow_circle: Related issue: https://github.com/wazuh/wazuh-indexer/issues/71 `Fail to read queue capacity via reflection`

```shellsession
root@ip-172-31-39-45:/home/ubuntu# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2024-04-08T14:28:26,030][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1937m, -Xmx1937m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-13280116304849999724, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opendistro-performance-analyzer/pa_config/es_security.policy, -XX:MaxDirectMemorySize=1016070144, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-04-08T14:28:39,084][WARN ][o.o.s.c.Salt ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-04-08T14:28:39,148][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-04-08T14:28:39,149][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-04-08T14:28:40,582][WARN ][o.o.s.p.SQLPlugin ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2024-04-08T14:28:41,427][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,441][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,442][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,442][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,443][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,443][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,444][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,444][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,444][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,445][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,448][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,449][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,449][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,450][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,450][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,450][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,455][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,457][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,457][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,458][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,458][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,459][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,459][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,460][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,460][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,460][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,461][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,461][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,462][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,462][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,462][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,463][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,470][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,471][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,471][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:41,473][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-04-08T14:28:42,652][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-04-08T14:28:44,642][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-04-08T14:28:44,743][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:44,750][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:44,751][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:44,751][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:44,752][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:44,752][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:44,752][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:44,753][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:44,759][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:44,760][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:28:45,223][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-04-08T14:34:37,957][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:50866
[2024-04-08T14:34:40,601][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:50870
[2024-04-08T14:34:41,915][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:50880
[2024-04-08T14:34:43,549][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:50880
[2024-04-08T14:34:45,328][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:54170
[2024-04-08T14:34:47,603][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:50880
[2024-04-08T14:34:53,901][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:48072
[2024-04-08T14:34:55,168][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:50880
root@ip-172-31-39-45:/home/ubuntu#
```

RHEL 9 :yellow_circle:

Agent status
```shellsession
[root@ip-172-31-39-39 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-04-08 14:30:11 UTC; 39min ago
       Docs: https://documentation.wazuh.com
   Main PID: 15594 (java)
      Tasks: 67 (limit: 22632)
     Memory: 2.1G
        CPU: 1min 49.744s
     CGroup: /system.slice/wazuh-indexer.service
             └─15594 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -D>

Apr 08 14:29:45 ip-172-31-39-39.ec2.internal systemd[1]: Starting Wazuh-indexer...
Apr 08 14:29:48 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:29:48 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexe>
Apr 08 14:29:48 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Apr 08 14:29:48 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:29:50 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:29:50 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/>
Apr 08 14:29:50 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Apr 08 14:29:50 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:30:11 ip-172-31-39-39.ec2.internal systemd[1]: Started Wazuh-indexer.
```
Service status
```shellsession
[root@ip-172-31-39-39 ec2-user]# journalctl -xe -u wazuh-indexer.service --no-pager
Apr 08 14:29:45 ip-172-31-39-39.ec2.internal systemd[1]: Starting Wazuh-indexer...
░░ Subject: A start job for unit wazuh-indexer.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-indexer.service has begun execution.
░░
░░ The job identifier is 5842.
Apr 08 14:29:48 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:29:48 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Apr 08 14:29:48 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Apr 08 14:29:48 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:29:50 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 08 14:29:50 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Apr 08 14:29:50 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Apr 08 14:29:50 ip-172-31-39-39.ec2.internal systemd-entrypoint[15594]: WARNING: System::setSecurityManager will be removed in a future release
Apr 08 14:30:11 ip-172-31-39-39.ec2.internal systemd[1]: Started Wazuh-indexer.
░░ Subject: A start job for unit wazuh-indexer.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-indexer.service has finished successfully.
░░
░░ The job identifier is 5842.
[root@ip-172-31-39-39 ec2-user]#
```
Errors
:yellow_circle: Normal errors of uninitialized indexes. Related: https://github.com/wazuh/wazuh-packages/issues/1511#issuecomment-1308329094
```shellsession
[root@ip-172-31-39-39 ec2-user]# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2024-04-08T14:29:50,869][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1807m, -Xmx1807m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-17369715316684598045, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=947912704, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-04-08T14:30:04,520][WARN ][o.o.s.c.Salt ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-04-08T14:30:04,582][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-04-08T14:30:04,591][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-04-08T14:30:06,425][WARN ][o.o.s.p.SQLPlugin ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2024-04-08T14:30:08,956][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-04-08T14:30:11,302][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-04-08T14:30:11,847][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-04-08T14:30:12,382][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:30:12,383][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:30:12,383][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:30:12,383][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:30:12,383][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:30:12,397][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:30:12,397][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:30:12,397][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:30:12,398][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:30:12,398][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-04-08T14:37:09,814][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:46362
[2024-04-08T14:37:12,401][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:39982
[2024-04-08T14:37:16,838][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:39988
[2024-04-08T14:37:21,771][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:47124
[2024-04-08T14:37:25,121][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:47124
[2024-04-08T14:37:26,471][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:47134
[2024-04-08T14:37:28,496][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:47124
[root@ip-172-31-39-39 ec2-user]#
```
davidcr01 commented 5 months ago

Wazuh manager logs :yellow_circle:

Amazon Linux 2 :yellow_circle:

Agent status
```shellsession
[root@ip-172-31-35-94 ec2-user]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2024-04-08 14:33:25 UTC; 46min ago
   CGroup: /system.slice/wazuh-manager.service
           ├─9095 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─9096 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─9099 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─9102 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─9146 /var/ossec/bin/wazuh-authd
           ├─9162 /var/ossec/bin/wazuh-db
           ├─9189 /var/ossec/bin/wazuh-execd
           ├─9204 /var/ossec/bin/wazuh-analysisd
           ├─9217 /var/ossec/bin/wazuh-syscheckd
           ├─9265 /var/ossec/bin/wazuh-remoted
           ├─9300 /var/ossec/bin/wazuh-logcollector
           ├─9320 /var/ossec/bin/wazuh-monitord
           └─9345 /var/ossec/bin/wazuh-modulesd

Apr 08 14:33:17 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-analysisd...
Apr 08 14:33:19 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-syscheckd...
Apr 08 14:33:20 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-remoted...
Apr 08 14:33:21 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-logcollector...
Apr 08 14:33:22 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-monitord...
Apr 08 14:33:22 ip-172-31-35-94.ec2.internal env[9035]: 2024/04/08 14:33:22 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:33:22 ip-172-31-35-94.ec2.internal env[9035]: 2024/04/08 14:33:22 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:33:23 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-modulesd...
Apr 08 14:33:25 ip-172-31-35-94.ec2.internal env[9035]: Completed.
Apr 08 14:33:25 ip-172-31-35-94.ec2.internal systemd[1]: Started Wazuh manager.
[root@ip-172-31-35-94 ec2-user]#
```
Service status
```shellsession
[root@ip-172-31-35-94 ec2-user]# journalctl -xe -u wazuh-manager.service --no-pager
-- Logs begin at Mon 2024-04-08 10:42:04 UTC, end at Mon 2024-04-08 15:18:01 UTC. --
Apr 08 14:29:13 ip-172-31-35-94.ec2.internal systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Apr 08 14:29:15 ip-172-31-35-94.ec2.internal env[5965]: 2024/04/08 14:29:15 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:29:15 ip-172-31-35-94.ec2.internal env[5965]: 2024/04/08 14:29:15 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:29:16 ip-172-31-35-94.ec2.internal env[5965]: Starting Wazuh v4.8.0...
Apr 08 14:29:19 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-apid...
Apr 08 14:29:19 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-csyslogd...
Apr 08 14:29:20 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-dbd...
Apr 08 14:29:20 ip-172-31-35-94.ec2.internal env[5965]: 2024/04/08 14:29:20 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Apr 08 14:29:20 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-integratord...
Apr 08 14:29:20 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-agentlessd...
Apr 08 14:29:21 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-authd...
Apr 08 14:29:22 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-db...
Apr 08 14:29:23 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-execd...
Apr 08 14:29:24 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-analysisd...
Apr 08 14:29:25 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-syscheckd...
Apr 08 14:29:26 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-remoted...
Apr 08 14:29:27 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-logcollector...
Apr 08 14:29:29 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-monitord...
Apr 08 14:29:29 ip-172-31-35-94.ec2.internal env[5965]: 2024/04/08 14:29:29 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:29:29 ip-172-31-35-94.ec2.internal env[5965]: 2024/04/08 14:29:29 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:29:30 ip-172-31-35-94.ec2.internal env[5965]: Started wazuh-modulesd...
Apr 08 14:29:32 ip-172-31-35-94.ec2.internal env[5965]: Completed.
Apr 08 14:29:32 ip-172-31-35-94.ec2.internal systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
Apr 08 14:32:54 ip-172-31-35-94.ec2.internal systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun shutting down.
Apr 08 14:32:54 ip-172-31-35-94.ec2.internal env[8696]: wazuh-clusterd not running...
Apr 08 14:32:54 ip-172-31-35-94.ec2.internal env[8696]: Killing wazuh-modulesd...
Apr 08 14:33:04 ip-172-31-35-94.ec2.internal env[8696]: Killing wazuh-monitord...
Apr 08 14:33:04 ip-172-31-35-94.ec2.internal env[8696]: Killing wazuh-logcollector...
Apr 08 14:33:04 ip-172-31-35-94.ec2.internal env[8696]: Killing wazuh-remoted...
Apr 08 14:33:04 ip-172-31-35-94.ec2.internal env[8696]: Killing wazuh-syscheckd...
Apr 08 14:33:05 ip-172-31-35-94.ec2.internal env[8696]: Killing wazuh-analysisd...
Apr 08 14:33:05 ip-172-31-35-94.ec2.internal env[8696]: wazuh-maild not running...
Apr 08 14:33:05 ip-172-31-35-94.ec2.internal env[8696]: Killing wazuh-execd...
Apr 08 14:33:05 ip-172-31-35-94.ec2.internal env[8696]: Killing wazuh-db...
Apr 08 14:33:06 ip-172-31-35-94.ec2.internal env[8696]: Killing wazuh-authd...
Apr 08 14:33:07 ip-172-31-35-94.ec2.internal env[8696]: wazuh-agentlessd not running...
Apr 08 14:33:07 ip-172-31-35-94.ec2.internal env[8696]: wazuh-integratord not running...
Apr 08 14:33:07 ip-172-31-35-94.ec2.internal env[8696]: wazuh-dbd not running...
Apr 08 14:33:07 ip-172-31-35-94.ec2.internal env[8696]: wazuh-csyslogd not running...
Apr 08 14:33:07 ip-172-31-35-94.ec2.internal env[8696]: Killing wazuh-apid...
Apr 08 14:33:07 ip-172-31-35-94.ec2.internal env[8696]: Wazuh v4.8.0 Stopped
Apr 08 14:33:07 ip-172-31-35-94.ec2.internal systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished shutting down.
Apr 08 14:33:07 ip-172-31-35-94.ec2.internal systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Apr 08 14:33:10 ip-172-31-35-94.ec2.internal env[9035]: 2024/04/08 14:33:10 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:33:10 ip-172-31-35-94.ec2.internal env[9035]: 2024/04/08 14:33:10 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:33:10 ip-172-31-35-94.ec2.internal env[9035]: Starting Wazuh v4.8.0...
Apr 08 14:33:13 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-apid...
Apr 08 14:33:13 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-csyslogd...
Apr 08 14:33:13 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-dbd...
Apr 08 14:33:13 ip-172-31-35-94.ec2.internal env[9035]: 2024/04/08 14:33:13 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Apr 08 14:33:13 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-integratord...
Apr 08 14:33:13 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-agentlessd...
Apr 08 14:33:14 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-authd...
Apr 08 14:33:15 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-db...
Apr 08 14:33:16 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-execd...
Apr 08 14:33:17 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-analysisd...
Apr 08 14:33:19 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-syscheckd...
Apr 08 14:33:20 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-remoted...
Apr 08 14:33:21 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-logcollector...
Apr 08 14:33:22 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-monitord...
Apr 08 14:33:22 ip-172-31-35-94.ec2.internal env[9035]: 2024/04/08 14:33:22 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:33:22 ip-172-31-35-94.ec2.internal env[9035]: 2024/04/08 14:33:22 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:33:23 ip-172-31-35-94.ec2.internal env[9035]: Started wazuh-modulesd...
Apr 08 14:33:25 ip-172-31-35-94.ec2.internal env[9035]: Completed.
Apr 08 14:33:25 ip-172-31-35-94.ec2.internal systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
[root@ip-172-31-35-94 ec2-user]#
```
Errors
:yellow_circle: Related: https://github.com/wazuh/wazuh/issues/21829
:yellow_circle: Related: https://github.com/wazuh/wazuh/issues/22835
```shellsession
[root@ip-172-31-35-94 ec2-user]# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/04/08 14:29:29 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/04/08 14:33:23 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/04/08 14:33:24 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: [json.exception.out_of_range.401] array index 1 is out of range, trying to re-download the feed.
[root@ip-172-31-35-94 ec2-user]#
```

Ubuntu 22 :yellow_circle:

Agent status
```shellsession
root@ip-172-31-39-45:/home/ubuntu# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-04-08 14:34:40 UTC; 45min ago
      Tasks: 152 (limit: 4632)
     Memory: 761.9M
        CPU: 41min 23.084s
     CGroup: /system.slice/wazuh-manager.service
             ├─52742 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─52743 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─52746 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─52749 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─52791 /var/ossec/bin/wazuh-authd
             ├─52807 /var/ossec/bin/wazuh-db
             ├─52832 /var/ossec/bin/wazuh-execd
             ├─52846 /var/ossec/bin/wazuh-analysisd
             ├─52859 /var/ossec/bin/wazuh-syscheckd
             ├─52906 /var/ossec/bin/wazuh-remoted
             ├─52940 /var/ossec/bin/wazuh-logcollector
             ├─52959 /var/ossec/bin/wazuh-monitord
             └─52984 /var/ossec/bin/wazuh-modulesd

Apr 08 14:34:32 ip-172-31-39-45 env[52684]: Started wazuh-analysisd...
Apr 08 14:34:33 ip-172-31-39-45 env[52684]: Started wazuh-syscheckd...
root@ip-172-31-39-45:/home/ubuntu#
```
Service status
```shellsession
root@ip-172-31-39-45:/home/ubuntu# journalctl -xe -u wazuh-manager.service --no-pager
Apr 08 14:30:20 ip-172-31-39-45 systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 2225.
Apr 08 14:30:24 ip-172-31-39-45 env[49482]: 2024/04/08 14:30:24 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:30:24 ip-172-31-39-45 env[49482]: 2024/04/08 14:30:24 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:30:24 ip-172-31-39-45 env[49419]: Starting Wazuh v4.8.0...
Apr 08 14:30:29 ip-172-31-39-45 env[49419]: Started wazuh-apid...
Apr 08 14:30:29 ip-172-31-39-45 env[49419]: Started wazuh-csyslogd...
Apr 08 14:30:29 ip-172-31-39-45 env[49419]: Started wazuh-dbd...
Apr 08 14:30:29 ip-172-31-39-45 env[49527]: 2024/04/08 14:30:29 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Apr 08 14:30:29 ip-172-31-39-45 env[49419]: Started wazuh-integratord...
Apr 08 14:30:29 ip-172-31-39-45 env[49419]: Started wazuh-agentlessd...
Apr 08 14:30:30 ip-172-31-39-45 env[49419]: Started wazuh-authd...
Apr 08 14:30:32 ip-172-31-39-45 env[49419]: Started wazuh-db...
Apr 08 14:30:33 ip-172-31-39-45 env[49419]: Started wazuh-execd...
Apr 08 14:30:34 ip-172-31-39-45 env[49419]: Started wazuh-analysisd...
Apr 08 14:30:35 ip-172-31-39-45 env[49419]: Started wazuh-syscheckd...
Apr 08 14:30:36 ip-172-31-39-45 env[49419]: Started wazuh-remoted...
Apr 08 14:30:37 ip-172-31-39-45 env[49419]: Started wazuh-logcollector...
Apr 08 14:30:38 ip-172-31-39-45 env[49419]: Started wazuh-monitord...
Apr 08 14:30:38 ip-172-31-39-45 env[49744]: 2024/04/08 14:30:38 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:30:38 ip-172-31-39-45 env[49744]: 2024/04/08 14:30:38 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:30:39 ip-172-31-39-45 env[49419]: Started wazuh-modulesd...
Apr 08 14:30:41 ip-172-31-39-45 env[49419]: Completed.
Apr 08 14:30:41 ip-172-31-39-45 systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished successfully.
░░
░░ The job identifier is 2225.
Apr 08 14:34:10 ip-172-31-39-45 systemd[1]: Stopping Wazuh manager...
░░ Subject: A stop job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A stop job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 2578.
Apr 08 14:34:10 ip-172-31-39-45 env[52375]: wazuh-clusterd not running...
Apr 08 14:34:10 ip-172-31-39-45 env[52375]: Killing wazuh-modulesd...
Apr 08 14:34:19 ip-172-31-39-45 env[52375]: Killing wazuh-monitord...
Apr 08 14:34:19 ip-172-31-39-45 env[52375]: Killing wazuh-logcollector...
Apr 08 14:34:19 ip-172-31-39-45 env[52375]: Killing wazuh-remoted...
Apr 08 14:34:19 ip-172-31-39-45 env[52375]: Killing wazuh-syscheckd...
Apr 08 14:34:20 ip-172-31-39-45 env[52375]: Killing wazuh-analysisd...
Apr 08 14:34:20 ip-172-31-39-45 env[52375]: wazuh-maild not running...
Apr 08 14:34:20 ip-172-31-39-45 env[52375]: Killing wazuh-execd...
Apr 08 14:34:20 ip-172-31-39-45 env[52375]: Killing wazuh-db...
Apr 08 14:34:21 ip-172-31-39-45 env[52375]: Killing wazuh-authd...
Apr 08 14:34:22 ip-172-31-39-45 env[52375]: wazuh-agentlessd not running...
Apr 08 14:34:22 ip-172-31-39-45 env[52375]: wazuh-integratord not running...
Apr 08 14:34:22 ip-172-31-39-45 env[52375]: wazuh-dbd not running...
Apr 08 14:34:22 ip-172-31-39-45 env[52375]: wazuh-csyslogd not running...
Apr 08 14:34:22 ip-172-31-39-45 env[52375]: Killing wazuh-apid...
Apr 08 14:34:22 ip-172-31-39-45 env[52375]: Wazuh v4.8.0 Stopped
Apr 08 14:34:22 ip-172-31-39-45 systemd[1]: wazuh-manager.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service has successfully entered the 'dead' state.
Apr 08 14:34:22 ip-172-31-39-45 systemd[1]: Stopped Wazuh manager.
░░ Subject: A stop job for unit wazuh-manager.service has finished
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A stop job for unit wazuh-manager.service has finished.
░░
░░ The job identifier is 2578 and the job result is done.
Apr 08 14:34:22 ip-172-31-39-45 systemd[1]: wazuh-manager.service: Consumed 2min 7.808s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-manager.service completed and consumed the indicated resources.
Apr 08 14:34:22 ip-172-31-39-45 systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 2578.
Apr 08 14:34:24 ip-172-31-39-45 env[52715]: 2024/04/08 14:34:24 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:34:24 ip-172-31-39-45 env[52715]: 2024/04/08 14:34:24 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:34:25 ip-172-31-39-45 env[52684]: Starting Wazuh v4.8.0...
Apr 08 14:34:28 ip-172-31-39-45 env[52684]: Started wazuh-apid...
Apr 08 14:34:28 ip-172-31-39-45 env[52684]: Started wazuh-csyslogd...
Apr 08 14:34:28 ip-172-31-39-45 env[52684]: Started wazuh-dbd...
Apr 08 14:34:28 ip-172-31-39-45 env[52770]: 2024/04/08 14:34:28 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Apr 08 14:34:28 ip-172-31-39-45 env[52684]: Started wazuh-integratord...
Apr 08 14:34:28 ip-172-31-39-45 env[52684]: Started wazuh-agentlessd...
Apr 08 14:34:29 ip-172-31-39-45 env[52684]: Started wazuh-authd...
Apr 08 14:34:30 ip-172-31-39-45 env[52684]: Started wazuh-db...
Apr 08 14:34:31 ip-172-31-39-45 env[52684]: Started wazuh-execd...
Apr 08 14:34:32 ip-172-31-39-45 env[52684]: Started wazuh-analysisd...
Apr 08 14:34:33 ip-172-31-39-45 env[52684]: Started wazuh-syscheckd...
Apr 08 14:34:34 ip-172-31-39-45 env[52684]: Started wazuh-remoted...
Apr 08 14:34:36 ip-172-31-39-45 env[52684]: Started wazuh-logcollector...
Apr 08 14:34:37 ip-172-31-39-45 env[52684]: Started wazuh-monitord...
Apr 08 14:34:37 ip-172-31-39-45 env[52982]: 2024/04/08 14:34:37 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:34:37 ip-172-31-39-45 env[52982]: 2024/04/08 14:34:37 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:34:38 ip-172-31-39-45 env[52684]: Started wazuh-modulesd...
Apr 08 14:34:40 ip-172-31-39-45 env[52684]: Completed.
Apr 08 14:34:40 ip-172-31-39-45 systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-manager.service has finished successfully.
░░
░░ The job identifier is 2578.
root@ip-172-31-39-45:/home/ubuntu#
```
Errors
:yellow_circle: Related: https://github.com/wazuh/wazuh/issues/21829
:yellow_circle: Related: https://github.com/wazuh/wazuh/issues/22835
```shellsession
root@ip-172-31-39-45:/home/ubuntu# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/04/08 14:30:39 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/04/08 14:34:37 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/04/08 14:34:40 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: [json.exception.out_of_range.401] array index 1 is out of range, trying to re-download the feed.
root@ip-172-31-39-45:/home/ubuntu#
```

RHEL 9 :yellow_circle:

Agent status
```shellsession
[root@ip-172-31-39-39 ec2-user]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-04-08 14:37:11 UTC; 44min ago
      Tasks: 152 (limit: 22632)
     Memory: 862.8M
        CPU: 34min 34.527s
     CGroup: /system.slice/wazuh-manager.service
             ├─20061 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─20062 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─20065 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─20068 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─20112 /var/ossec/bin/wazuh-authd
             ├─20129 /var/ossec/bin/wazuh-db
             ├─20160 /var/ossec/bin/wazuh-execd
             ├─20176 /var/ossec/bin/wazuh-analysisd
             ├─20189 /var/ossec/bin/wazuh-syscheckd
             ├─20237 /var/ossec/bin/wazuh-remoted
             ├─20272 /var/ossec/bin/wazuh-logcollector
             ├─20292 /var/ossec/bin/wazuh-monitord
             └─20314 /var/ossec/bin/wazuh-modulesd

Apr 08 14:37:04 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-analysisd...
Apr 08 14:37:05 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-syscheckd...
```
Service status

```shellsession
[root@ip-172-31-39-39 ec2-user]# journalctl -xe -u wazuh-manager.service --no-pager
Apr 08 14:32:08 ip-172-31-39-39.ec2.internal systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 6018.
Apr 08 14:32:10 ip-172-31-39-39.ec2.internal env[16995]: 2024/04/08 14:32:10 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:32:10 ip-172-31-39-39.ec2.internal env[16995]: 2024/04/08 14:32:10 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:32:11 ip-172-31-39-39.ec2.internal env[16965]: Starting Wazuh v4.8.0...
Apr 08 14:32:14 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-apid...
Apr 08 14:32:14 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-csyslogd...
Apr 08 14:32:14 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-dbd...
Apr 08 14:32:14 ip-172-31-39-39.ec2.internal env[17041]: 2024/04/08 14:32:14 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Apr 08 14:32:14 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-integratord...
Apr 08 14:32:14 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-agentlessd...
Apr 08 14:32:15 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-authd...
Apr 08 14:32:16 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-db...
Apr 08 14:32:17 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-execd...
Apr 08 14:32:18 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-analysisd...
Apr 08 14:32:20 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-syscheckd...
Apr 08 14:32:21 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-remoted...
Apr 08 14:32:22 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-logcollector...
Apr 08 14:32:23 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-monitord...
Apr 08 14:32:23 ip-172-31-39-39.ec2.internal env[17264]: 2024/04/08 14:32:23 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:32:23 ip-172-31-39-39.ec2.internal env[17264]: 2024/04/08 14:32:23 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:32:24 ip-172-31-39-39.ec2.internal env[16965]: Started wazuh-modulesd...
Apr 08 14:32:26 ip-172-31-39-39.ec2.internal env[16965]: Completed.
Apr 08 14:32:26 ip-172-31-39-39.ec2.internal systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-manager.service has finished successfully.
░░
░░ The job identifier is 6018.
Apr 08 14:36:39 ip-172-31-39-39.ec2.internal systemd[1]: Stopping Wazuh manager...
░░ Subject: A stop job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A stop job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 6376.
Apr 08 14:36:40 ip-172-31-39-39.ec2.internal env[19702]: wazuh-clusterd not running...
Apr 08 14:36:40 ip-172-31-39-39.ec2.internal env[19702]: Killing wazuh-modulesd...
Apr 08 14:36:48 ip-172-31-39-39.ec2.internal env[19702]: Killing wazuh-monitord...
Apr 08 14:36:49 ip-172-31-39-39.ec2.internal env[19702]: Killing wazuh-logcollector...
Apr 08 14:36:49 ip-172-31-39-39.ec2.internal env[19702]: Killing wazuh-remoted...
Apr 08 14:36:49 ip-172-31-39-39.ec2.internal env[19702]: Killing wazuh-syscheckd...
Apr 08 14:36:49 ip-172-31-39-39.ec2.internal env[19702]: Killing wazuh-analysisd...
Apr 08 14:36:49 ip-172-31-39-39.ec2.internal env[19702]: wazuh-maild not running...
Apr 08 14:36:49 ip-172-31-39-39.ec2.internal env[19702]: Killing wazuh-execd...
Apr 08 14:36:49 ip-172-31-39-39.ec2.internal env[19702]: Killing wazuh-db...
Apr 08 14:36:50 ip-172-31-39-39.ec2.internal env[19702]: Killing wazuh-authd...
Apr 08 14:36:51 ip-172-31-39-39.ec2.internal env[19702]: wazuh-agentlessd not running...
Apr 08 14:36:51 ip-172-31-39-39.ec2.internal env[19702]: wazuh-integratord not running...
Apr 08 14:36:51 ip-172-31-39-39.ec2.internal env[19702]: wazuh-dbd not running...
Apr 08 14:36:51 ip-172-31-39-39.ec2.internal env[19702]: wazuh-csyslogd not running...
Apr 08 14:36:51 ip-172-31-39-39.ec2.internal env[19702]: Killing wazuh-apid...
Apr 08 14:36:51 ip-172-31-39-39.ec2.internal env[19702]: Wazuh v4.8.0 Stopped
Apr 08 14:36:51 ip-172-31-39-39.ec2.internal systemd[1]: wazuh-manager.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit wazuh-manager.service has successfully entered the 'dead' state.
Apr 08 14:36:51 ip-172-31-39-39.ec2.internal systemd[1]: Stopped Wazuh manager.
░░ Subject: A stop job for unit wazuh-manager.service has finished
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A stop job for unit wazuh-manager.service has finished.
░░
░░ The job identifier is 6376 and the job result is done.
Apr 08 14:36:51 ip-172-31-39-39.ec2.internal systemd[1]: wazuh-manager.service: Consumed 2min 29.161s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit wazuh-manager.service completed and consumed the indicated resources.
Apr 08 14:36:51 ip-172-31-39-39.ec2.internal systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-manager.service has begun execution.
░░
░░ The job identifier is 6376.
Apr 08 14:36:55 ip-172-31-39-39.ec2.internal env[20035]: 2024/04/08 14:36:55 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:36:55 ip-172-31-39-39.ec2.internal env[20035]: 2024/04/08 14:36:55 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:36:56 ip-172-31-39-39.ec2.internal env[20005]: Starting Wazuh v4.8.0...
Apr 08 14:36:59 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-apid...
Apr 08 14:37:00 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-csyslogd...
Apr 08 14:37:00 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-dbd...
Apr 08 14:37:00 ip-172-31-39-39.ec2.internal env[20090]: 2024/04/08 14:37:00 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Apr 08 14:37:00 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-integratord...
Apr 08 14:37:00 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-agentlessd...
Apr 08 14:37:01 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-authd...
Apr 08 14:37:02 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-db...
Apr 08 14:37:03 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-execd...
Apr 08 14:37:04 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-analysisd...
Apr 08 14:37:05 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-syscheckd...
Apr 08 14:37:06 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-remoted...
Apr 08 14:37:07 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-logcollector...
Apr 08 14:37:08 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-monitord...
Apr 08 14:37:08 ip-172-31-39-39.ec2.internal env[20310]: 2024/04/08 14:37:08 wazuh-modulesd:router: INFO: Loaded router module.
Apr 08 14:37:08 ip-172-31-39-39.ec2.internal env[20310]: 2024/04/08 14:37:08 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Apr 08 14:37:09 ip-172-31-39-39.ec2.internal env[20005]: Started wazuh-modulesd...
Apr 08 14:37:11 ip-172-31-39-39.ec2.internal env[20005]: Completed.
Apr 08 14:37:11 ip-172-31-39-39.ec2.internal systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-manager.service has finished successfully.
░░
░░ The job identifier is 6376.
[root@ip-172-31-39-39 ec2-user]#
```
Errors

:yellow_circle: Related: https://github.com/wazuh/wazuh/issues/21829
:yellow_circle: Related: https://github.com/wazuh/wazuh/issues/22835

```shellsession
[root@ip-172-31-39-39 ec2-user]# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/04/08 14:32:23 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/04/08 14:37:09 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/04/08 14:37:17 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: [json.exception.out_of_range.401] array index 1 is out of range, trying to re-download the feed.
[root@ip-172-31-39-39 ec2-user]#
```

davidcr01 commented 5 months ago

Wazuh dashboard logs :yellow_circle:

Amazon Linux 2 :green_circle:

Agent status

```shellsession
[root@ip-172-31-35-94 ec2-user]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2024-04-08 14:33:30 UTC; 1h 4min ago
 Main PID: 9791 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─9791 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist

Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:04Z","tags":[],"pid":9791,"method":"post","statu...d\";v=\"
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:04Z","tags":[],"pid":9791,"method":"post","statu... \"Not(A
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"get","status...\", \"Go
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"post","statu...d\";v=\"
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"get","status...";v=\"24
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"post","statu... \"Not(A
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"post","statu... \"Not(A
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"post","statu... \"Not(A
Apr 08 15:37:06 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:06Z","tags":[],"pid":9791,"method":"post","statu... \"Not(A
Apr 08 15:37:06 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:06Z","tags":[],"pid":9791,"method":"get","status...";v=\"24
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-35-94 ec2-user]#
```
Service status

```shellsession
[root@ip-172-31-35-94 ec2-user]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2024-04-08 14:33:30 UTC; 1h 4min ago
 Main PID: 9791 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─9791 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist

Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:04Z","tags":[],"pid":9791,"method":"post","statu...d\";v=\"
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:04Z","tags":[],"pid":9791,"method":"post","statu... \"Not(A
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"get","status...\", \"Go
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"post","statu...d\";v=\"
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"get","status...";v=\"24
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"post","statu... \"Not(A
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"post","statu... \"Not(A
Apr 08 15:37:05 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:05Z","tags":[],"pid":9791,"method":"post","statu... \"Not(A
Apr 08 15:37:06 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:06Z","tags":[],"pid":9791,"method":"post","statu... \"Not(A
Apr 08 15:37:06 ip-172-31-35-94.ec2.internal opensearch-dashboards[9791]: {"type":"response","@timestamp":"2024-04-08T15:37:06Z","tags":[],"pid":9791,"method":"get","status...";v=\"24
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-172-31-35-94 ec2-user]#
```
Errors

```shellsession
[root@ip-172-31-35-94 ec2-user]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
[root@ip-172-31-35-94 ec2-user]#
```

Ubuntu 22 :green_circle:

Agent status

```shellsession
root@ip-172-31-39-45:/home/ubuntu# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-04-08 14:34:46 UTC; 1h 5min ago
   Main PID: 53734 (node)
      Tasks: 11 (limit: 4632)
     Memory: 184.3M
        CPU: 19.012s
     CGroup: /system.slice/wazuh-dashboard.service
             └─53734 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist

Apr 08 14:35:03 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:03Z","tags":["info","plugins-service"],"pid":53734,"message":"Plugin \"visTypeXy\" is d>
Apr 08 14:35:03 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:03Z","tags":["info","plugins-system"],"pid":53734,"message":"Setting up [48] plugins: [>
Apr 08 14:35:04 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:04Z","tags":["info","savedobjects-service"],"pid":53734,"message":"Waiting until all Op>
Apr 08 14:35:05 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:05Z","tags":["info","savedobjects-service"],"pid":53734,"message":"Starting saved objec>
Apr 08 14:35:05 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:05Z","tags":["info","plugins-system"],"pid":53734,"message":"Starting [48] plugins: [us>
Apr 08 14:35:07 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:07Z","tags":["listening","info"],"pid":53734,"message":"Server running at https://0.0.0>
Apr 08 14:35:07 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:07Z","tags":["info","http","server","OpenSearchDashboards"],"pid":53734,"message":"http>
Apr 08 14:35:22 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"response","@timestamp":"2024-04-08T14:35:21Z","tags":[],"pid":53734,"method":"get","statusCode":200,"req":{"url":"/status",>
Apr 08 14:39:16 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"error","@timestamp":"2024-04-08T14:39:16Z","tags":["connection","client","error"],"pid":53734,"level":"error","error":{"mes>
Apr 08 14:49:38 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"error","@timestamp":"2024-04-08T14:49:38Z","tags":["connection","client","error"],"pid":53734,"level":"error","error":{"mes>
lines 1-20/20 (END)
```
Service status

```shellsession
root@ip-172-31-39-45:/home/ubuntu# journalctl -xe -u wazuh-dashboard.service --no-pager
Apr 08 14:33:35 ip-172-31-39-45 systemd[1]: Started wazuh-dashboard.
░░ Subject: A start job for unit wazuh-dashboard.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-dashboard.service has finished successfully.
░░
░░ The job identifier is 2404.
Apr 08 14:33:53 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:53Z","tags":["info","plugins-service"],"pid":51820,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
Apr 08 14:33:53 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:53Z","tags":["info","plugins-service"],"pid":51820,"message":"Plugin \"dataSource\" is disabled."}
Apr 08 14:33:53 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:53Z","tags":["info","plugins-service"],"pid":51820,"message":"Plugin \"visTypeXy\" is disabled."}
Apr 08 14:33:54 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:54Z","tags":["info","plugins-system"],"pid":51820,"message":"Setting up [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,embeddable,legacyExport,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTable,visTypeTimeline,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTagcloud,visTypeTimeseries,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Apr 08 14:33:56 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:56Z","tags":["info","savedobjects-service"],"pid":51820,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Apr 08 14:33:57 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:57Z","tags":["info","savedobjects-service"],"pid":51820,"message":"Starting saved objects migrations"}
Apr 08 14:33:57 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:57Z","tags":["info","savedobjects-service"],"pid":51820,"message":"Creating index .kibana_1."}
Apr 08 14:33:58 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:58Z","tags":["info","savedobjects-service"],"pid":51820,"message":"Pointing alias .kibana to .kibana_1."}
Apr 08 14:33:58 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:58Z","tags":["info","savedobjects-service"],"pid":51820,"message":"Finished in 664ms."}
Apr 08 14:33:58 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:58Z","tags":["info","plugins-system"],"pid":51820,"message":"Starting [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,embeddable,legacyExport,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTable,visTypeTimeline,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTagcloud,visTypeTimeseries,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Apr 08 14:33:59 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:33:59Z","tags":["error","opensearch","data"],"pid":51820,"message":"[ResponseError]: Response Error"}
Apr 08 14:34:00 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:34:00Z","tags":["error","opensearch","data"],"pid":51820,"message":"[ResponseError]: Response Error"}
Apr 08 14:34:01 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:34:01Z","tags":["listening","info"],"pid":51820,"message":"Server running at https://0.0.0.0:443"}
Apr 08 14:34:03 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:34:03Z","tags":["info","http","server","OpenSearchDashboards"],"pid":51820,"message":"http server running at https://0.0.0.0:443"}
Apr 08 14:34:46 ip-172-31-39-45 systemd[1]: Stopping wazuh-dashboard...
░░ Subject: A stop job for unit wazuh-dashboard.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A stop job for unit wazuh-dashboard.service has begun execution.
░░
░░ The job identifier is 2665.
Apr 08 14:34:46 ip-172-31-39-45 opensearch-dashboards[51820]: {"type":"log","@timestamp":"2024-04-08T14:34:46Z","tags":["info","plugins-system"],"pid":51820,"message":"Stopping all plugins."}
Apr 08 14:34:46 ip-172-31-39-45 systemd[1]: wazuh-dashboard.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-dashboard.service has successfully entered the 'dead' state.
Apr 08 14:34:46 ip-172-31-39-45 systemd[1]: Stopped wazuh-dashboard.
░░ Subject: A stop job for unit wazuh-dashboard.service has finished
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A stop job for unit wazuh-dashboard.service has finished.
░░
░░ The job identifier is 2665 and the job result is done.
Apr 08 14:34:46 ip-172-31-39-45 systemd[1]: wazuh-dashboard.service: Consumed 12.372s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-dashboard.service completed and consumed the indicated resources.
Apr 08 14:34:46 ip-172-31-39-45 systemd[1]: Started wazuh-dashboard.
░░ Subject: A start job for unit wazuh-dashboard.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-dashboard.service has finished successfully.
░░
░░ The job identifier is 2665.
Apr 08 14:35:03 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:03Z","tags":["info","plugins-service"],"pid":53734,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
Apr 08 14:35:03 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:03Z","tags":["info","plugins-service"],"pid":53734,"message":"Plugin \"dataSource\" is disabled."}
Apr 08 14:35:03 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:03Z","tags":["info","plugins-service"],"pid":53734,"message":"Plugin \"visTypeXy\" is disabled."}
Apr 08 14:35:03 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:03Z","tags":["info","plugins-system"],"pid":53734,"message":"Setting up [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,embeddable,legacyExport,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeTagcloud,visTypeVislib,visTypeTimeseries,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Apr 08 14:35:04 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:04Z","tags":["info","savedobjects-service"],"pid":53734,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Apr 08 14:35:05 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:05Z","tags":["info","savedobjects-service"],"pid":53734,"message":"Starting saved objects migrations"}
Apr 08 14:35:05 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:05Z","tags":["info","plugins-system"],"pid":53734,"message":"Starting [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,embeddable,legacyExport,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeTagcloud,visTypeVislib,visTypeTimeseries,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Apr 08 14:35:07 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:07Z","tags":["listening","info"],"pid":53734,"message":"Server running at https://0.0.0.0:443"}
Apr 08 14:35:07 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"log","@timestamp":"2024-04-08T14:35:07Z","tags":["info","http","server","OpenSearchDashboards"],"pid":53734,"message":"http server running at https://0.0.0.0:443"}
Apr 08 14:35:22 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"response","@timestamp":"2024-04-08T14:35:21Z","tags":[],"pid":53734,"method":"get","statusCode":200,"req":{"url":"/status","method":"get","headers":{"host":"localhost","user-agent":"curl/7.81.0","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/7.81.0"},"res":{"statusCode":200,"responseTime":557,"contentLength":9},"message":"GET /status 200 557ms - 9.0B"}
Apr 08 14:39:16 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"error","@timestamp":"2024-04-08T14:39:16Z","tags":["connection","client","error"],"pid":53734,"level":"error","error":{"message":"C01767DFF47F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../deps/openssl/openssl/ssl/t1_lib.c:3318:\n","name":"Error","stack":"Error: C01767DFF47F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../deps/openssl/openssl/ssl/t1_lib.c:3318:\n","code":"ERR_SSL_NO_SUITABLE_SIGNATURE_ALGORITHM"},"message":"C01767DFF47F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../deps/openssl/openssl/ssl/t1_lib.c:3318:\n"}
Apr 08 14:49:38 ip-172-31-39-45 opensearch-dashboards[53734]: {"type":"error","@timestamp":"2024-04-08T14:49:38Z","tags":["connection","client","error"],"pid":53734,"level":"error","error":{"message":"C01767DFF47F0000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 42\n","name":"Error","stack":"Error: C01767DFF47F0000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 42\n","code":"ERR_SSL_SSLV3_ALERT_BAD_CERTIFICATE"},"message":"C01767DFF47F0000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 42\n"}
root@ip-172-31-39-45:/home/ubuntu#
```
Errors

```shellsession
root@ip-172-31-39-45:/home/ubuntu# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
root@ip-172-31-39-45:/home/ubuntu#
```

RHEL 9 :yellow_circle:

Agent status

```shellsession
[root@ip-172-31-39-39 ec2-user]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-04-08 14:37:20 UTC; 1h 4min ago
   Main PID: 20802 (node)
      Tasks: 11 (limit: 22632)
     Memory: 187.9M
        CPU: 20.412s
     CGroup: /system.slice/wazuh-dashboard.service
             └─20802 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist

Apr 08 14:37:38 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:38Z","tags":["info","plugins-service"],"pid":20802,"message":"Plugin \"dat>
Apr 08 14:37:38 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:38Z","tags":["info","plugins-service"],"pid":20802,"message":"Plugin \"vis>
Apr 08 14:37:39 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:39Z","tags":["info","plugins-system"],"pid":20802,"message":"Setting up [4>
Apr 08 14:37:40 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:40Z","tags":["info","savedobjects-service"],"pid":20802,"message":"Waiting>
Apr 08 14:37:41 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:41Z","tags":["info","savedobjects-service"],"pid":20802,"message":"Startin>
Apr 08 14:37:41 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:41Z","tags":["info","plugins-system"],"pid":20802,"message":"Starting [48]>
Apr 08 14:37:43 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:43Z","tags":["listening","info"],"pid":20802,"message":"Server running at >
Apr 08 14:37:44 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:44Z","tags":["info","http","server","OpenSearchDashboards"],"pid":20802,"m>
Apr 08 14:37:57 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"response","@timestamp":"2024-04-08T14:37:55Z","tags":[],"pid":20802,"method":"get","statusCode":200,"req":{"ur>
Apr 08 15:09:11 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"error","@timestamp":"2024-04-08T15:09:11Z","tags":["connection","client","error"],"pid":20802,"level":"error",>
lines 1-20/20 (END)
```
Service status
```shellsession
[root@ip-172-31-39-39 ec2-user]# journalctl -xe -u wazuh-dashboard.service --no-pager
Apr 08 14:36:00 ip-172-31-39-39.ec2.internal systemd[1]: Started wazuh-dashboard.
░░ Subject: A start job for unit wazuh-dashboard.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-dashboard.service has finished successfully.
░░
░░ The job identifier is 6200.
Apr 08 14:36:21 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:21Z","tags":["info","plugins-service"],"pid":19158,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
Apr 08 14:36:21 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:21Z","tags":["info","plugins-service"],"pid":19158,"message":"Plugin \"dataSource\" is disabled."}
Apr 08 14:36:21 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:21Z","tags":["info","plugins-service"],"pid":19158,"message":"Plugin \"visTypeXy\" is disabled."}
Apr 08 14:36:22 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:22Z","tags":["info","plugins-system"],"pid":19158,"message":"Setting up [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTagcloud,visTypeTimeseries,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Apr 08 14:36:25 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:25Z","tags":["info","savedobjects-service"],"pid":19158,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Apr 08 14:36:26 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:26Z","tags":["info","savedobjects-service"],"pid":19158,"message":"Starting saved objects migrations"}
Apr 08 14:36:26 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:26Z","tags":["info","savedobjects-service"],"pid":19158,"message":"Creating index .kibana_1."}
Apr 08 14:36:27 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:27Z","tags":["info","savedobjects-service"],"pid":19158,"message":"Pointing alias .kibana to .kibana_1."}
Apr 08 14:36:27 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:27Z","tags":["info","savedobjects-service"],"pid":19158,"message":"Finished in 632ms."}
Apr 08 14:36:27 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:27Z","tags":["info","plugins-system"],"pid":19158,"message":"Starting [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTagcloud,visTypeTimeseries,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Apr 08 14:36:28 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:28Z","tags":["error","opensearch","data"],"pid":19158,"message":"[ResponseError]: Response Error"}
Apr 08 14:36:29 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:29Z","tags":["error","opensearch","data"],"pid":19158,"message":"[ResponseError]: Response Error"}
Apr 08 14:36:30 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:30Z","tags":["listening","info"],"pid":19158,"message":"Server running at https://0.0.0.0:443"}
Apr 08 14:36:31 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:36:31Z","tags":["info","http","server","OpenSearchDashboards"],"pid":19158,"message":"http server running at https://0.0.0.0:443"}
Apr 08 14:37:19 ip-172-31-39-39.ec2.internal systemd[1]: Stopping wazuh-dashboard...
░░ Subject: A stop job for unit wazuh-dashboard.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A stop job for unit wazuh-dashboard.service has begun execution.
░░
░░ The job identifier is 6552.
Apr 08 14:37:19 ip-172-31-39-39.ec2.internal opensearch-dashboards[19158]: {"type":"log","@timestamp":"2024-04-08T14:37:19Z","tags":["info","plugins-system"],"pid":19158,"message":"Stopping all plugins."}
Apr 08 14:37:19 ip-172-31-39-39.ec2.internal systemd[1]: wazuh-dashboard.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit wazuh-dashboard.service has successfully entered the 'dead' state.
Apr 08 14:37:19 ip-172-31-39-39.ec2.internal systemd[1]: Stopped wazuh-dashboard.
░░ Subject: A stop job for unit wazuh-dashboard.service has finished
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A stop job for unit wazuh-dashboard.service has finished.
░░
░░ The job identifier is 6552 and the job result is done.
Apr 08 14:37:19 ip-172-31-39-39.ec2.internal systemd[1]: wazuh-dashboard.service: Consumed 14.669s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit wazuh-dashboard.service completed and consumed the indicated resources.
Apr 08 14:37:20 ip-172-31-39-39.ec2.internal systemd[1]: Started wazuh-dashboard.
░░ Subject: A start job for unit wazuh-dashboard.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit wazuh-dashboard.service has finished successfully.
░░
░░ The job identifier is 6552.
Apr 08 14:37:38 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:38Z","tags":["info","plugins-service"],"pid":20802,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
Apr 08 14:37:38 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:38Z","tags":["info","plugins-service"],"pid":20802,"message":"Plugin \"dataSource\" is disabled."}
Apr 08 14:37:38 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:38Z","tags":["info","plugins-service"],"pid":20802,"message":"Plugin \"visTypeXy\" is disabled."}
Apr 08 14:37:39 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:39Z","tags":["info","plugins-system"],"pid":20802,"message":"Setting up [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,embeddable,legacyExport,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeMarkdown,visBuilder,visTypeTable,visTypeTimeline,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeMetric,visTypeTimeseries,visTypeTagcloud,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Apr 08 14:37:40 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:40Z","tags":["info","savedobjects-service"],"pid":20802,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Apr 08 14:37:41 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:41Z","tags":["info","savedobjects-service"],"pid":20802,"message":"Starting saved objects migrations"}
Apr 08 14:37:41 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:41Z","tags":["info","plugins-system"],"pid":20802,"message":"Starting [48] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,embeddable,legacyExport,expressions,data,home,apmOss,savedObjects,reportsDashboards,dashboard,visualizations,visTypeVega,visTypeMarkdown,visBuilder,visTypeTable,visTypeTimeline,visAugmenter,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeMetric,visTypeTimeseries,visTypeTagcloud,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
Apr 08 14:37:43 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:43Z","tags":["listening","info"],"pid":20802,"message":"Server running at https://0.0.0.0:443"}
Apr 08 14:37:44 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"log","@timestamp":"2024-04-08T14:37:44Z","tags":["info","http","server","OpenSearchDashboards"],"pid":20802,"message":"http server running at https://0.0.0.0:443"}
Apr 08 14:37:57 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"response","@timestamp":"2024-04-08T14:37:55Z","tags":[],"pid":20802,"method":"get","statusCode":200,"req":{"url":"/status","method":"get","headers":{"host":"localhost","user-agent":"curl/7.76.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/7.76.1"},"res":{"statusCode":200,"responseTime":1066,"contentLength":9},"message":"GET /status 200 1066ms - 9.0B"}
Apr 08 15:09:11 ip-172-31-39-39.ec2.internal opensearch-dashboards[20802]: {"type":"error","@timestamp":"2024-04-08T15:09:11Z","tags":["connection","client","error"],"pid":20802,"level":"error","error":{"message":"C0F7A948DE7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../deps/openssl/openssl/ssl/t1_lib.c:3318:\n","name":"Error","stack":"Error: C0F7A948DE7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../deps/openssl/openssl/ssl/t1_lib.c:3318:\n","code":"ERR_SSL_NO_SUITABLE_SIGNATURE_ALGORITHM"},"message":"C0F7A948DE7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../deps/openssl/openssl/ssl/t1_lib.c:3318:\n"}
[root@ip-172-31-39-39 ec2-user]#
```
Errors
:yellow_circle: Related issue: https://github.com/wazuh/wazuh-dashboard-plugins/issues/6312
```shellsession
[root@ip-172-31-39-39 ec2-user]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
{"date":"2024-04-08T14:36:31.954Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
{"date":"2024-04-08T14:37:43.330Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
[root@ip-172-31-39-39 ec2-user]#
```

davidcr01 commented 5 months ago

Additional tests

Accessing Wazuh web interface :green_circle:

Amazon Linux 2 :green_circle:

Ubuntu 22 :green_circle:

RHEL9 :green_circle:

davidjiglesias commented 5 months ago

LGTM