wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.7.5 - RC 1 - E2E UX tests - macOs #23571

Closed davidjiglesias closed 4 months ago

davidjiglesias commented 4 months ago

End-to-End (E2E) Testing Guideline

For the conclusions and the issue testing and updates, use the following legend:

Status legend

Issue delivery and completion

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Step by step | Single node | RHEL 8 x86_64 |
| Server | Step by step | Multi node | RHEL 8 x86_64 |
| Dashboard | Step by step | - | RHEL 8 x86_64 |
| Agent | Wazuh WUI one-liner deploy using FQDN and GROUP (created beforehand, don't use default) | - | macOS Sonoma x86_64, macOS Sonoma arm |

Test description

- Test that macOS log data collection works out of the box.
- Test that macOS vulnerability detection works out of the box.
- Test that macOS file integrity monitoring works out of the box.
- Test that macOS security configuration assessment works out of the box.

Known issues

Conclusions

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🟢 | Wazuh Indexer | | |
| 🟢 | Wazuh Server | | |
| 🔴 | Wazuh Dashboard | No template found for the selected index-pattern title [wazuh-alerts-*] | https://github.com/wazuh/wazuh/issues/23649 |
| 🟢 | Agent installation | | |
| 🔴 | Log data collection works out of the box | No events generated in "Security Events" | https://github.com/wazuh/wazuh/issues/23650 |
| 🟢 | SCA works out of the box | | |
| 🟡 | FIM works out of the box | | https://github.com/wazuh/wazuh/issues/8602 https://github.com/wazuh/wazuh/issues/16226 |
| 🟡 | Vulnerability works out of the box | No vulnerabilities detected from pkg packages | https://github.com/wazuh/wazuh/issues/23507 https://github.com/wazuh/wazuh/issues/22911 |

Feedback

We value your feedback. Please provide insights on your testing experience.

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.
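The four "works out of the box" checks in the test description are judged through the Dashboard, which makes a red result ambiguous: "No events generated in Security Events" can mean the agent never produced alerts, or that alerts reached the manager but were lost between Filebeat, the indexer and the index pattern. The script below is an added example written for this page, not code from the issue or from Wazuh. It reads the manager-side alert stream (`/var/ossec/logs/alerts/alerts.json`, one JSON object per line) and counts, for one agent, how many alerts each capability produced, so the two failure modes can be told apart before opening a Dashboard ticket. The mapping of alerts to capabilities is an assumption of the example: alerts whose `rule.groups` contain `syscheck`, `sca` or `vulnerability-detector` are attributed to FIM, SCA and vulnerability detection respectively, and every other alert from the agent is attributed to log data collection. The sample alert lines are constructed for illustration, including a truncated last line of the kind a continuously written file can contain.

```python
"""Per-capability alert coverage for one Wazuh agent, read from alerts.json.

Added example; not part of the issue or of the Wazuh code base.
"""
import json
from collections import Counter

# Rule group Wazuh attaches to the alerts of each module. Anything from the
# agent that carries none of these groups is attributed to log data collection
# (assumption made for this example).
MODULE_GROUPS = {
    "fim": "syscheck",
    "sca": "sca",
    "vulnerability": "vulnerability-detector",
}
EXPECTED = list(MODULE_GROUPS) + ["log_collection"]


def classify(alert):
    """Map one decoded alert to the capability that produced it."""
    groups = set(alert.get("rule", {}).get("groups", []))
    for module, group in MODULE_GROUPS.items():
        if group in groups:
            return module
    return "log_collection"


def coverage(lines, agent_name):
    """Count alerts per capability for agent_name over alerts.json lines.

    Blank and malformed lines are skipped: the file is appended to while the
    manager runs, so the last line may be incomplete when it is read.
    """
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        if alert.get("agent", {}).get("name") != agent_name:
            continue
        counts[classify(alert)] += 1
    return {module: counts.get(module, 0) for module in EXPECTED}


def missing_modules(report):
    """Capabilities with no alerts at all: the ones that would be red above."""
    return sorted(module for module, n in report.items() if n == 0)


# Constructed sample in the shape of /var/ossec/logs/alerts/alerts.json.
# Rule ids, descriptions and locations are illustrative, not captured output.
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-24T13:10:01.000+0000","rule":{"level":5,"description":"File added to the system.","id":"554","groups":["ossec","syscheck","syscheck_entry_added"]},"agent":{"id":"001","name":"mac-sonoma"},"location":"syscheck"}
{"timestamp":"2024-05-24T13:10:02.000+0000","rule":{"level":3,"description":"Benchmark check passed.","id":"19008","groups":["sca"]},"agent":{"id":"001","name":"mac-sonoma"},"location":"sca"}
{"timestamp":"2024-05-24T13:10:03.000+0000","rule":{"level":3,"description":"Log line decoded by the manager.","id":"1002","groups":["syslog","errors"]},"agent":{"id":"001","name":"mac-sonoma"},"location":"macos"}
{"timestamp":"2024-05-24T13:10:04.000+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","groups":["ossec","syscheck","syscheck_entry_modified"]},"agent":{"id":"002","name":"linux-01"},"location":"syscheck"}

{"timestamp":"2024-05-24T13:10:05.000+0000","rule":{"level":3,"descr
"""


if __name__ == "__main__":
    # On a manager, replace SAMPLE_ALERTS.splitlines() with
    # open("/var/ossec/logs/alerts/alerts.json").
    report = coverage(SAMPLE_ALERTS.splitlines(), "mac-sonoma")
    print(report)
    print("missing:", missing_modules(report))
```

For the constructed sample, the agent `mac-sonoma` has one FIM, one SCA and one log collection alert and nothing from the vulnerability detector, so `missing_modules` returns `["vulnerability"]`. A capability that is missing here never reached the manager and is an agent or module problem; a capability that is present here but absent from Security Events points at Filebeat, the indexer or the index pattern instead. One caveat: the manager only writes alerts whose level is at or above `log_alert_level` in `ossec.conf` (3 by default), so a module whose rules fire only below that level will also look absent from this file.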

SeyiSoneye commented 4 months ago

Wazuh central components installation

Wazuh Indexer 🟢

```
[root@ip-172-31-40-90 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.7/config.yml
[root@ip-172-31-40-90 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.7/wazuh-certs-tool.sh
[root@ip-172-31-40-90 ec2-user]# vi config.yml
[root@ip-172-31-40-90 ec2-user]# cat config.yml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "172.31.40.90"
    #- name: node-2
    #  ip: ""
    #- name: node-3
    #  ip: ""

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "172.31.40.90"
      node_type: master
    - name: wazuh-2
      ip: "172.31.37.181"
      node_type: worker
    #- name: wazuh-3
    #  ip: ""
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "172.31.40.90"
[root@ip-172-31-40-90 ec2-user]# bash ./wazuh-certs-tool.sh -A
24/05/2024 09:07:22 INFO: Admin certificates created.
24/05/2024 09:07:22 INFO: Wazuh indexer certificates created.
24/05/2024 09:07:23 INFO: Wazuh server certificates created.
24/05/2024 09:07:23 INFO: Wazuh dashboard certificates created.
[root@ip-172-31-40-90 ec2-user]# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
./
./root-ca.key
./root-ca.pem
./admin-key.pem
./admin.pem
./node-1-key.pem
./node-1.pem
./wazuh-1-key.pem
./wazuh-1.pem
./wazuh-2-key.pem
./wazuh-2.pem
./dashboard-key.pem
./dashboard.pem
[root@ip-172-31-40-90 ec2-user]# yum install coreutils
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:06:46 ago on Fri 24 May 2024 12:29:09 PM UTC.
Package coreutils-8.30-15.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@ip-172-31-40-90 ec2-user]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH [root@ip-172-31-40-90 ec2-user]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo [wazuh] gpgcheck=1 gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages-dev.wazuh.com/pre-release/yum/ protect=1 [root@ip-172-31-40-90 ec2-user]# yum -y install wazuh-indexer-4.7.0-1 Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. EL-8 - Wazuh 11 kB/s | 3.4 kB 00:00 EL-8 - Wazuh 19 MB/s | 26 MB 00:01 Last metadata expiration check: 0:00:13 ago on Fri 24 May 2024 12:39:24 PM UTC. Dependencies resolved. ============================================================================================== Package Architecture Version Repository Size ============================================================================================== Installing: wazuh-indexer x86_64 4.7.0-1 wazuh 673 M Transaction Summary ============================================================================================== Install 1 Package Total download size: 673 M Installed size: 930 M Downloading Packages: wazuh-indexer-4.7.0-1.x86_64.rpm 46 MB/s | 673 MB 00:14 ---------------------------------------------------------------------------------------------- Total 46 MB/s | 673 MB 00:14 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. 
Running transaction
  Preparing        :                                                      1/1
  Running scriptlet: wazuh-indexer-4.7.0-1.x86_64                        1/1
  Installing       : wazuh-indexer-4.7.0-1.x86_64                        1/1
  Running scriptlet: wazuh-indexer-4.7.0-1.x86_64                        1/1
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
  Verifying        : wazuh-indexer-4.7.0-1.x86_64                        1/1
Installed products updated.

Installed:
  wazuh-indexer-4.7.0-1.x86_64

Complete!
[root@ip-172-31-40-90 ec2-user]# vi /etc/wazuh-indexer/opensearch.yml
[root@ip-172-31-40-90 ec2-user]# NODE_NAME=node-1
[root@ip-172-31-40-90 ec2-user]# mkdir /etc/wazuh-indexer/certs
[root@ip-172-31-40-90 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
[root@ip-172-31-40-90 ec2-user]# chmod 500 /etc/wazuh-indexer/certs
[root@ip-172-31-40-90 ec2-user]# chmod 400 /etc/wazuh-indexer/certs/*
[root@ip-172-31-40-90 ec2-user]# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
[root@ip-172-31-40-90 ec2-user]# systemctl daemon-reload
[root@ip-172-31-40-90 ec2-user]# systemctl enable wazuh-indexer
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service.
[root@ip-172-31-40-90 ec2-user]# systemctl start wazuh-indexer
[root@ip-172-31-40-90 ec2-user]# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 172.31.40.90:9200 ...
done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.8.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index does not exists, attempt to create it ... done (0-all replicas) Populate config from /etc/wazuh-indexer/opensearch-security/ Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml SUCC: Configuration for 'config' created or updated Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml SUCC: Configuration for 'roles' created or updated Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml SUCC: Configuration for 'tenants' created or updated Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml SUCC: Configuration for 'nodesdn' created or updated Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml SUCC: Configuration for 'whitelist' created or updated Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml SUCC: Configuration for 'audit' created or updated Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml SUCC: Configuration for 'allowlist' created or updated SUCC: Expected 10 config types for node 
{"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null Done with success [root@ip-172-31-40-90 ec2-user]# curl -k -u admin:admin https://172.31.40.90:9200 { "name" : "node-1", "cluster_name" : "wazuh-cluster", "cluster_uuid" : "c8lSpAc5T22wYZBatWtfhA", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4", "build_date" : "2023-06-03T06:24:25.112415503Z", "build_snapshot" : false, "lucene_version" : "9.6.0", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } [root@ip-172-31-40-90 ec2-user]# curl -k -u admin:admin https://172.31.40.90:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 172.31.40.90 32 84 11 0.33 0.45 0.36 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 [root@ip-172-31-40-90 ec2-user]# systemctl status wazuh-indexer ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: dis> Active: active (running) since Fri 2024-05-24 12:44:19 UTC; 2min 30s ago Docs: https://documentation.wazuh.com Main PID: 27830 (java) Tasks: 54 (limit: 22454) Memory: 1.2G CGroup: /system.slice/wazuh-indexer.service └─27830 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkadd> May 24 12:43:54 ip-172-31-40-90.ec2.internal systemd[1]: Starting Wazuh-indexer... 
May 24 12:43:57 ip-172-31-40-90.ec2.internal systemd-entrypoint[27830]: WARNING: A terminally> May 24 12:43:57 ip-172-31-40-90.ec2.internal systemd-entrypoint[27830]: WARNING: System::setS> May 24 12:43:57 ip-172-31-40-90.ec2.internal systemd-entrypoint[27830]: WARNING: Please consi> May 24 12:43:57 ip-172-31-40-90.ec2.internal systemd-entrypoint[27830]: WARNING: System::setS> May 24 12:44:00 ip-172-31-40-90.ec2.internal systemd-entrypoint[27830]: WARNING: A terminally> May 24 12:44:00 ip-172-31-40-90.ec2.internal systemd-entrypoint[27830]: WARNING: System::setS> May 24 12:44:00 ip-172-31-40-90.ec2.internal systemd-entrypoint[27830]: WARNING: Please consi> May 24 12:44:00 ip-172-31-40-90.ec2.internal systemd-entrypoint[27830]: WARNING: System::setS> May 24 12:44:19 ip-172-31-40-90.ec2.internal systemd[1]: Started Wazuh-indexer. ```
Wazuh Server 🟢

### Master node :green_circle:

```
[root@ip-172-31-40-90 ec2-user]# yum -y install wazuh-manager-4.7.0-1
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:08:11 ago on Fri 24 May 2024 12:39:24 PM UTC.
Dependencies resolved.
==============================================================================================
 Package                Architecture       Version           Repository         Size
==============================================================================================
Installing:
 wazuh-manager          x86_64             4.7.0-1           wazuh             165 M

Transaction Summary
==============================================================================================
Install  1 Package

Total download size: 165 M
Installed size: 600 M
Downloading Packages:
wazuh-manager-4.7.0-1.x86_64.rpm                              38 MB/s | 165 MB     00:04
----------------------------------------------------------------------------------------------
Total                                                         38 MB/s | 165 MB     00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                      1/1
  Running scriptlet: wazuh-manager-4.7.0-1.x86_64                        1/1
  Installing       : wazuh-manager-4.7.0-1.x86_64                        1/1
  Running scriptlet: wazuh-manager-4.7.0-1.x86_64                        1/1
  Verifying        : wazuh-manager-4.7.0-1.x86_64                        1/1
Installed products updated.

Installed:
  wazuh-manager-4.7.0-1.x86_64

Complete!
[root@ip-172-31-40-90 ec2-user]# systemctl daemon-reload
[root@ip-172-31-40-90 ec2-user]# systemctl enable wazuh-manager
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.
[root@ip-172-31-40-90 ec2-user]# systemctl start wazuh-manager [root@ip-172-31-40-90 ec2-user]# systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: dis> Active: active (running) since Fri 2024-05-24 12:50:55 UTC; 4min 19s ago Process: 29121 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, stat> Tasks: 120 (limit: 22454) Memory: 527.6M CGroup: /system.slice/wazuh-manager.service β”œβ”€29180 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.> β”œβ”€29222 /var/ossec/bin/wazuh-authd β”œβ”€29239 /var/ossec/bin/wazuh-db β”œβ”€29264 /var/ossec/bin/wazuh-execd β”œβ”€29279 /var/ossec/bin/wazuh-analysisd β”œβ”€29292 /var/ossec/bin/wazuh-syscheckd β”œβ”€29296 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.> β”œβ”€29299 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.> β”œβ”€29302 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.> β”œβ”€29349 /var/ossec/bin/wazuh-remoted β”œβ”€29362 /var/ossec/bin/wazuh-logcollector β”œβ”€29382 /var/ossec/bin/wazuh-monitord └─29424 /var/ossec/bin/wazuh-modulesd May 24 12:50:46 ip-172-31-40-90.ec2.internal env[29121]: Started wazuh-execd... May 24 12:50:47 ip-172-31-40-90.ec2.internal env[29121]: Started wazuh-analysisd... May 24 12:50:49 ip-172-31-40-90.ec2.internal env[29121]: Started wazuh-syscheckd... May 24 12:50:50 ip-172-31-40-90.ec2.internal env[29121]: Started wazuh-remoted... May 24 12:50:51 ip-172-31-40-90.ec2.internal env[29121]: Started wazuh-logcollector... May 24 12:50:52 ip-172-31-40-90.ec2.internal env[29121]: Started wazuh-monitord... May 24 12:50:53 ip-172-31-40-90.ec2.internal env[29121]: Started wazuh-modulesd... May 24 12:50:55 ip-172-31-40-90.ec2.internal env[29121]: Completed. May 24 12:50:55 ip-172-31-40-90.ec2.internal systemd[1]: Started Wazuh manager. 
May 24 12:51:01 ip-172-31-40-90.ec2.internal crontab[30182]: (root) LIST (root) [root@ip-172-31-40-90 ec2-user]# yum -y install filebeat Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. Last metadata expiration check: 0:15:47 ago on Fri 24 May 2024 10:41:38 AM UTC. Dependencies resolved. ============================================================================================== Package Architecture Version Repository Size ============================================================================================== Installing: filebeat x86_64 7.10.2-1 wazuh 21 M Transaction Summary ============================================================================================== Install 1 Package Total download size: 21 M Installed size: 70 M Downloading Packages: filebeat-oss-7.10.2-x86_64.rpm 14 MB/s | 21 MB 00:01 ---------------------------------------------------------------------------------------------- Total 14 MB/s | 21 MB 00:01 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : filebeat-7.10.2-1.x86_64 1/1 Running scriptlet: filebeat-7.10.2-1.x86_64 1/1 Verifying : filebeat-7.10.2-1.x86_64 1/1 Installed products updated. Installed: filebeat-7.10.2-1.x86_64 Complete! 
[root@ip-172-31-40-90 filebeat]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
[root@ip-172-31-40-90 filebeat]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
[root@ip-172-31-40-90 filebeat]# vi /etc/filebeat/filebeat.yml
[root@ip-172-31-40-90 filebeat]# filebeat keystore create
Created filebeat keystore
[root@ip-172-31-40-90 filebeat]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@ip-172-31-40-90 filebeat]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@ip-172-31-40-90 filebeat]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.5-rc1/extensions/elasticsearch/7.x/wazuh-template.json
[root@ip-172-31-40-90 filebeat]# chmod go+r /etc/filebeat/wazuh-template.json
[root@ip-172-31-40-90 filebeat]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/archives/
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/_meta/
wazuh/_meta/config.yml
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/alerts/
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/module.yml
[root@ip-172-31-40-90 filebeat]# NODE_NAME=wazuh-1
[root@ip-172-31-40-90 filebeat]# cd /home/ec2-user
[root@ip-172-31-40-90 filebeat]# mkdir /etc/filebeat/certs
[root@ip-172-31-40-90 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@ip-172-31-40-90 ec2-user]# chmod 500 /etc/filebeat/certs
[root@ip-172-31-40-90 ec2-user]# chmod 400 /etc/filebeat/certs/*
[root@ip-172-31-40-90 ec2-user]# chown -R root:root /etc/filebeat/certs
[root@ip-172-31-40-90 ec2-user]# systemctl daemon-reload
[root@ip-172-31-40-90 ec2-user]# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
[root@ip-172-31-40-90 ec2-user]# systemctl start filebeat
[root@ip-172-31-40-90 ec2-user]# filebeat test output
elasticsearch: https://172.31.40.90:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.31.40.90
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

### Worker node :green_circle:

```
[root@ip-172-31-37-181 ec2-user]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@ip-172-31-37-181 ec2-user]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@ip-172-31-37-181 ec2-user]# yum -y install wazuh-manager-4.7.0-1
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
EL-8 - Wazuh 11 kB/s | 3.4 kB 00:00 EL-8 - Wazuh 16 MB/s | 26 MB 00:01 Last metadata expiration check: 0:00:11 ago on Fri 24 May 2024 12:57:21 PM UTC. Dependencies resolved. ================================================================================================== Package Architecture Version Repository Size ================================================================================================== Installing: wazuh-manager x86_64 4.7.0-1 wazuh 165 M Transaction Summary ================================================================================================== Install 1 Package Total download size: 165 M Installed size: 600 M Downloading Packages: wazuh-manager-4.7.0-1.x86_64.rpm 39 MB/s | 165 MB 00:04 -------------------------------------------------------------------------------------------------- Total 39 MB/s | 165 MB 00:04 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-manager-4.7.0-1.x86_64 1/1 Installing : wazuh-manager-4.7.0-1.x86_64 1/1 Running scriptlet: wazuh-manager-4.7.0-1.x86_64 1/1 Verifying : wazuh-manager-4.7.0-1.x86_64 1/1 Installed products updated. Installed: wazuh-manager-4.7.0-1.x86_64 Complete! [root@ip-172-31-37-181 ec2-user]# systemctl daemon-reload [root@ip-172-31-37-181 ec2-user]# systemctl enable wazuh-managersystemctl enable wazuh-manager^C [root@ip-172-31-37-181 ec2-user]# systemctl enable wazuh-manager Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service β†’ /usr/lib/systemd/system/wazuh-manager.service. 
[root@ip-172-31-37-181 ec2-user]# systemctl start wazuh-manager [root@ip-172-31-37-181 ec2-user]# systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disable> Active: active (running) since Fri 2024-05-24 13:00:33 UTC; 22s ago Process: 20261 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0> Tasks: 119 (limit: 22454) Memory: 558.0M CGroup: /system.slice/wazuh-manager.service β”œβ”€20320 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py β”œβ”€20362 /var/ossec/bin/wazuh-authd β”œβ”€20379 /var/ossec/bin/wazuh-db β”œβ”€20404 /var/ossec/bin/wazuh-execd β”œβ”€20419 /var/ossec/bin/wazuh-analysisd β”œβ”€20420 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py β”œβ”€20423 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py β”œβ”€20426 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py β”œβ”€20440 /var/ossec/bin/wazuh-syscheckd β”œβ”€20489 /var/ossec/bin/wazuh-remoted β”œβ”€20523 /var/ossec/bin/wazuh-logcollector β”œβ”€20543 /var/ossec/bin/wazuh-monitord └─20563 /var/ossec/bin/wazuh-modulesd May 24 13:00:22 ip-172-31-37-181.ec2.internal env[20261]: Started wazuh-db... May 24 13:00:23 ip-172-31-37-181.ec2.internal env[20261]: Started wazuh-execd... May 24 13:00:25 ip-172-31-37-181.ec2.internal env[20261]: Started wazuh-analysisd... May 24 13:00:26 ip-172-31-37-181.ec2.internal env[20261]: Started wazuh-syscheckd... May 24 13:00:27 ip-172-31-37-181.ec2.internal env[20261]: Started wazuh-remoted... May 24 13:00:28 ip-172-31-37-181.ec2.internal env[20261]: Started wazuh-logcollector... May 24 13:00:29 ip-172-31-37-181.ec2.internal env[20261]: Started wazuh-monitord... May 24 13:00:30 ip-172-31-37-181.ec2.internal env[20261]: Started wazuh-modulesd... May 24 13:00:33 ip-172-31-37-181.ec2.internal env[20261]: Completed. 
May 24 13:00:33 ip-172-31-37-181.ec2.internal systemd[1]: Started Wazuh manager. ~ ~ ~ ~ ~ ~ ~ ~ ~ [root@ip-172-31-37-181 ec2-user]# ^C [root@ip-172-31-37-181 ec2-user]# ^C [root@ip-172-31-37-181 ec2-user]# yum -y install filebeat Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. Last metadata expiration check: 0:04:07 ago on Fri 24 May 2024 12:57:21 PM UTC. Dependencies resolved. ================================================================================================== Package Architecture Version Repository Size ================================================================================================== Installing: filebeat x86_64 7.10.2-1 wazuh 21 M Transaction Summary ================================================================================================== Install 1 Package Total download size: 21 M Installed size: 70 M Downloading Packages: filebeat-oss-7.10.2-x86_64.rpm 42 MB/s | 21 MB 00:00 -------------------------------------------------------------------------------------------------- Total 42 MB/s | 21 MB 00:00 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : filebeat-7.10.2-1.x86_64 1/1 Running scriptlet: filebeat-7.10.2-1.x86_64 1/1 Verifying : filebeat-7.10.2-1.x86_64 1/1 Installed products updated. Installed: filebeat-7.10.2-1.x86_64 Complete! 
[root@ip-172-31-37-181 ec2-user]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
[root@ip-172-31-37-181 ec2-user]# vi /etc/filebeat/filebeat.yml
[root@ip-172-31-37-181 ec2-user]#
[root@ip-172-31-37-181 ec2-user]# filebeat keystore create
Created filebeat keystore
[root@ip-172-31-37-181 ec2-user]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@ip-172-31-37-181 ec2-user]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@ip-172-31-37-181 ec2-user]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.5-rc1/extensions/elasticsearch/7.x/wazuh-template.json
[root@ip-172-31-37-181 ec2-user]# chmod go+r /etc/filebeat/wazuh-template.json
[root@ip-172-31-37-181 ec2-user]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/archives/
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/_meta/
wazuh/_meta/config.yml
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/alerts/
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/module.yml
[root@ip-172-31-37-181 ec2-user]# NODE_NAME=wazuh-2
[root@ip-172-31-37-181 ec2-user]# mkdir /etc/filebeat/certs
[root@ip-172-31-37-181 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@ip-172-31-37-181 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@ip-172-31-37-181 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@ip-172-31-37-181 ec2-user]# chmod 500 /etc/filebeat/certs
[root@ip-172-31-37-181 ec2-user]# chmod 400 /etc/filebeat/certs/*
[root@ip-172-31-37-181 ec2-user]# chown -R root:root /etc/filebeat/certs
[root@ip-172-31-37-181 ec2-user]# systemctl daemon-reload
[root@ip-172-31-37-181 ec2-user]# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
[root@ip-172-31-37-181 ec2-user]# systemctl start filebeat
[root@ip-172-31-37-181 ec2-user]# filebeat test output
elasticsearch: https://172.31.40.90:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.31.40.90
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

### Cluster configuration :green_circle:

Master Node

```
[root@ip-172-31-40-90 ec2-user]# vi /var/ossec/etc/ossec.conf
  <cluster>
    <name>wazuh</name>
    <node_name>wazuh-1</node_name>
    <node_type>master</node_type>
    <key>5bbc92a57406e1ad16c6c4dcab2cfaf8</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>172.31.40.90</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
[root@ip-172-31-40-90 ec2-user]# systemctl restart wazuh-manager
[root@ip-172-31-40-90 ec2-user]# /var/ossec/bin/cluster_control -l
NAME     TYPE    VERSION  ADDRESS
wazuh-1  master  4.7.0    172.31.40.90
wazuh-2  worker  4.7.0    172.31.37.181
```

Worker Node

```
[root@ip-172-31-37-181 ec2-user]# vi /var/ossec/etc/ossec.conf
  <cluster>
    <name>wazuh</name>
    <node_name>wazuh-2</node_name>
    <node_type>worker</node_type>
    <key>5bbc92a57406e1ad16c6c4dcab2cfaf8</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>172.31.40.90</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
[root@ip-172-31-37-181 ec2-user]# systemctl restart wazuh-manager
```
Wazuh Dashboard 🟢
```
[root@ip-172-31-40-90 ec2-user]# yum install libcap
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:30:46 ago on Fri 24 May 2024 12:39:24 PM UTC.
Package libcap-2.48-6.el8_9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@ip-172-31-40-90 ec2-user]# yum -y install wazuh-dashboard-4.7.0-1
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:33:26 ago on Fri 24 May 2024 12:39:24 PM UTC.
Dependencies resolved.
================================================================================
 Package            Architecture   Version     Repository   Size
================================================================================
Installing:
 wazuh-dashboard    x86_64         4.7.0-1     wazuh        262 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 262 M
Installed size: 884 M
Downloading Packages:
wazuh-dashboard-4.7.0-1.x86_64.rpm             41 MB/s | 262 MB     00:06
--------------------------------------------------------------------------------
Total                                          41 MB/s | 262 MB     00:06
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-dashboard-4.7.0-1.x86_64                         1/1
  Installing       : wazuh-dashboard-4.7.0-1.x86_64                         1/1
  Running scriptlet: wazuh-dashboard-4.7.0-1.x86_64                         1/1
  Verifying        : wazuh-dashboard-4.7.0-1.x86_64                         1/1
Installed products updated.

Installed:
  wazuh-dashboard-4.7.0-1.x86_64

Complete!
[root@ip-172-31-40-90 ec2-user]# vi /etc/wazuh-dashboard/opensearch_dashboards.yml
[root@ip-172-31-40-90 ec2-user]# NODE_NAME=dashboard
[root@ip-172-31-40-90 ec2-user]# mkdir /etc/wazuh-dashboard/certs
[root@ip-172-31-40-90 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
[root@ip-172-31-40-90 ec2-user]# chmod 500 /etc/wazuh-dashboard/certs
[root@ip-172-31-40-90 ec2-user]# chmod 400 /etc/wazuh-dashboard/certs/*
[root@ip-172-31-40-90 ec2-user]# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
[root@ip-172-31-40-90 ec2-user]# systemctl daemon-reload
[root@ip-172-31-40-90 ec2-user]# systemctl enable wazuh-dashboard
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
[root@ip-172-31-40-90 ec2-user]# systemctl start wazuh-dashboard
[root@ip-172-31-40-90 ec2-user]# vi /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
```
Accessing the Wazuh Dashboard 🔴

![image](https://github.com/wazuh/wazuh/assets/56078275/ba22c6ef-2298-4a4a-af30-4986c059141f)
![image](https://github.com/wazuh/wazuh/assets/56078275/ed720eac-d3b1-4600-b456-560cdca05908)

Error
```
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Getting list of valid index patterns...
INFO: Valid index patterns found: 1
INFO: Found default index pattern with title [wazuh-alerts-*]: yes
INFO: Checking the app default pattern exists: id [wazuh-alerts-*]...
INFO: Default pattern with id [wazuh-alerts-*] exists: yes
ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern
INFO: Checking the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id exists [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Checking if the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*]
INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*]
INFO: Template found for the selected index-pattern title [wazuh-alerts-*]: no
ERROR: No template found for the selected index-pattern title [wazuh-alerts-*]
INFO: Index pattern id in cookie: [wazuh-alerts-*]
INFO: Getting index pattern data [wazuh-alerts-*]...
INFO: Index pattern data found: [yes]
INFO: Refreshing index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]...
ACTION: Refreshed index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [timeline:max_buckets]: 200000
INFO: App setting [timeline:max_buckets]: 200000
INFO: Settings mismatch [timeline:max_buckets]: no
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [metaFields]: ["_source","_index"]
INFO: App setting [metaFields]: ["_source","_index"]
INFO: Settings mismatch [metaFields]: no
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [timepicker:timeDefaults]: {"from":"now-24h","to":"now"}
INFO: App setting [timepicker:timeDefaults]: "{\"from\":\"now-24h\",\"to\":\"now\"}"
INFO: Settings mismatch [timepicker:timeDefaults]: no
```
Troubleshooting and resolution 🟢
```
[root@ip-172-31-40-90 ec2-user]# filebeat test output
elasticsearch: https://172.31.40.90:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.31.40.90
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@ip-172-31-40-90 ec2-user]# stat /etc/filebeat/wazuh-template.json
  File: /etc/filebeat/wazuh-template.json
  Size: 62776      Blocks: 128        IO Block: 4096   regular file
Device: 10303h/66307d   Inode: 92394072    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:etc_t:s0
Access: 2024-05-24 14:25:03.173233763 +0000
Modify: 2024-05-24 13:05:14.304813340 +0000
Change: 2024-05-24 13:06:18.888753670 +0000
 Birth: 2024-05-24 12:08:35.811087684 +0000
[root@ip-172-31-40-90 ec2-user]# ^C
[root@ip-172-31-40-90 ec2-user]# ls -l /usr/share/filebeat/module/wazuh/
total 4
drwxr-xr-x. 4 root root 54 Jan 18 17:59 alerts
drwxr-xr-x. 4 root root 54 Jan 18 17:59 archives
drwxr-xr-x. 2 root root 63 Jan 18 17:59 _meta
-rw-r--r--. 1 root root 12 Jan 18 17:59 module.yml
[root@ip-172-31-40-90 ec2-user]# curl -k -u admin:admin https://172.31.40.90:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "c8lSpAc5T22wYZBatWtfhA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
```

This was resolved by inserting the correct template:
```
[root@ip-172-31-40-90 ec2-user]# curl https://raw.githubusercontent.com/wazuh/wazuh/v4.7.5-rc1/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://172.31.40.90:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u admin:admin -k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 62776  100 62776    0     0   467k      0 --:--:-- --:--:-- --:--:--  471k
{"acknowledged":true}
[root@ip-172-31-40-90 ec2-user]# systemctl restart wazuh-manager
```

![image](https://github.com/wazuh/wazuh/assets/56078275/844a05df-d12c-4af0-9236-4918e1c427e1)
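The dashboard error above is raised when no template in the indexer has an `index_patterns` entry that covers the dashboard's `wazuh-alerts-*` pattern, which is what the manual `PUT /_template/wazuh` fixed. The script below is an added example, not Wazuh project code and not part of this test: it asks the indexer what templates it already has, only loads the local `/etc/filebeat/wazuh-template.json` when nothing covers the pattern, and verifies the indexer certificate against the `root-ca.pem` extracted earlier instead of passing `-k`. It assumes the legacy `_template` API (still served by OpenSearch 2.8, as the PUT above shows), the `admin:admin` credentials and file paths used in this thread, and the glob-overlap test is my approximation of the dashboard's check, not the plugin's own logic.

```python
"""Ensure the Wazuh indexer holds a template that covers the dashboard's
index pattern; load the local template only when none does."""
import base64
import fnmatch
import json
import ssl
import sys
import urllib.error
import urllib.request

INDEXER = "https://172.31.40.90:9200"           # indexer node used in this thread
CA_CERT = "/etc/filebeat/certs/root-ca.pem"     # root CA extracted on the server node
TEMPLATE_FILE = "/etc/filebeat/wazuh-template.json"
INDEX_PATTERN = "wazuh-alerts-*"                # dashboard's default index pattern title
CREDENTIALS = ("admin", "admin")                # assumption: same credentials as the thread


def template_covers(templates: dict, index_pattern: str) -> list:
    """Names of templates whose index_patterns overlap `index_pattern`.

    `templates` is the body of GET /_template (name -> template). Two globs are
    treated as overlapping when the literal prefix of either one matches the
    other glob. This approximates the dashboard's check (assumption) and is
    sufficient for 'wazuh-alerts-4.x-*' against 'wazuh-alerts-*'.
    """
    hits = []
    for name, body in templates.items():
        for pat in body.get("index_patterns", []):
            if (fnmatch.fnmatchcase(pat.rstrip("*"), index_pattern)
                    or fnmatch.fnmatchcase(index_pattern.rstrip("*"), pat)):
                hits.append(name)
                break
    return hits


def _decode(raw: bytes) -> dict:
    """Parse a JSON body; keep non-JSON error pages readable instead of crashing."""
    try:
        return json.loads(raw or b"{}")
    except json.JSONDecodeError:
        return {"raw": raw.decode(errors="replace")}


def _call(method: str, path: str, body=None):
    """One basic-auth request to the indexer with certificate chain verification."""
    ctx = ssl.create_default_context(cafile=CA_CERT)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(INDEXER + path, data=data, method=method)
    token = base64.b64encode(":".join(CREDENTIALS).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, _decode(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _decode(err.read())


def ensure_template(index_pattern: str = INDEX_PATTERN,
                    template_file: str = TEMPLATE_FILE) -> list:
    """Return the covering template names, loading the local one if needed."""
    status, templates = _call("GET", "/_template")
    if status != 200:
        raise SystemExit(f"GET /_template failed: {status} {templates}")
    hits = template_covers(templates, index_pattern)
    if hits:
        print(f"{hits} already cover {index_pattern}; nothing to do")
        return hits
    with open(template_file, encoding="utf-8") as fh:
        template = json.load(fh)
    status, reply = _call("PUT", "/_template/wazuh", template)
    if status != 200 or not reply.get("acknowledged"):
        raise SystemExit(f"PUT /_template/wazuh failed: {status} {reply}")
    print(f"loaded 'wazuh' template from {template_file}")
    return ["wazuh"]


if __name__ == "__main__":
    sys.exit(0 if ensure_template() else 1)
```

Run it on the server node after `systemctl start filebeat`; a non-zero exit means the template is still missing. Filebeat itself loads the template on start through the `setup.template.json.*` keys in the Wazuh-provided `filebeat.yml`, and `filebeat setup --index-management` performs that load on demand, so the script is mainly useful as a post-install check before opening the dashboard.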
SeyiSoneye commented 4 months ago

Agent installation 🟢

Wazuh Agent 🟢

Creating a group named TestSonoma:

![image](https://github.com/wazuh/wazuh/assets/56078275/647403c2-f94c-44f9-a2f1-25f6066e4c6c)

## macOS Sonoma x86_64 🟢

1. Generate installation one-liner

![image](https://github.com/wazuh/wazuh/assets/56078275/6cf39594-bf57-447a-bcb9-e96543cf9054)

2. Download and install the agent

```
sh-3.2# curl -so wazuh-agent.pkg https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.5-1.intel64.pkg && echo "WAZUH_MANAGER='54.156.56.146' && WAZUH_AGENT_GROUP='TestSonoma' && WAZUH_AGENT_NAME='sonoma_intel'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
```

3. Start the agent

```
sh-3.2# sudo /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
```

## macOS Sonoma arm 🟢

1. Generate installation one-liner

![image](https://github.com/wazuh/wazuh/assets/56078275/14d8dd2d-8d0e-40a0-a4dc-d5957e5e964e)

2. Download and install the agent

```
sh-3.2# curl -so wazuh-agent.pkg https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.5-1.arm64.pkg && echo "WAZUH_MANAGER='54.156.56.146' && WAZUH_AGENT_GROUP='TestSonoma' && WAZUH_AGENT_NAME='sonoma_arm'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
```

3. Start the agent

```
sh-3.2# sudo /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
```

## Agents overview 🟢:

![image](https://github.com/wazuh/wazuh/assets/56078275/6bc01dea-c0ee-45b6-8329-cd11e4c3d0b3)
SeyiSoneye commented 4 months ago

Log data collection works out of the box 🔴

macOS Sonoma x86_64 🔴

1. Check connection 🟢

![image](https://github.com/wazuh/wazuh/assets/56078275/9c397a45-7bb9-484b-90b4-751f836d84ba)

2. Check data collection 🟢

![image](https://github.com/wazuh/wazuh/assets/56078275/cd653916-d49c-4b08-a20e-815a647a343e)

3. Check security events dashboard (restarted agent to trigger an event) 🔴

![image](https://github.com/wazuh/wazuh/assets/56078275/f7defedc-44d9-4ac9-8e71-9dacd0736238)

4. Check Events 🔴

![image](https://github.com/wazuh/wazuh/assets/56078275/022836a1-7c32-4709-bc0f-ffeb8acb7721)

5. Check Inventory data 🟢

![image](https://github.com/wazuh/wazuh/assets/56078275/7c05fc23-21b6-48fc-8c67-1f7d03d5bd1a)
macOS Sonoma arm 🔴

1. Check connection 🟢

![image](https://github.com/wazuh/wazuh/assets/56078275/7e7cb0a9-070c-4b0b-b07a-35b36dac6dcf)

2. Check data collection 🟢

![image](https://github.com/wazuh/wazuh/assets/56078275/7e01b819-655f-4fa0-a939-57d45c3f6f36)

3. Check security events dashboard (restarted agent to trigger an event) 🔴

![image](https://github.com/wazuh/wazuh/assets/56078275/af0e7f11-4683-495d-a5ed-c58c27773c25)

4. Check Events 🔴

![image](https://github.com/wazuh/wazuh/assets/56078275/92ed48d9-c484-468e-b1b2-4114e8ae3be2)

5. Check Inventory data 🟢

![image](https://github.com/wazuh/wazuh/assets/56078275/db2474fc-a242-447f-913a-54c4705f2950)
Relevant details for troubleshooting

wazuh alerts index pattern:

![image](https://github.com/wazuh/wazuh/assets/56078275/bc0a508d-a021-4428-b725-c2d8a008b89f)

Snippet of /var/ossec/logs/alerts/alerts.log showing alerts are being generated:

![image](https://github.com/wazuh/wazuh/assets/56078275/56503703-0da8-4b6f-ae84-577ee14f63a3)
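The alerts.log snippet shows the manager is producing alerts, so the gap is somewhere between `/var/ossec/logs/alerts/alerts.json` (the file Filebeat actually ships; alerts.log is the human-readable twin) and the `wazuh-alerts-*` index the dashboard reads. The script below is an added example, not part of this thread and not Wazuh code: it counts alerts per agent in alerts.json and compares them with a terms aggregation over the index, so an agent whose alerts never reached the indexer can be told apart from one that simply produced none. The alert lines and the aggregation reply are constructed; on a real cluster feed it the real file and the response to the query it prints.

```python
"""Compare alerts written by the manager with alerts held by the indexer,
per agent, to locate where the manager -> Filebeat -> indexer path breaks."""
import json
from collections import Counter

# Constructed sample of /var/ossec/logs/alerts/alerts.json: one JSON object per
# line; the last line is deliberately cut short, as a live file can be.
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-24T20:10:01.000+0000","rule":{"id":"503","level":3,"description":"Wazuh agent started."},"agent":{"id":"003","name":"sonoma_intel"},"location":"wazuh-agent"}
{"timestamp":"2024-05-24T20:10:02.000+0000","rule":{"id":"503","level":3,"description":"Wazuh agent started."},"agent":{"id":"004","name":"sonoma_arm"},"location":"wazuh-agent"}
{"timestamp":"2024-05-24T20:12:00.000+0000","rule":{"id":"5501","level":3,"description":"PAM: Login session opened."},"agent":{"id":"000","name":"wazuh-1"},"location":"/var/log/secure"}
{"timestamp":"2024-05-24T20:12:05.000+0000","rule":{"id":"5501","lev
"""

# Constructed reply of the indexer to terms_query() for the same window:
# only the manager's own alert made it into the index.
SAMPLE_AGG_REPLY = json.dumps({
    "hits": {"total": {"value": 1, "relation": "eq"}},
    "aggregations": {"by_agent": {"buckets": [{"key": "wazuh-1", "doc_count": 1}]}},
})


def count_local_alerts(alerts_json_text: str, min_level: int = 3) -> Counter:
    """Alerts per agent.name in alerts.json text.

    Lines that are not complete JSON are skipped (the file is appended live).
    alerts.json already holds only alerts at or above the manager's
    log_alert_level (3 by default); raise min_level to look at severe ones only.
    """
    counts = Counter()
    for line in alerts_json_text.splitlines():
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        if alert.get("rule", {}).get("level", 0) >= min_level:
            counts[alert.get("agent", {}).get("name", "?")] += 1
    return counts


def terms_query(since: str = "now-24h") -> dict:
    """Body for POST /wazuh-alerts-*/_search bucketing alerts by agent.name
    (a keyword field in the Wazuh template; the time field is 'timestamp')."""
    return {
        "size": 0,
        "query": {"range": {"timestamp": {"gte": since}}},
        "aggs": {"by_agent": {"terms": {"field": "agent.name", "size": 500}}},
    }


def agents_missing_in_indexer(local: Counter, agg_reply_text: str) -> dict:
    """Agents with alerts in alerts.json but no documents in the index, with
    their local count: those alerts were lost after the manager wrote them."""
    reply = json.loads(agg_reply_text)
    buckets = reply["aggregations"]["by_agent"]["buckets"]
    indexed = {b["key"]: b["doc_count"] for b in buckets}
    return {name: n for name, n in local.items() if indexed.get(name, 0) == 0}


if __name__ == "__main__":
    local = count_local_alerts(SAMPLE_ALERTS)
    print("alerts.json per agent:", dict(local))
    print("query to run against the indexer:", json.dumps(terms_query()))
    print("agents missing in the indexer:", agents_missing_in_indexer(local, SAMPLE_AGG_REPLY))
```

If the agents show up as missing, the next place to look is Filebeat on the node whose alerts.json holds them (`filebeat test output`, then `/var/log/filebeat/filebeat`); if they are present in the index but absent from the dashboard, the index pattern or its time field is the suspect, not the pipeline.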
SeyiSoneye commented 4 months ago

SCA works out of the box 🟢

macOS Sonoma x86_64 🟢

Check the policy status

![image](https://github.com/wazuh/wazuh/assets/56078275/92c6a48d-2226-44d2-9322-8b1ee644428b)
macOS Sonoma arm 🟢

Check the policy status

![image](https://github.com/wazuh/wazuh/assets/56078275/0c1e2ec4-9bf8-4e07-a449-a5c3053469cf)
SeyiSoneye commented 4 months ago

FIM works out of the box 🟡

macOS Sonoma x86_64 🟡

1. Check inventory

![image](https://github.com/wazuh/wazuh/assets/56078275/c8b153d0-083b-49dc-b75a-dbaf98378e70)

2. There are no alerts / events in FIM

![image](https://github.com/wazuh/wazuh/assets/56078275/aa416f65-f603-433d-b3b7-0b3fd3ae3d0c)
macOS Sonoma arm 🟡

1. Check Inventory

![image](https://github.com/wazuh/wazuh/assets/56078275/ac142b36-68e6-497e-b0f9-281d3d9d86e9)

2. There are no alerts / events in FIM

![image](https://github.com/wazuh/wazuh/assets/56078275/f9a68975-64c5-45d8-8a36-41bd3c2e012c)
SeyiSoneye commented 4 months ago

Vulnerability works out of the box 🟡

NOTE: Enable Vulnerability Detection on Wazuh Server.

On the manager side:

```
2024/05/24 20:47:08 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2024/05/24 20:47:08 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '000' vulnerabilities.
2024/05/24 20:47:08 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '000'
2024/05/24 20:47:08 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '003' vulnerabilities.
2024/05/24 20:47:08 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '003'
2024/05/24 20:47:08 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '004' vulnerabilities.
2024/05/24 20:47:08 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '004'
2024/05/24 20:47:08 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
```
macOS Sonoma x86_64

1. Check Dashboard. There are no vulnerabilities.

![image](https://github.com/wazuh/wazuh/assets/56078275/8c02f703-3afb-46dc-b45b-4f5aeb38fb28)

2. Install and detect a vulnerability

```
sh-3.2# curl -o node-v20.2.0.pkg https://nodejs.org/dist/v20.2.0/node-v20.2.0.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 69.9M  100 69.9M    0     0  44.9M      0  0:00:01  0:00:01 --:--:-- 44.9M
sh-3.2# sudo installer -pkg node-v20.2.0.pkg -target /
installer: Package name is Node.js
installer: Installing at base path /
installer: The install was successful.
sh-3.2# node -v
v20.2.0
```

3. Check inventory and events. No data seen

![image](https://github.com/wazuh/wazuh/assets/56078275/8c02f703-3afb-46dc-b45b-4f5aeb38fb28)
![image](https://github.com/wazuh/wazuh/assets/56078275/a8625627-ada7-4941-a609-1c057a48bfa7)
macOS Sonoma arm

1. Check Dashboard. There are no vulnerabilities

![image](https://github.com/wazuh/wazuh/assets/56078275/e2b3a551-2259-4c8b-bccc-3253fe0961ce)

2. Install and detect a vulnerability

```
sh-3.2# curl -o node-v20.2.0.pkg https://nodejs.org/dist/v20.2.0/node-v20.2.0.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 69.9M  100 69.9M    0     0  71.4M      0 --:--:-- --:--:-- --:--:-- 71.4M
sh-3.2# sudo installer -pkg node-v20.2.0.pkg -target /
installer: Package name is Node.js
installer: Installing at base path /
installer: The install was successful.
sh-3.2# node -v
v20.2.0
```

From manager:

```
2024/05/24 21:01:41 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '003' vulnerabilities.
2024/05/24 21:01:41 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/05/24 21:01:41 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '003'
2024/05/24 21:01:41 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
```

3. Check inventory and events. No data seen

![image](https://github.com/wazuh/wazuh/assets/56078275/81c7ebe4-96a1-4e46-80de-61b8b8dde6b6)
![image](https://github.com/wazuh/wazuh/assets/56078275/c8cbd6d6-c1df-4e61-adb3-97e01d05e699)
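The manager log shows the scan ran for agents 003 and 004 while the dashboard stayed empty. That has two different explanations: either syscollector never inventoried the pkg-installed Node.js, so the detector had nothing to match, or it did and the detector failed to match it against the feed. The script below is an added example, not Wazuh code and not part of this test, and separates those two cases through the Wazuh API: it obtains a JWT from `POST /security/user/authenticate?raw=true`, queries `GET /syscollector/{agent_id}/packages?name=...`, and classifies the result. It assumes the manager's public IP from the one-liners above, an API user passed on the command line, the 4.x response shape with `data.affected_items` (an assumption from the API documentation), and a copy of the API server certificate so the TLS connection is verified; the sample reply is constructed.

```python
"""Check whether syscollector inventoried a package on a given agent, so a
silent Vulnerability Detection can be attributed to collection or to matching."""
import base64
import getpass
import json
import ssl
import sys
import urllib.parse
import urllib.request

API = "https://54.156.56.146:55000"                     # manager public IP used by the agents above
API_CA = "/var/ossec/api/configuration/ssl/server.crt"  # assumption: local copy of the API cert

# Constructed reply of GET /syscollector/{agent_id}/packages?name=node in the
# Wazuh 4.x API shape (assumption: data.affected_items holds the packages).
SAMPLE_REPLY = {
    "data": {
        "affected_items": [
            {"name": "node", "version": "20.2.0", "format": "pkg",
             "vendor": "Node.js Foundation", "architecture": "x86_64"},
            {"name": "wazuh-agent", "version": "4.7.5", "format": "pkg",
             "vendor": "Wazuh", "architecture": "x86_64"},
        ],
        "total_affected_items": 2, "total_failed_items": 0, "failed_items": [],
    },
    "message": "All specified syscollector information was returned",
    "error": 0,
}


def api_token(user: str, password: str, ctx: ssl.SSLContext) -> str:
    """POST /security/user/authenticate?raw=true with basic auth; the body is the JWT."""
    req = urllib.request.Request(API + "/security/user/authenticate?raw=true", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode().strip()


def fetch_packages(agent_id: str, name: str, token: str, ctx: ssl.SSLContext) -> dict:
    """GET /syscollector/{agent_id}/packages filtered by package name."""
    query = urllib.parse.urlencode({"name": name})
    req = urllib.request.Request(f"{API}/syscollector/{agent_id}/packages?{query}")
    req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def packages_named(reply: dict, name: str) -> list:
    """(name, version, format) of inventory items whose name contains `name`."""
    items = reply.get("data", {}).get("affected_items", [])
    return [(p.get("name"), p.get("version"), p.get("format"))
            for p in items if name.lower() in (p.get("name") or "").lower()]


def diagnose(reply: dict, name: str, expected_version: str) -> str:
    """Classify why Vulnerability Detection may be silent for a package."""
    found = packages_named(reply, name)
    if not found:
        return "not-in-inventory"     # syscollector never collected it; the detector cannot see it
    if any(version == expected_version for _, version, _ in found):
        return "in-inventory"         # collected as expected; feed or matching is the next suspect
    return "version-mismatch"         # collected, but under a different version string


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} <agent_id> <package> <version> <api_user>")
    agent_id, package, version, user = sys.argv[1:]
    ctx = ssl.create_default_context(cafile=API_CA)
    token = api_token(user, getpass.getpass("API password: "), ctx)
    reply = fetch_packages(agent_id, package, token, ctx)
    for entry in packages_named(reply, package):
        print("inventory:", entry)
    print("verdict:", diagnose(reply, package, version))
```

For the run above the call would be `python3 check_pkg.py 003 node 20.2.0 wazuh`. A `not-in-inventory` verdict points at macOS package collection on the agent (syscollector's `<packages>` scan); `in-inventory` points at the detector's handling of `pkg`-format entries, which is the case the linked issues track.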
cborla commented 4 months ago

Hello @SeyiSoneye. We are reviewing the test; at first sight the procedure you executed seems correct, but you tested wazuh-manager-4.7.0 instead of wazuh-manager-4.7.5.

This may be the cause of the problems encountered. I think the test should be repeated using version 4.7.5.

SeyiSoneye commented 4 months ago

Wazuh central components installation (v4.7.5)

Wazuh Indexer 🟢
```
[root@ip-172-31-40-90 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.7/config.yml
[root@ip-172-31-40-90 ec2-user]# curl -sO https://packages-dev.wazuh.com/4.7/wazuh-certs-tool.sh
[root@ip-172-31-40-90 ec2-user]# vi config.yml
[root@ip-172-31-40-90 ec2-user]# cat config.yml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "172.31.40.90"
    #- name: node-2
    #  ip: ""
    #- name: node-3
    #  ip: ""

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "172.31.40.90"
      node_type: master
    - name: wazuh-2
      ip: "172.31.37.181"
      node_type: worker
    #- name: wazuh-3
    #  ip: ""
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "172.31.40.90"
[root@ip-172-31-40-90 ec2-user]# bash ./wazuh-certs-tool.sh -A
27/05/2024 15:55:16 INFO: Admin certificates created.
27/05/2024 15:55:17 INFO: Wazuh indexer certificates created.
27/05/2024 15:55:22 INFO: Wazuh server certificates created.
27/05/2024 15:55:22 INFO: Wazuh dashboard certificates created.
[root@ip-172-31-40-90 ec2-user]# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
./
./root-ca.key
./root-ca.pem
./admin-key.pem
./admin.pem
./node-1-key.pem
./node-1.pem
./wazuh-1-key.pem
./wazuh-1.pem
./wazuh-2-key.pem
./wazuh-2.pem
./dashboard-key.pem
./dashboard.pem
[root@ip-172-31-40-90 ec2-user]# yum install coreutils
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:06:46 ago on Fri 24 May 2024 12:29:09 PM UTC.
Package coreutils-8.30-15.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@ip-172-31-40-90 ec2-user]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@ip-172-31-40-90 ec2-user]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@ip-172-31-40-90 ec2-user]# yum -y install wazuh-indexer-4.7.5-1
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
EL-8 - Wazuh                                   11 kB/s | 3.4 kB     00:00
Dependencies resolved.
================================================================================
 Package          Architecture   Version     Repository   Size
================================================================================
Installing:
 wazuh-indexer    x86_64         4.7.5-1     wazuh        673 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 673 M
Installed size: 930 M
Downloading Packages:
wazuh-indexer-4.7.5-1.x86_64.rpm               51 MB/s | 673 MB     00:13
--------------------------------------------------------------------------------
Total                                          51 MB/s | 673 MB     00:13
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-indexer-4.7.5-1.x86_64                           1/1
  Installing       : wazuh-indexer-4.7.5-1.x86_64                           1/1
  Running scriptlet: wazuh-indexer-4.7.5-1.x86_64                           1/1
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
  Verifying        : wazuh-indexer-4.7.5-1.x86_64                           1/1
Installed products updated.

Installed:
  wazuh-indexer-4.7.5-1.x86_64

Complete!
[root@ip-172-31-40-90 ec2-user]# NODE_NAME=node-1
[root@ip-172-31-40-90 ec2-user]# rm -rf /etc/wazuh-indexer/certs
[root@ip-172-31-40-90 ec2-user]# mkdir /etc/wazuh-indexer/certs
[root@ip-172-31-40-90 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
[root@ip-172-31-40-90 ec2-user]# chmod 500 /etc/wazuh-indexer/certs
[root@ip-172-31-40-90 ec2-user]# chmod 400 /etc/wazuh-indexer/certs/*
[root@ip-172-31-40-90 ec2-user]# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
[root@ip-172-31-40-90 ec2-user]# systemctl daemon-reload
[root@ip-172-31-40-90 ec2-user]# systemctl enable wazuh-indexer
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service.
[root@ip-172-31-40-90 ec2-user]# systemctl start wazuh-indexer
[root@ip-172-31-40-90 ec2-user]# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.8.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
[root@ip-172-31-40-90 ec2-user]# curl -k -u admin:admin https://172.31.40.90:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "BnheRypmSSm5YRodygvpTw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@ip-172-31-40-90 ec2-user]# curl -k -u admin:admin https://172.31.40.90:9200/_cat/nodes?v
ip           heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
172.31.40.90           27          93  14    0.44    0.45     0.26 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@ip-172-31-40-90 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2024-05-27 16:06:04 UTC; 1min 47s ago
     Docs: https://documentation.wazuh.com
 Main PID: 71647 (java)
    Tasks: 54 (limit: 22454)
   Memory: 1.2G
   CGroup: /system.slice/wazuh-indexer.service
           └─71647 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.>

May 27 16:05:40 ip-172-31-40-90.ec2.internal systemd[1]: Starting Wazuh-indexer...
May 27 16:05:43 ip-172-31-40-90.ec2.internal systemd-entrypoint[71647]: WARNING: A terminally deprecated method in java.lang.System has bee>
May 27 16:05:43 ip-172-31-40-90.ec2.internal systemd-entrypoint[71647]: WARNING: System::setSecurityManager has been called by org.opensear>
May 27 16:05:43 ip-172-31-40-90.ec2.internal systemd-entrypoint[71647]: WARNING: Please consider reporting this to the maintainers of org.o>
May 27 16:05:43 ip-172-31-40-90.ec2.internal systemd-entrypoint[71647]: WARNING: System::setSecurityManager will be removed in a future rel>
May 27 16:05:45 ip-172-31-40-90.ec2.internal systemd-entrypoint[71647]: WARNING: A terminally deprecated method in java.lang.System has bee>
May 27 16:05:45 ip-172-31-40-90.ec2.internal systemd-entrypoint[71647]: WARNING: System::setSecurityManager has been called by org.opensear>
May 27 16:05:45 ip-172-31-40-90.ec2.internal systemd-entrypoint[71647]: WARNING: Please consider reporting this to the maintainers of org.o>
May 27 16:05:45 ip-172-31-40-90.ec2.internal systemd-entrypoint[71647]: WARNING: System::setSecurityManager will be removed in a future rel>
May 27 16:06:04 ip-172-31-40-90.ec2.internal systemd[1]: Started Wazuh-indexer.
```
Wazuh Server 🟢

### Master node :green_circle:
```
[root@ip-172-31-40-90 ec2-user]# yum -y install wazuh-manager-4.7.5-1
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:08:19 ago on Mon 27 May 2024 03:59:59 PM UTC.
Dependencies resolved.
================================================================================
 Package          Architecture   Version     Repository   Size
================================================================================
Installing:
 wazuh-manager    x86_64         4.7.5-1     wazuh        165 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 165 M
Installed size: 600 M
Downloading Packages:
wazuh-manager-4.7.5-1.x86_64.rpm               41 MB/s | 165 MB     00:04
--------------------------------------------------------------------------------
Total                                          41 MB/s | 165 MB     00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-manager-4.7.5-1.x86_64                           1/1
  Installing       : wazuh-manager-4.7.5-1.x86_64                           1/1
  Running scriptlet: wazuh-manager-4.7.5-1.x86_64                           1/1
  Verifying        : wazuh-manager-4.7.5-1.x86_64                           1/1
Installed products updated.

Installed:
  wazuh-manager-4.7.5-1.x86_64

Complete!
[root@ip-172-31-40-90 ec2-user]# systemctl daemon-reload
[root@ip-172-31-40-90 ec2-user]# systemctl enable wazuh-manager
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.
[root@ip-172-31-40-90 ec2-user]# systemctl start wazuh-manager
[root@ip-172-31-40-90 ec2-user]# yum -y install filebeat
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:15:07 ago on Mon 27 May 2024 03:59:59 PM UTC.
Dependencies resolved.
================================================================================
 Package          Architecture   Version     Repository   Size
================================================================================
Installing:
 filebeat         x86_64         7.10.2-1    wazuh        21 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 21 M
Installed size: 70 M
Downloading Packages:
filebeat-oss-7.10.2-x86_64.rpm                 42 MB/s |  21 MB     00:00
--------------------------------------------------------------------------------
Total                                          42 MB/s |  21 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : filebeat-7.10.2-1.x86_64                               1/1
  Running scriptlet: filebeat-7.10.2-1.x86_64                               1/1
  Verifying        : filebeat-7.10.2-1.x86_64                               1/1
Installed products updated.

Installed:
  filebeat-7.10.2-1.x86_64

Complete!
[root@ip-172-31-40-90 ec2-user]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
[root@ip-172-31-40-90 ec2-user]# vi /etc/filebeat/filebeat.yml
[root@ip-172-31-40-90 ec2-user]# filebeat keystore create
Created filebeat keystore
[root@ip-172-31-40-90 ec2-user]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@ip-172-31-40-90 ec2-user]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@ip-172-31-40-90 ec2-user]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.5-rc1/extensions/elasticsearch/7.x/wazuh-template.json
[root@ip-172-31-40-90 ec2-user]# chmod go+r /etc/filebeat/wazuh-template.json
[root@ip-172-31-40-90 ec2-user]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/archives/
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/_meta/
wazuh/_meta/config.yml
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/alerts/
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/module.yml
[root@ip-172-31-40-90 ec2-user]# NODE_NAME=wazuh-1
[root@ip-172-31-40-90 ec2-user]# mkdir /etc/filebeat/certs
[root@ip-172-31-40-90 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@ip-172-31-40-90 ec2-user]# chmod 500 /etc/filebeat/certs
[root@ip-172-31-40-90 ec2-user]# chmod 400 /etc/filebeat/certs/*
[root@ip-172-31-40-90 ec2-user]# chown -R root:root /etc/filebeat/certs
[root@ip-172-31-40-90 ec2-user]# systemctl daemon-reload
[root@ip-172-31-40-90 ec2-user]# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
[root@ip-172-31-40-90 ec2-user]# systemctl start filebeat
[root@ip-172-31-40-90 ec2-user]# filebeat test output
elasticsearch: https://172.31.40.90:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.31.40.90
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

### Worker node :green_circle:
```
[root@ip-172-31-37-181 ec2-user]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@ip-172-31-37-181 ec2-user]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@ip-172-31-37-181 ec2-user]# yum -y install wazuh-manager-4.7.5-1
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
EL-8 - Wazuh                                   12 kB/s | 3.4 kB     00:00
Dependencies resolved.
==================================================================================================
 Package                  Architecture          Version               Repository          Size
==================================================================================================
Installing:
 wazuh-manager            x86_64                4.7.5-1               wazuh               165 M

Transaction Summary
==================================================================================================
Install  1 Package

Total download size: 165 M
Installed size: 600 M
Downloading Packages:
wazuh-manager-4.7.5-1.x86_64.rpm                                          40 MB/s | 165 MB     00:04
--------------------------------------------------------------------------------------------------
Total                                                                     40 MB/s | 165 MB     00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                          1/1
  Running scriptlet: wazuh-manager-4.7.5-1.x86_64                                             1/1
  Installing       : wazuh-manager-4.7.5-1.x86_64                                             1/1
  Running scriptlet: wazuh-manager-4.7.5-1.x86_64                                             1/1
  Running scriptlet: wazuh-manager-4.7.5-1.x86_64                                             1/1
  Verifying        : wazuh-manager-4.7.5-1.x86_64                                             1/1
Installed products updated.

Installed:
  wazuh-manager-4.7.5-1.x86_64

Complete!
[root@ip-172-31-37-181 ec2-user]# systemctl daemon-reload
[root@ip-172-31-37-181 ec2-user]# systemctl enable wazuh-manager
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.
[root@ip-172-31-37-181 ec2-user]# systemctl start wazuh-manager
[root@ip-172-31-37-181 ec2-user]# yum -y install filebeat
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:14:48 ago on Mon 27 May 2024 04:00:17 PM UTC.
Dependencies resolved.
=============================================================================================================================================================
 Package                  Architecture            Version                     Repository              Size
=============================================================================================================================================================
Installing:
 filebeat                 x86_64                  7.10.2-1                    wazuh                   21 M

Transaction Summary
=============================================================================================================================================================
Install  1 Package

Total download size: 21 M
Installed size: 70 M
Downloading Packages:
filebeat-oss-7.10.2-x86_64.rpm                                                                               17 MB/s |  21 MB     00:01
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                        17 MB/s |  21 MB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                     1/1
  Installing       : filebeat-7.10.2-1.x86_64                                                                                                            1/1
  Running scriptlet: filebeat-7.10.2-1.x86_64                                                                                                            1/1
  Verifying        : filebeat-7.10.2-1.x86_64                                                                                                            1/1
Installed products updated.

Installed:
  filebeat-7.10.2-1.x86_64

Complete!
[root@ip-172-31-37-181 ec2-user]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
[root@ip-172-31-37-181 ec2-user]# vi /etc/filebeat/filebeat.yml
[root@ip-172-31-37-181 ec2-user]#
[root@ip-172-31-37-181 ec2-user]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
vi /etc/filebeat/filebeat.yml
[root@ip-172-31-37-181 ec2-user]#
[root@ip-172-31-37-181 ec2-user]# filebeat keystore create
Created filebeat keystore
[root@ip-172-31-37-181 ec2-user]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@ip-172-31-37-181 ec2-user]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
[root@ip-172-31-37-181 ec2-user]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.5-rc1/extensions/elasticsearch/7.x/wazuh-template.json
[root@ip-172-31-37-181 ec2-user]# chmod go+r /etc/filebeat/wazuh-template.json
[root@ip-172-31-37-181 ec2-user]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/archives/
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/_meta/
wazuh/_meta/config.yml
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/alerts/
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/module.yml
[root@ip-172-31-37-181 ec2-user]# NODE_NAME=wazuh-2
[root@ip-172-31-37-181 ec2-user]# mkdir /etc/filebeat/certs
[root@ip-172-31-37-181 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@ip-172-31-37-181 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@ip-172-31-37-181 ec2-user]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@ip-172-31-37-181 ec2-user]# chmod 500 /etc/filebeat/certs
[root@ip-172-31-37-181 ec2-user]# chmod 400 /etc/filebeat/certs/*
[root@ip-172-31-37-181 ec2-user]# chown -R root:root /etc/filebeat/certs
[root@ip-172-31-37-181 ec2-user]# systemctl daemon-reload
[root@ip-172-31-37-181 ec2-user]# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
[root@ip-172-31-37-181 ec2-user]#
[root@ip-172-31-37-181 ec2-user]# systemctl start filebeat
[root@ip-172-31-37-181 ec2-user]# filebeat test output
elasticsearch: https://172.31.40.90:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.31.40.90
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

### Cluster configuration :green_circle:

Master Node

```
[root@ip-172-31-40-90 ec2-user]# vi /var/ossec/etc/ossec.conf
wazuh
wazuh-1
master
5bbc92a57406e1ad16c6c4dcab2cfaf8
1516
0.0.0.0
172.31.40.90
no
no
[root@ip-172-31-40-90 ec2-user]# systemctl restart wazuh-manager
[root@ip-172-31-40-90 ec2-user]# /var/ossec/bin/cluster_control -l
NAME     TYPE    VERSION  ADDRESS
wazuh-1  master  4.7.5    172.31.40.90
wazuh-2  worker  4.7.5    172.31.37.181
```

Worker Node

```
[root@ip-172-31-37-181 ec2-user]# vi /var/ossec/etc/ossec.conf
wazuh
wazuh-2
worker
5bbc92a57406e1ad16c6c4dcab2cfaf8
1516
0.0.0.0
172.31.40.90
no
no
[root@ip-172-31-37-181 ec2-user]# systemctl restart wazuh-manager
```
Wazuh Dashboard 🟢

```
[root@ip-172-31-40-90 ec2-user]# yum -y install wazuh-dashboard-4.7.5-1
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:53:42 ago on Mon 27 May 2024 03:59:59 PM UTC.
Dependencies resolved.
============================================================================================================================================
 Package                    Architecture            Version                   Repository              Size
============================================================================================================================================
Installing:
 wazuh-dashboard            x86_64                  4.7.5-1                   wazuh                   264 M

Transaction Summary
============================================================================================================================================
Install  1 Package

Total download size: 264 M
Installed size: 892 M
Downloading Packages:
wazuh-dashboard-4.7.5-1.x86_64.rpm                                                          45 MB/s | 264 MB     00:05
--------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                       45 MB/s | 264 MB     00:05
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                    1/1
  Running scriptlet: wazuh-dashboard-4.7.5-1.x86_64                                                                                     1/1
  Installing       : wazuh-dashboard-4.7.5-1.x86_64                                                                                     1/1
  Running scriptlet: wazuh-dashboard-4.7.5-1.x86_64                                                                                     1/1
  Verifying        : wazuh-dashboard-4.7.5-1.x86_64                                                                                     1/1
Installed products updated.

Installed:
  wazuh-dashboard-4.7.5-1.x86_64

Complete!
[root@ip-172-31-40-90 ec2-user]# vi /etc/wazuh-dashboard/opensearch_dashboards.yml
[root@ip-172-31-40-90 ec2-user]# NODE_NAME=dashboard
[root@ip-172-31-40-90 ec2-user]# mkdir /etc/wazuh-dashboard/certs
[root@ip-172-31-40-90 ec2-user]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
[root@ip-172-31-40-90 ec2-user]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
[root@ip-172-31-40-90 ec2-user]# chmod 500 /etc/wazuh-dashboard/certs
[root@ip-172-31-40-90 ec2-user]# chmod 400 /etc/wazuh-dashboard/certs/*
[root@ip-172-31-40-90 ec2-user]# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
[root@ip-172-31-40-90 ec2-user]# systemctl daemon-reload
[root@ip-172-31-40-90 ec2-user]# systemctl enable wazuh-dashboard
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
[root@ip-172-31-40-90 ec2-user]# systemctl start wazuh-dashboard
[root@ip-172-31-40-90 ec2-user]# vi /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
```
Accessing the Wazuh Dashboard 🔴

![image](https://github.com/wazuh/wazuh/assets/56078275/9c954054-eb1c-436a-8ddb-f2d7ceac9810)

Error

```
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Getting list of valid index patterns...
INFO: Valid index patterns found: 1
INFO: Found default index pattern with title [wazuh-alerts-*]: yes
INFO: Checking the app default pattern exists: id [wazuh-alerts-*]...
INFO: Default pattern with id [wazuh-alerts-*] exists: yes
ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern
INFO: Checking the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id exists [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Checking if the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*]
INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*]
INFO: Template found for the selected index-pattern title [wazuh-alerts-*]: no
ERROR: No template found for the selected index-pattern title [wazuh-alerts-*]
INFO: Index pattern id in cookie: [wazuh-alerts-*]
INFO: Getting index pattern data [wazuh-alerts-*]...
INFO: Index pattern data found: [yes]
INFO: Refreshing index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]...
ACTION: Refreshed index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [timeline:max_buckets]: 200000
INFO: App setting [timeline:max_buckets]: 200000
INFO: Settings mismatch [timeline:max_buckets]: no
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [metaFields]: ["_source","_index"]
INFO: App setting [metaFields]: ["_source","_index"]
INFO: Settings mismatch [metaFields]: no
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [timepicker:timeDefaults]: {"from":"now-24h","to":"now"}
INFO: App setting [timepicker:timeDefaults]: "{\"from\":\"now-24h\",\"to\":\"now\"}"
INFO: Settings mismatch [timepicker:timeDefaults]: no
```
Index pattern

![image](https://github.com/wazuh/wazuh/assets/56078275/fade3871-cf76-449f-8685-15f236f54818)

![image](https://github.com/wazuh/wazuh/assets/56078275/87c7b4e7-f581-4613-be1e-0d2ec3283961)

![image](https://github.com/wazuh/wazuh/assets/56078275/0d1b55ce-c4a6-46fe-ac2b-cb4d82e18431)
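Two things in the transcript above are worth verifying on the server node before opening the dashboard: the certificate hardening steps (`chmod 500` on `/etc/filebeat/certs`, `chmod 400` on its files, `chown -R root:root`) and whether the downloaded `wazuh-template.json` declares index patterns that the dashboard's index-pattern title `wazuh-alerts-*` actually covers, which is the condition behind the `No template found for the selected index-pattern title [wazuh-alerts-*]` error. The following shell script is an added example, not Wazuh project code and not part of the test run above. The function names, the default paths and the minimal sample template it writes are assumptions made for the example; the real `wazuh-template.json` also carries settings and full mappings. Note that the dashboard checks the templates loaded in the indexer, not the file on disk, so a file that passes this check still has to be loaded by Filebeat; confirming that means querying the indexer's `_cat/templates` API.

```shell
#!/usr/bin/env bash
# Added post-deployment checks for a Wazuh server node running Filebeat.
# Example code, not part of the Wazuh project. Defaults point at the paths
# used in the transcript above; both can be overridden by argument so the
# functions also run against a scratch directory.

# check_cert_perms DIR [OWNER]
# Verifies the state the chmod 500 / chmod 400 / chown root:root steps intend:
# directory mode 500, every file inside mode 400, everything owned by OWNER
# (root unless given). Each deviation is printed to stderr; returns 1 if any.
check_cert_perms() {
  local dir="${1:-/etc/filebeat/certs}" owner="${2:-root}" rc=0 p mode
  if [ ! -d "$dir" ]; then
    echo "missing directory: $dir" >&2
    return 1
  fi
  mode=$(stat -c '%a' "$dir")
  if [ "$mode" != "500" ]; then
    echo "bad mode on $dir: $mode (want 500)" >&2; rc=1
  fi
  for p in "$dir"/*; do
    [ -e "$p" ] || continue            # empty directory: nothing to check
    mode=$(stat -c '%a' "$p")
    if [ "$mode" != "400" ]; then
      echo "bad mode on $p: $mode (want 400)" >&2; rc=1
    fi
  done
  for p in "$dir" "$dir"/*; do
    [ -e "$p" ] || continue
    if [ "$(stat -c '%U' "$p")" != "$owner" ]; then
      echo "bad owner on $p: $(stat -c '%U' "$p") (want $owner)" >&2; rc=1
    fi
  done
  return "$rc"
}

# template_covers_pattern TEMPLATE_JSON TITLE
# Reads the index_patterns array out of an index template file and reports
# whether the dashboard's index-pattern TITLE (a glob such as wazuh-alerts-*)
# selects indices the template applies to: the literal prefix of each template
# pattern (text before its first '*') is matched against TITLE as a glob.
# Returns 0 when at least one template pattern is covered, 1 otherwise.
template_covers_pattern() {
  local file="$1" title="$2" patterns pat prefix
  # Join lines first so a pretty-printed array still parses.
  patterns=$(tr -d '\n' < "$file" | grep -o '"index_patterns"[^]]*]' \
             | grep -o '"[^"]*"' | sed -e '1d' -e 's/"//g')
  if [ -z "$patterns" ]; then
    echo "no index_patterns found in $file" >&2
    return 1
  fi
  while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    prefix="${pat%%\**}"
    case "$prefix" in
      $title) echo "template pattern '$pat' is covered by '$title'"; return 0 ;;
    esac
  done <<EOF
$patterns
EOF
  echo "no template pattern is covered by '$title'" >&2
  return 1
}

# write_sample_template FILE
# Writes a constructed, minimal template with only the field this check reads;
# the real wazuh-template.json also carries settings and full mappings.
write_sample_template() {
  cat > "$1" <<'EOF'
{
  "order": 1,
  "index_patterns": [
    "wazuh-alerts-4.x-*",
    "wazuh-archives-4.x-*"
  ],
  "settings": { "index.refresh_interval": "5s" }
}
EOF
}

# Usage on the server node, as root:
#   . ./wazuh-postchecks.sh
#   check_cert_perms /etc/filebeat/certs
#   template_covers_pattern /etc/filebeat/wazuh-template.json 'wazuh-alerts-*'
```

The ownership argument exists so the same function can be exercised against a scratch directory owned by an unprivileged user; on the real node it is left at its default of `root`, matching the `chown -R root:root` step. The glob check deliberately uses only the template pattern's literal prefix, so a dashboard title of `wazuh-alerts-*` is reported as covered by `wazuh-alerts-4.x-*` but not by `wazuh-archives-4.x-*`.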
SeyiSoneye commented 4 months ago

@cborla The results are the same with 4.7.5.

Same error: `[Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*]`. Still see the previous comment for all steps.

Indexer

```
[root@ip-172-31-40-90 ec2-user]# yum -y install wazuh-indexer-4.7.5-1
```

Master node

```
[root@ip-172-31-40-90 ec2-user]# yum -y install wazuh-manager-4.7.5-1
[root@ip-172-31-37-181 ec2-user]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.5-rc1/extensions/elasticsearch/7.x/wazuh-template.json
```

Worker node

```
[root@ip-172-31-37-181 ec2-user]# yum -y install wazuh-manager-4.7.5-1
[root@ip-172-31-37-181 ec2-user]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.7.5-rc1/extensions/elasticsearch/7.x/wazuh-template.json
```

Dashboard

```
[root@ip-172-31-40-90 ec2-user]# yum -y install wazuh-dashboard-4.7.5-1
```
cborla commented 4 months ago

Even though the test was done again, it is indicated that the errors persist. What is still pending is to include the project to which each issue belongs; in this case, and according to the evidence in the tests, I understand that the project to assign to each issue is dashboard.