Release 4.8.0 - RC 4 - E2E UX tests - Demo environment

[davidjiglesias]

End-to-End (E2E) Testing Guideline

• Documentation: Always consult the development documentation for the current stage tag at this link. Be careful because some of the description steps might refer to a current version in production, always navigate using the current development documention for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and urls for the correct testing of the development packages.
• Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
• Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the DevOps team through this link.
• External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the DevOps team here.
• Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
• Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
• Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
• Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
• Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
• Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing objective and Urgent priority. Communicate these to the team and QA via the c-release Slack channel.
• Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
• Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
• Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example https://github.com/wazuh/wazuh/issues/13994.
• Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/devel-devops team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
• For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

• 🟢 All checks passed
• 🟡 Found a known issue
• 🔴 Found a new error

Issue delivery and completion

• Initial delivery: The issue's assignee must complete the testing and deliver the results by Jun 09, 2024 and notify the @wazuh/devel-devops team via Slack using the c-release channel
• Review: The @wazuh/devel-devops team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Jun 10, 2024 date (issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
• Auditor: The QA team must audit, validate the results, and close the issue by Jun 11, 2024.

Deployment requirements

Component	Installation	Type	OS
Indexer
Server
Dashboard		-
Agent		-

Test description

Test demo.wazuh.info environment:

• Check that there are no errors in the manager, agent, cluster, indexer, and dashboard logs.
• Check that the Wazuh daemons are running with the expected user.
• Check that the status of the indexer cluster is the expected.
• Check that there are no errors in the browser's developer console when browsing the App.
• Check that there are alerts for each of the modules configured.
• Check that no warning symbols appear in the browser's developer console when browsing the App
• Generate an alert and check that this alert appears in the dashboard (end to end)
• Check that the search engine works without specifying a field and using *

To access the demo environment, please contact @devel-devops.

Known issues

• https://github.com/wazuh/wazuh-dashboard-plugins/issues/4108
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/4092
• https://github.com/wazuh/wazuh-packages/issues/1749
• https://github.com/wazuh/wazuh/issues/13253
• https://github.com/wazuh/wazuh/issues/5214
• https://github.com/wazuh/wazuh/issues/8580
• https://github.com/wazuh/wazuh/issues/8581
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/4406
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/4407
• https://github.com/wazuh/wazuh/issues/14710
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/4232
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/4074
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/5745
• https://github.com/wazuh/wazuh-packages/issues/2139
• https://github.com/wazuh/wazuh/issues/18593
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/5821
• https://github.com/wazuh/wazuh-automation/issues/1113
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/5749
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/5750
• https://github.com/wazuh/wazuh-dashboard-plugins/4121
• https://github.com/wazuh/wazuh-dashboard-plugins/5332
• https://github.com/wazuh/wazuh-dashboard-plugins/6022
• https://github.com/wazuh/wazuh-automation/issues/1369
• https://github.com/wazuh/wazuh-dashboard-plugins/6023
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/6182
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/6216
• https://github.com/wazuh/wazuh/issues/21829

Conclusions :yellow_circle:

Summarize the errors detected (Known Issues included). Illustrate using the table below:

Status	Test	Failure Type	Notes
🟡	Check Agent, Dashboard, Indexer, and Manager Logs	Errors and Warning Logs	https://github.com/wazuh/wazuh/issues/13253
🟡	Check Agent, Dashboard, Indexer, and Manager Logs	Errors and Warning Logs	https://github.com/wazuh/wazuh-packages/issues/2685
🟡	Check Browser's Developer Console for Errors While Browsing the App	Console Errors and Warning Messages	https://github.com/wazuh/wazuh-dashboard-plugins/issues/4092
🟡	Check Browser's Developer Console for Errors While Browsing the App	Console Errors and Warning Messages	https://github.com/wazuh/wazuh-dashboard-plugins/issues/4108
🟡	Check Browser's Developer Console for Errors While Browsing the App	Console Errors and Warning Messages	https://github.com/wazuh/wazuh-dashboard-plugins/issues/4121
🟡	Check Browser's Developer Console for Errors While Browsing the App	Console Errors and Warning Messages	https://github.com/wazuh/wazuh-dashboard-plugins/issues/5332
🟡	Check Browser's Developer Console for Errors While Browsing the App	Console Errors and Warning Messages	https://github.com/wazuh/wazuh-dashboard-plugins/issues/5821
🟡	Check Browser's Developer Console for Errors While Browsing the App	Console Errors and Warning Messages	https://github.com/wazuh/wazuh-dashboard-plugins/issues/5869
🟡	Check Browser's Developer Console for Errors While Browsing the App	Console Errors and Warning Messages	https://github.com/wazuh/wazuh-dashboard-plugins/issues/6022
🟡	Check Browser's Developer Console for Errors While Browsing the App	Console Errors and Warning Messages	https://github.com/wazuh/wazuh-dashboard-plugins/issues/6318
🟡	Check Browser's Developer Console for Errors While Browsing the App	Console Errors and Warning Messages	https://github.com/wazuh/wazuh-dashboard-plugins/issues/6320
🟡	Check that there are Alerts for each of the Modules Configured	Docker is not installed on the agents	None
🟡	Check that there are Alerts for each of the Modules Configured	Unnecessary ENV2 Virus Total Setting	https://github.com/wazuh/wazuh-automation/issues/1369

Feedback

We value your feedback. Please provide insights on your testing experience.

• Was the testing guideline clear? Were there any ambiguities?
  • RESPONSE HERE
• Did you face any challenges not covered by the guideline?
  • RESPONSE HERE
• Suggestions for improvement:
  • RESPONSE HERE

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

• [ ] @davidjiglesias
• [ ] @wazuh/devel-devops

[Rebits]

Requested access for Demo Environment: https://github.com/wazuh/internal-devel-requests/issues/1227

[Rebits]

The available machines are:

Agents

- Amazon - Centos - Debian - RHEL9 - Ubuntu - Windows

Dashboard

- WazuhDashboard

Indexers

- IndexerBootstrap - IndexerMasterB - IndexerMasterC - WazuhDashboard

Managers

- WazuhMasterEnv1 - WazuhMasterEnv2 - WazuhWorker

[Rebits]

Check Agent Logs :yellow_circle:

Amazon :green_circle:

### System information ```console [root@amazon-agent-ip bin]# cat /etc/*release NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" Amazon Linux release 2 (Karoo) ``` ### Agent Version ```console [root@amazon-agent-ip bin]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40812" WAZUH_TYPE="agent" ``` ### Agent Status ```console [root@amazon-agent-ip bin]# systemctl status wazuh-agent -l ● wazuh-agent.service - Wazuh agent Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2024-06-07 08:37:58 UTC; 3 days ago Process: 9627 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS) Process: 9761 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS) CGroup: /system.slice/wazuh-agent.service ├─11303 /var/ossec/bin/wazuh-execd ├─11315 /var/ossec/bin/wazuh-agentd ├─11330 /var/ossec/bin/wazuh-syscheckd ├─11346 /var/ossec/bin/wazuh-logcollector └─11364 /var/ossec/bin/wazuh-modulesd Jun 07 08:37:51 amazon-agent-ip.us-west-1.compute.internal env[9761]: Starting Wazuh v4.8.0... Jun 07 08:37:52 amazon-agent-ip.us-west-1.compute.internal env[9761]: Started wazuh-execd... Jun 07 08:37:53 amazon-agent-ip.us-west-1.compute.internal env[9761]: Started wazuh-agentd... Jun 07 08:37:54 amazon-agent-ip.us-west-1.compute.internal env[9761]: Started wazuh-syscheckd... Jun 07 08:37:55 amazon-agent-ip.us-west-1.compute.internal env[9761]: Started wazuh-logcollector... Jun 07 08:37:55 amazon-agent-ip.us-west-1.compute.internal crontab[9955]: (root) LIST (root) Jun 07 08:37:56 amazon-agent-ip.us-west-1.compute.internal env[9761]: Started wazuh-modulesd... Jun 07 08:37:58 amazon-agent-ip.us-west-1.compute.internal env[9761]: Completed. Jun 07 08:37:58 amazon-agent-ip.us-west-1.compute.internal systemd[1]: Started Wazuh agent. Jun 07 08:38:05 amazon-agent-ip.us-west-1.compute.internal crontab[10281]: (root) LIST (root) ``` ### Module Status ```console [root@amazon-agent-ip bin]# /var/ossec/bin/wazuh-control status wazuh-modulesd is running... wazuh-logcollector is running... wazuh-syscheckd is running... wazuh-agentd is running... wazuh-execd is running... ``` ### Service Status ```console [root@amazon-agent-ip bin]# journalctl -xe -u wazuh-agent.service -- Subject: Unit wazuh-agent.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-agent.service has finished starting up. -- -- The start-up result is done. Jun 07 08:37:46 amazon-agent-ip.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent... -- Subject: Unit wazuh-agent.service has begun shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-agent.service has begun shutting down. Jun 07 08:37:47 amazon-agent-ip.us-west-1.compute.internal env[9627]: Killing wazuh-modulesd... Jun 07 08:37:50 amazon-agent-ip.us-west-1.compute.internal env[9627]: Killing wazuh-logcollector... Jun 07 08:37:50 amazon-agent-ip.us-west-1.compute.internal env[9627]: Killing wazuh-syscheckd... Jun 07 08:37:50 amazon-agent-ip.us-west-1.compute.internal env[9627]: Killing wazuh-agentd... Jun 07 08:37:50 amazon-agent-ip.us-west-1.compute.internal env[9627]: Killing wazuh-execd... Jun 07 08:37:51 amazon-agent-ip.us-west-1.compute.internal env[9627]: Wazuh v4.8.0 Stopped Jun 07 08:37:51 amazon-agent-ip.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent. -- Subject: Unit wazuh-agent.service has finished shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-agent.service has finished shutting down. Jun 07 08:37:51 amazon-agent-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh agent... -- Subject: Unit wazuh-agent.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-agent.service has begun starting up. Jun 07 08:37:51 amazon-agent-ip.us-west-1.compute.internal env[9761]: Starting Wazuh v4.8.0... Jun 07 08:37:52 amazon-agent-ip.us-west-1.compute.internal env[9761]: Started wazuh-execd... Jun 07 08:37:53 amazon-agent-ip.us-west-1.compute.internal env[9761]: Started wazuh-agentd... Jun 07 08:37:54 amazon-agent-ip.us-west-1.compute.internal env[9761]: Started wazuh-syscheckd... Jun 07 08:37:55 amazon-agent-ip.us-west-1.compute.internal env[9761]: Started wazuh-logcollector... Jun 07 08:37:55 amazon-agent-ip.us-west-1.compute.internal crontab[9955]: (root) LIST (root) Jun 07 08:37:56 amazon-agent-ip.us-west-1.compute.internal env[9761]: Started wazuh-modulesd... Jun 07 08:37:58 amazon-agent-ip.us-west-1.compute.internal env[9761]: Completed. Jun 07 08:37:58 amazon-agent-ip.us-west-1.compute.internal systemd[1]: Started Wazuh agent. -- Subject: Unit wazuh-agent.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-agent.service has finished starting up. -- -- The start-up result is done. Jun 07 08:38:05 amazon-agent-ip.us-west-1.compute.internal crontab[10281]: (root) LIST (root) ``` ### Error Logs ```console [root@amazon-agent-ip bin]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ```

Centos :green_circle:

### System information ```console [root@ip-centos-agent-ip bin]# cat /etc/*release CentOS Linux release 8.4.2105 NAME="CentOS Linux" VERSION="8" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="8" PLATFORM_ID="platform:el8" PRETTY_NAME="CentOS Linux 8" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:8" HOME_URL="https://centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-8" CENTOS_MANTISBT_PROJECT_VERSION="8" CentOS Linux release 8.4.2105 CentOS Linux release 8.4.2105 ``` ### Agent Version ```console [root@ip-centos-agent-ip bin]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40812" WAZUH_TYPE="agent" ``` ### Agent Status ```console [root@ip-centos-agent-ip bin]# systemctl status wazuh-agent -l ● wazuh-agent.service - Wazuh agent Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2024-06-07 08:39:37 UTC; 3 days ago Process: 7764 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS) Process: 8142 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCES> Tasks: 32 (limit: 4668) Memory: 386.4M CGroup: /system.slice/wazuh-agent.service ├─9421 /var/ossec/bin/wazuh-execd ├─9433 /var/ossec/bin/wazuh-agentd ├─9448 /var/ossec/bin/wazuh-syscheckd ├─9464 /var/ossec/bin/wazuh-logcollector └─9480 /var/ossec/bin/wazuh-modulesd Jun 07 08:39:31 ip-centos-agent-ip.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent. Jun 07 08:39:31 ip-centos-agent-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh agent... Jun 07 08:39:31 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Starting Wazuh v4.8.0... Jun 07 08:39:32 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Started wazuh-execd... Jun 07 08:39:33 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Started wazuh-agentd... Jun 07 08:39:34 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Started wazuh-syscheckd... Jun 07 08:39:35 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Started wazuh-logcollector... Jun 07 08:39:35 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Started wazuh-modulesd... Jun 07 08:39:37 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Completed. Jun 07 08:39:37 ip-centos-agent-ip.us-west-1.compute.internal systemd[1]: Started Wazuh agent. ``` ### Module Status ```console [root@ip-centos-agent-ip bin]# /var/ossec/bin/wazuh-control status wazuh-modulesd is running... wazuh-logcollector is running... wazuh-syscheckd is running... wazuh-agentd is running... wazuh-execd is running... ``` ### Service Status ```console [root@ip-centos-agent-ip bin]# journalctl -xe -u wazuh-agent.service -- Unit wazuh-agent.service has finished starting up. -- -- The start-up result is done. Jun 07 08:39:27 ip-centos-agent-ip.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent... -- Subject: Unit wazuh-agent.service has begun shutting down -- Defined-By: systemd -- Support: https://access.redhat.com/support -- -- Unit wazuh-agent.service has begun shutting down. Jun 07 08:39:27 ip-centos-agent-ip.us-west-1.compute.internal env[7764]: Killing wazuh-modulesd... Jun 07 08:39:30 ip-centos-agent-ip.us-west-1.compute.internal env[7764]: Killing wazuh-logcollector... Jun 07 08:39:30 ip-centos-agent-ip.us-west-1.compute.internal env[7764]: Killing wazuh-syscheckd... Jun 07 08:39:31 ip-centos-agent-ip.us-west-1.compute.internal env[7764]: Killing wazuh-agentd... Jun 07 08:39:31 ip-centos-agent-ip.us-west-1.compute.internal env[7764]: Killing wazuh-execd... Jun 07 08:39:31 ip-centos-agent-ip.us-west-1.compute.internal env[7764]: Wazuh v4.8.0 Stopped Jun 07 08:39:31 ip-centos-agent-ip.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Succeeded. -- Subject: Unit succeeded -- Defined-By: systemd -- Support: https://access.redhat.com/support -- -- The unit wazuh-agent.service has successfully entered the 'dead' state. Jun 07 08:39:31 ip-centos-agent-ip.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent. -- Subject: Unit wazuh-agent.service has finished shutting down -- Defined-By: systemd -- Support: https://access.redhat.com/support -- -- Unit wazuh-agent.service has finished shutting down. Jun 07 08:39:31 ip-centos-agent-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh agent... -- Subject: Unit wazuh-agent.service has begun start-up -- Defined-By: systemd -- Support: https://access.redhat.com/support -- -- Unit wazuh-agent.service has begun starting up. Jun 07 08:39:31 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Starting Wazuh v4.8.0... Jun 07 08:39:32 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Started wazuh-execd... Jun 07 08:39:33 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Started wazuh-agentd... Jun 07 08:39:34 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Started wazuh-syscheckd... Jun 07 08:39:35 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Started wazuh-logcollector... Jun 07 08:39:35 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Started wazuh-modulesd... Jun 07 08:39:37 ip-centos-agent-ip.us-west-1.compute.internal env[8142]: Completed. Jun 07 08:39:37 ip-centos-agent-ip.us-west-1.compute.internal systemd[1]: Started Wazuh agent. -- Subject: Unit wazuh-agent.service has finished start-up -- Defined-By: systemd -- Support: https://access.redhat.com/support -- -- Unit wazuh-agent.service has finished starting up. -- -- The start-up result is done. ``` ### Error Logs ```console [root@ip-centos-agent-ip bin]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ```

Debian :yellow_circle:

**Expected warnings due to unclean reboot**: ``` Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: wazuh-agent.service: Found left-over process 6144 (wazuh-exec> ``` ### System information ```console root@ip-debian-agent-ip:/usr/bin# cat /etc/*release ID="ec2" VERSION="20220503-998" PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" ``` ### Agent Version ```console root@ip-debian-agent-ip:/usr/bin# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40812" WAZUH_TYPE="agent" ``` ### Agent Status ```console root@ip-debian-agent-ip:/usr/bin# systemctl status wazuh-agent -l ● wazuh-agent.service - Wazuh agent Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2024-06-07 08:38:12 UTC; 3 days ago Tasks: 32 (limit: 1123) Memory: 265.3M CPU: 5min 8.699s CGroup: /system.slice/wazuh-agent.service ├─8222 /var/ossec/bin/wazuh-execd ├─8233 /var/ossec/bin/wazuh-agentd ├─8247 /var/ossec/bin/wazuh-syscheckd ├─8262 /var/ossec/bin/wazuh-logcollector └─8281 /var/ossec/bin/wazuh-modulesd Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: This usually indicates unclean termination of a previous run,> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: Starting Wazuh agent... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: Starting Wazuh v4.8.0... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: wazuh-execd already running... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: wazuh-agentd already running... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: wazuh-syscheckd already running... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: wazuh-logcollector already running... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: wazuh-modulesd already running... Jun 07 08:38:12 ip-debian-agent-ip env[6535]: Completed. Jun 07 08:38:12 ip-debian-agent-ip systemd[1]: Started Wazuh agent. ``` ### Module Status ```console root@ip-debian-agent-ip:/usr/bin# /var/ossec/bin/wazuh-control status wazuh-modulesd is running... wazuh-logcollector is running... wazuh-syscheckd is running... wazuh-agentd is running... wazuh-execd is running... ``` ### Service Status ```console root@ip-debian-agent-ip:/usr/bin# journalctl -xe -u wazuh-agent.service ░░ Subject: A stop job for unit wazuh-agent.service has finished ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ A stop job for unit wazuh-agent.service has finished. ░░ ░░ The job identifier is 3382 and the job result is done. Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: wazuh-agent.service: Consumed 18.252s CPU time. ░░ Subject: Resources consumed by unit runtime ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ The unit wazuh-agent.service completed and consumed the indicated resources. Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: wazuh-agent.service: Found left-over process 6144 (wazuh-exec> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: This usually indicates unclean termination of a previous run,> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: wazuh-agent.service: Found left-over process 6159 (wazuh-agen> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: This usually indicates unclean termination of a previous run,> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: wazuh-agent.service: Found left-over process 6177 (wazuh-sysc> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: This usually indicates unclean termination of a previous run,> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: wazuh-agent.service: Found left-over process 6196 (wazuh-logc> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: This usually indicates unclean termination of a previous run,> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: wazuh-agent.service: Found left-over process 6217 (wazuh-modu> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: This usually indicates unclean termination of a previous run,> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: wazuh-agent.service: Found left-over process 6533 (wazuh-modu> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: This usually indicates unclean termination of a previous run,> Jun 07 08:38:10 ip-debian-agent-ip systemd[1]: Starting Wazuh agent... ░░ Subject: A start job for unit wazuh-agent.service has begun execution ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ A start job for unit wazuh-agent.service has begun execution. ░░ ░░ The job identifier is 3382. Jun 07 08:38:10 ip-debian-agent-ip env[6535]: Starting Wazuh v4.8.0... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: wazuh-execd already running... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: wazuh-agentd already running... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: wazuh-syscheckd already running... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: wazuh-logcollector already running... Jun 07 08:38:10 ip-debian-agent-ip env[6535]: wazuh-modulesd already running... Jun 07 08:38:12 ip-debian-agent-ip env[6535]: Completed. Jun 07 08:38:12 ip-debian-agent-ip systemd[1]: Started Wazuh agent. ░░ Subject: A start job for unit wazuh-agent.service has finished successfully ░░ Defined-By: systemd ░░ Support: https://www.debian.org/support ░░ ░░ A start job for unit wazuh-agent.service has finished successfully. ░░ ░░ The job identifier is 3382. ``` ### Error Logs ```console root@ip-debian-agent-ip:/usr/bin# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ```

RHEL9 :green_circle:

### System information ```console [root@ip-rhel-agent-ip bin]# cat /etc/*release NAME="Red Hat Enterprise Linux" VERSION="9.2 (Plow)" ID="rhel" ID_LIKE="fedora" VERSION_ID="9.2" PLATFORM_ID="platform:el9" PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)" ANSI_COLOR="0;31" LOGO="fedora-logo-icon" CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos" HOME_URL="https://www.redhat.com/" DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9" BUG_REPORT_URL="https://bugzilla.redhat.com/" REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9" REDHAT_BUGZILLA_PRODUCT_VERSION=9.2 REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux" REDHAT_SUPPORT_PRODUCT_VERSION="9.2" Red Hat Enterprise Linux release 9.2 (Plow) Red Hat Enterprise Linux release 9.2 (Plow) ``` ### Agent Version ```console [root@ip-rhel-agent-ip bin]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40812" WAZUH_TYPE="agent" ``` ### Agent Status ```console [root@ip-rhel-agent-ip bin]# systemctl status wazuh-agent -l ● wazuh-agent.service - Wazuh agent Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; preset: disabled) Active: active (running) since Fri 2024-06-07 09:29:35 UTC; 3 days ago Process: 62123 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUC> Tasks: 54 (limit: 22632) Memory: 680.8M CPU: 33min 25.803s CGroup: /system.slice/wazuh-agent.service ├─62150 /var/ossec/bin/wazuh-execd ├─62162 /var/ossec/bin/wazuh-agentd ├─62177 /var/ossec/bin/wazuh-syscheckd ├─62197 /var/ossec/bin/wazuh-logcollector ├─62207 /var/ossec/bin/wazuh-modulesd ├─62218 /usr/bin/osqueryd --config_path=/etc/osquery/osquery.conf ├─62219 python3 wodles/docker/DockerListener └─62231 /usr/bin/osqueryd Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh agent... Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Starting Wazuh v4.8.0... Jun 07 09:29:30 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Started wazuh-execd... Jun 07 09:29:31 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Started wazuh-agentd... Jun 07 09:29:32 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Started wazuh-syscheckd... Jun 07 09:29:32 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Started wazuh-logcollector... Jun 07 09:29:32 ip-rhel-agent-ip.us-west-1.compute.internal osqueryd[62218]: osqueryd started [version=4.4.> Jun 07 09:29:33 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Started wazuh-modulesd... Jun 07 09:29:35 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Completed. Jun 07 09:29:35 ip-rhel-agent-ip.us-west-1.compute.internal systemd[1]: Started Wazuh agent. ``` ### Module Status ```console [root@ip-rhel-agent-ip bin]# /var/ossec/bin/wazuh-control status wazuh-modulesd is running... wazuh-logcollector is running... wazuh-syscheckd is running... wazuh-agentd is running... wazuh-execd is running... ``` ### Service Status ```console [root@ip-rhel-agent-ip bin]# journalctl -xe -u wazuh-agent.service Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal env[62055]: Wazuh v4.8.0 Stopped Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Deactivated su> ░░ Subject: Unit succeeded ░░ Defined-By: systemd ░░ Support: https://access.redhat.com/support ░░ ░░ The unit wazuh-agent.service has successfully entered the 'dead' state. Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Unit process 5> Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Unit process 6> Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Unit process 6> Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent. ░░ Subject: A stop job for unit wazuh-agent.service has finished ░░ Defined-By: systemd ░░ Support: https://access.redhat.com/support ░░ ░░ A stop job for unit wazuh-agent.service has finished. ░░ ░░ The job identifier is 27067 and the job result is done. Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Consumed 41.28> ░░ Subject: Resources consumed by unit runtime ░░ Defined-By: systemd ░░ Support: https://access.redhat.com/support ░░ ░░ The unit wazuh-agent.service completed and consumed the indicated resources. Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh agent... ░░ Subject: A start job for unit wazuh-agent.service has begun execution ░░ Defined-By: systemd ░░ Support: https://access.redhat.com/support ░░ ░░ A start job for unit wazuh-agent.service has begun execution. ░░ ░░ The job identifier is 27067. Jun 07 09:29:29 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Starting Wazuh v4.8.0... Jun 07 09:29:30 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Started wazuh-execd... Jun 07 09:29:31 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Started wazuh-agentd... Jun 07 09:29:32 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Started wazuh-syscheckd... Jun 07 09:29:32 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Started wazuh-logcollector... Jun 07 09:29:32 ip-rhel-agent-ip.us-west-1.compute.internal osqueryd[62218]: osqueryd started [version=4.4.> Jun 07 09:29:33 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Started wazuh-modulesd... Jun 07 09:29:35 ip-rhel-agent-ip.us-west-1.compute.internal env[62123]: Completed. Jun 07 09:29:35 ip-rhel-agent-ip.us-west-1.compute.internal systemd[1]: Started Wazuh agent. ░░ Subject: A start job for unit wazuh-agent.service has finished successfully ░░ Defined-By: systemd ░░ Support: https://access.redhat.com/support ░░ ░░ A start job for unit wazuh-agent.service has finished successfully. ░░ ░░ The job identifier is 27067. ``` ### Error Logs ```console [root@ip-rhel-agent-ip bin]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ```

Ubuntu :yellow_circle:

**Expected warnings due to unclean reboot**: ``` wazuh-agent.service: Found left-over process 7659 ``` ### System information ```console root@ip-ubuntu-agent-ip:/var/snap/amazon-ssm-agent/7993# cat /etc/os-release PRETTY_NAME="Ubuntu 22.04.2 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.2 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy ``` ### Agent Version ```console root@ip-ubuntu-agent-ip:/var/snap/amazon-ssm-agent/7993# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40812" WAZUH_TYPE="agent" ``` ### Agent Status ```console root@ip-ubuntu-agent-ip:/var/snap/amazon-ssm-agent/7993# systemctl status wazuh-agent -l ● wazuh-agent.service - Wazuh agent Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2024-06-07 08:39:14 UTC; 3 days ago Tasks: 32 (limit: 1116) Memory: 290.6M CPU: 5min 26.284s CGroup: /system.slice/wazuh-agent.service ├─9319 /var/ossec/bin/wazuh-execd ├─9330 /var/ossec/bin/wazuh-agentd ├─9344 /var/ossec/bin/wazuh-syscheckd ├─9359 /var/ossec/bin/wazuh-logcollector └─9378 /var/ossec/bin/wazuh-modulesd Jun 07 08:39:07 ip-ubuntu-agent-ip systemd[1]: Starting Wazuh agent... Jun 07 08:39:07 ip-ubuntu-agent-ip env[8276]: Starting Wazuh v4.8.0... Jun 07 08:39:08 ip-ubuntu-agent-ip env[8276]: Started wazuh-execd... Jun 07 08:39:09 ip-ubuntu-agent-ip env[8276]: Started wazuh-agentd... Jun 07 08:39:10 ip-ubuntu-agent-ip env[8276]: Started wazuh-syscheckd... Jun 07 08:39:11 ip-ubuntu-agent-ip env[8276]: Started wazuh-logcollector... Jun 07 08:39:12 ip-ubuntu-agent-ip env[8276]: Started wazuh-modulesd... Jun 07 08:39:14 ip-ubuntu-agent-ip env[8276]: Completed. Jun 07 08:39:14 ip-ubuntu-agent-ip systemd[1]: Started Wazuh agent. ``` ### Module Status ```console root@ip-ubuntu-agent-ip:/var/snap/amazon-ssm-agent/7993# /var/ossec/bin/wazuh-control status wazuh-modulesd is running... wazuh-logcollector is running... wazuh-syscheckd is running... wazuh-agentd is running... wazuh-execd is running... ``` ### Service Status ```console root@ip-ubuntu-agent-ip:/var/snap/amazon-ssm-agent/7993# journalctl -xe -u wazuh-agent.service Jun 07 08:39:06 ip-ubuntu-agent-ip env[7620]: Killing wazuh-logcollector... Jun 07 08:39:06 ip-ubuntu-agent-ip env[7620]: Killing wazuh-syscheckd... Jun 07 08:39:07 ip-ubuntu-agent-ip env[7620]: Killing wazuh-agentd... Jun 07 08:39:07 ip-ubuntu-agent-ip env[7620]: Killing wazuh-execd... Jun 07 08:39:07 ip-ubuntu-agent-ip env[7620]: Wazuh v4.8.0 Stopped Jun 07 08:39:07 ip-ubuntu-agent-ip systemd[1]: wazuh-agent.service: Deactivated successfully. ░░ Subject: Unit succeeded ░░ Defined-By: systemd ░░ Support: http://www.ubuntu.com/support ░░ ░░ The unit wazuh-agent.service has successfully entered the 'dead' state. Jun 07 08:39:07 ip-ubuntu-agent-ip systemd[1]: Stopped Wazuh agent. ░░ Subject: A stop job for unit wazuh-agent.service has finished ░░ Defined-By: systemd ░░ Support: http://www.ubuntu.com/support ░░ ░░ A stop job for unit wazuh-agent.service has finished. ░░ ░░ The job identifier is 6050 and the job result is done. Jun 07 08:39:07 ip-ubuntu-agent-ip systemd[1]: wazuh-agent.service: Consumed 15.214s CPU time. ░░ Subject: Resources consumed by unit runtime ░░ Defined-By: systemd ░░ Support: http://www.ubuntu.com/support ░░ ░░ The unit wazuh-agent.service completed and consumed the indicated resources. Jun 07 08:39:07 ip-ubuntu-agent-ip systemd[1]: Starting Wazuh agent... ░░ Subject: A start job for unit wazuh-agent.service has begun execution ░░ Defined-By: systemd ░░ Support: http://www.ubuntu.com/support ░░ ░░ A start job for unit wazuh-agent.service has begun execution. ░░ ░░ The job identifier is 6050. Jun 07 08:39:07 ip-ubuntu-agent-ip env[8276]: Starting Wazuh v4.8.0... Jun 07 08:39:08 ip-ubuntu-agent-ip env[8276]: Started wazuh-execd... Jun 07 08:39:09 ip-ubuntu-agent-ip env[8276]: Started wazuh-agentd... Jun 07 08:39:10 ip-ubuntu-agent-ip env[8276]: Started wazuh-syscheckd... Jun 07 08:39:11 ip-ubuntu-agent-ip env[8276]: Started wazuh-logcollector... Jun 07 08:39:12 ip-ubuntu-agent-ip env[8276]: Started wazuh-modulesd... Jun 07 08:39:14 ip-ubuntu-agent-ip env[8276]: Completed. Jun 07 08:39:14 ip-ubuntu-agent-ip systemd[1]: Started Wazuh agent. ░░ Subject: A start job for unit wazuh-agent.service has finished successfully ░░ Defined-By: systemd ░░ Support: http://www.ubuntu.com/support ░░ ░░ A start job for unit wazuh-agent.service has finished successfully. ░░ ░░ The job identifier is 6050. ``` ### Error Logs ```console root@ip-ubuntu-agent-ip:/var/snap/amazon-ssm-agent/7993# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ```

Windows :yellow_circle:

**Known issues**: - https://github.com/wazuh/wazuh/issues/13253 ### System information ```console PS C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version" OS Name: Microsoft Windows Server 2019 Datacenter OS Version: 10.0.17763 N/A Build 17763 ``` ### Agent Version ```console PS C:\Program Files (x86)\ossec-agent> (Get-Command .\wazuh-agent.exe).FileVersionInfo ProductVersion FileVersion FileName -------------- ----------- -------- v4.8.0 v4.8.0 C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ``` ### Agent Status ```console PS C:\Program Files (x86)\ossec-agent> NET START wazuh The requested service has already been started. More help is available by typing NET HELPMSG 2182. ``` ### Error Logs ```console PS C:\Program Files (x86)\ossec-agent> Get-Content "C:\Program Files (x86)\ossec-agent\ossec.log" | Sele ct-String -Pattern "ERR|WARN|CRIT|FAT" 2024/06/10 00:00:27 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240610.log' due to [(2)-(No such file or directory)]. 2024/06/10 04:38:25 wazuh-agent: ERROR: Connection socket: An existing connection was forcibly closed by the remote host. (10054) 2024/06/10 04:38:25 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock. 2024/06/10 04:39:35 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock. ``` **Analysis**: Detected errors are expected, - Logcollector error it is a known issue: https://github.com/wazuh/wazuh/issues/13253 - Connection error seems to be a network issue.

[Rebits]

Check Dashboard Logs :green_circle:

WazuhDashboard :green_circle:

``` sh-4.2$ egrep -i "err|warn" /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | wc -l 0 ``` ### System information ```console sh-4.2$ cat /etc/*release NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" Amazon Linux release 2 (Karoo) ``` ### Dashboard Version ```console [root@ip-dashboard-ip bin]# cat /usr/share/wazuh-dashboard/plugins/wazuh/package.json { "name": "wazuh", "version": "4.8.0", "revision": "12", "pluginPlatform": { "version": "2.10.0" }, "description": "Wazuh dashboard", "keywords": [ "opensearch_dashboards", "wazuh", "ossec" ], "node_build": "10.23.1", "author": "Wazuh, Inc", "license": "GPL-2.0", "repository": { "type": "git", "url": "https://github.com/wazuh/wazuh-dashboard-plugins.git" }, "bugs": { "url": "https://github.com/wazuh/wazuh-dashboard-plugins/issues" }, "homepage": "https://www.wazuh.com/", "scripts": { "lint": "eslint {public,server,common}/**/*.{js,jsx,ts,tsx,json}", "lint:public": "eslint public/**/*.{js,jsx,ts,tsx,json}", "lint:server": "eslint server/**/*.{js,jsx,ts,tsx,json}", "lint:common": "eslint common/**/*.{js,jsx,ts,tsx,json}", "lint:fix": "eslint --fix '{public,server,common}/**/*.{js,jsx,ts,tsx,json}'", "format": "prettier --write '{public,server,common}/**/*.{js,jsx,ts,tsx,css,md,json}' --config ./.prettierrc", "kbn": "node ../../scripts/kbn", "es": "node ../../scripts/es", "start": "plugin-helpers start", "build": "yarn plugin-helpers build --opensearch-dashboards-version=$OPENSEARCH_DASHBOARDS_VERSION", "build:runner": "node scripts/runner build", "plugin-helpers": "node ../../scripts/plugin_helpers", "test:ui:runner": "node ../../scripts/functional_test_runner.js", "test:server": "plugin-helpers test:server", "test:browser": "plugin-helpers test:browser", "test:jest": "node scripts/jest --runInBand", "test:jest:runner": "node scripts/runner test", "generate:api-data": "node scripts/generate-api-data.js --spec https://raw.githubusercontent.com/wazuh/wazuh/$(node -e \"console.log(require('./package.json').version)\")/api/api/spec/spec.yaml --output file --output-directory common/api-info --display-configuration", "prebuild": "node scripts/generate-build-version" }, "dependencies": { "angular-animate": "1.8.3", "angular-material": "1.2.5", "axios": "^1.6.1", "install": "^0.13.0", "js2xmlparser": "^5.0.0", "json2csv": "^4.1.2", "jwt-decode": "^3.1.2", "loglevel": "^1.7.1", "markdown-it-link-attributes": "^4.0.1", "md5": "^2.3.0", "needle": "^3.2.0", "node-cron": "^1.1.2", "pdfmake": "0.2.7", "querystring-browser": "1.0.4", "react-codemirror": "^1.0.0", "react-cookie": "^4.0.3", "read-last-lines": "^1.7.2", "timsort": "^0.3.0", "typescript": "^5.0.4", "winston": "3.9.0", "dompurify": "^3.1.3", "jsdom": "16.7.0" }, "devDependencies": { "@types/node-cron": "^2.0.3", "@typescript-eslint/eslint-plugin": "^6.2.1", "@typescript-eslint/parser": "^6.2.1", "eslint": "^8.46.0", "eslint-config-prettier": "^8.5.0", "eslint-import-resolver-typescript": "3.5.5", "eslint-plugin-async-await": "^0.0.0", "eslint-plugin-cypress": "^2.12.1", "eslint-plugin-filenames-simple": "^0.8.0", "eslint-plugin-import": "^2.28.0", "eslint-plugin-prettier": "^4.2.1", "eslint-plugin-react": "^7.31.8", "eslint-plugin-react-hooks": "^4.6.0", "prettier": "^2.7.1", "redux-mock-store": "^1.5.4", "swagger-client": "^3.19.11" }, "opensearchDashboards": { "version": "2.10.0" } } ``` ### Dashboard Status ```console [root@ip-dashboard-ip bin]# systemctl status wazuh-dashboard -l ● wazuh-dashboard.service - wazuh-dashboard Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2024-06-07 08:44:12 UTC; 3 days ago Main PID: 19906 (node) CGroup: /system.slice/wazuh-dashboard.service └─19906 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist Jun 10 14:18:26 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T14:18:26Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/api/request","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"94","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate,br","content-type":"application/json","osd-xsrf":"kibana","origin":"https://demo.wazuh.info","referer":"https://demo.wazuh.info/app/endpoints-summary","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","referer":"https://demo.wazuh.info/app/endpoints-summary"},"res":{"statusCode":200,"responseTime":54,"contentLength":9},"message":"POST /api/request 200 54ms - 9.0B"} Jun 10 14:18:26 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T14:18:26Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/internal/search/opensearch","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"817","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://demo.wazuh.info/app/endpoints-summary","content-type":"application/json","osd-version":"2.10.0","osd-xsrf":"osd-fetch","origin":"https://demo.wazuh.info","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","referer":"https://demo.wazuh.info/app/endpoints-summary"},"res":{"statusCode":200,"responseTime":54,"contentLength":9},"message":"POST /internal/search/opensearch 200 54ms - 9.0B"} Jun 10 14:18:26 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T14:18:26Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/api/request","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"89","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate,br","content-type":"application/json","osd-xsrf":"kibana","origin":"https://demo.wazuh.info","referer":"https://demo.wazuh.info/app/endpoints-summary","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","referer":"https://demo.wazuh.info/app/endpoints-summary"},"res":{"statusCode":200,"responseTime":43,"contentLength":9},"message":"POST /api/request 200 43ms - 9.0B"} Jun 10 14:18:27 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T14:18:27Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/api/request","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"57","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate,br","content-type":"application/json","osd-xsrf":"kibana","origin":"https://demo.wazuh.info","referer":"https://demo.wazuh.info/app/endpoints-summary","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","referer":"https://demo.wazuh.info/app/endpoints-summary"},"res":{"statusCode":200,"responseTime":37,"contentLength":9},"message":"POST /api/request 200 37ms - 9.0B"} Jun 10 14:18:27 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T14:18:27Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/48012/bundles/plugin/visTypeVislib/visTypeVislib.chunk.2.js","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://demo.wazuh.info/app/endpoints-summary","sec-fetch-dest":"script","sec-fetch-mode":"no-cors","sec-fetch-site":"same-origin"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","referer":"https://demo.wazuh.info/app/endpoints-summary"},"res":{"statusCode":200,"responseTime":6,"contentLength":9},"message":"GET /48012/bundles/plugin/visTypeVislib/visTypeVislib.chunk.2.js 200 6ms - 9.0B"} Jun 10 14:18:27 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T14:18:27Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/48012/bundles/plugin/visTypeVislib/visTypeVislib.chunk.1.js","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://demo.wazuh.info/app/endpoints-summary","sec-fetch-dest":"script","sec-fetch-mode":"no-cors","sec-fetch-site":"same-origin"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","referer":"https://demo.wazuh.info/app/endpoints-summary"},"res":{"statusCode":200,"responseTime":7,"contentLength":9},"message":"GET /48012/bundles/plugin/visTypeVislib/visTypeVislib.chunk.1.js 200 7ms - 9.0B"} Jun 10 14:18:27 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T14:18:27Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/48012/bundles/plugin/opensearchDashboardsLegacy/opensearchDashboardsLegacy.chunk.1.js","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","user-agent":"Mozilla/5.0 (X11; Linux x86_64;rv:121.0) Gecko/20100101 Firefox/121.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://demo.wazuh.info/app/endpoints-summary","sec-fetch-dest":"script","sec-fetch-mode":"no-cors","sec-fetch-site":"same-origin"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","referer":"https://demo.wazuh.info/app/endpoints-summary"},"res":{"statusCode":200,"responseTime":6,"contentLength":9},"message":"GET /48012/bundles/plugin/opensearchDashboardsLegacy/opensearchDashboardsLegacy.chunk.1.js 200 6ms - 9.0B"} Jun 10 14:18:27 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T14:18:27Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/48012/bundles/plugin/opensearchDashboardsLegacy/20fd1704ea223900efa9fd4e869efb08.woff2","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","accept":"application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"identity","referer":"https://demo.wazuh.info/app/wz-home","sec-fetch-dest":"font","sec-fetch-mode":"cors","sec-fetch-site":"same-origin"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","referer":"https://demo.wazuh.info/app/wz-home"},"res":{"statusCode":200,"responseTime":5,"contentLength":9},"message":"GET /48012/bundles/plugin/opensearchDashboardsLegacy/20fd1704ea223900efa9fd4e869efb08.woff2 200 5ms - 9.0B"} Jun 10 14:32:02 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T14:32:02Z","tags":[],"pid":19906,"method":"get","statusCode":401,"req":{"url":"/manager/text/list","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","user-agent":"Mozilla/5.0 zgrab/0.x","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 zgrab/0.x"},"res":{"statusCode":401,"responseTime":7,"contentLength":9},"message":"GET /manager/text/list 401 7ms - 9.0B"} Jun 10 14:39:33 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T14:39:33Z","tags":[],"pid":19906,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","user-agent":"Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8.12","accept-charset":"utf-8","accept-encoding":"gzip"},"remoteAddress":"dashboard-ip","userAgent":"Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8.12"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET / 302 2ms - 9.0B"} ``` ### Dashboard Service Status ```console [root@ip-dashboard-ip bin]# journalctl -xe -u wazuh-dashboard.service --no-pager | head -30 -- Logs begin at Fri 2024-06-07 08:04:28 UTC, end at Mon 2024-06-10 14:53:19 UTC. -- Jun 10 09:58:10 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:10Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/api/login","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"33","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","accept":"application/json, text/plain, */*","content-type":"application/json","osd-xsrf":"kibana","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","origin":"https://demo.wazuh.info","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":19,"contentLength":9},"message":"POST /api/login 200 19ms - 9.0B"} Jun 10 09:58:10 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:10Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/ui/favicons/favicon.ico","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":16,"contentLength":9},"message":"GET /ui/favicons/favicon.ico 200 16ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/utils/configuration","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":5,"contentLength":9},"message":"GET /utils/configuration 200 5ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/hosts/apis","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":9,"contentLength":9},"message":"GET /hosts/apis 200 9ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/api/wazuh-check-updates/updates?query_api=false&force_query=false","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","content-type":"application/json","osd-xsrf":"osd-fetch","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","osd-version":"2.10.0","sec-ch-ua-platform":"\"Windows\"","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":6,"contentLength":9},"message":"GET /api/wazuh-check-updates/updates?query_api=false&force_query=false 200 6ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/api/saved_objects/_find?type=index-pattern&fields=title&fields=fields&per_page=9999","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":46,"contentLength":9},"message":"GET /api/saved_objects/_find?type=index-pattern&fields=title&fields=fields&per_page=9999 200 46ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/hosts/apis","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":5,"contentLength":9},"message":"GET /hosts/apis 200 5ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/ui/logos/opensearch_mark_on_light.svg","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":3,"contentLength":9},"message":"GET /ui/logos/opensearch_mark_on_light.svg 200 3ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/api/request","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"94","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","accept":"application/json, text/plain, */*","content-type":"application/json","osd-xsrf":"kibana","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","origin":"https://demo.wazuh.info","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":230,"contentLength":9},"message":"POST /api/request 200 230ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/api/saved_objects/_find?type=index-pattern&fields=title&fields=fields&per_page=9999","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":24,"contentLength":9},"message":"GET /api/saved_objects/_find?type=index-pattern&fields=title&fields=fields&per_page=9999 200 24ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:10Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/api/check-stored-api","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"15","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","accept":"application/json, text/plain, */*","content-type":"application/json","osd-xsrf":"kibana","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","origin":"https://demo.wazuh.info","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":605,"contentLength":9},"message":"POST /api/check-stored-api 200 605ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/hosts/apis","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":5,"contentLength":9},"message":"GET /hosts/apis 200 5ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/api/saved_objects/_find?type=index-pattern&fields=title&fields=fields&per_page=9999","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":26,"contentLength":9},"message":"GET /api/saved_objects/_find?type=index-pattern&fields=title&fields=fields&per_page=9999 200 26ms - 9.0B"} Jun 10 09:58:11 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:11Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/hosts/apis","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":6,"contentLength":9},"message":"GET /hosts/apis 200 6ms - 9.0B"} Jun 10 09:58:12 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:12Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/hosts/apis","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":13,"contentLength":9},"message":"GET /hosts/apis 200 13ms - 9.0B"} Jun 10 09:58:12 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:12Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/hosts/apis","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":16,"contentLength":9},"message":"GET /hosts/apis 200 16ms - 9.0B"} Jun 10 09:58:12 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:12Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/api/request","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"65","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","accept":"application/json, text/plain, */*","content-type":"application/json","osd-xsrf":"kibana","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","origin":"https://demo.wazuh.info","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":55,"contentLength":9},"message":"POST /api/request 200 55ms - 9.0B"} Jun 10 09:58:12 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:12Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/hosts/apis","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":6,"contentLength":9},"message":"GET /hosts/apis 200 6ms - 9.0B"} Jun 10 09:58:12 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:12Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/api/request","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"64","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","accept":"application/json, text/plain, */*","content-type":"application/json","osd-xsrf":"kibana","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","origin":"https://demo.wazuh.info","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":39,"contentLength":9},"message":"POST /api/request 200 39ms - 9.0B"} Jun 10 09:58:12 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:12Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/api/request","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"73","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","accept":"application/json, text/plain, */*","content-type":"application/json","osd-xsrf":"kibana","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","origin":"https://demo.wazuh.info","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/settings"},"res":{"statusCode":200,"responseTime":35,"contentLength":9},"message":"POST /api/request 200 35ms - 9.0B"} Jun 10 09:58:23 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:23Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/elastic/security/current-platform","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","accept":"application/json, text/plain, */*","content-type":"application/json","osd-xsrf":"kibana","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/app-settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/app-settings"},"res":{"statusCode":200,"responseTime":5,"contentLength":9},"message":"GET /elastic/security/current-platform 200 5ms - 9.0B"} Jun 10 09:58:23 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:23Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/hosts/apis","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/app-settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/app-settings"},"res":{"statusCode":200,"responseTime":14,"contentLength":9},"message":"GET /hosts/apis 200 14ms - 9.0B"} Jun 10 09:58:23 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:23Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/api/setup","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/app-settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/app-settings"},"res":{"statusCode":200,"responseTime":20,"contentLength":9},"message":"GET /api/setup 200 20ms - 9.0B"} Jun 10 09:58:23 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:23Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/ui/favicons/favicon.ico","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://demo.wazuh.info/app/app-settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/app-settings"},"res":{"statusCode":200,"responseTime":22,"contentLength":9},"message":"GET /ui/favicons/favicon.ico 200 22ms - 9.0B"} Jun 10 09:58:23 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:23Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/utils/configuration","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/app-settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/app-settings"},"res":{"statusCode":200,"responseTime":15,"contentLength":9},"message":"GET /utils/configuration 200 15ms - 9.0B"} Jun 10 09:58:23 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:23Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/api/saved_objects/_find?fields=title&per_page=10000&type=index-pattern","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","content-type":"application/json","osd-xsrf":"osd-fetch","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","osd-version":"2.10.0","sec-ch-ua-platform":"\"Windows\"","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/app-settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/app-settings"},"res":{"statusCode":200,"responseTime":29,"contentLength":9},"message":"GET /api/saved_objects/_find?fields=title&per_page=10000&type=index-pattern 200 29ms - 9.0B"} Jun 10 09:58:24 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:24Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/hosts/apis","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/app-settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/app-settings"},"res":{"statusCode":200,"responseTime":9,"contentLength":9},"message":"GET /hosts/apis 200 9ms - 9.0B"} Jun 10 09:58:24 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:24Z","tags":[],"pid":19906,"method":"post","statusCode":200,"req":{"url":"/api/login","method":"post","headers":{"host":"dashboard-ip:5601","connection":"close","content-length":"33","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","accept":"application/json, text/plain, */*","content-type":"application/json","osd-xsrf":"kibana","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","origin":"https://demo.wazuh.info","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/app-settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/app-settings"},"res":{"statusCode":200,"responseTime":30,"contentLength":9},"message":"POST /api/login 200 30ms - 9.0B"} Jun 10 09:58:24 ip-dashboard-ip.us-west-1.compute.internal opensearch-dashboards[19906]: {"type":"response","@timestamp":"2024-06-10T09:58:24Z","tags":[],"pid":19906,"method":"get","statusCode":200,"req":{"url":"/utils/configuration","method":"get","headers":{"host":"dashboard-ip:5601","connection":"close","sec-ch-ua":"\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","id":"wazuh1","pattern":"wazuh-alerts-*","accept":"application/json, text/plain, */*","osd-xsrf":"kibana","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://demo.wazuh.info/app/app-settings","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"dashboard-ip","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","referer":"https://demo.wazuh.info/app/app-settings"},"res":{"statusCode":200,"responseTime":28,"contentLength":9},"message":"GET /utils/configuration 200 28ms - 9.0B"} ``` ### Error Logs ```console [root@ip-dashboard-ip bin]# egrep -i "err|warn" /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | wc -l ```

[Rebits]

Check Indexer Logs :yellow_circle:

Known errors:

• https://github.com/wazuh/wazuh-packages/issues/2685
• https://github.com/wazuh/wazuh-packages/issues/2094

IndexerBootstrap :yellow_circle:

**Known errors**: - https://github.com/wazuh/wazuh-packages/issues/2685 - https://github.com/wazuh/wazuh-packages/issues/2094 ### System information ```console sh-4.2$ cat /etc/*release NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" Amazon Linux release 2 (Karoo) ``` ### Agent Status ```console sh-4.2$ systemctl status wazuh-indexer -l ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2024-06-07 08:20:51 UTC; 3 days ago Docs: https://documentation.wazuh.com Main PID: 12389 (java) CGroup: /system.slice/wazuh-indexer.service └─12389 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-12511040543639891548 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet ``` ### Service Status ```console [root@ip-IndexerBootstrap-ip bin]# journalctl -xe -u wazuh-indexer.service --no-pager | head -80 -- Logs begin at Fri 2024-06-07 08:04:31 UTC, end at Mon 2024-06-10 14:57:40 UTC. -- Jun 07 08:18:17 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun starting up. Jun 07 08:18:19 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[10474]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:18:19 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[10474]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:18:19 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[10474]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jun 07 08:18:19 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[10474]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:18:22 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[10474]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:18:22 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[10474]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:18:22 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[10474]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jun 07 08:18:22 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[10474]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:18:42 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished starting up. -- -- The start-up result is done. Jun 07 08:20:24 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun shutting down. Jun 07 08:20:24 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished shutting down. Jun 07 08:20:24 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun starting up. Jun 07 08:20:27 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:20:27 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:20:27 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jun 07 08:20:27 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:20:30 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:20:30 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:20:30 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jun 07 08:20:30 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:20:51 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished starting up. -- -- The start-up result is done. Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation") Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624) Jun 08 00:00:49 ip-IndexerBootstrap-ip.us-west-1.compute.internal systemd-entrypoint[12389]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560) ``` ### Error Logs ```console [root@ip-IndexerBootstrap-ip bin]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log | wc -l 0 ```

IndexerMasterB :yellow_circle:

- **Known warnings**: https://github.com/wazuh/wazuh-packages/issues/2685 ### System information ```console sh-4.2$ cat /etc/*release NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" Amazon Linux release 2 (Karoo) ``` ### Agent Status ```console [root@ip-IndexerMasterB-ip bin]# systemctl status wazuh-indexer -l ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2024-06-07 08:20:09 UTC; 3 days ago Docs: https://documentation.wazuh.com Main PID: 12217 (java) CGroup: /system.slice/wazuh-indexer.service └─12217 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-17160222584255521138 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet Jun 10 00:00:00 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.opensearch.cluster.service.ClusterApplierService.callClusterStateListeners(ClusterApplierService.java:612) Jun 10 00:00:00 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.opensearch.cluster.service.ClusterApplierService.applyChanges(ClusterApplierService.java:577) Jun 10 00:00:00 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.opensearch.cluster.service.ClusterApplierService.runTask(ClusterApplierService.java:484) Jun 10 00:00:00 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.opensearch.cluster.service.ClusterApplierService$UpdateTask.run(ClusterApplierService.java:186) Jun 10 00:00:00 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:849) Jun 10 00:00:00 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:282) Jun 10 00:00:00 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:245) Jun 10 00:00:00 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) Jun 10 00:00:00 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) Jun 10 00:00:00 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at java.base/java.lang.Thread.run(Thread.java:833) ``` ### Service Status ```console [root@ip-IndexerMasterB-ip bin]# journalctl -xe -u wazuh-indexer.service --no-pager | head -80 -- Logs begin at Fri 2024-06-07 08:04:26 UTC, end at Mon 2024-06-10 15:00:32 UTC. -- Jun 07 08:18:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun starting up. Jun 07 08:18:10 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[10475]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:18:10 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[10475]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:18:10 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[10475]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jun 07 08:18:10 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[10475]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:18:12 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[10475]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:18:12 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[10475]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:18:12 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[10475]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jun 07 08:18:12 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[10475]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:18:30 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished starting up. -- -- The start-up result is done. Jun 07 08:19:45 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun shutting down. Jun 07 08:19:45 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished shutting down. Jun 07 08:19:45 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun starting up. Jun 07 08:19:48 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:19:48 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:19:48 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jun 07 08:19:48 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:19:50 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:19:50 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:19:50 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jun 07 08:19:50 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:20:09 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished starting up. -- -- The start-up result is done. Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation") Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624) Jun 08 00:00:07 ip-IndexerMasterB-ip.us-west-1.compute.internal systemd-entrypoint[12217]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560) ``` > **Analysis**: > The ERROR logs are expected, it is a known issue: https://github.com/wazuh/wazuh-packages/issues/2685 ### Error Logs ```console [root@ip-IndexerMasterB-ip bin]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log | wc -l 0 ```

IndexerMasterC :yellow_circle:

- **Known warnings**: https://github.com/wazuh/wazuh-packages/issues/2685 ### System information ```console sh-4.2$ cat /etc/*release NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" Amazon Linux release 2 (Karoo) ``` ### Agent Status ```console [root@ip-IndexerMasterC-ip bin]# systemctl status wazuh-indexer -l ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2024-06-07 08:19:43 UTC; 3 days ago Docs: https://documentation.wazuh.com Main PID: 12368 (java) CGroup: /system.slice/wazuh-indexer.service └─12368 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-13991278195436695171 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet Jun 10 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.opensearch.cluster.service.MasterService.runTasks(MasterService.java:295) Jun 10 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.opensearch.cluster.service.MasterService$Batcher.run(MasterService.java:206) Jun 10 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.opensearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:204) Jun 10 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.opensearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:242) Jun 10 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:849) Jun 10 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:282) Jun 10 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:245) Jun 10 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) Jun 10 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) Jun 10 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at java.base/java.lang.Thread.run(Thread.java:833) ``` ### Service Status ```console [root@ip-IndexerMasterC-ip bin]# journalctl -xe -u wazuh-indexer.service --no-pager | head -80 -- Logs begin at Fri 2024-06-07 08:04:25 UTC, end at Mon 2024-06-10 15:02:18 UTC. -- Jun 07 08:18:07 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun starting up. Jun 07 08:18:10 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[10638]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:18:10 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[10638]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:18:10 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[10638]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jun 07 08:18:10 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[10638]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:18:12 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[10638]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:18:12 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[10638]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:18:12 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[10638]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jun 07 08:18:12 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[10638]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:18:30 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished starting up. -- -- The start-up result is done. Jun 07 08:19:20 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun shutting down. Jun 07 08:19:20 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished shutting down. Jun 07 08:19:20 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun starting up. Jun 07 08:19:23 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:19:23 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:19:23 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jun 07 08:19:23 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:19:25 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:19:25 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:19:25 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jun 07 08:19:25 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:19:43 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished starting up. -- -- The start-up result is done. Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation") Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624) Jun 08 00:00:00 ip-IndexerMasterC-ip.us-west-1.compute.internal systemd-entrypoint[12368]: at org.apache.logging ``` > **Analysis**: > The ERROR logs are expected, it is a known issue: https://github.com/wazuh/wazuh-packages/issues/2685 ### Error Logs ```console [root@ip-IndexerMasterC-ip bin]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log | wc -l 4 [root@ip-IndexerMasterC-ip bin]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log [2024-06-10T08:19:46,081][ERROR][o.o.a.a.AlertIndices ] [node-1] info deleteOldIndices [2024-06-10T08:19:46,082][ERROR][o.o.a.a.AlertIndices ] [node-1] info deleteOldIndices[2024-06-10T09:35:12,755] [ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset[2024-06-10T09:38:36,968] [ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset ``` Known issue: https://github.com/wazuh/wazuh-packages/issues/2094

WazuhDashboard :yellow_circle:

- **Known warnings**: https://github.com/wazuh/wazuh-packages/issues/2685 ### System information ```console sh-4.2$ cat /etc/*release NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" Amazon Linux release 2 (Karoo) ``` ### Agent Status ```console sh-4.2$ systemctl status wazuh-indexer -l ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2024-06-07 08:27:18 UTC; 3 days ago Docs: https://documentation.wazuh.com Main PID: 14594 (java) CGroup: /system.slice/wazuh-indexer.service └─14594 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-11616403398296492359 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet ``` ### Service Status ```console [root@ip-WazuhDashboard-ip1 bin]# journalctl -xe -u wazuh-indexer.service --no-pager | head -80 -- Logs begin at Fri 2024-06-07 08:04:28 UTC, end at Mon 2024-06-10 15:04:56 UTC. -- Jun 07 08:23:32 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun starting up. Jun 07 08:23:34 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[10460]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:23:34 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[10460]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:23:34 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[10460]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jun 07 08:23:34 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[10460]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:23:37 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[10460]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:23:37 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[10460]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:23:37 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[10460]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jun 07 08:23:37 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[10460]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:23:55 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished starting up. -- -- The start-up result is done. Jun 07 08:26:51 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun shutting down. Jun 07 08:26:51 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished shutting down. Jun 07 08:26:51 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer... -- Subject: Unit wazuh-indexer.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has begun starting up. Jun 07 08:26:55 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:26:55 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:26:55 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch Jun 07 08:26:55 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:26:58 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: WARNING: A terminally deprecated method in java.lang.System has been called Jun 07 08:26:58 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar) Jun 07 08:26:58 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security Jun 07 08:26:58 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: WARNING: System::setSecurityManager will be removed in a future release Jun 07 08:27:18 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer. -- Subject: Unit wazuh-indexer.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-indexer.service has finished starting up. -- -- The start-up result is done. Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation") Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624) Jun 08 00:01:10 ip-WazuhDashboard-ip1.us-west-1.compute.internal systemd-entrypoint[14594]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560) ``` ### Error Logs ```console egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log | wc -l ```

[Rebits]

Check Manager Logs :yellow_circle:

WazuhMasterEnv1 :yellow_circle:

- **Known issue**: https://github.com/wazuh/wazuh/issues/21014 ``` 2024/06/10 04:38:25 wazuh-remoted: WARNING: Unexpected message (hex): 'ffffff3050ff74ffff0c705072ff691c7cffffff2368ffff37ff0f6148ff0726180effffffff58ffffff362f400dffffffff5bffff1625ff53ffffff4562ffffffffffff21ff19ffffffffff62ff39070fffff22ff06ffffffff5aff53ffff20ff1f69ffff44ffffff07ffffff580b67ff12ffffff11ffffff31ffffff48ff146e0cff521d21ffff4438ff0d65314bff280916ff02ff3bffff70ff0dffffff475dff2a39ff13ffffffff34624506ffff57114616ff73ffffff4fffffff761e47ff4bff20ff39ffffff3d1bffffff2fffffff08ffffff77ffff0545605affffffff3050ff74ffff0c705072ff691c7cffffff2368ffff37ff0f6148ff0726180effffffff58ffffff362f400dffffffff5bffff1625ff53ffffff4562ffffffffffffffffff3047ff66ffff79047eff12ff6801562b351aff77ff2effff0039ff2860ffff57ff3225ffffff54ffffffffff2e6eff2644ffff3affff71ffff3bffffff7a3d517cff627a6c101b2d1862ff01ff06ffff2122ff1e0141ff6fff16ff493effff0aff0dff29ff5535ff16ff65ffffff1cffffff1bffffffffffff6aff02230dffff36ff4234ff1077ff12ffffff6affff2d5bff3aff66ffffffff7a4dffff69ff68ffffffff543665ff0dff440032ffff26ffffffffffffffffff7cffffffff56135affffff66ffffffffff52ff0940ff366e7c577fff77437fff655cff2a394effffff08ff20ff596dffff253eff1effffffffff6620ffffffff713c2f2d7b49ff274bffffffffffff67293d14ffff5036ffff26742b16ffff7708ffffff537e190dffffff613043ff5bff2cff21ff7f19ff6171ffff1d56ffff286dffffff1aff7bffffff01ffffffffffff54757cffff0d7e1d2e5442ff2eff6018ff3815ff44ff1d676bffff52ffffff57ff66ff5c493a3fff575a7930ff5dffffffff3173ffff2626ff503557ff097affffff5fffffffffff18ffffff0affff10ffffffff0455ffffffffffff0affffff66ff29076b1bff37ff5d1d63ff2affff5627ffffffff0cff6fffff123419440d67347d5e7bffff00ffffff4effff1bff5fffffff7fff3016ff0cff43ff6f0bffffffffff78ffff49ffffff4573ffffffffff2cff03ffff15ffffff66791a34ffffffffff4426ff71ffffffffffffffffff53ff792708ff0affffff2931404907ffffffff213d41ff56ffffff6e1c6f58ff4f1cff6b44ff375400ffff7bff2cffff3c756231ffff56ff3affffffffffff150cff1a417dff54ff02ffffffffff02601f51ffffffffff52ffff43ff1fffff4659ffffff49ff3affffffffff1a' 2024/06/10 04:38:25 wazuh-remoted: WARNING: Too big message size from socket [35]. ``` ### System information ```console sh-4.2$ cat /etc/*release NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" Amazon Linux release 2 (Karoo) ``` ### Manager Version ```console [root@wazuh-manager-master-0 bin]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40812" WAZUH_TYPE="server"``` ### Agent Status ```console [root@wazuh-manager-master-0 bin]# systemctl status wazuh-manager -l ● wazuh-manager.service - Wazuh manager Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled) Active: active (exited) since Fri 2024-06-07 08:31:52 UTC; 3 days ago Process: 15245 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS) Process: 15423 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS) Jun 07 08:31:46 wazuh-manager-master-0 env[15423]: Started wazuh-remoted... Jun 07 08:31:47 wazuh-manager-master-0 env[15423]: Started wazuh-logcollector... Jun 07 08:31:48 wazuh-manager-master-0 env[15423]: Started wazuh-monitord... Jun 07 08:31:48 wazuh-manager-master-0 env[15423]: 2024/06/07 08:31:48 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:31:48 wazuh-manager-master-0 env[15423]: 2024/06/07 08:31:48 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:31:49 wazuh-manager-master-0 env[15423]: Started wazuh-modulesd... Jun 07 08:31:50 wazuh-manager-master-0 env[15423]: Started wazuh-clusterd... Jun 07 08:31:51 wazuh-manager-master-0 crontab[16007]: (root) LIST (root) Jun 07 08:31:52 wazuh-manager-master-0 env[15423]: Completed. Jun 07 08:31:52 wazuh-manager-master-0 systemd[1]: Started Wazuh manager. ``` ### Module Status ```console [root@wazuh-manager-master-0 bin]# /var/ossec/bin/wazuh-control status wazuh-clusterd is running... wazuh-modulesd is running... wazuh-monitord is running... wazuh-logcollector is running... wazuh-remoted is running... wazuh-syscheckd is running... wazuh-analysisd is running... wazuh-maild not running... wazuh-execd is running... wazuh-db is running... wazuh-authd is running... wazuh-agentlessd not running... wazuh-integratord is running... wazuh-dbd not running... wazuh-csyslogd not running... wazuh-apid is running... ``` ### Service Status ```console [root@wazuh-manager-master-0 bin]# journalctl -xe -u wazuh-manager.service --no-pager -- Logs begin at Fri 2024-06-07 08:04:25 UTC, end at Mon 2024-06-10 15:15:20 UTC. -- Jun 07 08:29:29 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager... -- Subject: Unit wazuh-manager.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has begun starting up. Jun 07 08:29:31 wazuh-manager-master-0 env[11345]: 2024/06/07 08:29:31 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:29:31 wazuh-manager-master-0 env[11345]: 2024/06/07 08:29:31 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:29:31 wazuh-manager-master-0 env[11345]: Starting Wazuh v4.8.0... Jun 07 08:29:34 wazuh-manager-master-0 env[11345]: Started wazuh-apid... Jun 07 08:29:34 wazuh-manager-master-0 env[11345]: Started wazuh-csyslogd... Jun 07 08:29:34 wazuh-manager-master-0 env[11345]: Started wazuh-dbd... Jun 07 08:29:34 wazuh-manager-master-0 env[11345]: 2024/06/07 08:29:34 wazuh-integratord: INFO: Remote integrations not configured. Clean exit. Jun 07 08:29:34 wazuh-manager-master-0 env[11345]: Started wazuh-integratord... Jun 07 08:29:34 wazuh-manager-master-0 env[11345]: Started wazuh-agentlessd... Jun 07 08:29:35 wazuh-manager-master-0 env[11345]: Started wazuh-authd... Jun 07 08:29:36 wazuh-manager-master-0 env[11345]: Started wazuh-db... Jun 07 08:29:37 wazuh-manager-master-0 env[11345]: Started wazuh-execd... Jun 07 08:29:38 wazuh-manager-master-0 env[11345]: Started wazuh-analysisd... Jun 07 08:29:39 wazuh-manager-master-0 env[11345]: Started wazuh-syscheckd... Jun 07 08:29:40 wazuh-manager-master-0 env[11345]: Started wazuh-remoted... Jun 07 08:29:41 wazuh-manager-master-0 env[11345]: Started wazuh-logcollector... Jun 07 08:29:42 wazuh-manager-master-0 env[11345]: Started wazuh-monitord... Jun 07 08:29:42 wazuh-manager-master-0 env[11345]: 2024/06/07 08:29:42 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:29:42 wazuh-manager-master-0 env[11345]: 2024/06/07 08:29:42 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:29:43 wazuh-manager-master-0 env[11345]: Started wazuh-modulesd... Jun 07 08:29:45 wazuh-manager-master-0 env[11345]: Started wazuh-clusterd... Jun 07 08:29:46 wazuh-manager-master-0 crontab[11928]: (root) LIST (root) Jun 07 08:29:47 wazuh-manager-master-0 env[11345]: Completed. Jun 07 08:29:47 wazuh-manager-master-0 systemd[1]: Started Wazuh manager. -- Subject: Unit wazuh-manager.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has finished starting up. -- -- The start-up result is done. Jun 07 08:31:29 wazuh-manager-master-0 systemd[1]: Stopping Wazuh manager... -- Subject: Unit wazuh-manager.service has begun shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has begun shutting down. Jun 07 08:31:29 wazuh-manager-master-0 env[15245]: Killing wazuh-clusterd... Jun 07 08:31:29 wazuh-manager-master-0 env[15245]: Killing wazuh-modulesd... Jun 07 08:31:30 wazuh-manager-master-0 env[15245]: Killing wazuh-monitord... Jun 07 08:31:30 wazuh-manager-master-0 env[15245]: Killing wazuh-logcollector... Jun 07 08:31:30 wazuh-manager-master-0 env[15245]: Killing wazuh-remoted... Jun 07 08:31:30 wazuh-manager-master-0 env[15245]: Killing wazuh-syscheckd... Jun 07 08:31:31 wazuh-manager-master-0 env[15245]: Killing wazuh-analysisd... Jun 07 08:31:31 wazuh-manager-master-0 env[15245]: wazuh-maild not running... Jun 07 08:31:31 wazuh-manager-master-0 env[15245]: Killing wazuh-execd... Jun 07 08:31:31 wazuh-manager-master-0 env[15245]: Killing wazuh-db... Jun 07 08:31:32 wazuh-manager-master-0 env[15245]: Killing wazuh-authd... Jun 07 08:31:33 wazuh-manager-master-0 env[15245]: wazuh-agentlessd not running... Jun 07 08:31:33 wazuh-manager-master-0 env[15245]: wazuh-integratord not running... Jun 07 08:31:33 wazuh-manager-master-0 env[15245]: wazuh-dbd not running... Jun 07 08:31:33 wazuh-manager-master-0 env[15245]: wazuh-csyslogd not running... Jun 07 08:31:33 wazuh-manager-master-0 env[15245]: Killing wazuh-apid... Jun 07 08:31:34 wazuh-manager-master-0 env[15245]: Wazuh v4.8.0 Stopped Jun 07 08:31:34 wazuh-manager-master-0 systemd[1]: Stopped Wazuh manager. -- Subject: Unit wazuh-manager.service has finished shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has finished shutting down. Jun 07 08:31:34 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager... -- Subject: Unit wazuh-manager.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has begun starting up. Jun 07 08:31:36 wazuh-manager-master-0 env[15423]: 2024/06/07 08:31:36 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:31:36 wazuh-manager-master-0 env[15423]: 2024/06/07 08:31:36 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:31:36 wazuh-manager-master-0 env[15423]: Starting Wazuh v4.8.0... Jun 07 08:31:39 wazuh-manager-master-0 env[15423]: Started wazuh-apid... Jun 07 08:31:39 wazuh-manager-master-0 env[15423]: Started wazuh-csyslogd... Jun 07 08:31:39 wazuh-manager-master-0 env[15423]: Started wazuh-dbd... Jun 07 08:31:40 wazuh-manager-master-0 env[15423]: 2024/06/07 08:31:40 wazuh-integratord: INFO: Remote integrations not configured. Clean exit. Jun 07 08:31:40 wazuh-manager-master-0 env[15423]: Started wazuh-integratord... Jun 07 08:31:40 wazuh-manager-master-0 env[15423]: Started wazuh-agentlessd... Jun 07 08:31:41 wazuh-manager-master-0 env[15423]: Started wazuh-authd... Jun 07 08:31:42 wazuh-manager-master-0 env[15423]: Started wazuh-db... Jun 07 08:31:43 wazuh-manager-master-0 env[15423]: Started wazuh-execd... Jun 07 08:31:44 wazuh-manager-master-0 env[15423]: Started wazuh-analysisd... Jun 07 08:31:45 wazuh-manager-master-0 env[15423]: Started wazuh-syscheckd... Jun 07 08:31:46 wazuh-manager-master-0 env[15423]: Started wazuh-remoted... Jun 07 08:31:47 wazuh-manager-master-0 env[15423]: Started wazuh-logcollector... Jun 07 08:31:48 wazuh-manager-master-0 env[15423]: Started wazuh-monitord... Jun 07 08:31:48 wazuh-manager-master-0 env[15423]: 2024/06/07 08:31:48 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:31:48 wazuh-manager-master-0 env[15423]: 2024/06/07 08:31:48 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:31:49 wazuh-manager-master-0 env[15423]: Started wazuh-modulesd... Jun 07 08:31:50 wazuh-manager-master-0 env[15423]: Started wazuh-clusterd... Jun 07 08:31:51 wazuh-manager-master-0 crontab[16007]: (root) LIST (root) Jun 07 08:31:52 wazuh-manager-master-0 env[15423]: Completed. Jun 07 08:31:52 wazuh-manager-master-0 systemd[1]: Started Wazuh manager. -- Subject: Unit wazuh-manager.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has finished starting up. -- -- The start-up result is done. ``` ### Error Logs ```console [root@wazuh-manager-master-0 bin]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log | wc -l 4 [root@wazuh-manager-master-0 bin]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log 2024/06/10 04:38:25 wazuh-remoted: WARNING: Unexpected message (hex): 'ffffff3050ff74ffff0c705072ff691c7cffffff2368ffff37ff0f6148ff0726180effffffff58ffffff362f400dffffffff5bffff1625ff53ffffff4562ffffffffffff21ff19ffffffffff62ff39070fffff22ff06ffffffff5aff53ffff20ff1f69ffff44ffffff07ffffff580b67ff12ffffff11ffffff31ffffff48ff146e0cff521d21ffff4438ff0d65314bff280916ff02ff3bffff70ff0dffffff475dff2a39ff13ffffffff34624506ffff57114616ff73ffffff4fffffff761e47ff4bff20ff39ffffff3d1bffffff2fffffff08ffffff77ffff0545605affffffff3050ff74ffff0c705072ff691c7cffffff2368ffff37ff0f6148ff0726180effffffff58ffffff362f400dffffffff5bffff1625ff53ffffff4562ffffffffffffffffff3047ff66ffff79047eff12ff6801562b351aff77ff2effff0039ff2860ffff57ff3225ffffff54ffffffffff2e6eff2644ffff3affff71ffff3bffffff7a3d517cff627a6c101b2d1862ff01ff06ffff2122ff1e0141ff6fff16ff493effff0aff0dff29ff5535ff16ff65ffffff1cffffff1bffffffffffff6aff02230dffff36ff4234ff1077ff12ffffff6affff2d5bff3aff66ffffffff7a4dffff69ff68ffffffff543665ff0dff440032ffff26ffffffffffffffffff7cffffffff56135affffff66ffffffffff52ff0940ff366e7c577fff77437fff655cff2a394effffff08ff20ff596dffff253eff1effffffffff6620ffffffff713c2f2d7b49ff274bffffffffffff67293d14ffff5036ffff26742b16ffff7708ffffff537e190dffffff613043ff5bff2cff21ff7f19ff6171ffff1d56ffff286dffffff1aff7bffffff01ffffffffffff54757cffff0d7e1d2e5442ff2eff6018ff3815ff44ff1d676bffff52ffffff57ff66ff5c493a3fff575a7930ff5dffffffff3173ffff2626ff503557ff097affffff5fffffffffff18ffffff0affff10ffffffff0455ffffffffffff0affffff66ff29076b1bff37ff5d1d63ff2affff5627ffffffff0cff6fffff123419440d67347d5e7bffff00ffffff4effff1bff5fffffff7fff3016ff0cff43ff6f0bffffffffff78ffff49ffffff4573ffffffffff2cff03ffff15ffffff66791a34ffffffffff4426ff71ffffffffffffffffff53ff792708ff0affffff2931404907ffffffff213d41ff56ffffff6e1c6f58ff4f1cff6b44ff375400ffff7bff2cffff3c756231ffff56ff3affffffffffff150cff1a417dff54ff02ffffffffff02601f51ffffffffff52ffff43ff1fffff4659ffffff49ff3affffffffff1a' 2024/06/10 04:38:25 wazuh-remoted: WARNING: Too big message size from socket [35]. 2024/06/10 04:39:35 wazuh-remoted: WARNING: Unexpected message (hex): 'ff182d1dff0fffffffffffff0506ffffff0f00ff7f1effffffff0cffffffffff27ff5a58ff3d3834ff23ff63ffffff7dffff7d075aff25ffffffffffff0dff27ff565eff19ffffff41ffff34ffff074dffff64ff6eff7bffffff54ff0d0476ffffff7dffffff196321ff347bff5f2aff3cff563f596029ff7533ffff5c2cff79ffff375d6a383fff5d5aff6dffff12ff38ff61ffff69ff00ffffff4937ff64ffff4d4a0bffffff71ffffffff1cff4cffff243551ffff2d02ff3e4bff636527ffffff23ff0aff7f211202ff06ffff6011ffff117c33076d34ff05ffffff23ff182d1dff0fffffffffffff0506ffffff0f00ff7f1effffffff0cffffffffff27ff5a58ff3d3834ff23ff63ffffff7dffff7d075aff25ffffffffffff0dff27ff56ff4c5027ff0fff06ffffff751d7058ffffffff03ff1f47ffffffffffffffff432f724cff17ff346f6bffff01ffffff5cff7221720f3a38303fffff6eff510fff6affffffff432b6932ffffffff75470fffffff2fffff5b4c3eff4affff7aff0125ffffff0eff735024ffff430956ff517e76006eff51ffffffff73ff336fff7dffff68ffffffff69ff2309712dffffff747aff1dff0cff5622ff380f58ff32577eff5d102626ffffff07ffffff1568ffffff11ffffffff6cff5d5dff7cff3601ff49646a4377ffffff5dffffffffff16ff7b05677eff656d7aff7f34ffffff13ffffff7b4fff395512ffffff0f3803ffffffffff5a3a7136ff3dff676affff4fffff652dff2d2b2effffff06ff31ffff7b00ff48ff54ff5753ff50ff4aff7221ff3840ff49ffffff50ff7530ff6168ff46ff43ffff35ff48ffff6cffffff0cff454b0b6404ffff7affffffffff641a233349ffffffff28ff5c44ffff0047435eff76ffff7e6effff59ff091dff43ff0d431cffff6f74ff7d452b3357ffff2374ffff7f693c2dffff095f55ffff2b2d1dff720f06495fffff7d20ffffffffffff1a4aff72ffff2cffffff7cff5a5a6b4a6847ff4dff43ffffffffff16ffffffffffff0e1f78ff75257f3b1207ff4f6569ffff23ff6fff69345fffffffff21ff58ff6fff3644ffffffff43ffff7c6dffff4a730754ff244dffffff564cffff3e35ff76ff76260d1bffff793cff7943ff3e5d5aff39ffff2b0624ff53ff5cff0d01ffff0d78ff7e4d3e220f79ff09624dffff03ff0cff697157ffff68ff6e372d5030ffffffffffff7dffffffff2803273e5fffffffffffff656eff2c33ff1cffffff047eff6e257310ffff330b18ff5949ffff74ffff2f45ffff007f2bff04286131ffff515d145b340812ff61ffffff0300002130303421234145533aff5537ff3fffff6dff75ff5fff6fffff1b513cff2affff5a52ffffffff2cff61ffffffffffffffff42ff2e46ffff0e0f042413ff2a69ffff0affff1fffffff5fffffff1a' 2024/06/10 04:39:35 wazuh-remoted: WARNING: Too big message size from socket [35]. [root@wazuh-manager-master-0 bin]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log | wc -l 0``` ### Filebeat Output ```console [root@wazuh-manager-master-0 bin]# filebeat test output elasticsearch: https://indexer3-ip:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: indexer3-ip dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://indexer1-ip:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: indexer1-ip dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://indexer2-ip:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: indexer2-ip dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 ```

WazuhMasterEnv2 :green_circle:

### System information ```console sh-4.2$ cat /etc/*release NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" Amazon Linux release 2 (Karoo) ``` ### Manager Version ```console [root@wazuh-manager-master-0 bin]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40812" WAZUH_TYPE="server" ``` ### Agent Status ```console [root@wazuh-manager-master-0 bin]# systemctl status wazuh-manager -l ● wazuh-manager.service - Wazuh manager Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled) Active: active (exited) since Fri 2024-06-07 08:32:23 UTC; 3 days ago Process: 15302 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS) Process: 15475 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS) Jun 07 08:32:17 wazuh-manager-master-0 env[15475]: Started wazuh-remoted... Jun 07 08:32:18 wazuh-manager-master-0 env[15475]: Started wazuh-logcollector... Jun 07 08:32:19 wazuh-manager-master-0 env[15475]: Started wazuh-monitord... Jun 07 08:32:19 wazuh-manager-master-0 env[15475]: 2024/06/07 08:32:19 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:32:19 wazuh-manager-master-0 env[15475]: 2024/06/07 08:32:19 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:32:20 wazuh-manager-master-0 env[15475]: Started wazuh-modulesd... Jun 07 08:32:21 wazuh-manager-master-0 env[15475]: Started wazuh-clusterd... Jun 07 08:32:22 wazuh-manager-master-0 crontab[16057]: (root) LIST (root) Jun 07 08:32:23 wazuh-manager-master-0 env[15475]: Completed. Jun 07 08:32:23 wazuh-manager-master-0 systemd[1]: Started Wazuh manager. ``` ### Module Status ```console [root@wazuh-manager-master-0 bin]# /var/ossec/bin/wazuh-control status wazuh-clusterd is running... wazuh-modulesd is running... wazuh-monitord is running... wazuh-logcollector is running... wazuh-remoted is running... wazuh-syscheckd is running... wazuh-analysisd is running... wazuh-maild not running... wazuh-execd is running... wazuh-db is running... wazuh-authd is running... wazuh-agentlessd not running... wazuh-integratord is running... wazuh-dbd not running... wazuh-csyslogd not running... wazuh-apid is running... ``` ### Service Status ```console [root@wazuh-manager-master-0 bin]# journalctl -xe -u wazuh-manager.service --no-pager -- Logs begin at Fri 2024-06-07 08:04:25 UTC, end at Mon 2024-06-10 15:18:07 UTC. -- Jun 07 08:29:36 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager... -- Subject: Unit wazuh-manager.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has begun starting up. Jun 07 08:29:38 wazuh-manager-master-0 env[11413]: 2024/06/07 08:29:38 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:29:38 wazuh-manager-master-0 env[11413]: 2024/06/07 08:29:38 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:29:38 wazuh-manager-master-0 env[11413]: Starting Wazuh v4.8.0... Jun 07 08:29:41 wazuh-manager-master-0 env[11413]: Started wazuh-apid... Jun 07 08:29:41 wazuh-manager-master-0 env[11413]: Started wazuh-csyslogd... Jun 07 08:29:41 wazuh-manager-master-0 env[11413]: Started wazuh-dbd... Jun 07 08:29:41 wazuh-manager-master-0 env[11413]: 2024/06/07 08:29:41 wazuh-integratord: INFO: Remote integrations not configured. Clean exit. Jun 07 08:29:41 wazuh-manager-master-0 env[11413]: Started wazuh-integratord... Jun 07 08:29:41 wazuh-manager-master-0 env[11413]: Started wazuh-agentlessd... Jun 07 08:29:42 wazuh-manager-master-0 env[11413]: Started wazuh-authd... Jun 07 08:29:43 wazuh-manager-master-0 env[11413]: Started wazuh-db... Jun 07 08:29:44 wazuh-manager-master-0 env[11413]: Started wazuh-execd... Jun 07 08:29:45 wazuh-manager-master-0 env[11413]: Started wazuh-analysisd... Jun 07 08:29:46 wazuh-manager-master-0 env[11413]: Started wazuh-syscheckd... Jun 07 08:29:46 wazuh-manager-master-0 env[11413]: Started wazuh-remoted... Jun 07 08:29:47 wazuh-manager-master-0 env[11413]: Started wazuh-logcollector... Jun 07 08:29:49 wazuh-manager-master-0 env[11413]: Started wazuh-monitord... Jun 07 08:29:49 wazuh-manager-master-0 env[11413]: 2024/06/07 08:29:49 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:29:49 wazuh-manager-master-0 env[11413]: 2024/06/07 08:29:49 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:29:50 wazuh-manager-master-0 env[11413]: Started wazuh-modulesd... Jun 07 08:29:51 wazuh-manager-master-0 env[11413]: Started wazuh-clusterd... Jun 07 08:29:53 wazuh-manager-master-0 crontab[11988]: (root) LIST (root) Jun 07 08:29:53 wazuh-manager-master-0 env[11413]: Completed. Jun 07 08:29:53 wazuh-manager-master-0 systemd[1]: Started Wazuh manager. -- Subject: Unit wazuh-manager.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has finished starting up. -- -- The start-up result is done. Jun 07 08:32:00 wazuh-manager-master-0 systemd[1]: Stopping Wazuh manager... -- Subject: Unit wazuh-manager.service has begun shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has begun shutting down. Jun 07 08:32:00 wazuh-manager-master-0 env[15302]: Killing wazuh-clusterd... Jun 07 08:32:01 wazuh-manager-master-0 env[15302]: Killing wazuh-modulesd... Jun 07 08:32:01 wazuh-manager-master-0 env[15302]: Killing wazuh-monitord... Jun 07 08:32:02 wazuh-manager-master-0 env[15302]: Killing wazuh-logcollector... Jun 07 08:32:02 wazuh-manager-master-0 env[15302]: Killing wazuh-remoted... Jun 07 08:32:02 wazuh-manager-master-0 env[15302]: Killing wazuh-syscheckd... Jun 07 08:32:03 wazuh-manager-master-0 env[15302]: Killing wazuh-analysisd... Jun 07 08:32:03 wazuh-manager-master-0 env[15302]: wazuh-maild not running... Jun 07 08:32:03 wazuh-manager-master-0 env[15302]: Killing wazuh-execd... Jun 07 08:32:03 wazuh-manager-master-0 env[15302]: Killing wazuh-db... Jun 07 08:32:04 wazuh-manager-master-0 env[15302]: Killing wazuh-authd... Jun 07 08:32:05 wazuh-manager-master-0 env[15302]: wazuh-agentlessd not running... Jun 07 08:32:05 wazuh-manager-master-0 env[15302]: wazuh-integratord not running... Jun 07 08:32:05 wazuh-manager-master-0 env[15302]: wazuh-dbd not running... Jun 07 08:32:05 wazuh-manager-master-0 env[15302]: wazuh-csyslogd not running... Jun 07 08:32:05 wazuh-manager-master-0 env[15302]: Killing wazuh-apid... Jun 07 08:32:05 wazuh-manager-master-0 env[15302]: Wazuh v4.8.0 Stopped Jun 07 08:32:05 wazuh-manager-master-0 systemd[1]: Stopped Wazuh manager. -- Subject: Unit wazuh-manager.service has finished shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has finished shutting down. Jun 07 08:32:05 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager... -- Subject: Unit wazuh-manager.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has begun starting up. Jun 07 08:32:07 wazuh-manager-master-0 env[15475]: 2024/06/07 08:32:07 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:32:07 wazuh-manager-master-0 env[15475]: 2024/06/07 08:32:07 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:32:08 wazuh-manager-master-0 env[15475]: Starting Wazuh v4.8.0... Jun 07 08:32:11 wazuh-manager-master-0 env[15475]: Started wazuh-apid... Jun 07 08:32:11 wazuh-manager-master-0 env[15475]: Started wazuh-csyslogd... Jun 07 08:32:11 wazuh-manager-master-0 env[15475]: Started wazuh-dbd... Jun 07 08:32:11 wazuh-manager-master-0 env[15475]: 2024/06/07 08:32:11 wazuh-integratord: INFO: Remote integrations not configured. Clean exit. Jun 07 08:32:11 wazuh-manager-master-0 env[15475]: Started wazuh-integratord... Jun 07 08:32:11 wazuh-manager-master-0 env[15475]: Started wazuh-agentlessd... Jun 07 08:32:12 wazuh-manager-master-0 env[15475]: Started wazuh-authd... Jun 07 08:32:13 wazuh-manager-master-0 env[15475]: Started wazuh-db... Jun 07 08:32:14 wazuh-manager-master-0 env[15475]: Started wazuh-execd... Jun 07 08:32:15 wazuh-manager-master-0 env[15475]: Started wazuh-analysisd... Jun 07 08:32:16 wazuh-manager-master-0 env[15475]: Started wazuh-syscheckd... Jun 07 08:32:17 wazuh-manager-master-0 env[15475]: Started wazuh-remoted... Jun 07 08:32:18 wazuh-manager-master-0 env[15475]: Started wazuh-logcollector... Jun 07 08:32:19 wazuh-manager-master-0 env[15475]: Started wazuh-monitord... Jun 07 08:32:19 wazuh-manager-master-0 env[15475]: 2024/06/07 08:32:19 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:32:19 wazuh-manager-master-0 env[15475]: 2024/06/07 08:32:19 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:32:20 wazuh-manager-master-0 env[15475]: Started wazuh-modulesd... Jun 07 08:32:21 wazuh-manager-master-0 env[15475]: Started wazuh-clusterd... Jun 07 08:32:22 wazuh-manager-master-0 crontab[16057]: (root) LIST (root) Jun 07 08:32:23 wazuh-manager-master-0 env[15475]: Completed. Jun 07 08:32:23 wazuh-manager-master-0 systemd[1]: Started Wazuh manager. -- Subject: Unit wazuh-manager.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has finished starting up. -- -- The start-up result is done. ``` ### Error Logs ```console [root@wazuh-manager-master-0 bin]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log | wc -l 0 ``` ### Filebeat Output ```console [root@wazuh-manager-master-0 bin]# filebeat test output elasticsearch: https://indexer3-ip:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: indexer3-ip dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://indexer1-ip:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: indexer1-ip dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://indexer2-ip:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: indexer2-ip dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 ```

WazuhWorker :green_circle:

### System information ```console sh-4.2$ cat /etc/*release NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" Amazon Linux release 2 (Karoo) ``` ### Manager Version ```console [root@wazuh-manager-worker-0 bin]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40812" WAZUH_TYPE="server" ``` ### Agent Status ```console [root@wazuh-manager-worker-0 bin]# systemctl status wazuh-manager -l ● wazuh-manager.service - Wazuh manager Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled) Active: active (exited) since Fri 2024-06-07 08:36:52 UTC; 3 days ago Process: 14941 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS) Process: 15089 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS) Jun 07 08:36:45 wazuh-manager-worker-0 env[15089]: Started wazuh-syscheckd... Jun 07 08:36:46 wazuh-manager-worker-0 env[15089]: Started wazuh-remoted... Jun 07 08:36:47 wazuh-manager-worker-0 env[15089]: Started wazuh-logcollector... Jun 07 08:36:48 wazuh-manager-worker-0 env[15089]: Started wazuh-monitord... Jun 07 08:36:49 wazuh-manager-worker-0 env[15089]: 2024/06/07 08:36:49 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:36:49 wazuh-manager-worker-0 env[15089]: 2024/06/07 08:36:49 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:36:50 wazuh-manager-worker-0 env[15089]: Started wazuh-modulesd... Jun 07 08:36:50 wazuh-manager-worker-0 env[15089]: Started wazuh-clusterd... Jun 07 08:36:52 wazuh-manager-worker-0 env[15089]: Completed. Jun 07 08:36:52 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager. ``` ### Module Status ```console [root@wazuh-manager-worker-0 bin]# /var/ossec/bin/wazuh-control status wazuh-clusterd is running... wazuh-modulesd is running... wazuh-monitord is running... wazuh-logcollector is running... wazuh-remoted is running... wazuh-syscheckd is running... wazuh-analysisd is running... wazuh-maild not running... wazuh-execd is running... wazuh-db is running... wazuh-authd not running... wazuh-agentlessd not running... wazuh-integratord is running... wazuh-dbd not running... wazuh-csyslogd not running... wazuh-apid is running... ``` ### Service Status ```console [root@wazuh-manager-worker-0 bin]# journalctl -xe -u wazuh-manager.service --no-pager -- Logs begin at Fri 2024-06-07 08:04:30 UTC, end at Mon 2024-06-10 15:20:56 UTC. -- Jun 07 08:34:29 wazuh-manager-worker-0 systemd[1]: Starting Wazuh manager... -- Subject: Unit wazuh-manager.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has begun starting up. Jun 07 08:34:30 wazuh-manager-worker-0 env[11128]: 2024/06/07 08:34:30 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:34:30 wazuh-manager-worker-0 env[11128]: 2024/06/07 08:34:30 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:34:31 wazuh-manager-worker-0 env[11128]: Starting Wazuh v4.8.0... Jun 07 08:34:34 wazuh-manager-worker-0 env[11128]: Started wazuh-apid... Jun 07 08:34:34 wazuh-manager-worker-0 env[11128]: Started wazuh-csyslogd... Jun 07 08:34:34 wazuh-manager-worker-0 env[11128]: Started wazuh-dbd... Jun 07 08:34:34 wazuh-manager-worker-0 env[11128]: 2024/06/07 08:34:34 wazuh-integratord: INFO: Remote integrations not configured. Clean exit. Jun 07 08:34:34 wazuh-manager-worker-0 env[11128]: Started wazuh-integratord... Jun 07 08:34:34 wazuh-manager-worker-0 env[11128]: Started wazuh-agentlessd... Jun 07 08:34:35 wazuh-manager-worker-0 env[11128]: Started wazuh-db... Jun 07 08:34:36 wazuh-manager-worker-0 env[11128]: Started wazuh-execd... Jun 07 08:34:37 wazuh-manager-worker-0 env[11128]: Started wazuh-analysisd... Jun 07 08:34:38 wazuh-manager-worker-0 env[11128]: Started wazuh-syscheckd... Jun 07 08:34:39 wazuh-manager-worker-0 env[11128]: Started wazuh-remoted... Jun 07 08:34:40 wazuh-manager-worker-0 env[11128]: Started wazuh-logcollector... Jun 07 08:34:42 wazuh-manager-worker-0 env[11128]: Started wazuh-monitord... Jun 07 08:34:42 wazuh-manager-worker-0 env[11128]: 2024/06/07 08:34:42 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:34:42 wazuh-manager-worker-0 env[11128]: 2024/06/07 08:34:42 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:34:43 wazuh-manager-worker-0 env[11128]: Started wazuh-modulesd... Jun 07 08:34:44 wazuh-manager-worker-0 env[11128]: Started wazuh-clusterd... Jun 07 08:34:46 wazuh-manager-worker-0 env[11128]: Completed. Jun 07 08:34:46 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager. -- Subject: Unit wazuh-manager.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has finished starting up. -- -- The start-up result is done. Jun 07 08:36:31 wazuh-manager-worker-0 systemd[1]: Stopping Wazuh manager... -- Subject: Unit wazuh-manager.service has begun shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has begun shutting down. Jun 07 08:36:31 wazuh-manager-worker-0 env[14941]: Killing wazuh-clusterd... Jun 07 08:36:32 wazuh-manager-worker-0 env[14941]: Killing wazuh-modulesd... Jun 07 08:36:32 wazuh-manager-worker-0 env[14941]: Killing wazuh-monitord... Jun 07 08:36:32 wazuh-manager-worker-0 env[14941]: Killing wazuh-logcollector... Jun 07 08:36:32 wazuh-manager-worker-0 env[14941]: Killing wazuh-remoted... Jun 07 08:36:32 wazuh-manager-worker-0 env[14941]: Killing wazuh-syscheckd... Jun 07 08:36:33 wazuh-manager-worker-0 env[14941]: Killing wazuh-analysisd... Jun 07 08:36:33 wazuh-manager-worker-0 env[14941]: wazuh-maild not running... Jun 07 08:36:33 wazuh-manager-worker-0 env[14941]: Killing wazuh-execd... Jun 07 08:36:33 wazuh-manager-worker-0 env[14941]: Killing wazuh-db... Jun 07 08:36:34 wazuh-manager-worker-0 env[14941]: wazuh-authd not running... Jun 07 08:36:34 wazuh-manager-worker-0 env[14941]: wazuh-agentlessd not running... Jun 07 08:36:34 wazuh-manager-worker-0 env[14941]: wazuh-integratord not running... Jun 07 08:36:34 wazuh-manager-worker-0 env[14941]: wazuh-dbd not running... Jun 07 08:36:34 wazuh-manager-worker-0 env[14941]: wazuh-csyslogd not running... Jun 07 08:36:34 wazuh-manager-worker-0 env[14941]: Killing wazuh-apid... Jun 07 08:36:35 wazuh-manager-worker-0 env[14941]: Wazuh v4.8.0 Stopped Jun 07 08:36:35 wazuh-manager-worker-0 systemd[1]: Stopped Wazuh manager. -- Subject: Unit wazuh-manager.service has finished shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has finished shutting down. Jun 07 08:36:35 wazuh-manager-worker-0 systemd[1]: Starting Wazuh manager... -- Subject: Unit wazuh-manager.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has begun starting up. Jun 07 08:36:37 wazuh-manager-worker-0 env[15089]: 2024/06/07 08:36:37 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:36:37 wazuh-manager-worker-0 env[15089]: 2024/06/07 08:36:37 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:36:38 wazuh-manager-worker-0 env[15089]: Starting Wazuh v4.8.0... Jun 07 08:36:41 wazuh-manager-worker-0 env[15089]: Started wazuh-apid... Jun 07 08:36:41 wazuh-manager-worker-0 env[15089]: Started wazuh-csyslogd... Jun 07 08:36:41 wazuh-manager-worker-0 env[15089]: Started wazuh-dbd... Jun 07 08:36:41 wazuh-manager-worker-0 env[15089]: 2024/06/07 08:36:41 wazuh-integratord: INFO: Remote integrations not configured. Clean exit. Jun 07 08:36:41 wazuh-manager-worker-0 env[15089]: Started wazuh-integratord... Jun 07 08:36:41 wazuh-manager-worker-0 env[15089]: Started wazuh-agentlessd... Jun 07 08:36:42 wazuh-manager-worker-0 env[15089]: Started wazuh-db... Jun 07 08:36:43 wazuh-manager-worker-0 env[15089]: Started wazuh-execd... Jun 07 08:36:44 wazuh-manager-worker-0 env[15089]: Started wazuh-analysisd... Jun 07 08:36:45 wazuh-manager-worker-0 env[15089]: Started wazuh-syscheckd... Jun 07 08:36:46 wazuh-manager-worker-0 env[15089]: Started wazuh-remoted... Jun 07 08:36:47 wazuh-manager-worker-0 env[15089]: Started wazuh-logcollector... Jun 07 08:36:48 wazuh-manager-worker-0 env[15089]: Started wazuh-monitord... Jun 07 08:36:49 wazuh-manager-worker-0 env[15089]: 2024/06/07 08:36:49 wazuh-modulesd:router: INFO: Loaded router module. Jun 07 08:36:49 wazuh-manager-worker-0 env[15089]: 2024/06/07 08:36:49 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jun 07 08:36:50 wazuh-manager-worker-0 env[15089]: Started wazuh-modulesd... Jun 07 08:36:50 wazuh-manager-worker-0 env[15089]: Started wazuh-clusterd... Jun 07 08:36:52 wazuh-manager-worker-0 env[15089]: Completed. Jun 07 08:36:52 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager. -- Subject: Unit wazuh-manager.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit wazuh-manager.service has finished starting up. -- -- The start-up result is done. ``` ### Error Logs ```console [root@wazuh-manager-worker-0 bin]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log | wc -l 0 [root@wazuh-manager-worker-0 bin]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log | wc -l 0 ``` ### Filebeat Output ```console [root@wazuh-manager-worker-0 bin]# filebeat test output elasticsearch: https://indexer3-ip:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: indexer3-ip dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://indexer1-ip:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: indexer1-ip dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: https://indexer2-ip:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: indexer2-ip dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 ```

[Rebits]

Check Wazuh Users and Processes :green_circle:

Agent

Amazon 🟢

```console sh-4.2$ ps -aux | grep wazuh root 11303 0.0 0.3 40768 3332 ? Sl Jun07 0:12 /var/ossec/bin/wazuh-execd wazuh 11315 0.0 0.5 262684 5336 ? Sl Jun07 1:03 /var/ossec/bin/wazuh-agentd root 11330 0.0 0.9 233012 9172 ? SNl Jun07 1:43 /var/ossec/bin/wazuh-syscheckd root 11346 0.0 0.4 483212 4660 ? Sl Jun07 0:43 /var/ossec/bin/wazuh-logcollector root 11364 0.0 1.3 751764 13144 ? Sl Jun07 0:25 /var/ossec/bin/wazuh-modulesd root 11624 0.0 0.1 121272 956 pts/0 S+ 15:44 0:00 grep --color=auto wazuh ```

Centos 🟢

```console [root@ip-centos-ip bin]# ps -aux | grep wazuh root 9421 0.0 0.2 45828 2116 ? Sl Jun07 0:07 /var/ossec/bin/wazuh-execd wazuh 9433 0.0 0.7 276772 5836 ? Sl Jun07 0:49 /var/ossec/bin/wazuh-agentd root 9448 0.0 1.0 244476 8828 ? SNl Jun07 1:56 /var/ossec/bin/wazuh-syscheckd root 9464 0.0 0.4 488372 3336 ? Sl Jun07 0:30 /var/ossec/bin/wazuh-logcollector root 9480 0.0 2.7 761852 22304 ? Sl Jun07 0:23 /var/ossec/bin/wazuh-modulesd root 33760 0.0 0.1 221928 1088 pts/0 S+ 15:45 0:00 grep --color=auto wazuh ```

Debian 🟢

```console root@ip-debian-ip:/usr/bin# ps -aux | grep wazuh root 8222 0.0 0.2 26596 2224 ? Sl Jun07 0:11 /var/ossec/bin/wazuh-execd wazuh 8233 0.0 0.6 314404 6672 ? Sl Jun07 1:09 /var/ossec/bin/wazuh-agentd root 8247 0.0 0.8 345380 8296 ? SNl Jun07 1:39 /var/ossec/bin/wazuh-syscheckd root 8262 0.0 1.4 469148 14616 ? Sl Jun07 0:43 /var/ossec/bin/wazuh-logcollector root 8281 0.0 1.5 731556 15512 ? Sl Jun07 0:23 /var/ossec/bin/wazuh-modulesd root 58339 0.0 0.0 5264 712 pts/0 S+ 15:45 0:00 grep wazuh ```

RHEL9 🟢

```console [root@ip-rhel-ip bin]# ps -aux | grep wazuh root 62150 0.0 0.1 26380 6200 ? Sl Jun07 0:08 /var/ossec/bin/wazuh-execd wazuh 62162 0.0 0.2 248196 8668 ? Sl Jun07 1:57 /var/ossec/bin/wazuh-agentd root 62177 0.0 0.3 558436 13156 ? SNl Jun07 3:10 /var/ossec/bin/wazuh-syscheckd root 62197 0.0 0.2 468896 8280 ? Sl Jun07 0:59 /var/ossec/bin/wazuh-logcollector root 62207 0.0 1.0 1026016 40280 ? Sl Jun07 1:18 /var/ossec/bin/wazuh-modulesd root 399574 0.0 0.0 6408 2140 pts/0 S+ 15:46 0:00 grep --color=auto wazuh ```

Ubuntu 🟢

```console root@ip-ubuntu-ip:/var/snap/amazon-ssm-agent/7993# ps -aux | grep wazuh root 9319 0.0 0.2 26436 2552 ? Sl Jun07 0:14 /var/ossec/bin/wazuh-execd wazuh 9330 0.0 0.4 248376 4456 ? Sl Jun07 1:10 /var/ossec/bin/wazuh-agentd root 9344 0.0 0.7 214480 7236 ? SNl Jun07 1:59 /var/ossec/bin/wazuh-syscheckd root 9359 0.0 0.2 468904 2788 ? Sl Jun07 0:45 /var/ossec/bin/wazuh-logcollector root 9378 0.0 1.4 731348 13700 ? Sl Jun07 0:30 /var/ossec/bin/wazuh-modulesd root 81511 0.0 0.2 7008 2216 pts/1 S+ 15:47 0:00 grep --color=auto wazuh ```

Windows 🟢

```console PS C:\Windows\system32> tasklist /svc | Select-String "wazuh" wazuh-agent.exe 928 WazuhSvc ```

Dashboard

WazuhDashboard 🟢

```console [root@ip-dashboard-ip bin]# ps -aux | grep wazuh-dashboard wazuh-d+ 19931 0.2 3.2 1109964 264216 ? Ssl May28 22:02 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist root 31105 0.0 0.0 121272 924 pts/0 S+ 16:28 0:00 grep --color=auto wazuh-dashboard ```

Indexer

IndexerBootstrap 🟢

```console [root@ip-indexer-ip bin]# ps -aux | grep wazuh root 1379 0.0 0.0 121272 920 pts/0 S+ 15:49 0:00 grep --color=auto wazuh wazuh-i+ 12389 1.0 57.5 7183760 4627940 ? Ssl Jun07 52:27 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-12511040543639891548 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet ```

IndexerMasterB 🟢

```console ssm-user 1581 0.0 0.0 121272 972 pts/0 S+ 15:54 0:00 grep wazuh wazuh-i+ 12217 0.9 57.4 7183116 4621720 ? Ssl Jun07 47:19 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-17160222584255521138 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet ```

IndexerMasterC 🟢

```console sh-4.2$ ps -aux | grep wazuh ssm-user 3116 0.0 0.0 121272 928 pts/0 S+ 15:55 0:00 grep wazuh wazuh-i+ 12368 1.2 57.6 7187232 4638000 ? Ssl Jun07 58:40 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-13991278195436695171 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet ```

WazuhDashboard 🟢

```console sh-4.2$ ps -aux | grep wazuh-indexer ssm-user 9303 0.0 0.0 121272 1004 pts/0 S+ 15:55 0:00 grep wazuh-indexer wazuh-i+ 14594 0.8 38.9 5660444 3133052 ? Ssl Jun07 38:32 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-11616403398296492359 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet ```

Manager

WazuhMasterEnv1 🟢

```console [root@wazuh-manager-master-0 bin]# ps -aux | grep wazuh root 15472 0.0 0.0 121272 964 pts/0 S+ 15:56 0:00 grep --color=auto wazuh wazuh 25597 0.0 3.2 1148748 127080 ? Sl Jun07 3:08 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 25598 0.0 2.3 313620 94432 ? S Jun07 0:35 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 25601 0.1 2.0 382976 82008 ? S Jun07 5:24 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 25604 0.0 1.4 512892 58632 ? S Jun07 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 25630 0.0 0.1 41376 4876 ? Sl Jun07 0:31 /var/ossec/bin/wazuh-integratord root 25651 0.2 0.2 262820 8024 ? Sl Jun07 12:15 /var/ossec/bin/wazuh-authd wazuh 25668 0.1 0.9 945796 38272 ? Sl Jun07 7:35 /var/ossec/bin/wazuh-db root 25694 0.0 0.1 41440 4152 ? Sl Jun07 0:10 /var/ossec/bin/wazuh-execd wazuh 25709 0.8 5.0 1319112 201220 ? Sl Jun07 39:41 /var/ossec/bin/wazuh-analysisd root 25722 0.0 0.3 294924 14232 ? SNl Jun07 1:53 /var/ossec/bin/wazuh-syscheckd wazuh 25743 0.2 0.4 1242324 17664 ? Sl Jun07 14:09 /var/ossec/bin/wazuh-remoted root 25779 0.0 0.1 483840 5672 ? Sl Jun07 0:40 /var/ossec/bin/wazuh-logcollector wazuh 25798 0.0 0.1 41408 7576 ? Sl Jun07 1:48 /var/ossec/bin/wazuh-monitord root 25849 0.1 5.7 848908 227828 ? Sl Jun07 6:26 /var/ossec/bin/wazuh-modulesd wazuh 26283 0.1 1.7 435572 68876 ? Sl Jun07 7:53 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py wazuh 26287 0.0 1.3 276416 52580 ? S Jun07 1:10 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py wazuh 26288 0.0 1.3 277988 54820 ? S Jun07 1:10 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py ```

WazuhMasterEnv2 🟢

```console [root@wazuh-manager-master-0 bin]# ps -aux | grep wazuh root 11923 0.0 0.0 121272 1000 pts/0 S+ 15:57 0:00 grep --color=auto wazuh wazuh 25058 0.0 3.0 1143784 119244 ? Sl Jun07 2:04 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 25059 0.0 1.9 295932 76760 ? S Jun07 0:08 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 25062 0.0 2.0 382184 81712 ? S Jun07 3:56 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 25065 0.0 1.4 511868 58632 ? S Jun07 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 25091 0.0 0.1 41376 4212 ? Sl Jun07 0:27 /var/ossec/bin/wazuh-integratord root 25112 0.2 0.2 197280 8120 ? Sl Jun07 11:01 /var/ossec/bin/wazuh-authd wazuh 25129 0.1 0.6 945796 24824 ? Sl Jun07 6:43 /var/ossec/bin/wazuh-db root 25154 0.0 0.1 41436 4260 ? Sl Jun07 0:10 /var/ossec/bin/wazuh-execd wazuh 25170 0.5 3.5 1297028 141336 ? Sl Jun07 27:14 /var/ossec/bin/wazuh-analysisd root 25182 0.0 0.3 295028 14472 ? SNl Jun07 1:52 /var/ossec/bin/wazuh-syscheckd wazuh 25204 0.1 0.4 1233608 16364 ? Sl Jun07 8:07 /var/ossec/bin/wazuh-remoted root 25239 0.0 0.1 483840 5744 ? Sl Jun07 0:39 /var/ossec/bin/wazuh-logcollector wazuh 25259 0.0 0.1 41408 7744 ? Sl Jun07 1:28 /var/ossec/bin/wazuh-monitord root 25312 0.0 3.3 722444 132240 ? Sl Jun07 1:51 /var/ossec/bin/wazuh-modulesd wazuh 25745 0.0 1.4 424488 59232 ? Sl Jun07 1:45 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py wazuh 25758 0.0 1.3 276540 52880 ? S Jun07 1:05 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py wazuh 25759 0.0 1.3 276408 52720 ? S Jun07 1:05 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py ```

WazuhWorker 🟢

```console [root@wazuh-manager-worker-0 bin]# ps -aux | grep wazuh wazuh 18857 0.0 2.5 860680 100956 ? Sl Jun07 0:08 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 18858 0.0 1.4 283500 58320 ? S Jun07 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 18861 0.0 1.4 365428 58708 ? S Jun07 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 18864 0.0 1.4 512892 58564 ? S Jun07 0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 18890 0.0 0.1 41332 4256 ? Sl Jun07 0:15 /var/ossec/bin/wazuh-integratord wazuh 18908 0.1 0.4 945660 18924 ? Sl Jun07 6:27 /var/ossec/bin/wazuh-db root 18935 0.0 0.1 41372 4092 ? Sl Jun07 0:11 /var/ossec/bin/wazuh-execd wazuh 18949 0.0 0.9 1296968 35996 ? Sl Jun07 0:41 /var/ossec/bin/wazuh-analysisd root 18963 0.0 0.3 229332 13976 ? SNl Jun07 1:52 /var/ossec/bin/wazuh-syscheckd wazuh 18984 0.1 0.2 774684 10872 ? Sl Jun07 8:28 /var/ossec/bin/wazuh-remoted root 19019 0.0 0.1 483772 5700 ? Sl Jun07 0:41 /var/ossec/bin/wazuh-logcollector wazuh 19040 0.0 0.1 41340 7716 ? Sl Jun07 0:16 /var/ossec/bin/wazuh-monitord root 19087 0.0 3.0 639992 122264 ? Sl Jun07 1:10 /var/ossec/bin/wazuh-modulesd root 19258 0.0 0.0 121272 960 pts/0 S+ 15:57 0:00 grep --color=auto wazuh wazuh 19506 0.1 1.6 577888 64700 ? Sl Jun07 8:45 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py wazuh 19594 0.0 1.3 277068 54284 ? S Jun07 3:07 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py wazuh 20572 0.0 1.3 429268 53248 ? S Jun07 0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py ```

[Rebits]

Check the Status of the Indexer Cluster 🟢

sh-4.2$ curl -k -u user:password https://indexer_ip:9200/_cat/nodes?v
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                     cluster_manager name
indexer1-ip            11          92   0    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
indexer2-ip           46          92   0    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-3
indexer3-ip            9          96   0    0.02    0.01     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-7
indexer4-ip           17          92   0    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-2

[Rebits]

Check Browser's Developer Console for Errors While Browsing the App :yellow_circle:

Login/Logout Screen 🟡

- Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/4121 ```console Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-75XtnrpDA0UHDMcl7S8lvswryIOd0RqgacRh0AMOgdk='), or a nonce ('nonce-...') is required to enable inline execution. ``` - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/5821 and https://github.com/wazuh/wazuh-dashboard-plugins/issues/5332 ```console reportsDashboards.plugin.js:24 Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'split') at checkURLParams (reportsDashboards.plugin.js:24:109539) at HTMLDocument. (reportsDashboards.plugin.js:24:109421) at u (osd-ui-shared-deps.js:411:26168) at l (osd-ui-shared-deps.js:411:26470) ``` - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/4108 ```console securityDashboards.plugin.js:15 Error: Unauthorized at fetch_Fetch.fetchResponse (core.entry.js:15:177501) at async interceptResponse (core.entry.js:15:172919) at async core.entry.js:15:175399 ```

Overview :yellow_circle:

- Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/4121 ```console Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-75XtnrpDA0UHDMcl7S8lvswryIOd0RqgacRh0AMOgdk='), or a nonce ('nonce-...') is required to enable inline execution. ``` - Reported https://github.com/wazuh/wazuh-dashboard-plugins/issues/5332 ``` Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'split') ``` - Reported https://github.com/wazuh/wazuh-dashboard-plugins/issues/4121 ``` wz-home#/overview/?_…&tabView=panels:363 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-75XtnrpDA0UHDMcl7S8lvswryIOd0RqgacRh0AMOgdk='), or a nonce ('nonce-...') is required to enable inline execution. bootstrap.js:43 ^ A single error about an inline script not firing due to content security policy is expected! ```

Endpoints Summary 🟢

- No issues found here. *** visTypeVislib.chunk.1.js:1 [Violation] Added non-passive event listener to a scroll-blocking 'touchstart' event. Consider marking event handler as 'passive' to make the page more responsive. See https://www.chromestatus.com/feature/5745543795965952

Configuration Assessment 🟢

- Dashboard 🟢 - Inventory 🟢 - Events 🟢

Malware Detection 🟢

- Dashboard 🟢 - Events 🟢

File Integrity Monitoring 🟢

- Dashboard 🟢 - Inventory 🟢 - Events 🟢

Threat Hunting :green_circle:

- Dashboard :green_circle: - Events 🟢

Vulnerability Detection 🟢

- Dashboard 🟢 - Inventory 🟢 - Events 🟢

MITRE ATT&CK 🟢

- Dashboard 🟢 - Intelligence 🟢 - Framework 🟢 - Events 🟢

VirusTotal 🟢

- Dashboard 🟢 - Controls 🟡 ``` osd-ui-shared-deps.@elastic.js:1 EuiButtonIcon requires aria-label or aria-labelledby to be specified because icon-only buttons are screen-reader-inaccessible without them. ``` - Events 🟢

PCI DSS 🟡

- Dashboard 🟢 - Controls 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/6320 ```console osd-ui-shared-deps.@elastic.js:1 EuiButtonIcon requires aria-label or aria-labelledby to be specified because icon-only buttons are screen-reader-inaccessible without them. ``` - Events 🟢

GDPR 🟡

- Dashboard 🟢 - Controls 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/6320 ```console osd-ui-shared-deps.@elastic.js:1 EuiButtonIcon requires aria-label or aria-labelledby to be specified because icon-only buttons are screen-reader-inaccessible without them. ``` - Events 🟢

NIST 800-53 :yellow_circle:

- Dashboard :green_circle: - Controls 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/6320 ```console osd-ui-shared-deps.@elastic.js:1 EuiButtonIcon requires aria-label or aria-labelledby to be specified because icon-only buttons are screen-reader-inaccessible without them. ``` - Events 🟢

TSC 🟡

- Dashboard 🟢 - Controls 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/6320 ```console osd-ui-shared-deps.@elastic.js:1 EuiButtonIcon requires aria-label or aria-labelledby to be specified because icon-only buttons are screen-reader-inaccessible without them. ``` - Events 🟢

Amazon Web Services 🟡

- Dashboard 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/4092 ```console mapsLegacy.chunk.1.js:1 The "manifestServiceUrl" parameter is deprecated in v7.6.0. Consider using "tileApiUrl" and "fileApiUrl" instead. ``` - Events 🟢

Google Cloud :yellow_circle:

- Dashboard :yellow_circle: Reported: https://github.com/wazuh/wazuh-dashboard-plugins/issues/6022 ``` Uncaught TypeError: Cannot read properties of null (reading 'top_left') at scaleBounds (tileMap.plugin.js:7:13685) at CoordinateMapsVisualization.updateGeohashAgg (tileMap.plugin.js:7:15150) at CoordinateMapsVisualization._updateData (tileMap.plugin.js:7:17884) at CoordinateMapsVisualization.render (mapsLegacy.plugin.js:1:60834) at async CoordinateMapsVisualization.render (tileMap.plugin.js:7:15901) scaleBounds @ tileMap.plugin.js:7 (anonymous) @ tileMap.plugin.js:7 _updateData @ tileMap.plugin.js:7 render @ mapsLegacy.plugin.js:1 setTimeout (async) r @ osd-ui-shared-deps.js:364 t.error @ osd-ui-shared-deps.js:21 t._error @ osd-ui-shared-deps.js:21 t.error @ osd-ui-shared-deps.js:21 t.notifyError @ osd-ui-shared-deps.js:287 t._error @ osd-ui-shared-deps.js:287 t.error @ osd-ui-shared-deps.js:21 (anonymous) @ osd-ui-shared-deps.js:364 Promise.then (async) t @ osd-ui-shared-deps.js:364 u @ osd-ui-shared-deps.js:287 t._innerSub @ osd-ui-shared-deps.js:509 t._next @ osd-ui-shared-deps.js:509 t.next @ osd-ui-shared-deps.js:21 t.debouncedNext @ osd-ui-shared-deps.js:509 oe @ osd-ui-shared-deps.js:509 t._execute @ osd-ui-shared-deps.js:364 t.execute @ osd-ui-shared-deps.js:364 t.flush @ osd-ui-shared-deps.js:364 ``` - Events 🟢

Github 🟢

- Dashboard 🟢 - Panel 🟢 - Events 🟢

Office 365 🟡

- Dashboard 🟢 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/6022 ```console osd-ui-shared-deps.js:364 Uncaught TypeError: Cannot read properties of null (reading 'top_left') at scaleBounds (tileMap.plugin.js:7:13685) at CoordinateMapsVisualization.updateGeohashAgg (tileMap.plugin.js:7:15150) at CoordinateMapsVisualization._updateData (tileMap.plugin.js:7:17884) at CoordinateMapsVisualization.render (mapsLegacy.plugin.js:1:60834) at async CoordinateMapsVisualization.render (tileMap.plugin.js:7:15901) ``` - Panel 🟢 - Events 🟢

Side Navbar 🟡

- Recently Viewed 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/6318

Alerting 🟡

- Alerts 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/5869 ```console alertingDashboards.chunk.3.js:1 error getting monitors: {ok: false, resp: '[alerting_exception] Configured indices are not found: [.opendistro-alerting-config]'} ``` - Monitors 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/5869 ```console alertingDashboards.chunk.3.js:1 error getting monitors: {ok: false, resp: {…}} ``` - Destinations 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/6320 ```console alertingDashboards.chunk.3.js:1 Unable to get email groups [index_not_found_exception] no such index [.opendistro-alerting-config], with { index=".opendistro-alerting-config" & resource.id=".opendistro-alerting-config" & resource.type="index_or_alias" & index_uuid="_na_" } ```

[Rebits]

Check that there are Alerts for each of the Modules Configured :green_circle:

Modules in Wazuh-1 :green_circle:

Check Activated Modules :green_circle:

  

Check Alerts from the Activated Modules :green_circle:

- AWS Module :green_circle:  - VirusTotal Module :green_circle:  - Docker Listener Module :green_circle:  > Note: Docker is not installed on the agents - GDPR Module :green_circle:  - HIPAA Module :green_circle:  - TSC Module :green_circle: 

Modules in Wazuh-2 :green_circle:

Check Activated Modules :green_circle:

  

Check Alerts from the Activated Modules :green_circle:

- AWS Module :large_blue_circle:  - VirusTotal Module :green_circle:  > Reported in Reported in https://github.com/wazuh/wazuh-automation/issues/1369 - Docker Listener Module :green_circle:  > [!NOTE] > Docker was manually installed in the Ubuntu agent. This should be included in the issue template - GDPR Module :green_circle:  - HIPAA Module :green_circle:  - TSC Module :green_circle: 

[Rebits]

Generate an Alert and Check it appears in the Wazuh Dashboard 🟢

Attempt an Invalid SSH Login into Any Agent 🟢

```console ➜ ~ ssh invalid-user@debian.wazuh.info The authenticity of host 'debian.wazuh.info (13.56.41.237)' can't be established. ED25519 key fingerprint is SHA256:7F46pk5i1DtCOYiXNQTvLewuyEvv6fHuddxRrYqf4KM. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'debian.wazuh.info' (ED25519) to the list of known hosts. invalid-user@debian.wazuh.info's password: Permission denied, please try again. invalid-user@debian.wazuh.info's password: Received disconnect from 13.56.41.237 port 22:2: Too many authentication failures Disconnected from 13.56.41.237 port 22 ```

Check the Alert in Wazuh Dashboard 🟢


[Rebits]

Check the search engine works using * 🟢

Case 1: Using * 🟢


Case 2: Using aw* 🟢


Case 3: Using *squer* 🟢


Case 4: Using *shd 🟢


[davidcr01]

In this comment, it seems that the Wazuh dashboard logs are not checked correctly. https://github.com/wazuh/wazuh/issues/23945#issuecomment-2158515516.

In https://github.com/wazuh/wazuh/issues/23945#issuecomment-2160136727, the env-1 and env-2 were renamed to wazuh-1 and wazuh-2 respectively. Please, change this in the following test.

[juliamagan]

LGTM