Release 4.9.0 - Alpha 3 - E2E UX tests - Central components upgrade

[davidjiglesias]

End-to-End (E2E) Testing Guideline

• Documentation: Always consult the development documentation for the current stage tag at this link. Be careful because some of the description steps might refer to a current version in production, always navigate using the current development documention for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and urls for the correct testing of the development packages.
• Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
• Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the DevOps team through this link.
• External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the DevOps team here.
• Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
• Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
• Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
• Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
• Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
• Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing objective and Urgent priority. Communicate these to the team and QA via the c-release Slack channel.
• Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
• Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
• Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example https://github.com/wazuh/wazuh/issues/13994.
• Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/devel-qa team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
• For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

• 🟢 All checks passed
• 🟡 Found a known issue
• 🔴 Found a new error

Issue delivery and completion

• Initial delivery: The issue's assignee must complete the testing and deliver the results by Jul 24, 2024 and notify the @wazuh/devel-qa team via Slack using the c-release channel
• Review: The @wazuh/devel-qa team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Jul 25, 2024 date (issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
• Auditor: The QA team must audit, validate the results, and close the issue by Jul 26, 2024.

Deployment requirements

Component	Installation	Type	OS
Indexer	Quickstart	-	Amazon Linux 2023 x86_64
Server	Same as indexer, all-in-one	-	-
Dashboard	Same as indexer, all-in-one	-	-
Agent	Installing Wazuh agents	-	Windows 11 x86_64, Debian 11 x86_64

Test description

1. Initial Deployment:

• Deploy the latest production release of the defined architecture as per the standard deployment requirements instructions from the section above.
• Connect one agent to the master node and another agent to the worker node.

2. Validation of Initial Deployment:

• Navigate through the UI to ensure that it is accessible and functional.
• Verify that both agents are connected to their respective nodes (master and worker) and are listed as active.
• Trigger or simulate a condition that would generate at least one alert from each agent, and confirm that these alerts are captured and displayed in the UI.

3. Upgrade of Central Components:

• Follow the upgrade guide provided in the documentation to upgrade the central components, including the master, worker, indexer, and dashboard.
• Monitor the upgrade process for any errors or warnings and document any that are encountered.

4. Post-Upgrade Validation:

• After the upgrade, navigate through the UI to ensure that all components are functioning correctly.
• Verify again that both agents are connected to their respective nodes and are active post-upgrade.
• Generate or simulate at least one alert from each agent to confirm that the alerting functionality is intact.

5. Reporting:

• Document the results of the deployment, the upgrade process, and the post-upgrade validation.
• Include any deviations from expected outcomes, such as errors or warnings encountered during the upgrade.

Expected Results

• The deployment of the architecture is successful, with agents properly connected and active.
• The UI is navigable and functional both before and after the upgrade.
• Alerts are generated by both agents before and after the upgrade.
• No errors or warnings are encountered during the upgrade process, or any that occur are documented for further analysis.

Known issues

There are no known issues.

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below. REMOVE CURRENT EXAMPLES:

Status	Test	Failure type	Notes
:green_circle:	Initial Deployment
:green_circle:	Validation of Initial Deployment
:green_circle:	Upgrade of Central Components
:green_circle:	Post-Upgrade Validation

Feedback

We value your feedback. Please provide insights on your testing experience.

• Was the testing guideline clear? Were there any ambiguities?
  • In the tests they talk about a worker that is not defined in the configuration for the deployment
• Did you face any challenges not covered by the guideline?
  • RESPONSE HERE
• Suggestions for improvement:
  • Sometimes variables such as INDEXER PASSWORD and PASSWORD are set, which basically indicate the same thing for the dashboard and the indexer. It's confusing

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

• [ ] @rauldpm
• [ ] @wazuh/devel-qa

[NahuFigueroa97]

Initial Deployment :red_circle:

Vagrant Amazon Linux 2023 x86_64

Vagrant.configure("2") do |config|
    config.vm.box = "gbailey/amzn2"
    config.vm.hostname = "E2E-SERVER"
    config.vm.define "E2E-SERVER" do |e2e|
    end
    config.vm.network "public_network"
    config.vm.synced_folder ".", "/vagrant", disabled: true

    config.vm.provider "virtualbox" do |vm|
        vm.name = "E2E-SERVER"
        vm.check_guest_additions = false
        vm.memory = 8192
        vm.cpus = 8
    end

    config.ssh.forward_agent = true
end

Vagrant Debian 11 x86_64

Vagrant.configure("2") do |config|
  config.vm.box = "generic/debian11"
end

Note :orange_circle:

When trying to run the installer I saw this result:

[root@E2E-SERVER vagrant]# curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
./wazuh-install.sh: line 1: syntax error near unexpected element `newline'
./wazuh-install.sh: line 1: `<?xml version="1.0" encoding="UTF-8"?>'

Even if you try to upgrade from 4.8 to 4.9 a problem occurs

[root@E2E-SERVER-WORKER vagrant]# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@E2E-SERVER-WORKER vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
[root@E2E-SERVER-WORKER vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@E2E-SERVER-WORKER vagrant]# systemctl daemon-reload
[root@E2E-SERVER-WORKER vagrant]# systemctl enable filebeat
[root@E2E-SERVER-WORKER vagrant]# systemctl start filebeat
[root@E2E-SERVER-WORKER vagrant]# filebeat setup --pipelines
Loaded Ingest pipelines
[root@E2E-SERVER-WORKER vagrant]# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.

Exiting: error loading template: could not unmarshal json template: invalid character ':' after top-level value

The other tests were run with 4.8 to see that there were no inconsistencies

[NahuFigueroa97]

Validation of Initial Deployment :orange_circle:

Registering a Debian and Windows agent on the master and worker respectively

Alerts are captured and displayed in the UI

[NahuFigueroa97]

Upgrade of Central Components Master :orange_circle:

Indexer

[root@E2E-SERVER vagrant]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@E2E-SERVER vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
[root@E2E-SERVER vagrant]# systemctl stop filebeat
[root@E2E-SERVER vagrant]# systemctl stop wazuh-dashboard
[root@E2E-SERVER vagrant]# curl -X DELETE "https://127.0.0.1:9200/_index_template/ss4o_*_template" -u admin:BbRl?I1YJVd0GQ7If*Lp6ppA?L+0?pBz -k
{"acknowledged":true}
[root@E2E-SERVER vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings"  -u admin:BbRl?I1YJVd0GQ7If*Lp6ppA?L+0?pBz -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "primaries"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}[root@E2E-SERVER vagrant]
[root@E2E-SERVER vagrant]# curl -X POST "https://127.0.0.1:9200/_flush/synced" -u admin:BbRl?I1YJVd0GQ7If*Lp6ppA?L+0?pBz -k
{"_shards":{"total":11,"successful":11,"failed":0}}
[root@E2E-SERVER vagrant]# yum upgrade wazuh-indexer
Complementos cargados:langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                           | 3.6 kB  00:00:00     
wazuh                                                                                                                                                                                | 3.4 kB  00:00:00     
No packages marked for update
[root@E2E-SERVER vagrant]# systemctl daemon-reload
[root@E2E-SERVER vagrant]# systemctl enable wazuh-indexer
[root@E2E-SERVER vagrant]# systemctl start wazuh-indexer
[root@E2E-SERVER vagrant]# curl -k -u admin:BbRl?I1YJVd0GQ7If*Lp6ppA?L+0?pBz https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           16          91  14    0.59    0.31     0.35 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@E2E-SERVER vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings"  -u admin:BbRl?I1YJVd0GQ7If*Lp6ppA?L+0?pBz -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "all"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}[root@E2E-SERVER vagrant]
[root@E2E-SERVER vagrant]# curl -k -u admin:BbRl?I1YJVd0GQ7If*Lp6ppA?L+0?pBz https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           18          91   0    0.30    0.28     0.33 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

Manager

[root@E2E-SERVER vagrant]# yum upgrade wazuh-manager
Complementos cargados:langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                           | 3.6 kB  00:00:00     
No packages marked for update
[root@E2E-SERVER vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@E2E-SERVER vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k password -v BbRl?I1YJVd0GQ7If*Lp6ppA?L+0?pBz

Filebeat

[root@E2E-SERVER vagrant]# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@E2E-SERVER vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.1/extensions/elasticsearch/7.x/wazuh-template.json
[root@E2E-SERVER vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@E2E-SERVER vagrant]# systemctl daemon-reload
[root@E2E-SERVER vagrant]# systemctl enable filebeat
[root@E2E-SERVER vagrant]# systemctl start filebeat
[root@E2E-SERVER vagrant]# filebeat setup --pipelines
Loaded Ingest pipelines
[root@E2E-SERVER vagrant]# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.

Index setup finished.

Dashboard

[root@E2E-SERVER vagrant]# rm /etc/wazuh-dashboard/opensearch_dashboards.yml
rm: ¿borrar el fichero regular «/etc/wazuh-dashboard/opensearch_dashboards.yml»? (s/n) s
[root@E2E-SERVER-WORKER vagrant]# yum upgrade wazuh-dashboard
Failed to set locale, defaulting to C
Loaded plugins: langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                                  | 3.6 kB  00:00:00
No packages marked for update
[root@E2E-SERVER vagrant]# systemctl daemon-reload
[root@E2E-SERVER vagrant]# systemctl enable wazuh-dashboard
[root@E2E-SERVER vagrant]# systemctl start wazuh-dashboard

Agent

root@debian11:/home/vagrant# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@debian11:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main
root@debian11:/home/vagrant# apt-get update
apt-get install wazuh-agent
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]                                                                                                           
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB]                                                                                   
Get:3 https://packages.wazuh.com/4.x/apt stable InRelease [17.3 kB]                                             
Get:4 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages [42.1 kB]                                   
Get:5 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]   
Get:6 http://security.debian.org/debian-security bullseye-security/main Sources [184 kB]
Get:7 http://deb.debian.org/debian bullseye/main Sources [8,502 kB]
Get:8 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [280 kB]
Get:9 http://security.debian.org/debian-security bullseye-security/main Translation-en [180 kB]
Get:10 http://deb.debian.org/debian bullseye/main amd64 Packages [8,067 kB]                
Get:11 http://deb.debian.org/debian bullseye/main Translation-en [6,236 kB]
Fetched 23.7 MB in 8s (2,875 kB/s)                                                                                                                                                                         
Reading package lists... Done
N: Repository 'http://deb.debian.org/debian bullseye InRelease' changed its 'Version' value from '11.8' to '11.10'
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
wazuh-agent is already the newest version (4.8.1-1).
0 upgraded, 0 newly installed, 0 to remove and 70 not upgraded.
root@debian11:/home/vagrant# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
apt-get update
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease                                          
Hit:2 http://deb.debian.org/debian bullseye InRelease                                                                 
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Reading package lists... Done

[NahuFigueroa97]

Upgrade of Central Components Worker :orange_circle:

Indexer

[root@E2E-SERVER vagrant]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@E2E-SERVER vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
[root@E2E-SERVER vagrant]# systemctl stop filebeat
[root@E2E-SERVER vagrant]# systemctl stop wazuh-dashboard
[root@E2E-SERVER-WORKER vagrant]# curl -X DELETE "https://127.0.0.1:9200/index_template/ss4o*_template" -u admin:Kgi.p2LlVU6zkL6?CHZjZ+r?gVgYM0zM -k
{"acknowledged":true}[root@E2E-SERVER-WORKER vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings"  -u admin:Kgi.p2LlVU6zkL6?CHZjZ+r?gVgYM0zM -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "primaries"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}
[root@E2E-SERVER-WORKER vagrant]# curl -X POST "https://127.0.0.1:9200/_flush/synced" -u admin:Kgi.p2LlVU6zkL6?CHZjZ+r?gVgYM0zM -k
{"_shards":{"total":11,"successful":11,"failed":0}}[root@E2E-SERVER-WORKER vagrant]# systemctl stop wazuh-indexer
[root@E2E-SERVER-WORKER vagrant]# yum upgrade wazuh-indexer
Failed to set locale, defaulting to C
Loaded plugins: langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                                  | 3.6 kB  00:00:00
amzn2extra-docker                                                                                                                                                                           | 2.9 kB  00:00:00
wazuh                                                                                                                                                                                       | 3.4 kB  00:00:00
No packages marked for update
[root@E2E-SERVER-WORKER vagrant]# systemctl daemon-reload
[root@E2E-SERVER-WORKER vagrant]# systemctl enable wazuh-indexer
[root@E2E-SERVER-WORKER vagrant]# systemctl start wazuh-indexer
[root@E2E-SERVER-WORKER vagrant]# curl -k -u admin:Kgi.p2LlVU6zkL6?CHZjZ+r?gVgYM0zM https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           18          97  15    0.75    0.51     0.27 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@E2E-SERVER-WORKER vagrant]# curl -k -u admin:Kgi.p2LlVU6zkL6?CHZjZ+r?gVgYM0zM https://127.0.0.1:9200/_cat/nodes?v^C
[root@E2E-SERVER-WORKER vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings"  -u admin:Kgi.p2LlVU6zkL6?CHZjZ+r?gVgYM0zM -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "all"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}[root@E2E-SERVER-WORKER vagrant]# ^C
[root@E2E-SERVER-WORKER vagrant]# curl -k -u admin:Kgi.p2LlVU6zkL6?CHZjZ+r?gVgYM0zM https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           18          97   3    0.41    0.45     0.26 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

Manager

[root@E2E-SERVER-WORKER vagrant]# yum upgrade wazuh-manager
Failed to set locale, defaulting to C
Loaded plugins: langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                                  | 3.6 kB  00:00:00
No packages marked for update
[root@E2E-SERVER-WORKER vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@E2E-SERVER-WORKER vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k password -v Kgi.p2LlVU6zkL6?CHZjZ+r?gVgYM0zM

Filebeat

[root@E2E-SERVER-WORKER vagrant]# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@E2E-SERVER-WORKER vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.1/extensions/elasticsearch/7.x/wazuh-template.json
[root@E2E-SERVER-WORKER vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@E2E-SERVER-WORKER vagrant]# systemctl daemon-reload
[root@E2E-SERVER-WORKER vagrant]# systemctl enable filebeat
[root@E2E-SERVER-WORKER vagrant]# systemctl start filebeat
[root@E2E-SERVER-WORKER vagrant]# filebeat setup --pipelines
Loaded Ingest pipelines
[root@E2E-SERVER-WORKER vagrant]# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.

Index setup finished.

Dashboard

[root@E2E-SERVER-WORKER vagrant]# rm /etc/wazuh-dashboard/opensearch_dashboards.yml
rm: remove regular file '/etc/wazuh-dashboard/opensearch_dashboards.yml'?
[root@E2E-SERVER-WORKER vagrant]# yum upgrade wazuh-dashboard
Failed to set locale, defaulting to C
Loaded plugins: langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                                  | 3.6 kB  00:00:00
No packages marked for update
[root@E2E-SERVER-WORKER vagrant]# systemctl daemon-reload
[root@E2E-SERVER-WORKER vagrant]# systemctl enable wazuh-dashboard
[root@E2E-SERVER-WORKER vagrant]# systemctl start wazuh-dashboard

Agent

The windows installer was used and it was done through the UI

[rauldpm]

The test should be done using 4.9.0 not 4.8.1, please read the issue and links provided

[NahuFigueroa97]

Initial Deployment :green_circle:

Vagrant Amazon Linux 2023 x86_64

Vagrant.configure("2") do |config|
    config.vm.box = "gbailey/amzn2"
    config.vm.hostname = "E2E-SERVER"
    config.vm.define "E2E-SERVER" do |e2e|
    end
    config.vm.network "public_network"
    config.vm.synced_folder ".", "/vagrant", disabled: true

    config.vm.provider "virtualbox" do |vm|
        vm.name = "E2E-SERVER"
        vm.check_guest_additions = false
        vm.memory = 8192
        vm.cpus = 8
    end

    config.ssh.forward_agent = true
end

Vagrant Debian 11 x86_64

Vagrant.configure("2") do |config|
  config.vm.box = "generic/debian11"
end

Install with quickstart

[root@E2E-SERVER vagrant]# yum upgrade
[root@E2E-SERVER vagrant]# yum update
[root@E2E-SERVER vagrant]# curl -sO https://packages-dev.wazuh.com/4.9/wazuh-install.sh &&  bash ./wazuh-install.sh -a
24/07/2024 15:19:28 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
24/07/2024 15:19:28 INFO: Verbose logging redirected to /var/log/wazuh-install.log
24/07/2024 15:19:28 INFO: Verifying that your system meets the recommended minimum hardware requirements.
24/07/2024 15:19:29 INFO: Wazuh web interface port will be 443.
24/07/2024 15:19:30 INFO: Wazuh development repository added.
24/07/2024 15:19:30 INFO: --- Configuration files ---
24/07/2024 15:19:30 INFO: Generating configuration files.
24/07/2024 15:19:30 INFO: Generating the root certificate.
24/07/2024 15:19:30 INFO: Generating Admin certificates.
24/07/2024 15:19:30 INFO: Generating Wazuh indexer certificates.
24/07/2024 15:19:31 INFO: Generating Filebeat certificates.
24/07/2024 15:19:31 INFO: Generating Wazuh dashboard certificates.
24/07/2024 15:19:31 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
24/07/2024 15:19:31 INFO: --- Wazuh indexer ---
24/07/2024 15:19:31 INFO: Starting Wazuh indexer installation.
24/07/2024 15:21:11 INFO: Wazuh indexer installation finished.
24/07/2024 15:21:11 INFO: Wazuh indexer post-install configuration finished.
24/07/2024 15:21:11 INFO: Starting service wazuh-indexer.
24/07/2024 15:21:34 INFO: wazuh-indexer service started.
24/07/2024 15:21:34 INFO: Initializing Wazuh indexer cluster security settings.
24/07/2024 15:21:42 INFO: Wazuh indexer cluster security configuration initialized.
24/07/2024 15:21:42 INFO: Wazuh indexer cluster initialized.
24/07/2024 15:21:42 INFO: --- Wazuh server ---
24/07/2024 15:21:42 INFO: Starting the Wazuh manager installation.
24/07/2024 15:23:09 INFO: Wazuh manager installation finished.
24/07/2024 15:23:09 INFO: Wazuh manager vulnerability detection configuration finished.
24/07/2024 15:23:09 INFO: Starting service wazuh-manager.
24/07/2024 15:23:23 INFO: wazuh-manager service started.
24/07/2024 15:23:23 INFO: Starting Filebeat installation.
24/07/2024 15:23:23 INFO: Another process is using YUM. Waiting for it to release the lock. Next retry in 30 seconds (1/10)
24/07/2024 15:25:34 INFO: Filebeat installation finished.
24/07/2024 15:25:36 INFO: Filebeat post-install configuration finished.
24/07/2024 15:25:36 INFO: Starting service filebeat.
24/07/2024 15:25:36 INFO: filebeat service started.
24/07/2024 15:25:36 INFO: --- Wazuh dashboard ---
24/07/2024 15:25:36 INFO: Starting Wazuh dashboard installation.
24/07/2024 15:28:27 INFO: Wazuh dashboard installation finished.
24/07/2024 15:28:27 INFO: Wazuh dashboard post-install configuration finished.
24/07/2024 15:28:27 INFO: Starting service wazuh-dashboard.
24/07/2024 15:28:27 INFO: wazuh-dashboard service started.
24/07/2024 15:28:27 INFO: Updating the internal users.
24/07/2024 15:28:41 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
24/07/2024 15:29:06 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
24/07/2024 15:29:47 INFO: Initializing Wazuh dashboard web application.
24/07/2024 15:29:47 INFO: Wazuh dashboard web application not yet initialized. Waiting...
24/07/2024 15:30:03 INFO: Wazuh dashboard web application not yet initialized. Waiting...
24/07/2024 15:30:18 INFO: Wazuh dashboard web application initialized.
24/07/2024 15:30:18 INFO: --- Summary ---
24/07/2024 15:30:18 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: CB9Vmlpq6sAs9mYVxFlWZDU.W*A+3jLR
24/07/2024 15:30:19 INFO: Installation finished.

[NahuFigueroa97]

Validation of Initial Deployment :green_circle:

Agents connected

Alerts received

[NahuFigueroa97]

Upgrade of Central Components :green_circle:

Indexer

[root@E2E-SERVER vagrant]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@E2E-SERVER vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@E2E-SERVER vagrant]# curl -X DELETE "https://127.0.0.1:9200/_index_template/ss4o_*_template" -u admin:e1H5ss.1L0jRbIyjcv4ku0sXKY+N.Etx -k
{"error":{"root_cause":[{"type":"index_template_missing_exception","reason":"index_template [ss4o_*_template] missing"}],"type":"index_template_missing_exception","reason":"index_template [ss4o_*_template] missing"},"status":404}[root@E2E-SERVER vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings"  -u admin:e1H5ss.1L0jRbIyjcv4ku0sXKY+N.Etx -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "primaries"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}
[root@E2E-SERVER vagrant]# curl -X POST "https://127.0.0.1:9200/_flush/synced" -u admin:e1H5ss.1L0jRbIyjcv4ku0sXKY+N.Etx -k
{"_shards":{"total":10,"successful":10,"failed":0}}
[root@E2E-SERVER vagrant]# systemctl stop wazuh-indexer
[root@E2E-SERVER vagrant]# yum upgrade wazuh-indexer
Complementos cargados:langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                           | 3.6 kB  00:00:00     
wazuh                                                                                                                                                                                | 3.5 kB  00:00:00     
No packages marked for update
[root@E2E-SERVER vagrant]# systemctl daemon-reload
[root@E2E-SERVER vagrant]# systemctl enable wazuh-indexer
[root@E2E-SERVER vagrant]# systemctl start wazuh-indexer
[root@E2E-SERVER vagrant]# curl -k -u admin:e1H5ss.1L0jRbIyjcv4ku0sXKY+N.Etx https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           47          95   8    0.70    0.71     1.21 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@E2E-SERVER vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings"  -u admin:e1H5ss.1L0jRbIyjcv4ku0sXKY+N.Etx -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "all"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}
[root@E2E-SERVER vagrant]# curl -k -u admin:e1H5ss.1L0jRbIyjcv4ku0sXKY+N.Etx https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           59          95   1    0.33    0.61     1.15 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

Manager

[root@E2E-SERVER vagrant]# yum upgrade wazuh-manager
Complementos cargados:langpacks, priorities, update-motd
No packages marked for update
[root@E2E-SERVER vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@E2E-SERVER vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k password -v e1H5ss.1L0jRbIyjcv4ku0sXKY+N.Etx

Filebeat

[root@E2E-SERVER vagrant]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@E2E-SERVER vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0-alpha3/extensions/elasticsearch/7.x/wazuh-template.json
[root@E2E-SERVER vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@E2E-SERVER vagrant]# systemctl daemon-reload
[root@E2E-SERVER vagrant]# systemctl enable filebeat
[root@E2E-SERVER vagrant]# systemctl start filebeat
[root@E2E-SERVER vagrant]# filebeat setup --pipelines
Loaded Ingest pipelines
[root@E2E-SERVER vagrant]# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.

Index setup finished.

Dashboard

[root@E2E-SERVER vagrant]# rm /etc/wazuh-dashboard/opensearch_dashboards.yml
rm: ¿borrar el fichero regular «/etc/wazuh-dashboard/opensearch_dashboards.yml»? (s/n) y
[root@E2E-SERVER vagrant]# yum upgrade wazuh-dashboard
Complementos cargados:langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                           | 3.6 kB  00:00:00     
No packages marked for update
[root@E2E-SERVER vagrant]# cp bk/opensearch_dashboards.yml /etc/wazuh-dashboard/opensearch_dashboards.yml
[root@E2E-SERVER vagrant]# systemctl daemon-reload
[root@E2E-SERVER vagrant]# systemctl enable wazuh-dashboard
[root@E2E-SERVER vagrant]# systemctl start wazuh-dashboard
[root@E2E-SERVER vagrant]# systemctl status wazuh-dashboard

Debian agent

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@debian11:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
root@debian11:/home/vagrant# apt-get update
apt-get install wazuh-agent
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB]                                     
Get:2 http://deb.debian.org/debian bullseye InRelease [116 kB]                                                             
Get:3 http://security.debian.org/debian-security bullseye-security/main Sources [184 kB]                            
Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]     
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]        
Get:6 http://deb.debian.org/debian bullseye/main Sources [8,502 kB]                      
Get:7 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [280 kB]     
Get:8 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [39.6 kB]
Get:9 http://security.debian.org/debian-security bullseye-security/main Translation-en [180 kB]     
Get:10 http://deb.debian.org/debian bullseye/main amd64 Packages [8,067 kB]                                                      
Get:11 http://deb.debian.org/debian bullseye/main Translation-en [6,236 kB]
Fetched 23.7 MB in 7s (3,364 kB/s)                                                                                                                                                                         
Reading package lists... Done
N: Repository 'http://deb.debian.org/debian bullseye InRelease' changed its 'Version' value from '11.8' to '11.10'
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
wazuh-agent is already the newest version (4.9.0-1).
0 upgraded, 0 newly installed, 0 to remove and 70 not upgraded.

Windows Agent

PS C:\Users\user\Desktop> .\wazuh-agent-4.9.0-1.msi /q WAZUH_MANAGER="192.168.1.31"
PS C:\Users\user\Desktop> cd 'C:\Program Files (x86)\ossec-agent'
PS C:\Program Files (x86)\ossec-agent> .\agent-auth.exe -m 192.168.1.31
2024/07/24 15:09:50 agent-auth: INFO: Started (pid: 488).
2024/07/24 15:09:50 agent-auth: INFO: Requesting a key from server: 192.168.1.31
2024/07/24 15:09:50 agent-auth: INFO: No authentication password provided
2024/07/24 15:09:50 agent-auth: INFO: Using agent name as: DESKTOP-8D335P5
2024/07/24 15:09:50 agent-auth: INFO: Waiting for server reply
2024/07/24 15:09:50 agent-auth: INFO: Valid key received
PS C:\Program Files (x86)\ossec-agent> NET START Wazuh
The Wazuh service is starting.
The Wazuh service has started successfully.

[NahuFigueroa97]

Post-Upgrade Validation :green_circle:

[pro-akim]

Review Notes

The following comment is present in upgrades:

No packages marked for update

This means that the upgrade was not properly tested.

---

The test must be repeated following the guidelines mentioned in the issue and installing the appropriate versions following the documentation with the changes.

Regarding the execution steps, you can refer to the previous issue of E2E UX tests - Central components upgrade

[NahuFigueroa97]

Initial Deployment :green_circle:

Vagrant Amazon Linux 2023 x86_64

Vagrant.configure("2") do |config|
    config.vm.box = "gbailey/amzn2"
    config.vm.hostname = "E2E-SERVER"
    config.vm.define "E2E-SERVER" do |e2e|
    end
    config.vm.network "public_network"
    config.vm.synced_folder ".", "/vagrant", disabled: true

    config.vm.provider "virtualbox" do |vm|
        vm.name = "E2E-SERVER"
        vm.check_guest_additions = false
        vm.memory = 8192
        vm.cpus = 8
    end

    config.ssh.forward_agent = true
end

Vagrant Debian 11 x86_64

Vagrant.configure("2") do |config|
  config.vm.box = "generic/debian11"
end

Install with quickstart

[root@E2E-SERVER vagrant]# curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
26/07/2024 11:54:47 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
26/07/2024 11:54:47 INFO: Verbose logging redirected to /var/log/wazuh-install.log
26/07/2024 11:54:48 INFO: Verifying that your system meets the recommended minimum hardware requirements.
26/07/2024 11:54:50 INFO: Wazuh web interface port will be 443.
26/07/2024 11:54:51 INFO: Wazuh repository added.
26/07/2024 11:54:51 INFO: --- Configuration files ---
26/07/2024 11:54:51 INFO: Generating configuration files.
26/07/2024 11:54:51 INFO: Generating the root certificate.
26/07/2024 11:54:52 INFO: Generating Admin certificates.
26/07/2024 11:54:52 INFO: Generating Wazuh indexer certificates.
26/07/2024 11:54:52 INFO: Generating Filebeat certificates.
26/07/2024 11:54:52 INFO: Generating Wazuh dashboard certificates.
26/07/2024 11:54:52 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
26/07/2024 11:54:52 INFO: --- Wazuh indexer ---
26/07/2024 11:54:52 INFO: Starting Wazuh indexer installation.
26/07/2024 11:57:06 INFO: Wazuh indexer installation finished.
26/07/2024 11:57:06 INFO: Wazuh indexer post-install configuration finished.
26/07/2024 11:57:06 INFO: Starting service wazuh-indexer.
26/07/2024 11:57:27 INFO: wazuh-indexer service started.
26/07/2024 11:57:27 INFO: Initializing Wazuh indexer cluster security settings.
26/07/2024 11:57:39 INFO: Wazuh indexer cluster security configuration initialized.
26/07/2024 11:57:39 INFO: Wazuh indexer cluster initialized.
26/07/2024 11:57:39 INFO: --- Wazuh server ---
26/07/2024 11:57:39 INFO: Starting the Wazuh manager installation.
26/07/2024 11:58:39 INFO: Wazuh manager installation finished.
26/07/2024 11:58:39 INFO: Wazuh manager vulnerability detection configuration finished.
26/07/2024 11:58:39 INFO: Starting service wazuh-manager.
26/07/2024 11:58:51 INFO: wazuh-manager service started.
26/07/2024 11:58:51 INFO: Starting Filebeat installation.
26/07/2024 11:59:16 INFO: Filebeat installation finished.
26/07/2024 11:59:23 INFO: Filebeat post-install configuration finished.
26/07/2024 11:59:23 INFO: Starting service filebeat.
26/07/2024 11:59:25 INFO: filebeat service started.
26/07/2024 11:59:25 INFO: --- Wazuh dashboard ---
26/07/2024 11:59:25 INFO: Starting Wazuh dashboard installation.
26/07/2024 12:03:38 INFO: Wazuh dashboard installation finished.
26/07/2024 12:03:40 INFO: Wazuh dashboard post-install configuration finished.
26/07/2024 12:03:40 INFO: Starting service wazuh-dashboard.
26/07/2024 12:03:54 INFO: wazuh-dashboard service started.
26/07/2024 12:03:54 INFO: Another process is using YUM. Waiting for it to release the lock. Next retry in 30 seconds (1/10)
26/07/2024 12:04:26 INFO: Updating the internal users.
26/07/2024 12:04:49 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
26/07/2024 12:05:43 INFO: Initializing Wazuh dashboard web application.
26/07/2024 12:05:44 INFO: Wazuh dashboard web application not yet initialized. Waiting...
26/07/2024 12:06:00 INFO: Wazuh dashboard web application not yet initialized. Waiting...
26/07/2024 12:06:15 INFO: Wazuh dashboard web application initialized.
26/07/2024 12:06:15 INFO: --- Summary ---
26/07/2024 12:06:15 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: xfDohKiRG4.NtycmQ?EU13zniSjie*U.
26/07/2024 12:06:15 INFO: Installation finished.

Debian agent

root@debian11:/home/vagrant# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@debian11:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main
root@debian11:/home/vagrant# apt-get update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]                                                                                                          
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB]                                                                                  
Get:3 https://packages.wazuh.com/4.x/apt stable InRelease [17.3 kB]                                                   
Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:5 http://security.debian.org/debian-security bullseye-security/main Sources [183 kB]
Get:6 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages [42.1 kB]
Get:7 http://deb.debian.org/debian bullseye/main Sources [8,502 kB]           
Get:8 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [280 kB]
Get:9 http://security.debian.org/debian-security bullseye-security/main Translation-en [180 kB]
Get:10 http://deb.debian.org/debian bullseye/main amd64 Packages [8,067 kB]                   
Get:11 http://deb.debian.org/debian bullseye/main Translation-en [6,236 kB]
Fetched 23.7 MB in 10s (2,336 kB/s)                                                                                                                                                                        
Reading package lists... Done
N: Repository 'http://deb.debian.org/debian bullseye InRelease' changed its 'Version' value from '11.8' to '11.10'
root@debian11:/home/vagrant# WAZUH_MANAGER="192.168.1.43" WAZUH_AGENT_NAME="debian-agent" apt-get install wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 70 not upgraded.
Need to get 10.3 MB of archives.
After this operation, 34.0 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 wazuh-agent amd64 4.8.1-1 [10.3 MB]
Fetched 10.3 MB in 14s (745 kB/s)                                                                                                                                                                          
Preconfiguring packages ...
Selecting previously unselected package wazuh-agent.
(Reading database ... 68848 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.1-1_amd64.deb ...
Unpacking wazuh-agent (4.8.1-1) ...
Setting up wazuh-agent (4.8.1-1) ...
root@debian11:/home/vagrant# systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service.

Windows agent

PS C:\Users\usuario> Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.8.1-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='192.168.1.43' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='windows-agent'
PS C:\Users\usuario> NET START WazuhSv
The Wazuh service is starting.
The Wazuh service has started successfully.

[NahuFigueroa97]

Validation of Initial Deployment :green_circle:

Agents connected

Alerts received

Debian agent restarted

Windows agent restarted

[NahuFigueroa97]

Upgrade of Central Components :green_circle:

Preparing the Upgrade

[root@AIOwazuh vagrant]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@AIOwazuh vagrant]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1

[root@AIOwazuh vagrant]# systemctl stop filebeat
[root@AIOwazuh vagrant]# systemctl stop wazuh-dashboard

Indexer

[root@E2E-SERVER vagrant]# curl -X DELETE "https://127.0.0.1:9200/_index_template/ss4o_*_template" -u admin:xfDohKiRG4.NtycmQ?EU13zniSjie*U. -k
{"acknowledged":true}
[root@E2E-SERVER vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings"  -u admin:xfDohKiRG4.NtycmQ?EU13zniSjie*U. -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "primaries"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}
[root@E2E-SERVER vagrant]# curl -X POST "https://127.0.0.1:9200/_flush/synced" -u admin:xfDohKiRG4.NtycmQ?EU13zniSjie*U. -k
{"_shards":{"total":10,"successful":10,"failed":0}}
[root@E2E-SERVER vagrant]# systemctl stop wazuh-indexer
[root@E2E-SERVER vagrant]# yum upgrade wazuh-indexer
Complementos cargados:langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                           | 3.6 kB  00:00:00     
wazuh                                                                                                                                                                                | 3.5 kB  00:00:00     
wazuh/primary_db                                                                                                                                                                     | 518 kB  00:00:00     
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-indexer.x86_64 0:4.8.1-1 debe ser actualizado
---> Paquete wazuh-indexer.x86_64 0:4.9.0-1 debe ser una actualización
--> Resolución de dependencias finalizada

Dependencias resueltas

============================================================================================================================================================================================================
 Package                                               Arquitectura                                   Versión                                           Repositorio                                   Tamaño
============================================================================================================================================================================================================
Actualizando:
 wazuh-indexer                                         x86_64                                         4.9.0-1                                           wazuh                                         813 M

Resumen de la transacción
============================================================================================================================================================================================================
Actualizar  1 Paquete

Tamaño total de la descarga: 813 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-indexer-4.9.0-1.x86_64.rpm                                                                                                                                                     | 813 MB  00:01:49     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Actualizando  : wazuh-indexer-4.9.0-1.x86_64                                                                                                                                                          1/2 
warning: /etc/wazuh-indexer/jvm.options created as /etc/wazuh-indexer/jvm.options.rpmnew
warning: /etc/wazuh-indexer/opensearch-security/internal_users.yml saved as /etc/wazuh-indexer/opensearch-security/internal_users.yml.rpmsave
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
  Limpieza      : wazuh-indexer-4.8.1-1.x86_64                                                                                                                                                          2/2 
  Comprobando   : wazuh-indexer-4.9.0-1.x86_64                                                                                                                                                          1/2 
  Comprobando   : wazuh-indexer-4.8.1-1.x86_64                                                                                                                                                          2/2 

Actualizado:
  wazuh-indexer.x86_64 0:4.9.0-1                                                                                                                                                                            

¡Listo!
[root@E2E-SERVER vagrant]# systemctl daemon-reload
[root@E2E-SERVER vagrant]# systemctl enable wazuh-indexer
[root@E2E-SERVER vagrant]# systemctl start wazuh-indexer
[root@E2E-SERVER vagrant]# curl -k -u admin:xfDohKiRG4.NtycmQ?EU13zniSjie*U. https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           24          97   9    0.49    0.32     0.23 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@E2E-SERVER vagrant]# curl -X PUT "https://127.0.0.1:9200/_cluster/settings"  -u admin:xfDohKiRG4.NtycmQ?EU13zniSjie*U. -k -H 'Content-Type: application/json' -d'
> {
>   "persistent": {
>     "cluster.routing.allocation.enable": "all"
>   }
> }
> '
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"all"}}}},"transient":{}}
[root@E2E-SERVER vagrant]# curl -k -u admin:xfDohKiRG4.NtycmQ?EU13zniSjie*U. https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           28          97   2    0.35    0.30     0.23 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

Manager

[root@E2E-SERVER vagrant]# yum upgrade wazuh-manager
Complementos cargados:langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                           | 3.6 kB  00:00:00     
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-manager.x86_64 0:4.8.1-1 debe ser actualizado
---> Paquete wazuh-manager.x86_64 0:4.9.0-1 debe ser una actualización
--> Resolución de dependencias finalizada

Dependencias resueltas

============================================================================================================================================================================================================
 Package                                               Arquitectura                                   Versión                                           Repositorio                                   Tamaño
============================================================================================================================================================================================================
Actualizando:
 wazuh-manager                                         x86_64                                         4.9.0-1                                           wazuh                                         301 M

Resumen de la transacción
============================================================================================================================================================================================================
Actualizar  1 Paquete

Tamaño total de la descarga: 301 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-manager-4.9.0-1.x86_64.rpm                                                                                                                                                     | 301 MB  00:00:40     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Actualizando  : wazuh-manager-4.9.0-1.x86_64                                                                                                                                                          1/2 
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
  Limpieza      : wazuh-manager-4.8.1-1.x86_64                                                                                                                                                          2/2 
  Comprobando   : wazuh-manager-4.9.0-1.x86_64                                                                                                                                                          1/2 
  Comprobando   : wazuh-manager-4.8.1-1.x86_64                                                                                                                                                          2/2 

Actualizado:
  wazuh-manager.x86_64 0:4.9.0-1                                                                                                                                                                            

¡Listo!

[root@E2E-SERVER vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@E2E-SERVER vagrant]# /var/ossec/bin/wazuh-keystore -f indexer -k password -v xfDohKiRG4.NtycmQ?EU13zniSjie*U.

Filebeat

[root@E2E-SERVER vagrant]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
[root@E2E-SERVER vagrant]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0-alpha3/extensions/elasticsearch/7.x/wazuh-template.json
[root@E2E-SERVER vagrant]# chmod go+r /etc/filebeat/wazuh-template.json
[root@E2E-SERVER vagrant]# systemctl daemon-reload
[root@E2E-SERVER vagrant]# systemctl enable filebeat
[root@E2E-SERVER vagrant]# systemctl start filebeat
[root@E2E-SERVER vagrant]# filebeat setup --pipelines
Loaded Ingest pipelines
[root@E2E-SERVER vagrant]# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.

Index setup finished.
[root@E2E-SERVER vagrant]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2024-07-26 13:33:54 UTC; 2min 59s ago
     Docs: https://www.elastic.co/products/beats/filebeat
 Main PID: 3736 (filebeat)
   CGroup: /system.slice/filebeat.service
           └─3736 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.l...

jul 26 13:33:54 E2E-SERVER systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..

Dashboard

[root@E2E-SERVER vagrant]# rm /etc/wazuh-dashboard/opensearch_dashboards.yml
rm: ¿borrar el fichero regular «/etc/wazuh-dashboard/opensearch_dashboards.yml»? (s/n) s
[root@E2E-SERVER vagrant]# yum upgrade wazuh-dashboard
Complementos cargados:langpacks, priorities, update-motd
amzn2-core                                                                                                                                                                           | 3.6 kB  00:00:00     
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-dashboard.x86_64 0:4.8.1-1 debe ser actualizado
---> Paquete wazuh-dashboard.x86_64 0:4.9.0-1 debe ser una actualización
--> Resolución de dependencias finalizada

Dependencias resueltas

============================================================================================================================================================================================================
 Package                                                 Arquitectura                                   Versión                                         Repositorio                                   Tamaño
============================================================================================================================================================================================================
Actualizando:
 wazuh-dashboard                                         x86_64                                         4.9.0-1                                         wazuh                                         253 M

Resumen de la transacción
============================================================================================================================================================================================================
Actualizar  1 Paquete

Tamaño total de la descarga: 253 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-dashboard-4.9.0-1.x86_64.rpm                                                                                                                                                   | 253 MB  00:00:38     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Actualizando  : wazuh-dashboard-4.9.0-1.x86_64                                                                                                                                                        1/2 
  Limpieza      : wazuh-dashboard-4.8.1-1.x86_64                                                                                                                                                        2/2 
  Comprobando   : wazuh-dashboard-4.9.0-1.x86_64                                                                                                                                                        1/2 
  Comprobando   : wazuh-dashboard-4.8.1-1.x86_64                                                                                                                                                        2/2 

Actualizado:
  wazuh-dashboard.x86_64 0:4.9.0-1                                                                                                                                                                          

¡Listo!      
[root@E2E-SERVER vagrant]# systemctl daemon-reload
[root@E2E-SERVER vagrant]# systemctl enable wazuh-dashboard
[root@E2E-SERVER vagrant]# systemctl start wazuh-dashboard
[root@E2E-SERVER vagrant]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2024-07-26 13:54:18 UTC; 6s ago
 Main PID: 4101 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─4101 /usr/share/wazuh-dashboard/node/fallback/bin/node /usr/share/wazuh-dashboard/src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

jul 26 13:54:18 E2E-SERVER systemd[1]: Started wazuh-dashboard.

[root@E2E-SERVER vagrant]# journalctl -u wazuh-dashboard | grep wazuh | grep -Ei "error|warning|critical|fatal"
[root@E2E-SERVER vagrant]#

[root@E2E-SERVER vagrant]# journalctl -u wazuh-dashboard | grep wazuh | grep info | grep initialize
jul 26 14:09:59 E2E-SERVER opensearch-dashboards[4656]: {"type":"log","@timestamp":"2024-07-26T14:09:59Z","tags":["info","plugins","wazuh","initialize"],"pid":4656,"message":"dashboard index: .kibana"}
jul 26 14:09:59 E2E-SERVER opensearch-dashboards[4656]: {"type":"log","@timestamp":"2024-07-26T14:09:59Z","tags":["info","plugins","wazuh","initialize"],"pid":4656,"message":"App revision: 03"}
jul 26 14:09:59 E2E-SERVER opensearch-dashboards[4656]: {"type":"log","@timestamp":"2024-07-26T14:09:59Z","tags":["info","plugins","wazuh","initialize"],"pid":4656,"message":"Total RAM: 3932MB"}
jul 26 16:04:48 E2E-SERVER opensearch-dashboards[2047]: {"type":"log","@timestamp":"2024-07-26T16:04:48Z","tags":["info","plugins","wazuh","initialize"],"pid":2047,"message":"dashboard index: .kibana"}
jul 26 16:04:48 E2E-SERVER opensearch-dashboards[2047]: {"type":"log","@timestamp":"2024-07-26T16:04:48Z","tags":["info","plugins","wazuh","initialize"],"pid":2047,"message":"App revision: 03"}
jul 26 16:04:48 E2E-SERVER opensearch-dashboards[2047]: {"type":"log","@timestamp":"2024-07-26T16:04:48Z","tags":["info","plugins","wazuh","initialize"],"pid":2047,"message":"Total RAM: 3932MB"}

Debian agent

root@debian11:/home/vagrant# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: key 96B3EE5F29111145: "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
root@debian11:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
root@debian11:/home/vagrant# apt-get update
Hit:1 http://deb.debian.org/debian bullseye InRelease                                                                                                                                                      
Hit:2 http://security.debian.org/debian-security bullseye-security InRelease                                                                                                                               
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease                                                                                                                                              
Hit:4 https://packages.wazuh.com/4.x/apt stable InRelease           
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [39.6 kB]
Fetched 56.9 kB in 2s (26.4 kB/s)  
Reading package lists... Done
root@debian11:/home/vagrant# apt-get install wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 70 not upgraded.
Need to get 10.7 MB of archives.
After this operation, 3,162 kB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-agent amd64 4.9.0-1 [10.7 MB]
Fetched 10.7 MB in 3s (3,217 kB/s)      
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 69254 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.9.0-1_amd64.deb ...
Unpacking wazuh-agent (4.9.0-1) over (4.8.1-1) ...
Setting up wazuh-agent (4.9.0-1) ...

Windows Agent

• Update with windows installer using GUI

Logs

[root@E2E-SERVER vagrant]#  grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2024/07/26 11:58:55 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-e2e-server', retrying until the connection is successful.
2024/07/26 12:05:20 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-e2e-server', retrying until the connection is successful.
2024/07/26 12:42:55 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-e2e-server', retrying until the connection is successful.
2024/07/26 16:03:24 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-e2e-server', retrying until the connection is successful.
2024/07/26 16:04:52 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: [json.exception.out_of_range.401] array index 1 is out of range, trying to re-download the feed.

After retrying

2024/07/26 16:05:28 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-e2e-server

2024/07/26 12:05:57 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/07/26 12:22:41 wazuh-modulesd:vulnerability-scanner: INFO: Triggered a re-scan after content update
2024/07/26 12:22:41 wazuh-modulesd:vulnerability-scanner: INFO: Feed update process completed

2024/07/26 12:47:38 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2024/07/26 12:47:38 wazuh-remoted: INFO: (1410): Reading authentication keys file.

[NahuFigueroa97]

Post-Upgrade Validation :green_circle:

Alerts received

Debian agent restarted

Windows agent restarted

[pro-akim]

Review Notes

Checking the requirements of the issue, some are missing.

1. Initial Deployment:

   Deploy the latest production release of the defined architecture as per the standard deployment requirements instructions from the section above. :white_check_mark: (status of each component are not present) Connect one agent to the master node and another agent to the worker node. :white_check_mark: (It is not descripted the process)

2. Validation of Initial Deployment:

   Navigate through the UI to ensure that it is accessible and functional. :white_check_mark: Verify that both agents are connected to their respective nodes (master and worker) and are listed as active. :white_check_mark: Trigger or simulate a condition that would generate at least one alert from each agent, and confirm that these alerts are captured and displayed in the UI. :white_check_mark:

3. Upgrade of Central Components:

   Follow the upgrade guide provided in the documentation to upgrade the central components, including the master, worker, indexer, and dashboard. :white_check_mark: Monitor the upgrade process for any errors or warnings and document any that are encountered. :x: (only stdout are present in the test, logs are not present in the analysis)

4. Post-Upgrade Validation:

   After the upgrade, navigate through the UI to ensure that all components are functioning correctly. :white_check_mark: Verify again that both agents are connected to their respective nodes and are active post-upgrade. :white_check_mark: Generate or simulate at least one alert from each agent to confirm that the alerting functionality is intact. :white_check_mark:

5. Reporting:

   Document the results of the deployment, the upgrade process, and the post-upgrade validation. :white_check_mark: Include any deviations from expected outcomes, such as errors or warnings encountered during the upgrade. :white_check_mark:

[NahuFigueroa97]

Update

Added information about logs:

• journalctl -u wazuh-dashboard | grep wazuh | grep -Ei "error|warning|critical|fatal"
• grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log

No inconsistency was found

[pro-akim]

Review Notes

LGTM

[juliamagan]

LGTM