wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Having the issue in the agent deployment #25366

Closed 12DCE085 closed 1 month ago

12DCE085 commented 2 months ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.8.1rev | Wazuh component | Agent | Packages/Sources | Ubuntu 24.04 LTS |

I had installed the agent on the client and it was working fine. After doing the configuration of the malicious IP blocking as per the documentation, the agent is not getting live and is exiting with the error code 1 and with the `wazuh-execd: Configuration error`.

Also attaching the ossec.conf file of the agent in this post.

[The attached ossec.conf lost its XML tags in extraction; only the element values survived. The recoverable settings are: manager address 192.168.1.11 on port 1514/tcp; enrollment enabled with agent name Ubntu-Agent and authorization password file etc/authd.pass; the default agent client buffer, rootcheck, wodle, SCA, syscheck and command-monitoring settings; localfile entries with log_format syslog for /var/ossec/logs/active-responses.log, /var/log/auth.log, /var/log/syslog, /var/log/dpkg.log, /var/log/kern.log and /var/log/apache2/access.log; and an active-response entry with command firewall-drop, location local, rule ID 100100 and timeout 60.]
davidcr01 commented 1 month ago

Hello.

If you mention that the Wazuh manager exits with an error code 1 and with the wazuh-execd: Configuration error message, it means that the configuration that you inserted in the ossec.conf file is not valid.

I have analyzed your configuration and, in the block inserted to configure the Wazuh agent to monitor the Apache access logs, there is a localfiles tag instead of the localfile tag:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/apache2/access.log</location>
</localfiles> 

Please change the string localfiles to localfile, restart the Wazuh manager service with the `systemctl restart wazuh-manager` command, and check if everything is alright. Also, please check your configuration file if the manager is reporting that something is wrong with your configuration in these cases.
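A pre-restart check for this class of mistake, added here as an example and not code from the issue or from the Wazuh project: it parses an ossec.conf (tolerating the several top-level `<ossec_config>` blocks Wazuh allows, which a plain XML parser rejects), reports the first mismatched tag with its line number, and lists the localfile locations and active-response entries it found. The embedded configuration is constructed to reproduce the `</localfiles>` mismatch, and the default agent path `/var/ossec/etc/ossec.conf` is an assumption.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not the reporter's full file): the tail of an agent
# ossec.conf with the mismatch from the issue, </localfiles> closing <localfile>.
BROKEN_CONF = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfiles>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>
"""
FIXED_CONF = BROKEN_CONF.replace("</localfiles>", "</localfile>")

def check_ossec_conf(text):
    """Return a report dict: ok, error, line, localfiles, active_responses.

    ossec.conf may hold several top-level <ossec_config> blocks, so it is not one
    well-formed document; a synthetic root on the same line as the first line keeps
    the reported line numbers aligned with the file. Assumes no <?xml ?> declaration.
    """
    try:
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:  # expat reports e.g. "mismatched tag: line 9, column 2"
        return {"ok": False, "error": str(exc), "line": exc.position[0],
                "localfiles": [], "active_responses": []}
    localfiles = [lf.findtext("location") for lf in root.iter("localfile")]
    responses = [{"command": ar.findtext("command"), "rules_id": ar.findtext("rules_id"),
                  "timeout": ar.findtext("timeout")} for ar in root.iter("active-response")]
    return {"ok": True, "error": None, "line": None,
            "localfiles": localfiles, "active_responses": responses}

if __name__ == "__main__":  # the default agent path below is an assumption
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/ossec.conf"
    print(check_ossec_conf(open(path, encoding="utf-8").read()))
```

Running it before `systemctl restart wazuh-agent` (or `wazuh-manager`) surfaces the line to fix instead of leaving the daemon to exit with `wazuh-execd: Configuration error`.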