
Release 4.3.0 - Manual tests - Demo environment #2819

Closed
9 tasks done
juliamagan opened this issue Apr 22, 2022 · 6 comments
Comments

juliamagan commented Apr 22, 2022

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

Test name Demo environment
Category Wazuh App
Deployment option Demo environment
Main release issue wazuh/wazuh#10954
Release candidate # RC6

Test tasks

  • (T1): No errors or warnings found in logs
  • (T2): The daemons are running with the correct user
  • (T3): The status of the Wazuh Indexer clusters is as expected.
  • (T4): No errors in the browser's developer console when browsing the App
  • (T5): Alerts are being generated for each of the modules configured for this purpose.
  • (T6): No warning symbols in Discover when expanding a document.

Conclusion 🔴

Open issues

Auditors validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.
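Task T1 above is checked by hand in this issue with `egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log` on every host. The script below is an added example, not part of this issue or of Wazuh's own tooling: it parses the ossec.log line format quoted in the results (`timestamp daemon: LEVEL: (code): message`, with the numeric code optional), collapses repeated findings into one row per daemon, level and code, and returns a verdict. The colour mapping (green: no findings, yellow: warnings only, red: at least one error) is my reading of how the results in this issue are reported, not a Wazuh rule, and the two sample logs are constructed to resemble the RHEL agent and master manager output below.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# ossec.log line format as it appears in this issue, e.g.
#   2022/04/25 09:21:47 wazuh-logcollector: ERROR: (1103): Could not open file ...
#   2022/04/22 16:55:41 wazuh-modulesd:oscap: ERROR: Internal error. Exiting...
# The "(code)" field is optional: some daemons log without it.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[A-Za-z0-9_.:-]+): "
    r"(?P<level>CRITICAL|ERROR|WARNING|INFO|DEBUG): "
    r"(?:\((?P<code>\d+)\): )?"
    r"(?P<msg>.*)$"
)

# Levels that make task T1 fail; INFO/DEBUG lines are ignored, as the grep does.
FAIL_LEVELS = ("CRITICAL", "ERROR", "WARNING")


class LogEvent(NamedTuple):
    ts: str
    daemon: str
    level: str
    code: Optional[str]
    msg: str


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one ossec.log line; return None for lines not in the expected format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return LogEvent(m["ts"], m["daemon"], m["level"], m["code"], m["msg"])


def parse_log(text: str) -> List[LogEvent]:
    """Parse a whole log, silently skipping lines that do not match the format."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def findings(events: List[LogEvent]) -> List[LogEvent]:
    """The subset T1 cares about: every CRITICAL, ERROR or WARNING event."""
    return [e for e in events if e.level in FAIL_LEVELS]


def summarize(events: List[LogEvent]) -> Dict[str, int]:
    """Collapse repeated findings into 'daemon level code' -> count, so a message
    repeated every five minutes (like the (5575) warning on the master) is one row."""
    counts: Counter = Counter()
    for e in findings(events):
        counts[f"{e.daemon} {e.level} {e.code or '-'}"] += 1
    return dict(counts)


def verdict(events: List[LogEvent]) -> str:
    """Colour mapping assumed from how this issue reports results (not a Wazuh rule):
    green = no findings, yellow = warnings only, red = at least one error."""
    found = findings(events)
    if not found:
        return "green"
    if any(e.level in ("CRITICAL", "ERROR") for e in found):
        return "red"
    return "yellow"


def check_ossec_log(path: str = "/var/ossec/logs/ossec.log") -> str:
    """Run the T1 check against a real log file, print the summary, return the verdict."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        events = parse_log(fh.read())
    for key, n in sorted(summarize(events).items()):
        print(f"{n:5d}  {key}")
    return verdict(events)


# Constructed sample input, modelled on the RHEL agent output quoted in this issue
# (one non-conforming line is included to show it is skipped, not mis-parsed).
SAMPLE_RHEL = """\
2022/04/22 16:55:41 wazuh-logcollector: WARNING: (1958): Log file '/var/log/messages' is duplicated.
2022/04/22 16:55:41 wazuh-logcollector: WARNING: (1958): Log file '/var/log/secure' is duplicated.
2022/04/22 16:55:41 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.
2022/04/22 16:55:41 wazuh-modulesd:oscap: ERROR: Internal error. Exiting...
ossec: this line does not follow the log format and is ignored
"""

# Constructed sample modelled on the master manager output: warnings only.
SAMPLE_MASTER = """\
2022/04/25 00:01:18 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 00:06:19 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
"""

if __name__ == "__main__":
    for name, sample in (("rhel", SAMPLE_RHEL), ("master", SAMPLE_MASTER), ("clean", "")):
        evs = parse_log(sample)
        print(name, verdict(evs), summarize(evs))
```

On a test host, `check_ossec_log()` reads the real file and prints one row per distinct finding, which is easier to paste into a results table than the raw grep output; the regex is anchored on the timestamp so partial or wrapped lines are skipped rather than producing a spurious finding.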

juliamagan commented Apr 25, 2022

Task 1: No errors or warnings found in logs

Agents

Amazon Linux 🟢
  • journalctl -xe -u wazuh-agent.service:
-- Unit wazuh-agent.service has begun shutting down.
abr 22 16:51:13 ip-10-0-1-42.us-west-1.compute.internal env[26184]: Killing wazuh-modulesd...
abr 22 16:51:13 ip-10-0-1-42.us-west-1.compute.internal env[26184]: Killing wazuh-logcollector...
abr 22 16:51:13 ip-10-0-1-42.us-west-1.compute.internal env[26184]: Killing wazuh-syscheckd...
abr 22 16:51:13 ip-10-0-1-42.us-west-1.compute.internal env[26184]: Killing wazuh-agentd...
abr 22 16:51:13 ip-10-0-1-42.us-west-1.compute.internal env[26184]: Killing wazuh-execd...
abr 22 16:51:14 ip-10-0-1-42.us-west-1.compute.internal env[26184]: Wazuh v4.3.0 Stopped
abr 22 16:51:14 ip-10-0-1-42.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
abr 22 16:51:14 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Starting Wazuh v4.3.0...
abr 22 16:51:15 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Started wazuh-execd...
abr 22 16:51:16 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Started wazuh-agentd...
abr 22 16:51:17 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Started wazuh-syscheckd...
abr 22 16:51:18 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Started wazuh-logcollector...
abr 22 16:51:18 ip-10-0-1-42.us-west-1.compute.internal crontab[26416]: (root) LIST (root)
abr 22 16:51:19 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Started wazuh-modulesd...
abr 22 16:51:21 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Completed.
abr 22 16:51:21 ip-10-0-1-42.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@ip-10-0-1-42 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
  • systemctl status wazuh-agent -l:
[root@ip-10-0-1-42 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-04-22 16:51:21 UTC; 2 days ago
  Process: 26184 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 26249 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─26277 /var/ossec/bin/wazuh-execd
           ├─26289 /var/ossec/bin/wazuh-agentd
           ├─26304 /var/ossec/bin/wazuh-syscheckd
           ├─26318 /var/ossec/bin/wazuh-logcollector
           └─26340 /var/ossec/bin/wazuh-modulesd

abr 22 16:51:14 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Starting Wazuh v4.3.0...
abr 22 16:51:15 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Started wazuh-execd...
abr 22 16:51:16 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Started wazuh-agentd...
abr 22 16:51:17 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Started wazuh-syscheckd...
abr 22 16:51:18 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Started wazuh-logcollector...
abr 22 16:51:18 ip-10-0-1-42.us-west-1.compute.internal crontab[26416]: (root) LIST (root)
abr 22 16:51:19 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Started wazuh-modulesd...
abr 22 16:51:21 ip-10-0-1-42.us-west-1.compute.internal env[26249]: Completed.
abr 22 16:51:21 ip-10-0-1-42.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
abr 23 04:51:19 ip-10-0-1-42.us-west-1.compute.internal crontab[30469]: (root) LIST (root)
  • /var/ossec/bin/wazuh-control status:
[root@ip-10-0-1-42 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
RHEL 🔴
  • journalctl -xe -u wazuh-agent.service:
abr 22 16:55:37 ip-10-0-1-238.us-west-1.compute.internal env[1664]: Wazuh v4.3.0 Stopped
abr 22 16:55:37 ip-10-0-1-238.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished shutting down.
abr 22 16:55:37 ip-10-0-1-238.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
abr 22 16:55:37 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Starting Wazuh v4.3.0...
abr 22 16:55:38 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Started wazuh-execd...
abr 22 16:55:39 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Started wazuh-agentd...
abr 22 16:55:40 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Started wazuh-syscheckd...
abr 22 16:55:41 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Started wazuh-logcollector...
abr 22 16:55:41 ip-10-0-1-238.us-west-1.compute.internal osqueryd[1863]: osqueryd started [version=4.3.0
abr 22 16:55:42 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Started wazuh-modulesd...
abr 22 16:55:44 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Completed.
abr 22 16:55:44 ip-10-0-1-238.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
2022/04/22 16:55:41 wazuh-logcollector: WARNING: (1958): Log file '/var/log/messages' is duplicated.
2022/04/22 16:55:41 wazuh-logcollector: WARNING: (1958): Log file '/var/log/secure' is duplicated.
2022/04/22 16:55:41 wazuh-logcollector: WARNING: (1958): Log file '/var/log/maillog' is duplicated.
2022/04/22 16:55:41 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.
2022/04/22 16:55:41 wazuh-modulesd:oscap: ERROR: Internal error. Exiting...
  • systemctl status wazuh-agent -l:
[root@ip-10-0-1-238 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-04-22 16:55:44 UTC; 6min ago
  Process: 1664 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 1751 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 53
   Memory: 1.8G
   CGroup: /system.slice/wazuh-agent.service
           ├─1778 /var/ossec/bin/wazuh-execd
           ├─1791 /var/ossec/bin/wazuh-agentd
           ├─1806 /var/ossec/bin/wazuh-syscheckd
           ├─1820 /var/ossec/bin/wazuh-logcollector
           ├─1844 /var/ossec/bin/wazuh-modulesd
           ├─1858 python3 wodles/docker/DockerListener
           ├─1863 /usr/bin/osqueryd --config_path=/etc/osquery/osquery.conf
           └─1879 /usr/bin/osqueryd                                        

abr 22 16:55:37 ip-10-0-1-238.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
abr 22 16:55:37 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Starting Wazuh v4.3.0...
abr 22 16:55:38 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Started wazuh-execd...
abr 22 16:55:39 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Started wazuh-agentd...
abr 22 16:55:40 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Started wazuh-syscheckd...
abr 22 16:55:41 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Started wazuh-logcollector...
abr 22 16:55:41 ip-10-0-1-238.us-west-1.compute.internal osqueryd[1863]: osqueryd started [version=4.3.0]
abr 22 16:55:42 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Started wazuh-modulesd...
abr 22 16:55:44 ip-10-0-1-238.us-west-1.compute.internal env[1751]: Completed.
abr 22 16:55:44 ip-10-0-1-238.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
[root@ip-10-0-1-238 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Ubuntu 🔴
  • journalctl -xe -u wazuh-agent.service:
root@ip-10-0-1-12:/home/wazuh-user# journalctl -xe -u wazuh-agent.service
-- 
-- Unit wazuh-agent.service has finished shutting down.
Apr 25 09:21:43 ip-10-0-1-12 systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has begun starting up.
Apr 25 09:21:43 ip-10-0-1-12 env[22109]: Starting Wazuh v4.3.0...
Apr 25 09:21:44 ip-10-0-1-12 env[22109]: Started wazuh-execd...
Apr 25 09:21:45 ip-10-0-1-12 env[22109]: Started wazuh-agentd...
Apr 25 09:21:46 ip-10-0-1-12 env[22109]: Started wazuh-syscheckd...
Apr 25 09:21:48 ip-10-0-1-12 env[22109]: Started wazuh-logcollector...
Apr 25 09:21:49 ip-10-0-1-12 env[22109]: Started wazuh-modulesd...
Apr 25 09:21:51 ip-10-0-1-12 env[22109]: Completed.
Apr 25 09:21:51 ip-10-0-1-12 systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is RESULT.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
root@ip-10-0-1-12:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/04/25 09:21:47 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
2022/04/25 09:21:47 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
2022/04/25 09:21:47 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/maillog' due to [(2)-(No such file or directory)].
  • systemctl status wazuh-agent -l:
root@ip-10-0-1-12:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-04-25 09:21:51 UTC; 2min 43s ago
  Process: 22055 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 22109 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 31 (limit: 1125)
   CGroup: /system.slice/wazuh-agent.service
           ├─22159 /var/ossec/bin/wazuh-execd
           ├─22170 /var/ossec/bin/wazuh-agentd
           ├─22185 /var/ossec/bin/wazuh-syscheckd
           ├─22199 /var/ossec/bin/wazuh-logcollector
           └─22215 /var/ossec/bin/wazuh-modulesd

Apr 25 09:21:43 ip-10-0-1-12 systemd[1]: Starting Wazuh agent...
Apr 25 09:21:43 ip-10-0-1-12 env[22109]: Starting Wazuh v4.3.0...
Apr 25 09:21:44 ip-10-0-1-12 env[22109]: Started wazuh-execd...
Apr 25 09:21:45 ip-10-0-1-12 env[22109]: Started wazuh-agentd...
Apr 25 09:21:46 ip-10-0-1-12 env[22109]: Started wazuh-syscheckd...
Apr 25 09:21:48 ip-10-0-1-12 env[22109]: Started wazuh-logcollector...
Apr 25 09:21:49 ip-10-0-1-12 env[22109]: Started wazuh-modulesd...
Apr 25 09:21:51 ip-10-0-1-12 env[22109]: Completed.
Apr 25 09:21:51 ip-10-0-1-12 systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
root@ip-10-0-1-12:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Centos 🟢
  • journalctl -xe -u wazuh-agent.service:
abr 21 12:13:52 ip-10-0-1-63.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun shutting down.
abr 21 12:13:52 ip-10-0-1-63.us-west-1.compute.internal env[4066]: Killing wazuh-modulesd...
abr 21 12:13:52 ip-10-0-1-63.us-west-1.compute.internal env[4066]: Killing wazuh-logcollector...
abr 21 12:13:52 ip-10-0-1-63.us-west-1.compute.internal env[4066]: Killing wazuh-syscheckd...
abr 21 12:13:52 ip-10-0-1-63.us-west-1.compute.internal env[4066]: Killing wazuh-agentd...
abr 21 12:13:52 ip-10-0-1-63.us-west-1.compute.internal env[4066]: Killing wazuh-execd...
abr 21 12:13:52 ip-10-0-1-63.us-west-1.compute.internal env[4066]: Wazuh v4.3.0 Stopped
abr 21 12:13:52 ip-10-0-1-63.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished shutting down.
abr 21 12:16:58 ip-10-0-1-63.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
abr 21 12:16:58 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Starting Wazuh v4.3.0...
abr 21 12:16:59 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Started wazuh-execd...
abr 21 12:17:00 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Started wazuh-agentd...
abr 21 12:17:01 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Started wazuh-syscheckd...
abr 21 12:17:02 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Started wazuh-logcollector...
abr 21 12:17:03 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Started wazuh-modulesd...
abr 21 12:17:05 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Completed.
abr 21 12:17:05 ip-10-0-1-63.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@ip-10-0-1-63 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@ip-10-0-1-63 wazuh-user]# 
  • systemctl status wazuh-agent -l:
[root@ip-10-0-1-63 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since jue 2022-04-21 12:17:05 UTC; 3 days ago
  Process: 4066 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 4138 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─4165 /var/ossec/bin/wazuh-execd
           ├─4177 /var/ossec/bin/wazuh-agentd
           ├─4192 /var/ossec/bin/wazuh-syscheckd
           ├─4206 /var/ossec/bin/wazuh-logcollector
           └─4228 /var/ossec/bin/wazuh-modulesd

abr 21 12:16:58 ip-10-0-1-63.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
abr 21 12:16:58 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Starting Wazuh v4.3.0...
abr 21 12:16:59 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Started wazuh-execd...
abr 21 12:17:00 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Started wazuh-agentd...
abr 21 12:17:01 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Started wazuh-syscheckd...
abr 21 12:17:02 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Started wazuh-logcollector...
abr 21 12:17:03 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Started wazuh-modulesd...
abr 21 12:17:05 ip-10-0-1-63.us-west-1.compute.internal env[4138]: Completed.
abr 21 12:17:05 ip-10-0-1-63.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
[root@ip-10-0-1-63 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Debian 🔴
  • journalctl -xe -u wazuh-agent.service:
abr 25 10:08:25 ip-10-0-1-35 systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit wazuh-agent.service has begun shutting down.
abr 25 10:08:25 ip-10-0-1-35 env[25637]: Killing wazuh-modulesd...
abr 25 10:08:25 ip-10-0-1-35 env[25637]: Killing wazuh-logcollector...
abr 25 10:08:25 ip-10-0-1-35 env[25637]: Killing wazuh-syscheckd...
abr 25 10:08:25 ip-10-0-1-35 env[25637]: Killing wazuh-agentd...
abr 25 10:08:25 ip-10-0-1-35 env[25637]: Killing wazuh-execd...
abr 25 10:08:25 ip-10-0-1-35 env[25637]: Wazuh v4.3.0 Stopped
abr 25 10:08:25 ip-10-0-1-35 systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit wazuh-agent.service has finished shutting down.
abr 25 10:08:25 ip-10-0-1-35 systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit wazuh-agent.service has begun starting up.
abr 25 10:08:25 ip-10-0-1-35 env[25691]: Starting Wazuh v4.3.0...
abr 25 10:08:26 ip-10-0-1-35 env[25691]: Started wazuh-execd...
abr 25 10:08:27 ip-10-0-1-35 env[25691]: Started wazuh-agentd...
abr 25 10:08:28 ip-10-0-1-35 env[25691]: Started wazuh-syscheckd...
abr 25 10:08:29 ip-10-0-1-35 env[25691]: Started wazuh-logcollector...
abr 25 10:08:30 ip-10-0-1-35 env[25691]: Started wazuh-modulesd...
abr 25 10:08:32 ip-10-0-1-35 env[25691]: Completed.
abr 25 10:08:32 ip-10-0-1-35 systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
root@ip-10-0-1-35:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log 
2022/04/25 10:08:28 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
2022/04/25 10:08:28 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/maillog' due to [(2)-(No such file or directory)].
  • systemctl status wazuh-agent -l:
root@ip-10-0-1-35:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-04-25 10:08:32 UTC; 1min 31s ago
  Process: 25637 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 25691 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCES
    Tasks: 31 (limit: 4915)
   CGroup: /system.slice/wazuh-agent.service
           ├─25715 /var/ossec/bin/wazuh-execd
           ├─25727 /var/ossec/bin/wazuh-agentd
           ├─25741 /var/ossec/bin/wazuh-syscheckd
           ├─25758 /var/ossec/bin/wazuh-logcollector
           └─25799 /var/ossec/bin/wazuh-modulesd

abr 25 10:08:25 ip-10-0-1-35 systemd[1]: Starting Wazuh agent...
abr 25 10:08:25 ip-10-0-1-35 env[25691]: Starting Wazuh v4.3.0...
abr 25 10:08:26 ip-10-0-1-35 env[25691]: Started wazuh-execd...
abr 25 10:08:27 ip-10-0-1-35 env[25691]: Started wazuh-agentd...
abr 25 10:08:28 ip-10-0-1-35 env[25691]: Started wazuh-syscheckd...
abr 25 10:08:29 ip-10-0-1-35 env[25691]: Started wazuh-logcollector...
abr 25 10:08:30 ip-10-0-1-35 env[25691]: Started wazuh-modulesd...
abr 25 10:08:32 ip-10-0-1-35 env[25691]: Completed.
abr 25 10:08:32 ip-10-0-1-35 systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status:
root@ip-10-0-1-35:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Windows 🔴
  • EventViewer:
Log Name:      System
Source:        Service Control Manager
Date:          4/25/2022 10:18:27 AM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      EC2AMAZ-PI8VPUM
Description:
The Wazuh service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2022-04-25T10:18:27.349240500Z" />
    <EventRecordID>85705</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="3216" />
    <Channel>System</Channel>
    <Computer>EC2AMAZ-PI8VPUM</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Wazuh</Data>
    <Data Name="param2">running</Data>
    <Binary>570061007A00750068005300760063002F0034000000</Binary>
  </EventData>
</Event>

Log Name:      System
Source:        Service Control Manager
Date:          4/25/2022 10:18:19 AM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      EC2AMAZ-PI8VPUM
Description:
The Wazuh service entered the stopped state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2022-04-25T10:18:19.990460600Z" />
    <EventRecordID>85704</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="6968" />
    <Channel>System</Channel>
    <Computer>EC2AMAZ-PI8VPUM</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Wazuh</Data>
    <Data Name="param2">stopped</Data>
    <Binary>570061007A00750068005300760063002F0031000000</Binary>
  </EventData>
</Event>
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
2022/04/25 00:00:43 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220425.log' due to [(2)-(The system cannot find the file specified.)].
2022/04/25 00:01:48 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220425.log' due to [(2)-(The system cannot find the file specified.)].
2022/04/25 00:02:53 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220425.log' due to [(2)-(The system cannot find the file specified.)].
2022/04/25 00:03:58 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220425.log' due to [(2)-(The system cannot find the file specified.)].

2022/04/25 10:18:27 wazuh-agent: WARNING: (1958): Log file 'Security' is duplicated.
2022/04/25 10:18:27 wazuh-agent: WARNING: (1958): Log file 'System' is duplicated.
  • Agent is running:

[screenshot: windows_agent]

Managers

Master env 1 🟡
  • journalctl -xe -u wazuh-manager.service:
abr 20 19:12:46 wazuh-manager-master-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun shutting down.
abr 20 19:12:46 wazuh-manager-master-0 env[6630]: Killing wazuh-clusterd...
abr 20 19:12:46 wazuh-manager-master-0 env[6630]: Killing wazuh-modulesd...
abr 20 19:12:46 wazuh-manager-master-0 env[6630]: Killing wazuh-monitord...
abr 20 19:12:46 wazuh-manager-master-0 env[6630]: Killing wazuh-logcollector...
abr 20 19:12:46 wazuh-manager-master-0 env[6630]: Killing wazuh-remoted...
abr 20 19:12:46 wazuh-manager-master-0 env[6630]: Killing wazuh-syscheckd...
abr 20 19:12:47 wazuh-manager-master-0 env[6630]: Killing wazuh-analysisd...
abr 20 19:12:47 wazuh-manager-master-0 env[6630]: wazuh-maild not running...
abr 20 19:12:47 wazuh-manager-master-0 env[6630]: Killing wazuh-execd...
abr 20 19:12:47 wazuh-manager-master-0 env[6630]: Killing wazuh-db...
abr 20 19:12:48 wazuh-manager-master-0 env[6630]: Killing wazuh-authd...
abr 20 19:12:49 wazuh-manager-master-0 env[6630]: wazuh-agentlessd not running...
abr 20 19:12:49 wazuh-manager-master-0 env[6630]: Killing wazuh-integratord...
abr 20 19:12:49 wazuh-manager-master-0 env[6630]: wazuh-dbd not running...
abr 20 19:12:49 wazuh-manager-master-0 env[6630]: wazuh-csyslogd not running...
abr 20 19:12:49 wazuh-manager-master-0 env[6630]: Killing wazuh-apid...
abr 20 19:12:49 wazuh-manager-master-0 env[6630]: Wazuh v4.3.0 Stopped
abr 20 19:12:49 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
abr 20 19:12:50 wazuh-manager-master-0 env[6786]: 2022/04/20 19:12:50 wazuh-analysisd: WARNING: All aler
abr 20 19:12:50 wazuh-manager-master-0 env[6786]: 2022/04/20 19:12:50 wazuh-analysisd: WARNING: (7606): 
abr 20 19:12:50 wazuh-manager-master-0 env[6786]: 2022/04/20 19:12:50 wazuh-modulesd: WARNING: The <igno
abr 20 19:12:51 wazuh-manager-master-0 env[6786]: Starting Wazuh v4.3.0...
abr 20 19:12:53 wazuh-manager-master-0 env[6786]: Started wazuh-apid...
abr 20 19:12:53 wazuh-manager-master-0 env[6786]: Started wazuh-csyslogd...
abr 20 19:12:53 wazuh-manager-master-0 env[6786]: Started wazuh-dbd...
abr 20 19:12:53 wazuh-manager-master-0 env[6786]: Started wazuh-integratord...
abr 20 19:12:53 wazuh-manager-master-0 env[6786]: Started wazuh-agentlessd...
abr 20 19:12:54 wazuh-manager-master-0 env[6786]: Started wazuh-authd...
abr 20 19:12:55 wazuh-manager-master-0 env[6786]: Started wazuh-db...
abr 20 19:12:56 wazuh-manager-master-0 env[6786]: Started wazuh-execd...
abr 20 19:12:56 wazuh-manager-master-0 env[6786]: 2022/04/20 19:12:56 wazuh-analysisd: WARNING: All aler
abr 20 19:12:58 wazuh-manager-master-0 env[6786]: Started wazuh-analysisd...
abr 20 19:12:59 wazuh-manager-master-0 env[6786]: Started wazuh-syscheckd...
abr 20 19:13:00 wazuh-manager-master-0 env[6786]: Started wazuh-remoted...
abr 20 19:13:01 wazuh-manager-master-0 env[6786]: Started wazuh-logcollector...
abr 20 19:13:02 wazuh-manager-master-0 env[6786]: Started wazuh-monitord...
abr 20 19:13:02 wazuh-manager-master-0 env[6786]: 2022/04/20 19:13:02 wazuh-modulesd: WARNING: The <igno
abr 20 19:13:03 wazuh-manager-master-0 env[6786]: Started wazuh-modulesd...
abr 20 19:13:04 wazuh-manager-master-0 env[6786]: Started wazuh-clusterd...
abr 20 19:13:05 wazuh-manager-master-0 crontab[7222]: (root) LIST (root)
abr 20 19:13:06 wazuh-manager-master-0 env[6786]: Completed.
abr 20 19:13:06 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/04/25 00:01:18 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 00:06:19 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 00:11:19 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 00:16:19 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 00:21:19 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 00:26:19 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 00:31:19 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 00:36:19 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 00:41:19 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log 
  • systemctl status wazuh-manager -l:
[root@wazuh-manager-master-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-04-20 19:13:06 UTC; 4 days ago
  Process: 6630 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 6786 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─6842 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─6865 /var/ossec/bin/wazuh-integratord
           ├─6887 /var/ossec/bin/wazuh-authd
           ├─6904 /var/ossec/bin/wazuh-db
           ├─6916 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─6919 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─6934 /var/ossec/bin/wazuh-execd
           ├─6949 /var/ossec/bin/wazuh-analysisd
           ├─6961 /var/ossec/bin/wazuh-syscheckd
           ├─6981 /var/ossec/bin/wazuh-remoted
           ├─7013 /var/ossec/bin/wazuh-logcollector
           ├─7064 /var/ossec/bin/wazuh-monitord
           ├─7085 /var/ossec/bin/wazuh-modulesd
           ├─7203 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─7214 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─7217 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

abr 20 19:12:59 wazuh-manager-master-0 env[6786]: Started wazuh-syscheckd...
abr 20 19:13:00 wazuh-manager-master-0 env[6786]: Started wazuh-remoted...
abr 20 19:13:01 wazuh-manager-master-0 env[6786]: Started wazuh-logcollector...
abr 20 19:13:02 wazuh-manager-master-0 env[6786]: Started wazuh-monitord...
abr 20 19:13:02 wazuh-manager-master-0 env[6786]: 2022/04/20 19:13:02 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
abr 20 19:13:03 wazuh-manager-master-0 env[6786]: Started wazuh-modulesd...
abr 20 19:13:04 wazuh-manager-master-0 env[6786]: Started wazuh-clusterd...
abr 20 19:13:05 wazuh-manager-master-0 crontab[7222]: (root) LIST (root)
abr 20 19:13:06 wazuh-manager-master-0 env[6786]: Completed.
abr 20 19:13:06 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
  • /var/ossec/bin/wazuh-control status:
[root@wazuh-manager-master-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
Worker env 1 🟡
  • journalctl -xe -u wazuh-manager.service:
abr 20 20:02:31 wazuh-manager-worker-0 env[24145]: Killing wazuh-clusterd...
abr 20 20:02:31 wazuh-manager-worker-0 env[24145]: Killing wazuh-modulesd...
abr 20 20:02:32 wazuh-manager-worker-0 env[24145]: Killing wazuh-monitord...
abr 20 20:02:32 wazuh-manager-worker-0 env[24145]: Killing wazuh-logcollector...
abr 20 20:02:32 wazuh-manager-worker-0 env[24145]: Killing wazuh-remoted...
abr 20 20:02:32 wazuh-manager-worker-0 env[24145]: Killing wazuh-syscheckd...
abr 20 20:02:32 wazuh-manager-worker-0 env[24145]: Killing wazuh-analysisd...
abr 20 20:02:32 wazuh-manager-worker-0 env[24145]: wazuh-maild not running...
abr 20 20:02:32 wazuh-manager-worker-0 env[24145]: Killing wazuh-execd...
abr 20 20:02:32 wazuh-manager-worker-0 env[24145]: Killing wazuh-db...
abr 20 20:02:33 wazuh-manager-worker-0 env[24145]: wazuh-authd not running...
abr 20 20:02:33 wazuh-manager-worker-0 env[24145]: wazuh-agentlessd not running...
abr 20 20:02:33 wazuh-manager-worker-0 env[24145]: Killing wazuh-integratord...
abr 20 20:02:33 wazuh-manager-worker-0 env[24145]: wazuh-dbd not running...
abr 20 20:02:33 wazuh-manager-worker-0 env[24145]: wazuh-csyslogd not running...
abr 20 20:02:33 wazuh-manager-worker-0 env[24145]: Killing wazuh-apid...
abr 20 20:02:33 wazuh-manager-worker-0 env[24145]: Wazuh v4.3.0 Stopped
abr 20 20:02:33 wazuh-manager-worker-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
abr 20 20:02:34 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:34 wazuh-analysisd: WARNING: (7616):
abr 20 20:02:34 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:34 wazuh-analysisd: WARNING: (7606):
abr 20 20:02:34 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:34 wazuh-analysisd: WARNING: (7606):
abr 20 20:02:34 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:34 wazuh-analysisd: WARNING: (7606):
abr 20 20:02:34 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:34 wazuh-analysisd: WARNING: (7606):
abr 20 20:02:34 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:34 wazuh-analysisd: WARNING: (7606):
abr 20 20:02:34 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:34 wazuh-analysisd: WARNING: (7606):
abr 20 20:02:34 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:34 wazuh-analysisd: WARNING: (7606):
abr 20 20:02:35 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:35 wazuh-analysisd: WARNING: (7606):
abr 20 20:02:35 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:35 wazuh-modulesd: WARNING: The <ign
abr 20 20:02:35 wazuh-manager-worker-0 env[24276]: Starting Wazuh v4.3.0...
abr 20 20:02:38 wazuh-manager-worker-0 env[24276]: Started wazuh-apid...
abr 20 20:02:38 wazuh-manager-worker-0 env[24276]: Started wazuh-csyslogd...
abr 20 20:02:38 wazuh-manager-worker-0 env[24276]: Started wazuh-dbd...
abr 20 20:02:38 wazuh-manager-worker-0 env[24276]: Started wazuh-integratord...
abr 20 20:02:38 wazuh-manager-worker-0 env[24276]: Started wazuh-agentlessd...
abr 20 20:02:39 wazuh-manager-worker-0 env[24276]: Started wazuh-db...
abr 20 20:02:40 wazuh-manager-worker-0 env[24276]: Started wazuh-execd...
abr 20 20:02:41 wazuh-manager-worker-0 env[24276]: Started wazuh-analysisd...
abr 20 20:02:42 wazuh-manager-worker-0 env[24276]: Started wazuh-syscheckd...
abr 20 20:02:43 wazuh-manager-worker-0 env[24276]: Started wazuh-remoted...
abr 20 20:02:44 wazuh-manager-worker-0 env[24276]: Started wazuh-logcollector...
abr 20 20:02:45 wazuh-manager-worker-0 env[24276]: Started wazuh-monitord...
abr 20 20:02:45 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:45 wazuh-modulesd: WARNING: The <ign
abr 20 20:02:46 wazuh-manager-worker-0 crontab[24638]: (root) LIST (root)
abr 20 20:02:46 wazuh-manager-worker-0 env[24276]: Started wazuh-modulesd...
abr 20 20:02:47 wazuh-manager-worker-0 env[24276]: Started wazuh-clusterd...
abr 20 20:02:49 wazuh-manager-worker-0 env[24276]: Completed.
abr 20 20:02:49 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
abr 21 08:02:46 wazuh-manager-worker-0 crontab[30810]: (root) LIST (root)
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
2022/04/25 10:15:54 wazuh-analysisd: WARNING: Mitre Technique ID 'T1130' not found in database.
2022/04/25 10:15:54 wazuh-analysisd: WARNING: Mitre Technique ID 'T1130' not found in database.
2022/04/25 10:15:54 wazuh-analysisd: WARNING: Mitre Technique ID 'T1073' not found in database.
2022/04/25 10:16:54 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 10:21:54 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 10:26:55 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
[root@wazuh-manager-worker-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log  
  • systemctl status wazuh-manager -l:
[root@wazuh-manager-worker-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-04-20 20:02:49 UTC; 4 days ago
  Process: 24145 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 24276 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─24332 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─24355 /var/ossec/bin/wazuh-integratord
           ├─24375 /var/ossec/bin/wazuh-db
           ├─24399 /var/ossec/bin/wazuh-execd
           ├─24401 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─24404 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─24420 /var/ossec/bin/wazuh-analysisd
           ├─24432 /var/ossec/bin/wazuh-syscheckd
           ├─24453 /var/ossec/bin/wazuh-remoted
           ├─24485 /var/ossec/bin/wazuh-logcollector
           ├─24508 /var/ossec/bin/wazuh-monitord
           ├─24556 /var/ossec/bin/wazuh-modulesd
           ├─24692 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─24897 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─25608 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

abr 20 20:02:43 wazuh-manager-worker-0 env[24276]: Started wazuh-remoted...
abr 20 20:02:44 wazuh-manager-worker-0 env[24276]: Started wazuh-logcollector...
abr 20 20:02:45 wazuh-manager-worker-0 env[24276]: Started wazuh-monitord...
abr 20 20:02:45 wazuh-manager-worker-0 env[24276]: 2022/04/20 20:02:45 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
abr 20 20:02:46 wazuh-manager-worker-0 crontab[24638]: (root) LIST (root)
abr 20 20:02:46 wazuh-manager-worker-0 env[24276]: Started wazuh-modulesd...
abr 20 20:02:47 wazuh-manager-worker-0 env[24276]: Started wazuh-clusterd...
abr 20 20:02:49 wazuh-manager-worker-0 env[24276]: Completed.
abr 20 20:02:49 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
abr 21 08:02:46 wazuh-manager-worker-0 crontab[30810]: (root) LIST (root)
  • /var/ossec/bin/wazuh-control status:
[root@wazuh-manager-worker-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd not running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
Master env 2 🟡
  • journalctl -xe -u wazuh-manager.service:
abr 20 19:24:31 wazuh-manager-master-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun shutting down.
abr 20 19:24:31 wazuh-manager-master-0 env[24585]: Killing wazuh-clusterd...
abr 20 19:24:32 wazuh-manager-master-0 env[24585]: Killing wazuh-modulesd...
abr 20 19:24:32 wazuh-manager-master-0 env[24585]: Killing wazuh-monitord...
abr 20 19:24:32 wazuh-manager-master-0 env[24585]: Killing wazuh-logcollector...
abr 20 19:24:32 wazuh-manager-master-0 env[24585]: Killing wazuh-remoted...
abr 20 19:24:32 wazuh-manager-master-0 env[24585]: Killing wazuh-syscheckd...
abr 20 19:24:32 wazuh-manager-master-0 env[24585]: Killing wazuh-analysisd...
abr 20 19:24:32 wazuh-manager-master-0 env[24585]: wazuh-maild not running...
abr 20 19:24:32 wazuh-manager-master-0 env[24585]: Killing wazuh-execd...
abr 20 19:24:32 wazuh-manager-master-0 env[24585]: Killing wazuh-db...
abr 20 19:24:33 wazuh-manager-master-0 env[24585]: Killing wazuh-authd...
abr 20 19:24:34 wazuh-manager-master-0 env[24585]: wazuh-agentlessd not running...
abr 20 19:24:34 wazuh-manager-master-0 env[24585]: Killing wazuh-integratord...
abr 20 19:24:34 wazuh-manager-master-0 env[24585]: wazuh-dbd not running...
abr 20 19:24:34 wazuh-manager-master-0 env[24585]: wazuh-csyslogd not running...
abr 20 19:24:34 wazuh-manager-master-0 env[24585]: Killing wazuh-apid...
abr 20 19:24:35 wazuh-manager-master-0 env[24585]: Wazuh v4.3.0 Stopped
abr 20 19:24:35 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
abr 20 19:24:36 wazuh-manager-master-0 env[24739]: 2022/04/20 19:24:36 wazuh-modulesd: WARNING: The <ign
abr 20 19:24:36 wazuh-manager-master-0 env[24739]: Starting Wazuh v4.3.0...
abr 20 19:24:39 wazuh-manager-master-0 env[24739]: Started wazuh-apid...
abr 20 19:24:39 wazuh-manager-master-0 env[24739]: Started wazuh-csyslogd...
abr 20 19:24:39 wazuh-manager-master-0 env[24739]: Started wazuh-dbd...
abr 20 19:24:39 wazuh-manager-master-0 env[24739]: Started wazuh-integratord...
abr 20 19:24:39 wazuh-manager-master-0 env[24739]: Started wazuh-agentlessd...
abr 20 19:24:40 wazuh-manager-master-0 env[24739]: Started wazuh-authd...
abr 20 19:24:41 wazuh-manager-master-0 env[24739]: Started wazuh-db...
abr 20 19:24:42 wazuh-manager-master-0 env[24739]: Started wazuh-execd...
abr 20 19:24:43 wazuh-manager-master-0 env[24739]: Started wazuh-analysisd...
abr 20 19:24:44 wazuh-manager-master-0 env[24739]: Started wazuh-syscheckd...
abr 20 19:24:45 wazuh-manager-master-0 env[24739]: Started wazuh-remoted...
abr 20 19:24:46 wazuh-manager-master-0 env[24739]: Started wazuh-logcollector...
abr 20 19:24:48 wazuh-manager-master-0 env[24739]: Started wazuh-monitord...
abr 20 19:24:48 wazuh-manager-master-0 env[24739]: 2022/04/20 19:24:48 wazuh-modulesd: WARNING: The <ign
abr 20 19:24:49 wazuh-manager-master-0 env[24739]: Started wazuh-modulesd...
abr 20 19:24:49 wazuh-manager-master-0 crontab[25153]: (root) LIST (root)
abr 20 19:24:50 wazuh-manager-master-0 env[24739]: Started wazuh-clusterd...
abr 20 19:24:52 wazuh-manager-master-0 env[24739]: Completed.
abr 20 19:24:52 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
abr 21 07:24:49 wazuh-manager-master-0 crontab[32693]: (root) LIST (root)
abr 21 19:24:49 wazuh-manager-master-0 crontab[7756]: (root) LIST (root)
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
2022/04/25 10:06:24 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '001' OS. Skipping it.
2022/04/25 10:11:24 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 10:11:24 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '001' OS. Skipping it.
2022/04/25 10:16:24 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/04/25 10:16:24 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '001' OS. Skipping it.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log  
  • systemctl status wazuh-manager -l:
[root@wazuh-manager-master-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-04-20 19:24:52 UTC; 4 days ago
  Process: 24585 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 24739 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─24795 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─24818 /var/ossec/bin/wazuh-integratord
           ├─24840 /var/ossec/bin/wazuh-authd
           ├─24857 /var/ossec/bin/wazuh-db
           ├─24869 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─24872 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─24887 /var/ossec/bin/wazuh-execd
           ├─24902 /var/ossec/bin/wazuh-analysisd
           ├─24914 /var/ossec/bin/wazuh-syscheckd
           ├─24934 /var/ossec/bin/wazuh-remoted
           ├─24967 /var/ossec/bin/wazuh-logcollector
           ├─24987 /var/ossec/bin/wazuh-monitord
           ├─25038 /var/ossec/bin/wazuh-modulesd
           ├─25164 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─25174 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─25177 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

abr 20 19:24:46 wazuh-manager-master-0 env[24739]: Started wazuh-logcollector...
abr 20 19:24:48 wazuh-manager-master-0 env[24739]: Started wazuh-monitord...
abr 20 19:24:48 wazuh-manager-master-0 env[24739]: 2022/04/20 19:24:48 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
abr 20 19:24:49 wazuh-manager-master-0 env[24739]: Started wazuh-modulesd...
abr 20 19:24:49 wazuh-manager-master-0 crontab[25153]: (root) LIST (root)
abr 20 19:24:50 wazuh-manager-master-0 env[24739]: Started wazuh-clusterd...
abr 20 19:24:52 wazuh-manager-master-0 env[24739]: Completed.
abr 20 19:24:52 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
abr 21 07:24:49 wazuh-manager-master-0 crontab[32693]: (root) LIST (root)
abr 21 19:24:49 wazuh-manager-master-0 crontab[7756]: (root) LIST (root)
  • /var/ossec/bin/wazuh-control status:
[root@wazuh-manager-master-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Wazuh Indexer

Bootstrap 🔴
  • journalctl -xe -u wazuh-indexer.service:
[root@ip-10-0-2-167 wazuh-user]# journalctl -xe -u wazuh-indexer.service
abr 24 05:20:54 ip-10-0-2-167.us-west-1.compute.internal systemd-entrypoint[17699]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 05:51:04 ip-10-0-2-167.us-west-1.compute.internal systemd-entrypoint[17699]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 06:21:15 ip-10-0-2-167.us-west-1.compute.internal systemd-entrypoint[17699]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 06:51:26 ip-10-0-2-167.us-west-1.compute.internal systemd-entrypoint[17699]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 07:21:36 ip-10-0-2-167.us-west-1.compute.internal systemd-entrypoint[17699]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 07:51:47 ip-10-0-2-167.us-west-1.compute.internal systemd-entrypoint[17699]: Exception in thread "Attach Listener" Agent failed to start!
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[2022-04-25T00:43:19,356][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T00:43:19,737][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T00:43:20,133][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T00:43:20,514][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T00:43:20,894][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T00:43:21,275][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T00:43:21,675][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T00:43:22,056][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T00:43:22,256][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: no cipher suites in common
[2022-04-25T00:43:22,826][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T01:06:46,960][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a2035342e3137372e37362e37373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e302028636f6d70617469626c653b2043656e737973496e73706563742f312e313b202b68747470733a2f2f61626f75742e63656e7379732e696f2f290d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T01:06:48,075][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T03:23:07,637][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 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
[2022-04-25T08:39:38,223][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f616c696173657320485454502f312e310d0a486f73743a2035342e3137372e37362e37373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T08:48:16,762][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f73746174732f696e646963657320485454502f312e310d0a486f73743a2035342e3137372e37362e37373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T08:53:36,872][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f636c75737465722f6865616c74683f6c6576656c3d696e646963657320485454502f312e310d0a486f73743a2035342e3137372e37362e37373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T09:09:53,467][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f73746174757320485454502f312e310d0a486f73743a2035342e3137372e37362e37373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T10:24:06,383][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a2035342e3137372e37362e37370d0a0d0a
  • systemctl status wazuh-indexer -l:
[wazuh-user@ip-10-0-2-167 ~]$ systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-04-18 14:03:00 UTC; 6 days ago
     Docs: https://documentation.wazuh.com
 Main PID: 17699 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─17699 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-3307066445668290224 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Master B 🔴
  • journalctl -xe -u wazuh-indexer.service:
abr 24 05:50:02 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 06:20:13 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 06:50:24 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 07:20:34 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 07:50:45 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 08:20:56 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 08:51:07 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 09:21:17 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 09:51:28 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[root@ip-10-0-2-249 wazuh-user]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
[2022-04-25T00:09:43,512][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e300d0a557365722d4167656e743a20457870616e73652c20612050616c6f20416c746f204e6574776f726b7320636f6d70616e792c207365617263686573206163726f73732074686520676c6f62616c2049507634207370616365206d756c7469706c652074696d6573207065722064617920746f206964656e7469667920637573746f6d657273262333393b2070726573656e636573206f6e2074686520496e7465726e65742e20496620796f7520776f756c64206c696b6520746f206265206578636c756465642066726f6d206f7572207363616e732c20706c656173652073656e64204950206164647265737365732f646f6d61696e7320746f3a207363616e696e666f4070616c6f616c746f6e6574776f726b732e636f6d0d0a4163636570743a202a2f2a0d0a0d0a
[2022-04-25T01:17:44,336][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f6361742f696e64696365733f666f726d61743d6a736f6e26683d696e64657820485454502f312e310d0a486f73743a2035342e3231352e35322e3230393a393230300d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174652c2062720d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a557365722d4167656e743a20707974686f6e2d68747470782f302e32312e310d0a0d0a
[2022-04-25T04:10:23,071][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a2035342e3231352e35322e3230393a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2072763a36382e3029204765636b6f2f32303130303130312046697265666f782f36382e300d0a4163636570743a202a2f2a0d0a0d0a
[2022-04-25T05:52:19,685][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T05:52:19,764][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T05:52:21,808][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T05:52:24,877][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T05:52:26,922][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T05:52:28,965][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T05:52:31,009][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T05:52:33,053][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T05:52:35,098][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T05:52:37,123][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: no cipher suites in common
[2022-04-25T05:52:39,190][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T06:19:21,242][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a2035342e3231352e35322e3230393a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e302028636f6d70617469626c653b2043656e737973496e73706563742f312e313b202b68747470733a2f2f61626f75742e63656e7379732e696f2f290d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T06:19:22,534][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T08:39:37,350][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f616c696173657320485454502f312e310d0a486f73743a2035342e3231352e35322e3230393a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T08:48:21,087][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f73746174732f696e646963657320485454502f312e310d0a486f73743a2035342e3231352e35322e3230393a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T08:53:37,295][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f636c75737465722f6865616c74683f6c6576656c3d696e646963657320485454502f312e310d0a486f73743a2035342e3231352e35322e3230393a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T09:09:45,255][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f73746174757320485454502f312e310d0a486f73743a2035342e3231352e35322e3230393a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T10:25:26,480][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-3] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a2035342e3231352e35322e3230390d0a0d0a
  • systemctl status wazuh-indexer -l:
[root@ip-10-0-2-249 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-04-18 14:02:38 UTC; 6 days ago
     Docs: https://documentation.wazuh.com
 Main PID: 17685 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─17685 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-12906269128058797492 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

abr 25 06:58:51 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 07:29:01 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 07:59:12 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 08:29:23 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 08:59:33 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 09:29:43 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 09:59:54 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 10:30:04 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 11:00:14 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 11:30:25 ip-10-0-2-249.us-west-1.compute.internal systemd-entrypoint[17685]: Exception in thread "Attach Listener" Agent failed to start!

Master C 🔴
  • journalctl -xe -u wazuh-indexer.service:
abr 24 05:50:35 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 06:20:46 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 06:50:57 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 07:21:07 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 07:51:18 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 08:21:28 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 08:51:39 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 09:21:49 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 09:52:00 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 24 10:22:11 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[root@ip-10-0-2-198 wazuh-user]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
[2022-04-25T02:01:02,193][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a203230342e3233362e3138372e3139373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e302028636f6d70617469626c653b2043656e737973496e73706563742f312e313b202b68747470733a2f2f61626f75742e63656e7379732e696f2f290d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T02:01:03,322][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
[2022-04-25T03:21:25,941][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a203230342e3233362e3138372e3139373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f39352e302e343633382e3639205361666172692f3533372e33360d0a436f6e6e656374696f6e3a20636c6f73650d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T03:21:29,657][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 1201001a0000000000000b00060100110001ff08000155000001
[2022-04-25T03:21:33,148][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0300002c27e00000000000436f6f6b69653a206d737473686173683d656c746f6e730d0a0100080003000000
[2022-04-25T03:21:46,954][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0000006efe534d4240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024000400010000000000000000000000000000000000000000000000000000000000000002021002000302031103
[2022-04-25T03:22:25,791][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: no cipher suites in common
[2022-04-25T04:12:21,636][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e300d0a557365722d4167656e743a20457870616e73652c20612050616c6f20416c746f204e6574776f726b7320636f6d70616e792c207365617263686573206163726f73732074686520676c6f62616c2049507634207370616365206d756c7469706c652074696d6573207065722064617920746f206964656e7469667920637573746f6d657273262333393b2070726573656e636573206f6e2074686520496e7465726e65742e20496620796f7520776f756c64206c696b6520746f206265206578636c756465642066726f6d206f7572207363616e732c20706c656173652073656e64204950206164647265737365732f646f6d61696e7320746f3a207363616e696e666f4070616c6f616c746f6e6574776f726b732e636f6d0d0a4163636570743a202a2f2a0d0a0d0a
[2022-04-25T06:56:39,942][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e300d0a0d0a
[2022-04-25T08:45:00,648][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f616c696173657320485454502f312e310d0a486f73743a203230342e3233362e3138372e3139373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T09:06:43,599][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f73746174732f696e646963657320485454502f312e310d0a486f73743a203230342e3233362e3138372e3139373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T09:11:43,511][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f636c75737465722f6865616c74683f6c6576656c3d696e646963657320485454502f312e310d0a486f73743a203230342e3233362e3138372e3139373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T09:30:48,135][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f5f73746174757320485454502f312e310d0a486f73743a203230342e3233362e3138372e3139373a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
[2022-04-25T10:24:30,182][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a203230342e3233362e3138372e3139370d0a0d0a
  • systemctl status wazuh-indexer -l:
[root@ip-10-0-2-198 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-04-18 14:02:07 UTC; 6 days ago
     Docs: https://documentation.wazuh.com
 Main PID: 17034 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─17034 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-8121338470578713425 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

abr 25 07:29:47 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 07:59:58 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 08:30:09 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 09:00:20 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 09:30:31 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 10:00:42 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 10:30:53 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 11:01:04 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 11:31:15 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 12:01:26 ip-10-0-2-198.us-west-1.compute.internal systemd-entrypoint[17034]: Exception in thread "Attach Listener" Agent failed to start!

Wazuh Dashboard

wazuh-indexer 🔴
  • journalctl -xe -u wazuh-indexer.service:
abr 25 09:06:42 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 09:36:52 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 10:07:03 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 10:37:14 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 11:07:25 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 11:37:36 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 12:07:46 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 12:37:57 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 13:08:08 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[root@ip-10-0-0-184 wazuh-user]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
  • systemctl status wazuh-indexer -l:
[root@ip-10-0-0-184 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-04-18 14:08:51 UTC; 6 days ago
     Docs: https://documentation.wazuh.com
 Main PID: 19331 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─19331 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-18317145943558196621 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

abr 25 08:36:31 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 09:06:42 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 09:36:52 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 10:07:03 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 10:37:14 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 11:07:25 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 11:37:36 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 12:07:46 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 12:37:57 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!
abr 25 13:08:08 ip-10-0-0-184.us-west-1.compute.internal systemd-entrypoint[19331]: Exception in thread "Attach Listener" Agent failed to start!

wazuh-dashboard 🔴
  • journalctl -xe -u wazuh-dashboard.service:

journal-dashboard.zip

  • systemctl status wazuh-dashboard -l:
[root@ip-10-0-0-184 wazuh-user]# systemctl status wazuh-dashboard -l
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-04-18 14:25:19 UTC; 6 days ago
 Main PID: 28409 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─28409 /usr/share/wazuh-dashboard/bin/../node/bin/node /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

abr 25 09:34:43 ip-10-0-0-184.us-west-1.compute.internal opensearch-dashboards[28409]: {"type":"log","@timestamp":"2022-04-25T09:34:43Z","tags":["info","branding"],"pid":28409,"message":"favicon config is not found or invalid."}
abr 25 09:34:43 ip-10-0-0-184.us-west-1.compute.internal opensearch-dashboards[28409]: {"type":"response","@timestamp":"2022-04-25T09:34:42Z","tags":[],"pid":28409,"method":"get","statusCode":200,"req":{"url":"/app/login?nextUrl=%2F","method":"get","headers":{"host":"10.0.0.184:5601","connection":"close","user-agent":"libwww-perl/6.62"},"remoteAddress":"10.0.0.184","userAgent":"libwww-perl/6.62"},"res":{"statusCode":200,"responseTime":297,"contentLength":9},"message":"GET /app/login?nextUrl=%2F 200 297ms - 9.0B"}
abr 25 10:06:23 ip-10-0-0-184.us-west-1.compute.internal opensearch-dashboards[28409]: {"type":"response","@timestamp":"2022-04-25T10:06:23Z","tags":[],"pid":28409,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"10.0.0.184:5601","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36","accept-encoding":"gzip"},"remoteAddress":"10.0.0.184","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET / 302 3ms - 9.0B"}
abr 25 11:07:14 ip-10-0-0-184.us-west-1.compute.internal opensearch-dashboards[28409]: {"type":"response","@timestamp":"2022-04-25T11:07:14Z","tags":[],"pid":28409,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"10.0.0.184:5601","connection":"close"},"remoteAddress":"10.0.0.184"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET / 302 2ms - 9.0B"}
abr 25 11:07:14 ip-10-0-0-184.us-west-1.compute.internal opensearch-dashboards[28409]: {"type":"response","@timestamp":"2022-04-25T11:07:14Z","tags":[],"pid":28409,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"10.0.0.184:5601","connection":"close","user-agent":"Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"10.0.0.184","userAgent":"Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET / 302 2ms - 9.0B"}
abr 25 11:07:15 ip-10-0-0-184.us-west-1.compute.internal opensearch-dashboards[28409]: {"type":"log","@timestamp":"2022-04-25T11:07:15Z","tags":["info","branding"],"pid":28409,"message":"logo default config is not found or invalid."}
abr 25 11:07:15 ip-10-0-0-184.us-west-1.compute.internal opensearch-dashboards[28409]: {"type":"log","@timestamp":"2022-04-25T11:07:15Z","tags":["info","branding"],"pid":28409,"message":"mark default config is not found or invalid."}
abr 25 11:07:15 ip-10-0-0-184.us-west-1.compute.internal opensearch-dashboards[28409]: {"type":"log","@timestamp":"2022-04-25T11:07:15Z","tags":["info","branding"],"pid":28409,"message":"favicon config is not found or invalid."}
abr 25 11:07:15 ip-10-0-0-184.us-west-1.compute.internal opensearch-dashboards[28409]: {"type":"response","@timestamp":"2022-04-25T11:07:15Z","tags":[],"pid":28409,"method":"get","statusCode":200,"req":{"url":"/app/login","method":"get","headers":{"host":"10.0.0.184:5601","connection":"close","user-agent":"Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"10.0.0.184","userAgent":"Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"},"res":{"statusCode":200,"responseTime":296,"contentLength":9},"message":"GET /app/login 200 296ms - 9.0B"}
abr 25 11:11:06 ip-10-0-0-184.us-west-1.compute.internal opensearch-dashboards[28409]: {"type":"response","@timestamp":"2022-04-25T11:11:06Z","tags":[],"pid":28409,"method":"get","statusCode":401,"req":{"url":"/actuator/gateway/routes","method":"get","headers":{"host":"10.0.0.184:5601","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36","accept-encoding":"gzip"},"remoteAddress":"10.0.0.184","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /actuator/gateway/routes 401 2ms - 9.0B"}

Status
🔴 Errors were found
🟡 Warnings were found
🟢 No errors or warnings were found

@juliamagan
Member Author

juliamagan commented Apr 25, 2022

Task 2: The daemons are running with the correct user

Agents

Amazon Linux
root     26277  0.0  0.2  37708  2924 ?        Sl   abr22   0:05 /var/ossec/bin/wazuh-execd
wazuh    26289  0.0  0.5 263692  5512 ?        Sl   abr22   0:40 /var/ossec/bin/wazuh-agentd
root     26304  0.0  0.8 203884  8676 ?        SNl  abr22   0:58 /var/ossec/bin/wazuh-syscheckd
root     26318  0.0  0.4 480248  4808 ?        Sl   abr22   0:19 /var/ossec/bin/wazuh-logcollector
root     26340  0.0  1.7 740780 17032 ?        Sl   abr22   0:30 /var/ossec/bin/wazuh-modulesd

RHEL
root      1778  0.0  0.0  35524  1512 ?        Sl   16:55   0:00 /var/ossec/bin/wazuh-execd
wazuh     1791  0.0  0.0 261256  2772 ?        Sl   16:55   0:00 /var/ossec/bin/wazuh-agentd
root      1806  5.2  0.1 414544  5520 ?        SNl  16:55   0:32 /var/ossec/bin/wazuh-syscheckd
root      1820  0.0  0.0 477936  2488 ?        Sl   16:55   0:00 /var/ossec/bin/wazuh-logcollector
root      1844  0.3  0.4 1033464 19088 ?       Sl   16:55   0:01 /var/ossec/bin/wazuh-modulesd

Ubuntu
root     22159  0.0  0.3  42736  3272 ?        Sl   09:21   0:00 /var/ossec/bin/wazuh-execd
wazuh    22170  0.0  0.5 268672  5544 ?        Sl   09:21   0:00 /var/ossec/bin/wazuh-agentd
root     22185  2.9  0.7 208168  7464 ?        SNl  09:21   0:07 /var/ossec/bin/wazuh-syscheckd
root     22199  0.0  0.4 485136  4396 ?        Sl   09:21   0:00 /var/ossec/bin/wazuh-logcollector
root     22215  0.1  1.4 748320 13892 ?        Sl   09:21   0:00 /var/ossec/bin/wazuh-modulesd

CentOS
root      4165  0.0  0.1  35436  1464 ?        Sl   abr21   0:11 /var/ossec/bin/wazuh-execd
wazuh     4177  0.0  0.5 261260  5380 ?        Sl   abr21   1:25 /var/ossec/bin/wazuh-agentd
root      4192  0.0  0.5 201208  5216 ?        SNl  abr21   1:43 /var/ossec/bin/wazuh-syscheckd
root      4206  0.0  0.2 477816  2932 ?        Sl   abr21   0:45 /var/ossec/bin/wazuh-logcollector
root      4228  0.0  2.7 738416 27136 ?        Sl   abr21   1:05 /var/ossec/bin/wazuh-modulesd

Debian
root     25715  0.0  0.2  41412  2828 ?        Sl   10:08   0:00 /var/ossec/bin/wazuh-execd
wazuh    25727  0.0  0.5 267436  5140 ?        Sl   10:08   0:00 /var/ossec/bin/wazuh-agentd
root     25741  3.0  0.7 272216  7356 ?        SNl  10:08   0:05 /var/ossec/bin/wazuh-syscheckd
root     25758  0.0  0.4 484060  4072 ?        Sl   10:08   0:00 /var/ossec/bin/wazuh-logcollector
root     25799  0.1  1.1 744888 11864 ?        Sl   10:08   0:00 /var/ossec/bin/wazuh-modulesd

Windows
wazuh-agent.exe               4640 WazuhSvc

Managers

Master env 1
wazuh     6842  0.0  2.9 832424 116676 ?       Sl   abr20   3:55 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     6865  0.0  0.0  38436  3376 ?        Sl   abr20   0:08 /var/ossec/bin/wazuh-integratord
root      6887  0.2  0.1 259692  5808 ?        Sl   abr20  18:33 /var/ossec/bin/wazuh-authd
wazuh     6904  0.0  1.0 775168 41168 ?        Sl   abr20   5:05 /var/ossec/bin/wazuh-db
wazuh     6916  0.0  2.5 358192 103596 ?       S    abr20   0:59 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     6919  0.0  1.6 465720 63864 ?        S    abr20   6:04 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      6934  0.0  0.1 177748  4360 ?        Sl   abr20   0:07 /var/ossec/bin/wazuh-execd
wazuh     6949  0.1  2.8 1292644 112844 ?      Sl   abr20   8:05 /var/ossec/bin/wazuh-analysisd
root      6961  0.0  0.2 269920  8616 ?        SNl  abr20   1:50 /var/ossec/bin/wazuh-syscheckd
wazuh     6981  0.3  0.2 1187012 8500 ?        Sl   abr20  25:57 /var/ossec/bin/wazuh-remoted
root      7013  0.0  0.1 546412  5364 ?        Sl   abr20   0:37 /var/ossec/bin/wazuh-logcollector
wazuh     7064  0.0  0.1  38500  5060 ?        Sl   abr20   0:25 /var/ossec/bin/wazuh-monitord
root      7085  3.0  6.4 1372280 256732 ?      Sl   abr20 202:56 /var/ossec/bin/wazuh-modulesd
wazuh     7203  0.1  1.5 444524 60416 ?        Sl   abr20   8:03 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh     7214  0.0  1.0 279740 43512 ?        S    abr20   4:04 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh     7217  0.0  1.0 361668 43412 ?        S    abr20   4:05 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

Worker env 1
wazuh    24332  0.0  2.3 740912 94384 ?        Sl   abr20   0:11 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    24355  0.0  0.1  38440  4256 ?        Sl   abr20   0:11 /var/ossec/bin/wazuh-integratord
wazuh    24375  0.0  1.0 775164 40872 ?        Sl   abr20   5:27 /var/ossec/bin/wazuh-db
root     24399  0.0  0.0 104020  3164 ?        Sl   abr20   0:08 /var/ossec/bin/wazuh-execd
wazuh    24401  0.0  1.4 309348 57400 ?        S    abr20   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    24404  0.0  1.5 464004 60012 ?        S    abr20   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    24420  0.1  3.0 1292612 122668 ?      Sl   abr20   7:33 /var/ossec/bin/wazuh-analysisd
root     24432  0.0  0.2 204420  8820 ?        SNl  abr20   1:46 /var/ossec/bin/wazuh-syscheckd
wazuh    24453  0.1  0.2 1186896 8604 ?        Sl   abr20  11:24 /var/ossec/bin/wazuh-remoted
root     24485  0.0  0.1 480872  5224 ?        Sl   abr20   0:37 /var/ossec/bin/wazuh-logcollector
wazuh    24508  0.0  0.1  38452  4816 ?        Sl   abr20   0:22 /var/ossec/bin/wazuh-monitord
root     24556  3.4  6.3 1152184 253544 ?      Sl   abr20 232:45 /var/ossec/bin/wazuh-modulesd
wazuh    24692  0.1  1.5 592016 62176 ?        Sl   abr20   7:28 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    24897  0.0  1.1 287436 45336 ?        S    abr20   2:15 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    25608  0.0  1.2 442336 51076 ?        S    abr20   0:02 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

Master env 2
wazuh    24795  0.0  2.7 830224 109624 ?       Sl   abr20   2:34 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    24818  0.0  0.0  38440  3308 ?        Sl   abr20   0:20 /var/ossec/bin/wazuh-integratord
root     24840  0.2  0.1 259688  5724 ?        Sl   abr20  18:05 /var/ossec/bin/wazuh-authd
wazuh    24857  0.0  0.4 709636 16448 ?        Sl   abr20   5:09 /var/ossec/bin/wazuh-db
wazuh    24869  0.0  2.2 343908 89604 ?        S    abr20   0:18 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    24872  0.0  1.5 465732 63532 ?        S    abr20   4:33 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     24887  0.0  0.0  38480  3124 ?        Sl   abr20   0:09 /var/ossec/bin/wazuh-execd
wazuh    24902  0.0  2.2 1292568 89156 ?       Sl   abr20   4:41 /var/ossec/bin/wazuh-analysisd
root     24914  0.0  0.2 269924  8716 ?        SNl  abr20   1:54 /var/ossec/bin/wazuh-syscheckd
wazuh    24934  0.1  0.2 1186612 8048 ?        Sl   abr20   9:33 /var/ossec/bin/wazuh-remoted
root     24967  0.0  0.1 480880  5216 ?        Sl   abr20   0:45 /var/ossec/bin/wazuh-logcollector
wazuh    24987  0.0  0.1  38500  4640 ?        Sl   abr20   1:08 /var/ossec/bin/wazuh-monitord
root     25038  2.5  6.2 1367420 248140 ?      Sl   abr20 170:12 /var/ossec/bin/wazuh-modulesd
wazuh    25164  0.0  1.1 427836 46688 ?        Sl   abr20   1:49 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    25174  0.0  1.0 279740 42824 ?        S    abr20   2:07 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    25177  0.0  1.0 361668 42768 ?        S    abr20   2:07 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

Wazuh Indexer

Bootstrap
wazuh-i+ 17699  1.7 61.0 8462868 4934104 ?     Ssl  abr18 174:45 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-3307066445668290224 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Master B
wazuh-i+ 17685  1.4 60.1 8068956 4859972 ?     Ssl  abr18 141:18 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-12906269128058797492 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Master C
wazuh-i+ 17034  1.7 60.6 8137704 4901384 ?     Ssl  abr18 170:38 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-8121338470578713425 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Wazuh Dashboard

wazuh-indexer
wazuh-i+ 19331  0.9 40.6 6265108 3285720 ?     Ssl  abr18  95:46 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-18317145943558196621 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-dashboard
wazuh-d+ 28409  0.2  2.5 1042792 209048 ?      Ssl  abr18  29:46 /usr/share/wazuh-dashboard/bin/../node/bin/node /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
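
Reading the process listings above by eye works once, but the check "each daemon runs as the user it is supposed to" is easy to script. The following is an added example and not part of this issue or of the Wazuh project; the expected-owner table is taken from the listings above (privileged daemons such as wazuh-authd, wazuh-execd, wazuh-syscheckd, wazuh-logcollector and wazuh-modulesd as root, the rest as the wazuh user) and should be confirmed against the documentation of the version under test. The sample `ps aux` output is constructed, with one planted fault (wazuh-remoted started as root) so the audit has something to report.

```python
import re
from typing import Dict, List, Tuple

# Expected owner of each manager daemon. Taken from the ps listings in this
# issue (privileged daemons run as root, the rest as the wazuh user); confirm
# against the documentation of the version under test before relying on it.
EXPECTED_OWNER: Dict[str, str] = {
    "wazuh-apid.py": "wazuh",
    "wazuh-clusterd.py": "wazuh",
    "wazuh-integratord": "wazuh",
    "wazuh-db": "wazuh",
    "wazuh-analysisd": "wazuh",
    "wazuh-remoted": "wazuh",
    "wazuh-monitord": "wazuh",
    "wazuh-authd": "root",
    "wazuh-execd": "root",
    "wazuh-syscheckd": "root",
    "wazuh-logcollector": "root",
    "wazuh-modulesd": "root",
}

# `ps aux` columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND.
# Capture USER and PID, skip the eight fixed columns, keep the command.
_PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(?:\S+\s+){8}(.+)$")


def daemon_name(command: str) -> str:
    """Map a COMMAND column to the daemon it runs.

    Native daemons are argv[0]; the Python daemons show up as
    '<python3> /var/ossec/.../wazuh-apid.py', so use the script name instead.
    """
    argv = command.split()
    exe = argv[0].rsplit("/", 1)[-1]
    if exe.startswith("python") and len(argv) > 1:
        return argv[1].rsplit("/", 1)[-1]
    return exe


def parse_ps(output: str) -> List[Tuple[str, int, str]]:
    """Return (user, pid, daemon) for every process row; the header is skipped."""
    rows = []
    for line in output.splitlines():
        match = _PS_LINE.match(line.strip())
        if match:  # the header row has no numeric PID and fails the match
            rows.append((match.group(1), int(match.group(2)), daemon_name(match.group(3))))
    return rows


def audit_owners(output: str) -> Dict[str, List[str]]:
    """Classify every expected daemon as ok, wrong_user or missing."""
    owners: Dict[str, set] = {}
    for user, _pid, name in parse_ps(output):
        if name in EXPECTED_OWNER:
            owners.setdefault(name, set()).add(user)
    findings: Dict[str, List[str]] = {"ok": [], "wrong_user": [], "missing": []}
    for name, expected in EXPECTED_OWNER.items():
        if name not in owners:
            findings["missing"].append(name)
        elif owners[name] == {expected}:
            findings["ok"].append(name)
        else:
            findings["wrong_user"].append(
                f"{name} runs as {sorted(owners[name])}, expected {expected}")
    return findings


# Constructed sample: the master listing from this issue, with one planted
# fault (wazuh-remoted started as root) so the check has something to report.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
wazuh     6842  0.0  2.9 832424 116676 ?       Sl   abr20   3:55 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     6865  0.0  0.0  38436  3376 ?        Sl   abr20   0:08 /var/ossec/bin/wazuh-integratord
root      6887  0.2  0.1 259692  5808 ?        Sl   abr20  18:33 /var/ossec/bin/wazuh-authd
wazuh     6904  0.0  1.0 775168 41168 ?        Sl   abr20   5:05 /var/ossec/bin/wazuh-db
root      6934  0.0  0.1 177748  4360 ?        Sl   abr20   0:07 /var/ossec/bin/wazuh-execd
wazuh     6949  0.1  2.8 1292644 112844 ?      Sl   abr20   8:05 /var/ossec/bin/wazuh-analysisd
root      6961  0.0  0.2 269920  8616 ?        SNl  abr20   1:50 /var/ossec/bin/wazuh-syscheckd
root      6981  0.3  0.2 1187012 8500 ?        Sl   abr20  25:57 /var/ossec/bin/wazuh-remoted
root      7013  0.0  0.1 546412  5364 ?        Sl   abr20   0:37 /var/ossec/bin/wazuh-logcollector
wazuh     7064  0.0  0.1  38500  5060 ?        Sl   abr20   0:25 /var/ossec/bin/wazuh-monitord
root      7085  3.0  6.4 1372280 256732 ?      Sl   abr20 202:56 /var/ossec/bin/wazuh-modulesd
wazuh     7203  0.1  1.5 444524 60416 ?        Sl   abr20   8:03 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS
    for kind, names in audit_owners(text).items():
        print(f"{kind}: {names}")
```

On a live manager, pipe the real listing in (`ps aux | python3 check_owners.py`); without input it audits the constructed sample. A daemon in `missing` on a worker is not necessarily a fault (for instance wazuh-authd only runs on the master, as the listings above show), so compare the result against the node's role rather than treating every entry as an error.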

@juliamagan

juliamagan commented Apr 25, 2022

Task 3: The status of the Wazuh Indexer clusters is as expected.

[root@ip-10-0-0-184 wazuh-user]# curl -k -u USER:PASS https://10.0.0.184:9200/_cat/nodes?v
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.2.167           27          91   1    0.00    0.00     0.00 dimr      -      node-1
10.0.0.184           61          98   1    0.00    0.00     0.00 dimr      -      node-7
10.0.2.249           42          91   1    0.00    0.01     0.00 dimr      -      node-3
10.0.2.198           21          91   1    0.03    0.03     0.00 dimr      *      node-2
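
The `_cat/nodes?v` table above answers the question only if someone reads the `master` column and the role letters for every row. The script below is an added example, not code from this issue or from the Wazuh or OpenSearch projects: it parses that table (the constructed sample is the same four rows shown above) and reports every deviation from an expected shape, namely the node count, exactly one elected master (`*`), the required role letters on every node (d=data, i=ingest, m=master-eligible) and JVM heap below a warning threshold. The `expected_nodes` value and the thresholds are parameters you choose for your environment.

```python
from typing import Dict, List

# Constructed sample in the format of `GET _cat/nodes?v`, copied from this
# issue's output: four data/ingest/master-eligible nodes with node-2 elected.
SAMPLE_CAT_NODES = """\
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.2.167           27          91   1    0.00    0.00     0.00 dimr      -      node-1
10.0.0.184           61          98   1    0.00    0.00     0.00 dimr      -      node-7
10.0.2.249           42          91   1    0.00    0.01     0.00 dimr      -      node-3
10.0.2.198           21          91   1    0.03    0.03     0.00 dimr      *      node-2
"""


def parse_cat_nodes(text: str) -> List[Dict[str, str]]:
    """Turn the whitespace-aligned `_cat/nodes?v` table into one dict per node."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty _cat/nodes output")
    header = lines[0].split()
    nodes = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"column count mismatch in row: {line!r}")
        nodes.append(dict(zip(header, fields)))
    return nodes


def check_cluster(text: str, expected_nodes: int, required_roles: str = "dim",
                  heap_warn_percent: int = 75) -> List[str]:
    """Return the list of deviations from the expected cluster shape (empty = OK).

    Checks: node count, exactly one elected master ('*' in the master column),
    every node carries the required role letters (d=data, i=ingest,
    m=master-eligible), and no node's JVM heap is at or above the threshold.
    """
    nodes = parse_cat_nodes(text)
    problems: List[str] = []
    if len(nodes) != expected_nodes:
        problems.append(f"expected {expected_nodes} nodes, _cat/nodes lists {len(nodes)}")
    masters = [n["name"] for n in nodes if n["master"] == "*"]
    if len(masters) != 1:
        problems.append(f"expected exactly one elected master, found {masters}")
    for node in nodes:
        missing = sorted(set(required_roles) - set(node["node.role"]))
        if missing:
            problems.append(f"{node['name']} lacks role(s) {missing}")
        if int(node["heap.percent"]) >= heap_warn_percent:
            problems.append(f"{node['name']} heap usage at {node['heap.percent']}%")
    return problems


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAT_NODES
    problems = check_cluster(text, expected_nodes=4)
    print("\n".join(problems) if problems else "cluster state as expected")
    sys.exit(1 if problems else 0)
```

Run it against a live cluster with the same request as above, `curl -sk -u USER:PASS https://10.0.0.184:9200/_cat/nodes?v | python3 check_nodes.py`; the non-zero exit status makes it usable as a gate in a release-test pipeline. Note that `-k` disables certificate verification, which is acceptable for a throwaway demo environment but should be replaced with `--cacert` pointing at the indexer CA anywhere credentials matter.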

@juliamagan

Task 4: No errors in the browser's developer console when browsing the App

If we search a rule file, we get:

Uncaught TypeError: this.inputRef is undefined

If we modify a rule and restart the manager, we get:

Element.setCapture() is deprecated. Use Element.setPointerCapture() instead. For more help https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture

Element.releaseCapture() is deprecated. Use Element.releasePointerCapture() instead. For more help https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture

If we go to an agent and click on the path of an FIM event, we get:

Uncaught TypeError: right-hand side of 'in' should be an object, got boolean

If we get more information in API Console, we get:

Storage access automatically granted for origin “https://documentation.wazuh.com” on “https://demo.wazuh.info”.

If we logout, we get:

Cookie “security_authentication” has been rejected because it is already expired. 
Cookie “security_authentication” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite 
Cookie “security_authentication” has been rejected because it is already expired. 
Cookie “security_authentication” has been rejected because it is already expired. 
Some cookies are misusing the recommended “SameSite“ attribute 
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 
Cookie “security_authentication” has been rejected because it is already expired.
^ A single error about an inline script not firing due to content security policy is expected! 
window.controllers/Controllers is deprecated. Do not use it for UA detection. 
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. 
XHR GET https://demo.wazuh.info/api/v1/restapiinfo [HTTP/1.1 401 Unauthorized 202ms]

Cookie “security_authentication” has been rejected because it is already expired. 
Error: Unauthorized
    _construct https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    Wrapper https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _createSuperInternal https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    HttpFetchError https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _callee3$ https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    tryCatch https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    invoke https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    method https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    fetch_asyncGeneratorStep https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _next https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    promise callback*fetch_asyncGeneratorStep https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _next https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    promise callback*fetch_asyncGeneratorStep https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _next https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    fetch_asyncToGenerator https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    fetch_asyncToGenerator https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    fetchResponse https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _callee$ https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    tryCatch https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    invoke https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    method https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    fetch_asyncGeneratorStep https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _next https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    promise callback*fetch_asyncGeneratorStep https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _next https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    fetch_asyncToGenerator https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    fetch_asyncToGenerator https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _callee2$/</< https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _callee2$ https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    tryCatch https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    invoke https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    method https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    fetch_asyncGeneratorStep https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _next https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    fetch_asyncToGenerator https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    fetch_asyncToGenerator https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    Fetch https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    shorthand https://demo.wazuh.info/1/bundles/core/core.entry.js:6
    _callee5$ https://demo.wazuh.info/1/bundles/plugin/securityDashboards/securityDashboards.plugin.js:13
    tryCatch https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    invoke https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    method https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    public_plugin_asyncGeneratorStep https://demo.wazuh.info/1/bundles/plugin/securityDashboards/securityDashboards.plugin.js:13
    _next https://demo.wazuh.info/1/bundles/plugin/securityDashboards/securityDashboards.plugin.js:13
    public_plugin_asyncToGenerator https://demo.wazuh.info/1/bundles/plugin/securityDashboards/securityDashboards.plugin.js:13
    public_plugin_asyncToGenerator https://demo.wazuh.info/1/bundles/plugin/securityDashboards/securityDashboards.plugin.js:13
    _hasApiPermission https://demo.wazuh.info/1/bundles/plugin/securityDashboards/securityDashboards.plugin.js:13
    hasApiPermission https://demo.wazuh.info/1/bundles/plugin/securityDashboards/securityDashboards.plugin.js:13
    _callee4$ https://demo.wazuh.info/1/bundles/plugin/securityDashboards/securityDashboards.plugin.js:13
    tryCatch https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    invoke https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1
    method https://demo.wazuh.info/1/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1

XHR GET https://demo.wazuh.info/api/v1/configuration/account [HTTP/1.1 401 Unauthorized 291ms]

Cookie “security_authentication” has been rejected because it is already expired. 

XHR GET https://demo.wazuh.info/api/v1/configuration/account [HTTP/1.1 401 Unauthorized 185ms]

XHR GET https://demo.wazuh.info/api/v1/multitenancy/tenant [HTTP/1.1 401 Unauthorized 216ms]

Cookie “security_authentication” has been rejected because it is already expired. 
Cookie “security_authentication” has been rejected because it is already expired.

failed to get user tenant: Error: Unauthorized

Extra

Issues opened by @Rebits:
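
Of the console messages in this comment, the security-relevant one is the `security_authentication` cookie carrying `SameSite=None` without the `Secure` attribute: browsers now require `Secure` on any `SameSite=None` cookie and will reject it, and a session cookie without `Secure` can also be sent over plain HTTP. The "already expired" messages are the normal result of a logout response clearing the cookie, and the 401s that follow are the now-logged-out page retrying its calls. The following linter is an added example, not part of this issue or of the Wazuh or OpenSearch projects: it parses `Set-Cookie` values and reports these conditions. The sample headers are constructed from the warnings quoted above (cookie values are placeholders, not captured data), and the list of cookies treated as session cookies is an assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Cookies that carry an authenticated session and therefore must be hardened.
# Assumption for this example; extend it for other session cookies you deploy.
SESSION_COOKIES = ("security_authentication",)

# Constructed Set-Cookie values modelled on the Firefox messages in this comment.
# The first is the kind of header a logout response sends to clear the session
# cookie (the browser reports it as "already expired"); the second is a live
# session cookie with SameSite=None but no Secure attribute; the third is a
# well-formed cookie for comparison. Values are placeholders, not captured data.
SAMPLE_SET_COOKIE = [
    "security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; SameSite=None; HttpOnly",
    "security_authentication=Fe26.2**placeholder; Path=/; SameSite=None; HttpOnly",
    "osd_example=1; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into its name, value and lower-cased attributes.

    Attribute flags without a value (Secure, HttpOnly) are stored as ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _sep, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attribute in parts[1:]:
        key, _sep, val = attribute.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def is_expired(cookie: Dict[str, str], now: datetime) -> bool:
    """True when Max-Age<=0 or Expires is in the past, i.e. a clear-cookie header."""
    if cookie.get("max-age", "").lstrip("-").isdigit():
        return int(cookie["max-age"]) <= 0
    if "expires" in cookie:
        try:
            expires = parsedate_to_datetime(cookie["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def audit_set_cookie(header: str, now: Optional[datetime] = None) -> List[str]:
    """Return finding codes for one Set-Cookie header.

    expired                 clear-cookie header, expected on logout
    samesite-none-insecure  SameSite=None without Secure: browsers reject it
    samesite-missing        no valid SameSite value, browsers fall back to Lax
    no-secure / no-httponly session cookie missing a hardening attribute
    """
    now = now or datetime.now(timezone.utc)
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if is_expired(cookie, now):
        findings.append("expired")
    samesite = cookie.get("samesite", "").lower()
    secure = "secure" in cookie
    if samesite == "none" and not secure:
        findings.append("samesite-none-insecure")
    elif samesite not in ("strict", "lax", "none"):
        findings.append("samesite-missing")
    if cookie["name"] in SESSION_COOKIES:
        if not secure:
            findings.append("no-secure")
        if "httponly" not in cookie:
            findings.append("no-httponly")
    return findings


def audit_headers(headers: List[str]) -> List[Dict[str, object]]:
    """Audit a list of Set-Cookie values, keeping each cookie's name beside its findings."""
    return [{"name": parse_set_cookie(h)["name"], "findings": audit_set_cookie(h)}
            for h in headers]


if __name__ == "__main__":
    for result in audit_headers(SAMPLE_SET_COOKIE):
        print(result["name"], result["findings"] or "ok")
```

To check a real deployment, collect the `Set-Cookie` response headers from the login and logout requests (the browser's network panel, or `curl -sk -D -` against the dashboard) and pass them to `audit_headers`. An `expired` finding on the logout response is the intended behaviour; `samesite-none-insecure` or `no-secure` on the login response is the finding to open an issue for. In the OpenSearch Dashboards security plugin the `Secure` flag on this cookie is governed by the `opensearch_security.cookie.secure` setting in `opensearch_dashboards.yml`; verify the key name against the plugin version you run.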

@juliamagan

Task 5: Alerts are being generated for each of the modules configured for this purpose.

The only module that is not generating alerts is Security Auditing in environment 2; however, this module appears by default. The Amazon agent does have the audit log configured in localfile, but there are no rules created, while the Ubuntu agent does not even have the log.

@juliamagan

Task 6: No warning symbols in Discover when expanding a document.

After performing several tests both in Discover and in different modules, we have not been able to find any warning.

Status: Done

4 participants