
Release 4.3.5 - Release Candidate 1 - E2E UX tests - Demo environment #3030

Closed
8 tasks done
BelenValdivia opened this issue Jun 24, 2022 · 6 comments

Comments


BelenValdivia commented Jun 24, 2022

Description

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

Test name: Demo environment
Category: Wazuh App
Deployment option: Demo environment
Main release issue: wazuh/wazuh#13966
Release candidate #: RC1

Proposed checks

  • (T1) No errors or warnings found in logs
  • (T2) The daemons are running with the correct user
  • (T3) The status of the Wazuh Indexer clusters is as expected
  • (T4) No errors in the browser's developer console when browsing the App
  • (T5) Alerts are being generated for each of the modules configured for this purpose
  • (T6) No warning symbols in Discover when expanding a document

Conclusion 🟢

Nothing serious to note was found. A total of 3 issues have been reported, 2 of them previously created and one new.

Regarding the issue "Non existent process wazuh-apid and wazuh-clusterd logs found in managers in demo environment", it seems to have been a momentary thing with no repercussions, although the development team is looking into it.

Issues found

Detected issues and previously reported

Newly opened issues

Auditors validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks below must be accepted in order to close this issue.

References

Color: Status
🟢: All tests passed successfully
🟡: All tests passed but there are some warnings
🔴: Some tests have failures or errors
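Added example for the checklist above (not code from the issue, from Wazuh or from the tester): POSIX sh helpers that automate check T1 and the wazuh-control status review over constructed samples of the command output pasted in the comments, plus a hygiene check for credentials passed as command-line arguments, which the CGroup process list printed by systemctl status exposes to anyone who can read it. The OPTIONAL_DAEMONS allow-list and all sample text are assumptions.

```shell
#!/bin/sh
# Added example for this checklist (not code from the issue or from Wazuh):
# POSIX sh helpers that automate check T1 (ERROR/WARNING scan of ossec.log),
# the "wazuh-control status" review, and a hygiene check that flags
# credentials passed as command-line arguments, which show up in the CGroup
# process list of "systemctl status". All sample input below is constructed.

# Daemons that legitimately report "not running..." on a manager with no
# mail, agentless, database or syslog output configured. Assumption based on
# the status output pasted in this report.
OPTIONAL_DAEMONS="wazuh-maild wazuh-agentlessd wazuh-dbd wazuh-csyslogd"

# T1: print the number of ERROR/WARNING lines read on stdin. Same filter as
#   egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
# (grep -E is the portable spelling of egrep). Prints 0 for a clean log.
count_log_issues() {
    grep -Eic 'ERROR|WARNING' || true
}

# Read "wazuh-control status" output on stdin; print every daemon that
# reports "not running" and is not in OPTIONAL_DAEMONS. Returns 1 if any.
unexpected_stopped_daemons() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *' not running'*)
                daemon=${line%% *}
                case " $OPTIONAL_DAEMONS " in
                    *" $daemon "*) ;;                  # expected to be off
                    *) echo "$daemon"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Read a process listing (ps or systemctl status CGroup lines) on stdin and
# print the PID and option name of any argument that looks like a credential,
# without echoing the value itself. Returns 1 if anything was found.
cmdline_secrets() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *--secret_key*) opt=--secret_key ;;
            *--password*)   opt=--password ;;
            *--token*)      opt=--token ;;
            *) continue ;;
        esac
        # the first run of digits on the line is the PID in both formats
        pid=$(printf '%s\n' "$line" | tr -c '0-9\n' ' ' | awk '{print $1}')
        echo "pid ${pid:-?}: $opt passed on the command line"
        rc=1
    done
    return $rc
}

# Constructed samples (not taken from the hosts in this report).
SAMPLE_CLEAN_LOG='2022/06/24 16:54:10 wazuh-agentd: INFO: Started (pid: 2520).
2022/06/24 16:54:13 wazuh-syscheckd: INFO: Starting file integrity monitoring.'
SAMPLE_BAD_LOG='2022/06/24 16:54:10 wazuh-agentd: INFO: Started (pid: 2520).
2022/06/24 16:54:20 wazuh-agentd: WARNING: Unable to connect to the manager.
2022/06/24 16:54:21 wazuh-modulesd: ERROR: Configuration option not found.'
SAMPLE_STATUS_OK='wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-maild not running...
wazuh-agentlessd not running...
wazuh-apid is running...'
SAMPLE_STATUS_BAD='wazuh-clusterd is running...
wazuh-remoted not running...
wazuh-maild not running...'
SAMPLE_PROCS='           ├─10613 /var/ossec/bin/wazuh-modulesd
           ├─11125 /bin/sh wodles/aws/aws-s3 --service inspector --access_key KEY --secret_key EXAMPLEKEY000'

# Stand-alone run over the constructed samples; a real run would pipe in
# /var/ossec/logs/ossec.log, "wazuh-control status" and
# "systemctl status wazuh-manager -l" instead.
echo "ERROR/WARNING lines: $(printf '%s\n' "$SAMPLE_BAD_LOG" | count_log_issues)"
printf '%s\n' "$SAMPLE_STATUS_BAD" | unexpected_stopped_daemons || echo "daemon check FAILED"
printf '%s\n' "$SAMPLE_PROCS" | cmdline_secrets || echo "credential hygiene check FAILED"
```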

BelenValdivia commented Jun 24, 2022

Task 1: No errors or warnings found in logs

Agents

Amazon Linux 🟢
  • journalctl -xe -u wazuh-agent.service:
jun 24 16:54:09 ip-10-0-1-105.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
jun 24 16:54:10 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Starting Wazuh v4.3.5...
jun 24 16:54:11 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Started wazuh-execd...
jun 24 16:54:12 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Started wazuh-agentd...
jun 24 16:54:13 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Started wazuh-syscheckd...
jun 24 16:54:14 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Started wazuh-logcollector...
jun 24 16:54:15 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Started wazuh-modulesd...
jun 24 16:54:16 ip-10-0-1-105.us-west-1.compute.internal crontab[2656]: (root) LIST (root)
jun 24 16:54:17 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Completed.
jun 24 16:54:17 ip-10-0-1-105.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.

  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log

[root@ip-10-0-1-105 wazuh-user]#  egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@ip-10-0-1-105 wazuh-user]# 

  • systemctl status wazuh-agent -l

[root@ip-10-0-1-105 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-06-24 16:54:17 UTC; 8min ago
  Process: 2409 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─2475 /var/ossec/bin/wazuh-execd
           ├─2520 /var/ossec/bin/wazuh-agentd
           ├─2534 /var/ossec/bin/wazuh-syscheckd
           ├─2547 /var/ossec/bin/wazuh-logcollector
           └─2566 /var/ossec/bin/wazuh-modulesd

jun 24 16:54:09 ip-10-0-1-105.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
jun 24 16:54:10 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Starting Wazuh v4.3.5...
jun 24 16:54:11 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Started wazuh-execd...
jun 24 16:54:12 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Started wazuh-agentd...
jun 24 16:54:13 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Started wazuh-syscheckd...
jun 24 16:54:14 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Started wazuh-logcollector...
jun 24 16:54:15 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Started wazuh-modulesd...
jun 24 16:54:16 ip-10-0-1-105.us-west-1.compute.internal crontab[2656]: (root) LIST (root)
jun 24 16:54:17 ip-10-0-1-105.us-west-1.compute.internal env[2409]: Completed.
jun 24 16:54:17 ip-10-0-1-105.us-west-1.compute.internal systemd[1]: Started Wazuh agent.

  • /var/ossec/bin/wazuh-control status

[root@ip-10-0-1-105 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
RHEL 🟢
  • journalctl -xe -u wazuh-agent.service:

-- Logs begin at vie 2022-06-24 17:11:25 UTC, end at vie 2022-06-24 17:15:36 UTC. --
jun 24 17:11:33 ip-10-0-1-42.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
jun 24 17:11:33 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Starting Wazuh v4.3.5...
jun 24 17:11:35 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Started wazuh-execd...
jun 24 17:11:36 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Started wazuh-agentd...
jun 24 17:11:38 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Started wazuh-syscheckd...
jun 24 17:11:39 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Started wazuh-logcollector...
jun 24 17:11:40 ip-10-0-1-42.us-west-1.compute.internal osqueryd[1734]: osqueryd started [version=4.3.0]
jun 24 17:11:40 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Started wazuh-modulesd...
jun 24 17:11:42 ip-10-0-1-42.us-west-1.compute.internal crontab[1848]: (root) LIST (root)
jun 24 17:11:42 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Completed.
jun 24 17:11:42 ip-10-0-1-42.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.

  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log

[root@ip-10-0-1-42 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@ip-10-0-1-42 wazuh-user]# 

  • systemctl status wazuh-agent -l

[root@ip-X wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-06-24 17:11:42 UTC; 7min ago
  Process: 1176 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 52
   Memory: 991.0M
   CGroup: /system.slice/wazuh-agent.service
           ├─1318 /var/ossec/bin/wazuh-execd
           ├─1406 /var/ossec/bin/wazuh-agentd
           ├─1519 /var/ossec/bin/wazuh-syscheckd
           ├─1659 /var/ossec/bin/wazuh-logcollector
           ├─1717 /var/ossec/bin/wazuh-modulesd
           ├─1727 python3 wodles/docker/DockerListener
           ├─1734 /usr/bin/osqueryd --config_path=/etc/osquery/osquery.conf
           └─1770 /usr/bin/osqueryd                                        

jun 24 17:11:33 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Starting Wazuh v4.3.5...
jun 24 17:11:35 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Started wazuh-execd...
jun 24 17:11:36 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Started wazuh-agentd...
jun 24 17:11:38 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Started wazuh-syscheckd...
jun 24 17:11:39 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Started wazuh-logcollector...
jun 24 17:11:40 ip-10-0-1-42.us-west-1.compute.internal osqueryd[1734]: osqueryd started [version=4.3.0]
jun 24 17:11:40 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Started wazuh-modulesd...
jun 24 17:11:42 ip-10-0-1-42.us-west-1.compute.internal crontab[1848]: (root) LIST (root)
jun 24 17:11:42 ip-10-0-1-42.us-west-1.compute.internal env[1176]: Completed.
jun 24 17:11:42 ip-10-0-1-42.us-west-1.compute.internal systemd[1]: Started Wazuh agent.

  • /var/ossec/bin/wazuh-control status

[root@ip-X wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Ubuntu 🟢
  • journalctl -xe -u wazuh-agent.service:

-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is RESULT.
Jun 24 17:25:56 ip-10-0-1-197 systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has begun shutting down.
Jun 24 17:25:56 ip-10-0-1-197 env[11268]: Killing wazuh-modulesd...
Jun 24 17:25:56 ip-10-0-1-197 env[11268]: Killing wazuh-logcollector...
Jun 24 17:25:56 ip-10-0-1-197 env[11268]: Killing wazuh-syscheckd...
Jun 24 17:25:57 ip-10-0-1-197 env[11268]: Killing wazuh-agentd...
Jun 24 17:25:57 ip-10-0-1-197 env[11268]: Killing wazuh-execd...
Jun 24 17:25:57 ip-10-0-1-197 env[11268]: Wazuh v4.3.5 Stopped
Jun 24 17:25:57 ip-10-0-1-197 systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has finished shutting down.
-- Reboot --
Jun 24 17:26:14 ip-10-0-1-197 systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has begun starting up.
Jun 24 17:26:14 ip-10-0-1-197 env[759]: Starting Wazuh v4.3.5...
Jun 24 17:26:15 ip-10-0-1-197 env[759]: Started wazuh-execd...
Jun 24 17:26:16 ip-10-0-1-197 env[759]: Started wazuh-agentd...
Jun 24 17:26:17 ip-10-0-1-197 env[759]: Started wazuh-syscheckd...
Jun 24 17:26:18 ip-10-0-1-197 env[759]: Started wazuh-logcollector...
Jun 24 17:26:19 ip-10-0-1-197 env[759]: Started wazuh-modulesd...
Jun 24 17:26:21 ip-10-0-1-197 env[759]: Completed.
Jun 24 17:26:21 ip-10-0-1-197 systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is RESULT.

  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log

root@ip-10-0-1-197:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
root@ip-10-0-1-197:/home/wazuh-user# 

  • systemctl status wazuh-agent -l

root@ip-x:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2022-06-24 17:26:21 UTC; 8min ago
    Tasks: 31 (limit: 1125)
   CGroup: /system.slice/wazuh-agent.service
           ├─ 843 /var/ossec/bin/wazuh-execd
           ├─ 929 /var/ossec/bin/wazuh-agentd
           ├─ 977 /var/ossec/bin/wazuh-syscheckd
           ├─ 991 /var/ossec/bin/wazuh-logcollector
           └─1013 /var/ossec/bin/wazuh-modulesd

Jun 24 17:26:14 ip-10-0-1-197 systemd[1]: Starting Wazuh agent...
Jun 24 17:26:14 ip-10-0-1-197 env[759]: Starting Wazuh v4.3.5...
Jun 24 17:26:15 ip-10-0-1-197 env[759]: Started wazuh-execd...
Jun 24 17:26:16 ip-10-0-1-197 env[759]: Started wazuh-agentd...
Jun 24 17:26:17 ip-10-0-1-197 env[759]: Started wazuh-syscheckd...
Jun 24 17:26:18 ip-10-0-1-197 env[759]: Started wazuh-logcollector...
Jun 24 17:26:19 ip-10-0-1-197 env[759]: Started wazuh-modulesd...
Jun 24 17:26:21 ip-10-0-1-197 env[759]: Completed.
Jun 24 17:26:21 ip-10-0-1-197 systemd[1]: Started Wazuh agent.

  • /var/ossec/bin/wazuh-control status

root@ip-10-0-1-197:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

CentOS 🟢
  • journalctl -xe -u wazuh-agent.service:
-- Logs begin at vie 2022-06-24 17:41:38 UTC, end at vie 2022-06-24 17:42:19 UTC. --
jun 24 17:41:49 ip-10-0-1-33.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
jun 24 17:41:49 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Starting Wazuh v4.3.5...
jun 24 17:41:51 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Started wazuh-execd...
jun 24 17:41:52 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Started wazuh-agentd...
jun 24 17:41:53 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Started wazuh-syscheckd...
jun 24 17:41:54 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Started wazuh-logcollector...
jun 24 17:41:55 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Started wazuh-modulesd...
jun 24 17:41:57 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Completed.
jun 24 17:41:57 ip-10-0-1-33.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.

  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log

[root@ip-10-0-1-33 wazuh-user]#  egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@ip-10-0-1-33 wazuh-user]# 

  • systemctl status wazuh-agent -l

[root@ip-x wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-06-24 17:41:57 UTC; 2min 17s ago
  Process: 2768 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─2816 /var/ossec/bin/wazuh-execd
           ├─2840 /var/ossec/bin/wazuh-agentd
           ├─2855 /var/ossec/bin/wazuh-syscheckd
           ├─2870 /var/ossec/bin/wazuh-logcollector
           └─2886 /var/ossec/bin/wazuh-modulesd

jun 24 17:41:49 ip-10-0-1-33.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
jun 24 17:41:49 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Starting Wazuh v4.3.5...
jun 24 17:41:51 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Started wazuh-execd...
jun 24 17:41:52 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Started wazuh-agentd...
jun 24 17:41:53 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Started wazuh-syscheckd...
jun 24 17:41:54 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Started wazuh-logcollector...
jun 24 17:41:55 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Started wazuh-modulesd...
jun 24 17:41:57 ip-10-0-1-33.us-west-1.compute.internal env[2768]: Completed.
jun 24 17:41:57 ip-10-0-1-33.us-west-1.compute.internal systemd[1]: Started Wazuh agent.

  • /var/ossec/bin/wazuh-control status

[root@ip-x wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Debian 🟢
  • journalctl -xe -u wazuh-agent.service:

-- Logs begin at Fri 2022-06-24 17:49:08 UTC, end at Fri 2022-06-24 17:51:18 UTC. --
jun 24 17:49:12 ip-10-0-1-233 systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit wazuh-agent.service has begun starting up.
jun 24 17:49:12 ip-10-0-1-233 env[474]: Starting Wazuh v4.3.5...
jun 24 17:49:13 ip-10-0-1-233 env[474]: Started wazuh-execd...
jun 24 17:49:14 ip-10-0-1-233 env[474]: Started wazuh-agentd...
jun 24 17:49:15 ip-10-0-1-233 env[474]: Started wazuh-syscheckd...
jun 24 17:49:16 ip-10-0-1-233 env[474]: Started wazuh-logcollector...
jun 24 17:49:17 ip-10-0-1-233 env[474]: Started wazuh-modulesd...
jun 24 17:49:19 ip-10-0-1-233 env[474]: Completed.
jun 24 17:49:19 ip-10-0-1-233 systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
root@ip-10-0-1-233:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
root@ip-10-0-1-233:/home/wazuh-user# 
  • systemctl status wazuh-agent -l
root@ip-10-0-1-233:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2022-06-24 17:49:19 UTC; 4min 26s ago
  Process: 474 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 31 (limit: 4915)
   CGroup: /system.slice/wazuh-agent.service
           ├─520 /var/ossec/bin/wazuh-execd
           ├─537 /var/ossec/bin/wazuh-agentd
           ├─551 /var/ossec/bin/wazuh-syscheckd
           ├─563 /var/ossec/bin/wazuh-logcollector
           └─583 /var/ossec/bin/wazuh-modulesd

jun 24 17:49:12 ip-10-0-1-233 systemd[1]: Starting Wazuh agent...
jun 24 17:49:12 ip-10-0-1-233 env[474]: Starting Wazuh v4.3.5...
jun 24 17:49:13 ip-10-0-1-233 env[474]: Started wazuh-execd...
jun 24 17:49:14 ip-10-0-1-233 env[474]: Started wazuh-agentd...
jun 24 17:49:15 ip-10-0-1-233 env[474]: Started wazuh-syscheckd...
jun 24 17:49:16 ip-10-0-1-233 env[474]: Started wazuh-logcollector...
jun 24 17:49:17 ip-10-0-1-233 env[474]: Started wazuh-modulesd...
jun 24 17:49:19 ip-10-0-1-233 env[474]: Completed.
jun 24 17:49:19 ip-10-0-1-233 systemd[1]: Started Wazuh agent.
  • /var/ossec/bin/wazuh-control status
root@ip-10-0-1-233:/home/wazuh-user#  /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Windows 🟢
  • Event viewer:
  1. Stopped:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
  <EventID Qualifiers="16384">7036</EventID>
  <Version>0</Version>
  <Level>4</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8080000000000000</Keywords>
  <TimeCreated SystemTime="2022-06-27T12:48:43.964708600Z" />
  <EventRecordID>93871</EventRecordID>
  <Correlation />
  <Execution ProcessID="604" ThreadID="6900" />
  <Channel>System</Channel>
  <Computer>EC2AMAZ-7BPJSF5</Computer>
  <Security />
  </System>
 <EventData>
  <Data Name="param1">Wazuh</Data>
  <Data Name="param2">stopped</Data>
  <Binary>570061007A00750068005300760063002F0034000000</Binary>
  </EventData>
  </Event>
  2. Running:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
  <EventID Qualifiers="16384">7036</EventID>
  <Version>0</Version>
  <Level>4</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8080000000000000</Keywords>
  <TimeCreated SystemTime="2022-06-27T13:01:21.506190500Z" />
  <EventRecordID>93874</EventRecordID>
  <Correlation />
  <Execution ProcessID="604" ThreadID="3448" />
  <Channel>System</Channel>
  <Computer>EC2AMAZ-7BPJSF5</Computer>
  <Security />
  </System>
 <EventData>
  <Data Name="param1">Wazuh</Data>
  <Data Name="param2">running</Data>
  <Binary>570061007A00750068005300760063002F0034000000</Binary>
  </EventData>
  </Event>

  • Agent running:
    435 agent running

  • Search for errors in ossec.log: (screenshot)

Managers

Master env 1 🟡
  • journalctl -xe -u wazuh-manager.service:
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-06-27 14:34:07 UTC; 29s ago
  Process: 10153 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 10313 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─10370 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─10396 /var/ossec/bin/wazuh-integratord
           ├─10415 /var/ossec/bin/wazuh-authd
           ├─10432 /var/ossec/bin/wazuh-db
           ├─10444 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─10447 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─10462 /var/ossec/bin/wazuh-execd
           ├─10477 /var/ossec/bin/wazuh-analysisd
           ├─10489 /var/ossec/bin/wazuh-syscheckd
           ├─10510 /var/ossec/bin/wazuh-remoted
           ├─10542 /var/ossec/bin/wazuh-logcollector
           ├─10563 /var/ossec/bin/wazuh-monitord
           ├─10613 /var/ossec/bin/wazuh-modulesd
           ├─10748 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─10750 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─10753 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─11125 /bin/sh wodles/aws/aws-s3 --service inspector --access_key KEY --secret_key [REDACTED]
           └─11132 /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws-s3.py --service inspector --access_key KEY --secret_key [REDACTED]

jun 27 14:33:57 wazuh-manager-master-0 env[10313]: Started wazuh-execd...
jun 27 14:33:58 wazuh-manager-master-0 env[10313]: Started wazuh-analysisd...
jun 27 14:33:59 wazuh-manager-master-0 env[10313]: Started wazuh-syscheckd...
jun 27 14:34:01 wazuh-manager-master-0 env[10313]: Started wazuh-remoted...
jun 27 14:34:02 wazuh-manager-master-0 env[10313]: Started wazuh-logcollector...
jun 27 14:34:03 wazuh-manager-master-0 env[10313]: Started wazuh-monitord...
jun 27 14:34:04 wazuh-manager-master-0 env[10313]: Started wazuh-modulesd...
jun 27 14:34:05 wazuh-manager-master-0 env[10313]: Started wazuh-clusterd...
jun 27 14:34:07 wazuh-manager-master-0 env[10313]: Completed.
jun 27 14:34:07 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.

  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@wazuh-manager-master-0 wazuh-user]# 
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
[root@wazuh-manager-master-0 wazuh-user]# 
  • systemctl status wazuh-manager -l:
[root@wazuh-manager-master-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-06-27 14:34:07 UTC; 6min ago
  Process: 10153 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 10313 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─10370 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─10396 /var/ossec/bin/wazuh-integratord
           ├─10415 /var/ossec/bin/wazuh-authd
           ├─10432 /var/ossec/bin/wazuh-db
           ├─10444 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─10447 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─10462 /var/ossec/bin/wazuh-execd
           ├─10477 /var/ossec/bin/wazuh-analysisd
           ├─10489 /var/ossec/bin/wazuh-syscheckd
           ├─10510 /var/ossec/bin/wazuh-remoted
           ├─10542 /var/ossec/bin/wazuh-logcollector
           ├─10563 /var/ossec/bin/wazuh-monitord
           ├─10613 /var/ossec/bin/wazuh-modulesd
           ├─10748 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─10750 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─10753 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

jun 27 14:33:57 wazuh-manager-master-0 env[10313]: Started wazuh-execd...
jun 27 14:33:58 wazuh-manager-master-0 env[10313]: Started wazuh-analysisd...
jun 27 14:33:59 wazuh-manager-master-0 env[10313]: Started wazuh-syscheckd...
jun 27 14:34:01 wazuh-manager-master-0 env[10313]: Started wazuh-remoted...
jun 27 14:34:02 wazuh-manager-master-0 env[10313]: Started wazuh-logcollector...
jun 27 14:34:03 wazuh-manager-master-0 env[10313]: Started wazuh-monitord...
jun 27 14:34:04 wazuh-manager-master-0 env[10313]: Started wazuh-modulesd...
jun 27 14:34:05 wazuh-manager-master-0 env[10313]: Started wazuh-clusterd...
jun 27 14:34:07 wazuh-manager-master-0 env[10313]: Completed.
jun 27 14:34:07 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
  • /var/ossec/bin/wazuh-control status:

[root@wazuh-manager-master-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
  • filebeat test output:

[root@wazuh-manager-master-0 wazuh-user]# filebeat test output
elasticsearch: https://10.0.2.232:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.232
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.34:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.34
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.200:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.200
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Worker env 1 🟢
  • journalctl -xe -u wazuh-manager.service:
jun 24 18:49:41 wazuh-manager-worker-0 env[22851]: Killing wazuh-db...
jun 24 18:49:41 wazuh-manager-worker-0 env[22851]: wazuh-authd not running...
jun 24 18:49:41 wazuh-manager-worker-0 env[22851]: wazuh-agentlessd not running...
jun 24 18:49:41 wazuh-manager-worker-0 env[22851]: wazuh-integratord not running...
jun 24 18:49:41 wazuh-manager-worker-0 env[22851]: wazuh-dbd not running...
jun 24 18:49:41 wazuh-manager-worker-0 env[22851]: wazuh-csyslogd not running...
jun 24 18:49:41 wazuh-manager-worker-0 env[22851]: wazuh-apid not running...
jun 24 18:49:41 wazuh-manager-worker-0 env[22851]: Wazuh v4.3.5 Stopped
jun 24 18:49:41 wazuh-manager-worker-0 systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished shutting down.
-- Reboot --
jun 24 18:49:55 wazuh-manager-worker-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
jun 24 18:49:58 wazuh-manager-worker-0 env[2459]: Starting Wazuh v4.3.5...
jun 24 18:50:03 wazuh-manager-worker-0 env[2459]: Started wazuh-apid...
jun 24 18:50:03 wazuh-manager-worker-0 env[2459]: Started wazuh-csyslogd...
jun 24 18:50:03 wazuh-manager-worker-0 env[2459]: Started wazuh-dbd...
jun 24 18:50:03 wazuh-manager-worker-0 env[2459]: Started wazuh-integratord...
jun 24 18:50:03 wazuh-manager-worker-0 env[2459]: Started wazuh-agentlessd...
jun 24 18:50:04 wazuh-manager-worker-0 env[2459]: Started wazuh-db...
jun 24 18:50:05 wazuh-manager-worker-0 env[2459]: Started wazuh-execd...
jun 24 18:50:06 wazuh-manager-worker-0 env[2459]: Started wazuh-analysisd...
jun 24 18:50:07 wazuh-manager-worker-0 env[2459]: Started wazuh-syscheckd...
jun 24 18:50:09 wazuh-manager-worker-0 env[2459]: Started wazuh-remoted...
jun 24 18:50:10 wazuh-manager-worker-0 env[2459]: Started wazuh-logcollector...
jun 24 18:50:11 wazuh-manager-worker-0 env[2459]: Started wazuh-monitord...
jun 24 18:50:12 wazuh-manager-worker-0 env[2459]: Started wazuh-modulesd...
jun 24 18:50:13 wazuh-manager-worker-0 env[2459]: Started wazuh-clusterd...
jun 24 18:50:15 wazuh-manager-worker-0 env[2459]: Completed.
jun 24 18:50:15 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.

  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@wazuh-manager-worker-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@wazuh-manager-worker-0 wazuh-user]# 
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
[root@wazuh-manager-worker-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
[root@wazuh-manager-worker-0 wazuh-user]#

  • systemctl status wazuh-manager -l:
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-06-24 18:50:15 UTC; 4min 58s ago
  Process: 2459 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─2635 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─2658 /var/ossec/bin/wazuh-integratord
           ├─2677 /var/ossec/bin/wazuh-db
           ├─2701 /var/ossec/bin/wazuh-execd
           ├─2716 /var/ossec/bin/wazuh-analysisd
           ├─2732 /var/ossec/bin/wazuh-syscheckd
           ├─2737 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─2740 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─2770 /var/ossec/bin/wazuh-remoted
           ├─2808 /var/ossec/bin/wazuh-logcollector
           ├─2828 /var/ossec/bin/wazuh-monitord
           ├─2849 /var/ossec/bin/wazuh-modulesd
           ├─2973 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─3141 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─3890 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

jun 24 18:50:05 wazuh-manager-worker-0 env[2459]: Started wazuh-execd...
jun 24 18:50:06 wazuh-manager-worker-0 env[2459]: Started wazuh-analysisd...
jun 24 18:50:07 wazuh-manager-worker-0 env[2459]: Started wazuh-syscheckd...
jun 24 18:50:09 wazuh-manager-worker-0 env[2459]: Started wazuh-remoted...
jun 24 18:50:10 wazuh-manager-worker-0 env[2459]: Started wazuh-logcollector...
jun 24 18:50:11 wazuh-manager-worker-0 env[2459]: Started wazuh-monitord...
jun 24 18:50:12 wazuh-manager-worker-0 env[2459]: Started wazuh-modulesd...
jun 24 18:50:13 wazuh-manager-worker-0 env[2459]: Started wazuh-clusterd...
jun 24 18:50:15 wazuh-manager-worker-0 env[2459]: Completed.
jun 24 18:50:15 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.

  • /var/ossec/bin/wazuh-control status:
[root@wazuh-manager-worker-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd not running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

  • filebeat test output:

elasticsearch: https://10.0.2.232:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.232
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.34:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.34
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.200:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.200
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Master env 2 🟡
  • journalctl -xe -u wazuh-manager.service:
[root@wazuh-manager-master-0 wazuh-user]# journalctl -xe -u wazuh-manager.service 
jun 27 14:30:52 wazuh-manager-master-0 env[23295]: Killing wazuh-remoted...
jun 27 14:30:52 wazuh-manager-master-0 env[23295]: Killing wazuh-syscheckd...
jun 27 14:30:52 wazuh-manager-master-0 env[23295]: Killing wazuh-analysisd...
jun 27 14:30:52 wazuh-manager-master-0 env[23295]: wazuh-maild not running...
jun 27 14:30:52 wazuh-manager-master-0 env[23295]: Killing wazuh-execd...
jun 27 14:30:52 wazuh-manager-master-0 env[23295]: Killing wazuh-db...
jun 27 14:30:53 wazuh-manager-master-0 env[23295]: Killing wazuh-authd...
jun 27 14:30:54 wazuh-manager-master-0 env[23295]: wazuh-agentlessd not running...
jun 27 14:30:54 wazuh-manager-master-0 env[23295]: Killing wazuh-integratord...
jun 27 14:30:54 wazuh-manager-master-0 env[23295]: wazuh-dbd not running...
jun 27 14:30:54 wazuh-manager-master-0 env[23295]: wazuh-csyslogd not running...
jun 27 14:30:54 wazuh-manager-master-0 env[23295]: Killing wazuh-apid...
jun 27 14:30:54 wazuh-manager-master-0 env[23295]: Wazuh v4.3.5 Stopped
jun 27 14:30:54 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
jun 27 14:30:56 wazuh-manager-master-0 env[23443]: Starting Wazuh v4.3.5...
jun 27 14:30:59 wazuh-manager-master-0 env[23443]: Started wazuh-apid...
jun 27 14:30:59 wazuh-manager-master-0 env[23443]: Started wazuh-csyslogd...
jun 27 14:30:59 wazuh-manager-master-0 env[23443]: Started wazuh-dbd...
jun 27 14:30:59 wazuh-manager-master-0 env[23443]: Started wazuh-integratord...
jun 27 14:30:59 wazuh-manager-master-0 env[23443]: Started wazuh-agentlessd...
jun 27 14:31:00 wazuh-manager-master-0 env[23443]: Started wazuh-authd...
jun 27 14:31:01 wazuh-manager-master-0 env[23443]: Started wazuh-db...
jun 27 14:31:02 wazuh-manager-master-0 env[23443]: Started wazuh-execd...
jun 27 14:31:03 wazuh-manager-master-0 env[23443]: Started wazuh-analysisd...
jun 27 14:31:04 wazuh-manager-master-0 env[23443]: Started wazuh-syscheckd...
jun 27 14:31:05 wazuh-manager-master-0 env[23443]: Started wazuh-remoted...
jun 27 14:31:06 wazuh-manager-master-0 env[23443]: Started wazuh-logcollector...
jun 27 14:31:08 wazuh-manager-master-0 env[23443]: Started wazuh-monitord...
jun 27 14:31:09 wazuh-manager-master-0 env[23443]: Started wazuh-modulesd...
jun 27 14:31:10 wazuh-manager-master-0 env[23443]: Started wazuh-clusterd...
jun 27 14:31:10 wazuh-manager-master-0 crontab[23873]: (root) LIST (root)
jun 27 14:31:12 wazuh-manager-master-0 env[23443]: Completed.
jun 27 14:31:12 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.

  • egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@wazuh-manager-master-0 wazuh-user]# 
  • egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log:
[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
[root@wazuh-manager-master-0 wazuh-user]# 
  • systemctl status wazuh-manager -l:
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-06-27 14:31:12 UTC; 11min ago
  Process: 23295 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 23443 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─23501 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─23524 /var/ossec/bin/wazuh-integratord
           ├─23546 /var/ossec/bin/wazuh-authd
           ├─23563 /var/ossec/bin/wazuh-db
           ├─23575 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─23578 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─23593 /var/ossec/bin/wazuh-execd
           ├─23608 /var/ossec/bin/wazuh-analysisd
           ├─23620 /var/ossec/bin/wazuh-syscheckd
           ├─23640 /var/ossec/bin/wazuh-remoted
           ├─23673 /var/ossec/bin/wazuh-logcollector
           ├─23693 /var/ossec/bin/wazuh-monitord
           ├─23744 /var/ossec/bin/wazuh-modulesd
           ├─23871 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─23892 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─23895 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

jun 27 14:31:03 wazuh-manager-master-0 env[23443]: Started wazuh-analysisd...
jun 27 14:31:04 wazuh-manager-master-0 env[23443]: Started wazuh-syscheckd...
jun 27 14:31:05 wazuh-manager-master-0 env[23443]: Started wazuh-remoted...
jun 27 14:31:06 wazuh-manager-master-0 env[23443]: Started wazuh-logcollector...
jun 27 14:31:08 wazuh-manager-master-0 env[23443]: Started wazuh-monitord...
jun 27 14:31:09 wazuh-manager-master-0 env[23443]: Started wazuh-modulesd...
jun 27 14:31:10 wazuh-manager-master-0 env[23443]: Started wazuh-clusterd...
jun 27 14:31:10 wazuh-manager-master-0 crontab[23873]: (root) LIST (root)
jun 27 14:31:12 wazuh-manager-master-0 env[23443]: Completed.
jun 27 14:31:12 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.

  • /var/ossec/bin/wazuh-control status:
[root@wazuh-manager-master-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

  • filebeat test output:

elasticsearch: https://10.0.2.232:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.232
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.34:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.34
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.200:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.200
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Wazuh Indexer

Bootstrap 🔴
  • journalctl -xe -u wazuh-indexer.service:

jun 24 14:58:28 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[15643]: WARNING: An illegal reflective access operation has occurred
jun 24 14:58:28 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[15643]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/p
jun 24 14:58:28 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[15643]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 14:58:28 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[15643]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 14:58:28 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[15643]: WARNING: All illegal access operations will be denied in a future release
jun 24 14:58:33 ip-10-0-2-232.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
jun 24 19:25:19 ip-10-0-2-232.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
jun 24 19:25:20 ip-10-0-2-232.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished shutting down.
-- Reboot --
jun 24 19:25:33 ip-10-0-2-232.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
jun 24 19:25:56 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[2491]: WARNING: An illegal reflective access operation has occurred
jun 24 19:25:56 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[2491]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/pl
jun 24 19:25:56 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[2491]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 19:25:56 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[2491]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 19:25:56 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[2491]: WARNING: All illegal access operations will be denied in a future release
jun 24 19:26:02 ip-10-0-2-232.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd

  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:

[2022-06-24T19:25:42,686][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3948m, -Xmx3948m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-7297009102481999135, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -XX:MaxDirectMemorySize=2069889024, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2022-06-24T19:25:55,771][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.

  • systemctl status wazuh-indexer -l:

● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-06-24 19:26:02 UTC; 7min ago
     Docs: https://documentation.wazuh.com
 Main PID: 2491 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2491 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-7297009102481999135 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jun 24 19:25:33 ip-10-0-2-232.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jun 24 19:25:56 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[2491]: WARNING: An illegal reflective access operation has occurred
jun 24 19:25:56 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[2491]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jun 24 19:25:56 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[2491]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 19:25:56 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[2491]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 19:25:56 ip-10-0-2-232.us-west-1.compute.internal systemd-entrypoint[2491]: WARNING: All illegal access operations will be denied in a future release
jun 24 19:26:02 ip-10-0-2-232.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.

Master B 🔴
  • journalctl -xe -u wazuh-indexer.service:

jun 24 14:57:38 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[15464]: WARNING: An illegal reflective access operation has occurred
jun 24 14:57:38 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[15464]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/pl
jun 24 14:57:38 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[15464]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 14:57:38 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[15464]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 14:57:38 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[15464]: WARNING: All illegal access operations will be denied in a future release
jun 24 14:57:42 ip-10-0-2-34.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
jun 24 19:38:45 ip-10-0-2-34.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
jun 24 19:38:45 ip-10-0-2-34.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished shutting down.
-- Reboot --
jun 24 19:38:57 ip-10-0-2-34.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
jun 24 19:39:20 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[2489]: WARNING: An illegal reflective access operation has occurred
jun 24 19:39:20 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[2489]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plu
jun 24 19:39:20 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[2489]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 19:39:20 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[2489]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 19:39:20 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[2489]: WARNING: All illegal access operations will be denied in a future release
jun 24 19:39:25 ip-10-0-2-34.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.

  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:

[2022-06-24T19:39:07,105][INFO ][o.o.n.Node               ] [node-2] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3948m, -Xmx3948m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-8489325963514459203, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -XX:MaxDirectMemorySize=2069889024, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2022-06-24T19:39:19,317][ERROR][o.o.s.a.s.SinkProvider   ] [node-2] Default endpoint could not be created, auditlog will not work properly.

  • systemctl status wazuh-indexer -l:

● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-06-24 19:39:25 UTC; 2min 57s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2489 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2489 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-8489325963514459203 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jun 24 19:38:57 ip-10-0-2-34.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jun 24 19:39:20 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[2489]: WARNING: An illegal reflective access operation has occurred
jun 24 19:39:20 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[2489]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jun 24 19:39:20 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[2489]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 19:39:20 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[2489]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 19:39:20 ip-10-0-2-34.us-west-1.compute.internal systemd-entrypoint[2489]: WARNING: All illegal access operations will be denied in a future release
jun 24 19:39:25 ip-10-0-2-34.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.

Master C 🔴
  • journalctl -xe -u wazuh-indexer.service:

jun 24 14:58:04 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[15575]: WARNING: An illegal reflective access operation has occurred
jun 24 14:58:04 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[15575]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/p
jun 24 14:58:04 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[15575]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 14:58:04 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[15575]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 14:58:04 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[15575]: WARNING: All illegal access operations will be denied in a future release
jun 24 14:58:09 ip-10-0-2-200.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
jun 24 19:47:11 ip-10-0-2-200.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
jun 24 19:47:11 ip-10-0-2-200.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished shutting down.
-- Reboot --
jun 24 19:47:24 ip-10-0-2-200.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
jun 24 19:47:50 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[2526]: WARNING: An illegal reflective access operation has occurred
jun 24 19:47:50 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[2526]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/pl
jun 24 19:47:50 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[2526]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 19:47:50 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[2526]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 19:47:50 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[2526]: WARNING: All illegal access operations will be denied in a future release
jun 24 19:47:56 ip-10-0-2-200.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.

  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[2022-06-24T19:47:36,281][INFO ][o.o.n.Node               ] [node-3] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3948m, -Xmx3948m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-1506829919892208782, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -XX:MaxDirectMemorySize=2069889024, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2022-06-24T19:47:49,404][ERROR][o.o.s.a.s.SinkProvider   ] [node-3] Default endpoint could not be created, auditlog will not work properly.

  • systemctl status wazuh-indexer -l:

● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-06-24 19:47:56 UTC; 2min 44s ago
     Docs: https://documentation.wazuh.com
 Main PID: 2526 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2526 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-1506829919892208782 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jun 24 19:47:24 ip-10-0-2-200.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jun 24 19:47:50 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[2526]: WARNING: An illegal reflective access operation has occurred
jun 24 19:47:50 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[2526]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jun 24 19:47:50 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[2526]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 19:47:50 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[2526]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 19:47:50 ip-10-0-2-200.us-west-1.compute.internal systemd-entrypoint[2526]: WARNING: All illegal access operations will be denied in a future release
jun 24 19:47:56 ip-10-0-2-200.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.

Wazuh Dashboard

wazuh indexer 🔴
  • journalctl -xe -u wazuh-indexer.service:

jun 24 20:02:04 ip-10-0-0-101.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
jun 24 20:02:04 ip-10-0-0-101.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished shutting down.
-- Reboot --
jun 24 20:02:20 ip-10-0-0-101.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
jun 24 20:02:47 ip-10-0-0-101.us-west-1.compute.internal systemd-entrypoint[2509]: WARNING: An illegal reflective access operation has occurred
jun 24 20:02:47 ip-10-0-0-101.us-west-1.compute.internal systemd-entrypoint[2509]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/pl
jun 24 20:02:47 ip-10-0-0-101.us-west-1.compute.internal systemd-entrypoint[2509]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 20:02:47 ip-10-0-0-101.us-west-1.compute.internal systemd-entrypoint[2509]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 20:02:47 ip-10-0-0-101.us-west-1.compute.internal systemd-entrypoint[2509]: WARNING: All illegal access operations will be denied in a future release
jun 24 20:02:52 ip-10-0-0-101.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.

  • egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log:
[2022-06-24T20:02:32,211][INFO ][o.o.n.Node               ] [node-7] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms2560m, -Xmx2560m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-18113524508641409482, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -XX:MaxDirectMemorySize=1342177280, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2022-06-24T20:02:46,254][ERROR][o.o.s.a.s.SinkProvider   ] [node-7] Default endpoint could not be created, auditlog will not work properly.

  • systemctl status wazuh-indexer -l:

● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-06-24 20:02:52 UTC; 8min ago
     Docs: https://documentation.wazuh.com
 Main PID: 2509 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─2509 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-18113524508641409482 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jun 24 20:02:20 ip-10-0-0-101.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jun 24 20:02:47 ip-10-0-0-101.us-west-1.compute.internal systemd-entrypoint[2509]: WARNING: An illegal reflective access operation has occurred
jun 24 20:02:47 ip-10-0-0-101.us-west-1.compute.internal systemd-entrypoint[2509]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jun 24 20:02:47 ip-10-0-0-101.us-west-1.compute.internal systemd-entrypoint[2509]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jun 24 20:02:47 ip-10-0-0-101.us-west-1.compute.internal systemd-entrypoint[2509]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jun 24 20:02:47 ip-10-0-0-101.us-west-1.compute.internal systemd-entrypoint[2509]: WARNING: All illegal access operations will be denied in a future release
jun 24 20:02:52 ip-10-0-0-101.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.

wazuh dashboard 🔴
  • journalctl -xe -u wazuh-dashboard.service:

jun 24 20:02:04 ip-10-0-0-101.us-west-1.compute.internal systemd[1]: Stopping wazuh-dashboard...
-- Subject: Unit wazuh-dashboard.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-dashboard.service has begun shutting down.
jun 24 20:02:04 ip-10-0-0-101.us-west-1.compute.internal systemd[1]: Stopped wazuh-dashboard.
-- Subject: Unit wazuh-dashboard.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-dashboard.service has finished shutting down.
-- Reboot --
jun 24 20:02:16 ip-10-0-0-101.us-west-1.compute.internal systemd[1]: Started wazuh-dashboard.
-- Subject: Unit wazuh-dashboard.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-dashboard.service has finished starting up.
-- 
-- The start-up result is done.
jun 24 20:02:16 ip-10-0-0-101.us-west-1.compute.internal systemd[1]: Starting wazuh-dashboard...
-- Subject: Unit wazuh-dashboard.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-dashboard.service has begun starting up.
jun 24 20:02:31 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:31Z","tags":["info","plugins-service"],"pid":1993,"message":"Plugin \"vi
jun 24 20:02:32 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:32Z","tags":["info","plugins-system"],"pid":1993,"message":"Setting up [
jun 24 20:02:34 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:34Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Waitin
jun 24 20:02:34 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:34Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Starti
jun 24 20:02:34 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:34Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Creati
jun 24 20:02:34 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:34Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Migrat
jun 24 20:02:35 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:35Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Pointi
jun 24 20:02:35 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:35Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Finish
jun 24 20:02:35 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:35Z","tags":["info","plugins-system"],"pid":1993,"message":"Starting [42
jun 24 20:02:36 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:36Z","tags":["listening","info"],"pid":1993,"message":"Server running at
jun 24 20:02:37 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:37Z","tags":["info","http","server","OpenSearchDashboards"],"pid":1993,"
lines 402-446/446 (END)

  • systemctl status wazuh-dashboard -l:

● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since vie 2022-06-24 20:02:16 UTC; 4min 12s ago
 Main PID: 1993 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─1993 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

jun 24 20:02:32 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:32Z","tags":["info","plugins-system"],"pid":1993,"message":"Setting up [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,reportsDashboards,securityDashboards,indexManagementDashboards,embeddable,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeMetric,visTypeTagcloud,discover,wazuh,savedObjectsManagement,bfetch]"}
jun 24 20:02:34 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:34Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
jun 24 20:02:34 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:34Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Starting saved objects migrations"}
jun 24 20:02:34 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:34Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Creating index .kibana_2."}
jun 24 20:02:34 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:34Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Migrating .kibana_1 saved objects to .kibana_2"}
jun 24 20:02:35 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:35Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Pointing alias .kibana to .kibana_2."}
jun 24 20:02:35 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:35Z","tags":["info","savedobjects-service"],"pid":1993,"message":"Finished in 806ms."}
jun 24 20:02:35 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:35Z","tags":["info","plugins-system"],"pid":1993,"message":"Starting [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,reportsDashboards,securityDashboards,indexManagementDashboards,embeddable,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeMetric,visTypeTagcloud,discover,wazuh,savedObjectsManagement,bfetch]"}
jun 24 20:02:36 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:36Z","tags":["listening","info"],"pid":1993,"message":"Server running at https://0.0.0.0:5601"}
jun 24 20:02:37 ip-10-0-0-101.us-west-1.compute.internal opensearch-dashboards[1993]: {"type":"log","@timestamp":"2022-06-24T20:02:37Z","tags":["info","http","server","OpenSearchDashboards"],"pid":1993,"message":"http server running at https://0.0.0.0:5601"}

  • cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log:

{"date":"2022-06-24T15:03:56.756Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2022-06-24T15:03:56.757Z","level":"info","location":"initialize","message":"App revision: 4306"}
{"date":"2022-06-24T15:03:56.757Z","level":"info","location":"initialize","message":"Total RAM: 7897MB"}
{"date":"2022-06-24T15:03:57.749Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED 10.0.0.226:55000"}
{"date":"2022-06-24T15:04:20.803Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2022-06-24T15:04:20.804Z","level":"info","location":"initialize","message":"App revision: 4306"}
{"date":"2022-06-24T15:04:20.804Z","level":"info","location":"initialize","message":"Total RAM: 7897MB"}
{"date":"2022-06-24T15:04:21.331Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED 10.0.0.226:55000"}
{"date":"2022-06-24T15:18:55.752Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2022-06-24T15:18:55.753Z","level":"info","location":"initialize","message":"App revision: 4306"}
{"date":"2022-06-24T15:18:55.753Z","level":"info","location":"initialize","message":"Total RAM: 7897MB"}
{"date":"2022-06-24T15:20:53.808Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2022-06-24T15:20:53.809Z","level":"info","location":"initialize","message":"App revision: 4306"}
{"date":"2022-06-24T15:20:53.809Z","level":"info","location":"initialize","message":"Total RAM: 7897MB"}
{"date":"2022-06-24T20:02:35.921Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2022-06-24T20:02:35.921Z","level":"info","location":"initialize","message":"App revision: 4306"}
{"date":"2022-06-24T20:02:35.922Z","level":"info","location":"initialize","message":"Total RAM: 7897MB"}

Issues:

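The `egrep -i "ERROR|WARNING"` check above matches on substrings, which is why the `INFO` JVM-arguments line shows up in its output: the argument `-XX:ErrorFile=...` contains "Error". The following Python script is an added example, not part of this test report or of the Wazuh project; it parses the level field of the two log formats pasted here (the bracketed `wazuh.log` lines from the indexer and the JSON lines from `wazuhapp.log`) and keeps only entries whose level is actually a warning or error. The sample lines are constructed, shortened versions of lines from this report.

```python
"""Level-aware filtering of wazuh-indexer (OpenSearch) and wazuhapp.log lines.

Added example, not code from the Wazuh project. It contrasts a substring
grep with a parser that reads each line's level field, so that an INFO
line mentioning "-XX:ErrorFile" is not reported as an error.
"""
import json
import re
from typing import Dict, Iterable, List, Optional

# wazuh.log (OpenSearch log4j layout): [timestamp][LEVEL][logger] [node] message
INDEXER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]*)\]\s*"
    r"\[(?P<node>[^\]]+)\]\s*(?P<message>.*)$"
)

# Levels that the "no errors or warnings in logs" check should flag.
PROBLEM_LEVELS = {"WARN", "WARNING", "ERROR", "FATAL"}


def parse_indexer_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one bracketed wazuh-indexer line; None if it does not match."""
    m = INDEXER_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["level"] = entry["level"].strip().upper()
    entry["logger"] = entry["logger"].strip()
    return entry


def parse_wazuhapp_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one JSON line from wazuhapp.log; None if not a log record."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict) or "level" not in obj or "message" not in obj:
        return None
    return {
        "ts": str(obj.get("date", "")),
        "level": str(obj["level"]).upper(),
        "logger": str(obj.get("location", "")),
        "node": "",
        "message": str(obj["message"]),
    }


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Dispatch on the line shape: JSON object or bracketed log4j layout."""
    line = line.rstrip("\n")
    if line.startswith("{"):
        return parse_wazuhapp_line(line)
    return parse_indexer_line(line)


def find_problems(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed entries whose level field is a warning or error."""
    return [e for e in (parse_line(l) for l in lines) if e and e["level"] in PROBLEM_LEVELS]


def naive_grep(lines: Iterable[str]) -> List[str]:
    """The substring check used in the report, for comparison."""
    return [l for l in lines if re.search(r"ERROR|WARNING", l, re.IGNORECASE)]


def count_by_level(lines: Iterable[str]) -> Dict[str, int]:
    """Histogram of levels across all parseable lines."""
    counts: Dict[str, int] = {}
    for entry in (parse_line(l) for l in lines):
        if entry:
            counts[entry["level"]] = counts.get(entry["level"], 0) + 1
    return counts


# Constructed sample: shortened copies of lines seen in this report.
SAMPLE_LINES = [
    '[2022-06-24T19:47:36,281][INFO ][o.o.n.Node               ] [node-3] '
    'JVM arguments [-Xms3948m, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log]',
    '[2022-06-24T19:47:49,404][ERROR][o.o.s.a.s.SinkProvider   ] [node-3] '
    'Default endpoint could not be created, auditlog will not work properly.',
    '{"date":"2022-06-24T15:03:56.757Z","level":"info","location":"initialize",'
    '"message":"App revision: 4306"}',
    '{"date":"2022-06-24T15:03:57.749Z","level":"error","location":"monitoring:getApiInfo",'
    '"message":"connect ECONNREFUSED 10.0.0.226:55000"}',
]

if __name__ == "__main__":
    print("substring grep matched:", len(naive_grep(SAMPLE_LINES)))   # 3 (one false positive)
    for e in find_problems(SAMPLE_LINES):                              # 2 real problems
        print(f"{e['ts']} {e['level']:<7} {e['logger']}: {e['message']}")
```

On the constructed sample the substring grep returns three lines, one of them the `INFO` JVM-arguments line, while the level-aware filter returns only the `SinkProvider` audit-log error and the `ECONNREFUSED` error from the app log. Running it over the real files (`find_problems(open("/var/log/wazuh-indexer/wazuh.log"))`) gives the check a precise definition of "error or warning" that does not depend on what a JVM flag happens to be called.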
@BelenValdivia
Contributor Author

BelenValdivia commented Jun 24, 2022

Task 2: The daemons are running with the correct user 🟢

Agents

Amazon Linux 🟢
root      2475  0.0  0.2  38492  2912 ?        Sl   16:54   0:00 /var/ossec/bin/wazuh-execd
wazuh     2520  0.0  0.5 264492  5420 ?        Sl   16:54   0:00 /var/ossec/bin/wazuh-agentd
root      2534  1.0  0.8 269972  8348 ?        SNl  16:54   0:08 /var/ossec/bin/wazuh-syscheckd
root      2547  0.0  0.4 481028  4548 ?        Sl   16:54   0:00 /var/ossec/bin/wazuh-logcollector
root      2566  0.0  1.4 741604 14368 ?        Sl   16:54   0:00 /var/ossec/bin/wazuh-modulesd
RHEL 🟢
root      1318  0.0  0.0  36312  1668 ?        Sl   17:11   0:00 /var/ossec/bin/wazuh-execd
wazuh     1406  0.3  0.1 262036  7200 ?        Sl   17:11   0:02 /var/ossec/bin/wazuh-agentd
root      1519  6.0  0.2 481556  9676 ?        SNl  17:11   0:38 /var/ossec/bin/wazuh-syscheckd
root      1659  0.0  0.3 478724 12796 ?        Sl   17:11   0:00 /var/ossec/bin/wazuh-logcollector
root      1717  0.2  0.6 1034288 24380 ?       Sl   17:11   0:01 /var/ossec/bin/wazuh-modulesd
Ubuntu 🟢
root       843  0.0  0.3  43520  3128 ?        Sl   17:26   0:00 /var/ossec/bin/wazuh-execd
wazuh      929  0.0  0.5 269468  5580 ?        Sl   17:26   0:00 /var/ossec/bin/wazuh-agentd
root       977  1.0  0.8 274476  8160 ?        SNl  17:26   0:08 /var/ossec/bin/wazuh-syscheckd
root       991  0.0  0.4 485948  4816 ?        Sl   17:26   0:00 /var/ossec/bin/wazuh-logcollector
root      1013  0.0  1.4 749148 14040 ?        Sl   17:26   0:00 /var/ossec/bin/wazuh-modulesd

CentOS 🟢
root      2816  0.0  0.1  36220  1516 ?        Sl   17:41   0:00 /var/ossec/bin/wazuh-execd
wazuh     2840  0.0  0.3 262040  3104 ?        Sl   17:41   0:00 /var/ossec/bin/wazuh-agentd
root      2855  2.7  0.7 267480  7408 ?        SNl  17:41   0:09 /var/ossec/bin/wazuh-syscheckd
root      2870  0.0  0.8 478608  8396 ?        Sl   17:41   0:00 /var/ossec/bin/wazuh-logcollector
root      2886  0.2  1.6 739240 16080 ?        Sl   17:41   0:01 /var/ossec/bin/wazuh-modulesd

Debian 🟢
root       520  0.0  0.2  42212  2812 ?        Sl   17:49   0:00 /var/ossec/bin/wazuh-execd
wazuh      537  0.0  0.5 268240  5232 ?        Sl   17:49   0:00 /var/ossec/bin/wazuh-agentd
root       551  1.5  0.7 273040  7376 ?        SNl  17:49   0:06 /var/ossec/bin/wazuh-syscheckd
root       563  0.0  0.3 484860  3916 ?        Sl   17:49   0:00 /var/ossec/bin/wazuh-logcollector
root       583  0.0  1.2 745728 12684 ?        Sl   17:49   0:00 /var/ossec/bin/wazuh-modulesd

Windows 🟢

image

Managers

Master env 1 🟢

root      2157  0.0  0.0 100620  3900 ?        Ss   18:28   0:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-manager-master-0 eth0
root      2260  0.0  0.1 100620  4324 ?        Ss   18:28   0:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-manager-master-0
root      2560  0.0  0.2 152652  9040 ?        Ss   18:28   0:00 sshd: wazuh-user [priv]
wazuh-u+  2586  0.0  0.1 152652  4392 ?        S    18:29   0:00 sshd: wazuh-user@pts/0
wazuh-u+  2587  0.0  0.1 124888  4036 pts/0    Ss   18:29   0:00 -bash
wazuh     2597  1.5  2.5 821084 100392 ?       Sl   18:29   0:13 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2633  0.0  0.0  39224  3376 ?        Sl   18:29   0:00 /var/ossec/bin/wazuh-integratord
root      2654  0.2  0.1 194948  5948 ?        Sl   18:29   0:02 /var/ossec/bin/wazuh-authd
wazuh     2670  0.1  0.3 775956 12724 ?        Sl   18:29   0:00 /var/ossec/bin/wazuh-db
root      2694  0.0  0.0  39264  3196 ?        Sl   18:29   0:00 /var/ossec/bin/wazuh-execd
wazuh     2700  0.0  1.4 317056 59440 ?        S    18:29   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2703  0.2  1.5 400316 62772 ?        S    18:29   0:02 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2718  3.8  1.6 1293248 66780 ?       Sl   18:29   0:33 /var/ossec/bin/wazuh-analysisd
root      2747  1.2  0.2 336056  8444 ?        SNl  18:29   0:11 /var/ossec/bin/wazuh-syscheckd
wazuh     2766  0.5  0.1 523848  4644 ?        Sl   18:29   0:04 /var/ossec/bin/wazuh-remoted
root      2800  0.0  0.1 481668  4908 ?        Sl   18:29   0:00 /var/ossec/bin/wazuh-logcollector
wazuh     2819  0.0  0.0  39240  3212 ?        Sl   18:29   0:00 /var/ossec/bin/wazuh-monitord
root      2869  6.5  6.7 1412244 269980 ?      Sl   18:29   0:56 /var/ossec/bin/wazuh-modulesd
root      2882  0.0  0.0 124096  3184 ?        SNs  18:29   0:00 /bin/sh wodles/aws/aws-s3 --bucket wazuh-aws-wodle --access_key KEY --secret_key iMefkFstkmbhns8yQtMYuGngtERUNwk/yAgYwdEa --only_logs_after 2020-MAY-01 --type cloudtrail
root      2893  9.0  1.3 268524 52468 ?        SN   18:29   1:18 /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws-s3.py --bucket wazuh-aws-wodle --access_key KEY --secret_key iMefkFstkmbhns8yQtMYuGngtERUNwk/yAgYwdEa --only_logs_after 2020-MAY-01 --type cloudtrail
wazuh     2986  0.2  1.2 435628 51004 ?        Sl   18:29   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh     2990  0.0  1.0 280128 43140 ?        S    18:29   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh     2993  0.0  1.0 362056 43084 ?        S    18:29   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
root      3944  0.0  0.2 150520  8808 ?        Ss   18:37   0:00 sshd: wazuh-user [priv]
wazuh-u+  3958  0.0  0.1 150520  4584 ?        S    18:37   0:00 sshd: wazuh-user@pts/1
wazuh-u+  3959  0.0  0.1 124888  4120 pts/1    Ss   18:37   0:00 -bash
root      4086  0.0  0.0 119420   948 pts/1    S+   18:43   0:00 grep --color=auto wazuh
Worker env 1 🟢

root      2166  0.0  0.0 100620  3868 ?        Ss   18:49   0:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-manager-worker-0 eth0
root      2280  0.0  0.1 100620  4384 ?        Ss   18:49   0:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-manager-worker-0
root      2548  0.0  0.2 150520  9076 ?        Ss   18:49   0:00 sshd: wazuh-user [priv]
wazuh-u+  2590  0.0  0.1 150520  4584 ?        S    18:49   0:00 sshd: wazuh-user@pts/0
wazuh-u+  2595  0.0  0.1 124888  3992 pts/0    Ss   18:49   0:00 -bash
wazuh     2635  2.1  2.3 741408 95448 ?        Sl   18:50   0:12 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2658  0.0  0.0  39236  3368 ?        Sl   18:50   0:00 /var/ossec/bin/wazuh-integratord
wazuh     2677  0.1  0.2 775960 11256 ?        Sl   18:50   0:00 /var/ossec/bin/wazuh-db
root      2701  0.0  0.0  39280  3140 ?        Sl   18:50   0:00 /var/ossec/bin/wazuh-execd
wazuh     2716  0.2  0.7 1293316 28828 ?       Sl   18:50   0:01 /var/ossec/bin/wazuh-analysisd
root      2732  1.7  0.2 270536  8544 ?        SNl  18:50   0:10 /var/ossec/bin/wazuh-syscheckd
wazuh     2737  0.0  1.4 310112 57560 ?        S    18:50   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2740  0.0  1.5 399232 60232 ?        S    18:50   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2770  0.1  0.1 523808  4592 ?        Sl   18:50   0:01 /var/ossec/bin/wazuh-remoted
root      2808  0.0  0.1 481672  4788 ?        Sl   18:50   0:00 /var/ossec/bin/wazuh-logcollector
wazuh     2828  0.0  0.0  39252  3208 ?        Sl   18:50   0:00 /var/ossec/bin/wazuh-monitord
root      2849  6.4  5.3 1115340 211872 ?      Sl   18:50   0:38 /var/ossec/bin/wazuh-modulesd
wazuh     2973  0.1  1.2 587952 51192 ?        Sl   18:50   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh     3141  0.0  1.1 287892 44628 ?        S    18:50   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh     3890  0.0  1.0 440488 43812 ?        S    18:54   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
root      3983  0.0  0.0 119420   964 pts/0    S+   19:00   0:00 grep --color=auto wazuh

Master env 2 🟢

root      2156  0.0  0.0 100620  3896 ?        Ss   19:03   0:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-manager-master-0 eth0
root      2270  0.0  0.1 100620  4292 ?        Ss   19:03   0:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-manager-master-0
root      2554  0.0  0.2 150520  8768 ?        Ss   19:03   0:00 sshd: wazuh-user [priv]
wazuh-u+  2585  0.0  0.1 150520  4440 ?        S    19:03   0:00 sshd: wazuh-user@pts/0
wazuh-u+  2598  0.0  0.1 124888  4104 pts/0    Ss   19:03   0:00 -bash
wazuh     2620  1.9  2.5 821072 100496 ?       Sl   19:03   0:13 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2643  0.0  0.0  39224  3324 ?        Sl   19:03   0:00 /var/ossec/bin/wazuh-integratord
root      2664  0.2  0.1 194944  5796 ?        Sl   19:03   0:01 /var/ossec/bin/wazuh-authd
wazuh     2681  0.1  0.3 710420 12428 ?        Sl   19:03   0:00 /var/ossec/bin/wazuh-db
root      2705  0.0  0.0  39272  3228 ?        Sl   19:03   0:00 /var/ossec/bin/wazuh-execd
wazuh     2708  0.0  1.4 317044 59492 ?        S    19:03   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2711  0.2  1.5 400380 62844 ?        S    19:03   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2729  4.3  1.2 1293248 51520 ?       Sl   19:03   0:29 /var/ossec/bin/wazuh-analysisd
root      2743  1.6  0.2 336004  8360 ?        SNl  19:03   0:11 /var/ossec/bin/wazuh-syscheckd
wazuh     2779  0.1  0.1 1179208 6696 ?        Sl   19:03   0:00 /var/ossec/bin/wazuh-remoted
root      2811  0.0  0.1 481668  4760 ?        Sl   19:03   0:00 /var/ossec/bin/wazuh-logcollector
wazuh     2831  0.0  0.0  39244  3220 ?        Sl   19:03   0:00 /var/ossec/bin/wazuh-monitord
root      2881  8.1  6.0 1402064 240484 ?      Sl   19:03   0:55 /var/ossec/bin/wazuh-modulesd
root      2894  0.0  0.0 124096  3096 ?        SNs  19:03   0:00 /bin/sh wodles/aws/aws-s3 --bucket wazuh-aws-wodle --access_key KEY --secret_key iMefkFstkmbhns8yQtMYuGngtERUNwk/yAgYwdEa --only_logs_after 2020-MAY-01 --type cloudtrail
root      2905  9.5  1.3 269496 53160 ?        SN   19:03   1:05 /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws-s3.py --bucket wazuh-aws-wodle --access_key KEY --secret_key iMefkFstkmbhns8yQtMYuGngtERUNwk/yAgYwdEa --only_logs_after 2020-MAY-01 --type cloudtrail
wazuh     2987  0.0  1.1 427884 45672 ?        Sl   19:03   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh     3000  0.0  1.0 280124 42980 ?        S    19:03   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh     3003  0.0  1.0 362184 43136 ?        S    19:03   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
root      4103  0.0  0.0 119420   952 pts/0    S+   19:15   0:00 grep --color=auto wazuh

Wazuh Indexer

Bootstrap 🟢
wazuh-i+  2491 13.5 55.6 7164068 4502916 ?     Ssl  19:25   1:21 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-7297009102481999135 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Master B 🟢
wazuh-i+  2489 18.2 55.5 7184064 4493336 ?     Ssl  19:38   0:57 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-8489325963514459203 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Master C 🟢
wazuh-i+  2526 16.2 55.6 7137412 4498124 ?     Ssl  19:47   1:09 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-1506829919892208782 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Wazuh Dashboard

wazuh indexer 🟢
wazuh-i+  2509  7.5 37.3 5621684 3017108 ?     Ssl  20:02   1:10 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-18113524508641409482 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh dashboard 🟢
wazuh-d+  1993  1.3  1.8 995656 151420 ?       Ssl  20:02   0:13 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

@BelenValdivia
Contributor Author

Task 3: The status of the Wazuh Indexer clusters is as expected 🟢


[root@ip-10-0-0-101 wazuh-user]# curl -k -u USER:PASSWORD  https://10.0.0.101:9200/_cat/nodes?v
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.2.34             4          61   2    0.02    0.03     0.00 dimr      *      node-2
10.0.2.200           50          61   2    0.02    0.03     0.05 dimr      -      node-3
10.0.2.232           41          61   1    0.05    0.04     0.01 dimr      -      node-1
10.0.0.101           38          45   2    0.00    0.02     0.03 dimr      -      node-7

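The two checks above (T2, daemon ownership from `ps aux`, and T3, indexer cluster state from `_cat/nodes?v`) are easy to automate so that a release run produces a pass/fail list instead of eyeballed process listings. The script below is an added example, not part of the issue or of the Wazuh project. The `EXPECTED_OWNERS` map, the heap-pressure threshold and the sample `ps` lines are assumptions constructed for the example (one line is deliberately wrong, a dashboard running as `root`, so the check has something to flag); the `_cat/nodes` sample mirrors the output pasted in the comment.

```python
"""Automated versions of two release checks: daemons run as the expected
user (T2) and the indexer cluster has one elected master with the expected
roles (T3). Added example; sample inputs are constructed, not captured."""

# Expected process owner per daemon, keyed by a substring of its command line.
# Assumed mapping for this example, not a manifest shipped by Wazuh.
EXPECTED_OWNERS = {
    "wazuh-clusterd": "wazuh",
    "wazuh-apid": "wazuh",
    "org.opensearch.bootstrap.OpenSearch": "wazuh-indexer",
    "wazuh-dashboard": "wazuh-dashboard",
}

# Constructed `ps aux` sample; the third line is an intentional failure case.
SAMPLE_PS = """\
wazuh     2987  0.0  1.1 427884 45672 ?        Sl   19:03   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh-i+  2491 13.5 55.6 7164068 4502916 ?     Ssl  19:25   1:21 /usr/share/wazuh-indexer/jdk/bin/java -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch
root      4242  0.0  0.5 100000  5000 ?        Ss   19:25   0:00 /usr/share/wazuh-dashboard/bin/../node/bin/node /usr/share/wazuh-dashboard/bin/../src/cli/dist
root      4103  0.0  0.0 119420   952 pts/0    S+   19:15   0:00 grep --color=auto wazuh
"""

# `_cat/nodes?v` sample with the same shape and values as the issue comment.
SAMPLE_NODES = """\
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.2.34             4          61   2    0.02    0.03     0.00 dimr      *      node-2
10.0.2.200           50          61   2    0.02    0.03     0.05 dimr      -      node-3
10.0.2.232           41          61   1    0.05    0.04     0.01 dimr      -      node-1
10.0.0.101           38          45   2    0.00    0.02     0.03 dimr      -      node-7
"""


def user_matches(ps_user, expected):
    """`ps aux` truncates the USER column to 8 characters and marks the cut
    with a trailing '+', so 'wazuh-i+' must be accepted for 'wazuh-indexer'."""
    if ps_user.endswith("+"):
        prefix = ps_user[:-1]
        return expected.startswith(prefix) and len(expected) > len(prefix)
    return ps_user == expected


def check_daemon_owners(ps_output):
    """Return a list of problems; an empty list means every recognised daemon
    runs under the owner listed in EXPECTED_OWNERS."""
    problems = []
    for line in ps_output.splitlines():
        parts = line.split(None, 10)  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(parts) < 11:
            continue
        user, pid, cmd = parts[0], parts[1], parts[10]
        if "grep" in cmd:  # the grep that produced the listing is not a daemon
            continue
        for needle, owner in EXPECTED_OWNERS.items():
            if needle in cmd:
                if not user_matches(user, owner):
                    problems.append(f"pid {pid} ({needle}) runs as {user!r}, expected {owner!r}")
                break
    return problems


def parse_cat_nodes(text):
    """Turn the whitespace-aligned `_cat/nodes?v` table into a list of dicts
    keyed by the header names (ip, heap.percent, node.role, master, name, ...)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def check_cluster(nodes, expected_count, required_roles="dimr", max_heap_percent=85):
    """Return a list of problems with the cluster view: wrong node count, not
    exactly one elected master ('*'), missing roles, or heap pressure above
    max_heap_percent (an assumed threshold for this example)."""
    problems = []
    if len(nodes) != expected_count:
        problems.append(f"expected {expected_count} nodes, saw {len(nodes)}")
    masters = [n["name"] for n in nodes if n["master"] == "*"]
    if len(masters) != 1:
        problems.append(f"expected exactly one elected master, saw {masters}")
    for n in nodes:
        missing = set(required_roles) - set(n["node.role"])
        if missing:
            problems.append(f"{n['name']} lacks roles {''.join(sorted(missing))}")
        if int(n["heap.percent"]) > max_heap_percent:
            problems.append(f"{n['name']} heap at {n['heap.percent']}% (limit {max_heap_percent}%)")
    return problems


if __name__ == "__main__":
    for p in check_daemon_owners(SAMPLE_PS):
        print("T2 FAIL:", p)
    for p in check_cluster(parse_cat_nodes(SAMPLE_NODES), expected_count=4):
        print("T3 FAIL:", p)
```

On a live host the two inputs would come from `ps aux` and from the `curl ... /_cat/nodes?v` call shown above, and a non-empty result from either function is the list of items to open issues for. The owner check is the one worth keeping in a release pipeline: a daemon that has quietly reverted to running as `root` after a package upgrade is exactly the kind of regression the T2 check exists to catch.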
@juliamagan juliamagan changed the title Release 4.3.5 - Release Candidate 1 - Demo environment Release 4.3.5 - Release Candidate 1 - E2E UX tests - Demo environment Jun 27, 2022
@juliamagan juliamagan added this to the Release 4.3.5 RC-1 milestone Jun 27, 2022
@BelenValdivia
Contributor Author

BelenValdivia commented Jun 27, 2022

Task 4: No errors in the browser's developer console when browsing the App 🟢

@BelenValdivia
Contributor Author

BelenValdivia commented Jun 27, 2022

Task 5: Alerts are being generated for each of the modules configured for this purpose

Issues:

4.3.5.disabled.modules.mp4

@BelenValdivia
Contributor Author

BelenValdivia commented Jun 27, 2022

Task 6: No warning symbols in Discover when expanding a document 🟢
