Release 4.5.0 - Alpha 1 - Specific systems #18074

Closed · 2 tasks
wazuhci opened this issue Jul 26, 2023 · 8 comments


wazuhci commented Jul 26, 2023

Packages tests metrics information

Main release candidate issue: #18059
Main packages metrics issue: #18078
Version: 4.5.0
Release candidate: Alpha-1
Tag: https://github.com/wazuh/wazuh/tree/v4.5.0-alpha-1

Build packages

| System | Status | Build |
| --- | --- | --- |
| AIX | 🟢 | --- |
| HPUX | 🟢 | --- |
| S10 SPARC | 🟢 | --- |
| S11 SPARC | 🟢 | --- |
| OVA | 🟢 | --- |
| AMI | 🟢 | --- |

Test packages

| System | Build | Install | Deployment install | Upgrade | Remove | TCP | UDP | Errors found | Warnings found | Alerts found | Check users |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| AIX | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| HPUX | 🟢 | 🟢 | --- | --- | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| S10 SPARC | 🟢 | 🟢 | --- | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| S11 SPARC | 🟢 | 🟢 | --- | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| OVA | 🟢 | 🟢 | --- | --- | --- | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| AMI | 🟢 | 🟢 | --- | --- | --- | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |

PPC64EL packages
| System | Build | Install | Deployment install | Upgrade | Uninstall | Alerts | TCP | UDP | Errors | Warnings | System users |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CentOS 7 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| Debian Stretch | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |

OVA/AMI specific tests
| System | Filebeat test | Cluster green/yellow | Production repositories | UI Access | No SSH root access | SSH user access | Wazuh dashboard/APP version | Dashboard/Indexer VERSION file |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| OVA | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| AMI | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |

Status legend:
⚫ - Pending/In progress
⚪ - Skipped
🔴 - Rejected
🟡 - Ready to review
🟢 - Approved


Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.


Deblintrake09 changed the title "Release 4.5.0 - Alpha-1 - Specific systems" to "Release 4.5.0 - Alpha 1 - Specific systems" on Jul 27, 2023

Deblintrake09 commented Jul 27, 2023

Analysis report - Solaris 11 SPARC 🟢

System info
# cat /etc/release
                            Oracle Solaris 11.3 SPARC
  Copyright (c) 1983, 2015, Oracle and/or its affiliates.  All rights reserved.
                            Assembled 06 October 2015
Install
  • Download package
wget https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.5.0-sol11-sparc.p5p
--2023-07-27 08:49:50--  https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.5.0-sol11-sparc.p5p
Resolviendo packages-dev.wazuh.com (packages-dev.wazuh.com)... 18.64.155.103, 18.64.155.22, 18.64.155.6, ...
Conectando con packages-dev.wazuh.com (packages-dev.wazuh.com)[18.64.155.103]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 6215680 (5,9M) [binary/octet-stream]
Grabando a: “wazuh-agent_v4.5.0-sol11-sparc.p5p.1”

wazuh-agent_v4.5.0-sol11-sparc.p5p.1               100%[=================================================================================================================>]   5,93M  8,19MB/s   en 0,7s   

2023-07-27 08:49:51 (8,19 MB/s) - “wazuh-agent_v4.5.0-sol11-sparc.p5p.1” guardado [6215680/6215680]
  • Install
# pkg install -g wazuh-agent_v4.5.0-sol11-sparc.p5p wazuh-agent
                        Paquetes que instalar:  1
                        Servicios que cambiar:  1
                      Crear entorno de inicio: No
Crear copia de seguridad de entorno de inicio: No

DESCARGAR                           PAQUETES      ARCHIVOS    XFER (MB) VELOCIDAD
Finalizado                               1/1         97/97      5.6/5.6 28.9M/s

FASE                                       ELEMENTOS
Instalando acciones nuevas                   150/150
Actualizando base de datos de estado de paquete   Terminado 
Actualizando caché de paquete                   0/0 
Actualizando estado de imagen              Terminado 
Creando base de datos de búsqueda rápida   Terminado 
Actualizando caché de paquete                   2/2 

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
  • Wazuh server
# /var/ossec/bin/agent_control -i 007

Wazuh agent_control. Agent information:
   Agent ID:   007
   Agent Name: sossp613
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp613 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690480281

   Syscheck last started at:  Thu Jul 27 19:07:22 2023
   Syscheck last ended at:    Thu Jul 27 19:07:42 2023
Alert
  • TCP
# grep -i "tcp" /var/ossec/logs/ossec.log 
2023/07/27 14:07:11 wazuh-agentd: INFO: Trying to connect to server ([3.235.62.234]:1514/tcp).
2023/07/27 14:07:12 wazuh-agentd: INFO: (4102): Connected to the server ([3.235.62.234]:1514/tcp).
2023/07/27 14:07:21 wazuh-agentd: INFO: Trying to connect to server ([3.235.62.234]:1514/tcp).
2023/07/27 14:07:21 wazuh-agentd: INFO: (4102): Connected to the server ([3.235.62.234]:1514/tcp).
{"timestamp":"2023-07-27T17:50:50.376+0000","rule":{"level":7,"description":"SCA summary: CIS Benchmark for Oracle Solaris 11 v1.1.0: Score less than 50% (31)","id":"19004","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"sossp613","ip":"192.168.253.13"},"manager":{"name":"wazuh-server"},"id":"1690480250.343118","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"20579","policy":"CIS Benchmark for Oracle Solaris 11 v1.1.0","description":"This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against  Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates.","policy_id":"cis_solaris11","passed":"16","failed":"35","invalid":"0","total_checks":"51","score":"31","file":"cis_solaris11.yml"}},"location":"sca"}
  • UDP
# grep -i "udp" /var/ossec/logs/ossec.log 
2023/07/27 14:10:29 wazuh-agentd: INFO: Trying to connect to server ([3.235.62.234]:1514/udp).
2023/07/27 14:10:29 wazuh-agentd: INFO: (4102): Connected to the server ([3.235.62.234]:1514/udp).

{"timestamp":"2023-07-27T17:53:37.947+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"sossp613","ip":"192.168.253.13"},"manager":{"name":"wazuh-server"},"id":"1690480417.348205","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}
Remove
# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.5.0 Stopped

# pkg uninstall wazuh-agent
pkg uninstall wazuh-agent
                        Paquetes que eliminar:  1
                        Servicios que cambiar:  1
                      Crear entorno de inicio: No
Crear copia de seguridad de entorno de inicio: No

FASE                                       ELEMENTOS
Eliminando acciones antiguas                 194/194
Actualizando base de datos de estado de paquete   Terminado 
Actualizando caché de paquete                   1/1 
Actualizando estado de imagen              Terminado 
Creando base de datos de búsqueda rápida   Terminado 
Actualizando caché de paquete                   2/2 

Se recuperaron los siguientes archivos y directorios editables o
inesperados al ejecutar la operación de paquetes seleccionada; se
desplazaron a la ubicación que se muestra en la imagen:

  ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20230727T141408Z
  ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20230727T141408Z
  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20230727T141408Z
  ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20230727T141408Z
  ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20230727T141408Z
  ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20230727T141408Z
  ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20230727T141408Z
  ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20230727T141408Z
  ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20230727T141408Z
  ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20230727T141408Z

# ls -la /var/ossec
/var/ossec: No such file or directory
# groupdel wazuh
Upgrade 4.4.5 -> 4.5.0-alpha1
# curl -OL https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.4.5-sol11-sparc.p5p
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6070k  100 6070k    0     0  4961k      0  0:00:01  0:00:01 --:--:-- 5096k

# pkg install -g wazuh-agent_v4.4.5-sol11-sparc.p5p wazuh-agent
                        Paquetes que instalar:  1
                        Servicios que cambiar:  1
                      Crear entorno de inicio: No
Crear copia de seguridad de entorno de inicio: No

DESCARGAR                           PAQUETES      ARCHIVOS    XFER (MB) VELOCIDAD
Finalizado                               1/1         97/97      5.6/5.6 31.2M/s

FASE                                       ELEMENTOS
Instalando acciones nuevas                   150/150
Actualizando base de datos de estado de paquete   Terminado 
Actualizando caché de paquete                   0/0 
Actualizando estado de imagen              Terminado 
Creando base de datos de búsqueda rápida   Terminado 
Actualizando caché de paquete                   2/2 

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/agent_control -i 008

Wazuh agent_control. Agent information:
   Agent ID:   008
   Agent Name: sossp613
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp613 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.4.5
   Configuration hash:  (null)
   Shared file hash:    x
   Last keep alive:     1690481073

   Syscheck last started at:  Thu Jul 27 19:21:25 2023
   Syscheck last ended at:    Thu Jul 27 19:21:30 2023

  • Upgrade agent
# pkg install -g wazuh-agent_v4.5.0-sol11-sparc.p5p wazuh-agent
                      Paquetes que actualizar:   1
                      Crear entorno de inicio:  No
Crear copia de seguridad de entorno de inicio: Sí

DESCARGAR                           PAQUETES      ARCHIVOS    XFER (MB) VELOCIDAD
Finalizado                               1/1         27/27      4.8/4.8 60.7M/s

FASE                                       ELEMENTOS
Actualizando acciones modificadas              29/29
Actualizando base de datos de estado de paquete   Terminado 
Actualizando caché de paquete                   1/1 
Actualizando estado de imagen              Terminado 
Creando base de datos de búsqueda rápida   Terminado 
Actualizando caché de paquete                   2/2 

  • Check agent in manager
# /var/ossec/bin/agent_control -i 008

Wazuh agent_control. Agent information:
   Agent ID:   008
   Agent Name: sossp613
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp613 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690481491

   Syscheck last started at:  Thu Jul 27 19:28:29 2023 (Scan in progress)
   Syscheck last ended at:    Thu Jul 27 19:22:10 2023
Users and groups
# cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:

# cat /etc/group | grep wazuh
wazuh::13:
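The report above performs the same validation by hand on every platform: look in ossec.log for the "Connected to the server" line over the expected transport, grep the log for ERROR/CRITICAL/FATAL/WARNING, and read Status and Client version out of `agent_control -i`. The script below is an added example and not part of this issue or of Wazuh's own test tooling; it automates those checks over constructed copies of the captures shown above (manager address replaced by a placeholder). It assumes the `date daemon: LEVEL: message` log line format and the `Key:   value` layout of `agent_control -i` exactly as they appear in the report, and it treats a `(null)` configuration hash, as seen right after the 4.4.5 start in the report, as "not ready yet" rather than as a failure; that interpretation is an assumption of the example.

```python
import re

# Constructed sample input modelled on the Solaris 11 capture in the report;
# the manager IP is replaced with a placeholder.
OSSEC_LOG = """\
2023/07/27 14:07:11 wazuh-agentd: INFO: Trying to connect to server ([MANAGER_IP]:1514/tcp).
2023/07/27 14:07:12 wazuh-agentd: INFO: (4102): Connected to the server ([MANAGER_IP]:1514/tcp).
2023/07/27 14:10:29 wazuh-agentd: INFO: Trying to connect to server ([MANAGER_IP]:1514/udp).
2023/07/27 14:10:29 wazuh-agentd: INFO: (4102): Connected to the server ([MANAGER_IP]:1514/udp).
"""

# Constructed negative case: only TCP connected, plus a warning line.
OSSEC_LOG_BAD = """\
2023/07/27 14:07:11 wazuh-agentd: INFO: Trying to connect to server ([MANAGER_IP]:1514/tcp).
2023/07/27 14:07:12 wazuh-agentd: INFO: (4102): Connected to the server ([MANAGER_IP]:1514/tcp).
2023/07/27 14:07:30 wazuh-syscheckd: WARNING: (constructed) example warning line
"""

AGENT_CONTROL = """\
Wazuh agent_control. Agent information:
   Agent ID:   007
   Agent Name: sossp613
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp613 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690480281

   Syscheck last started at:  Thu Jul 27 19:07:22 2023
   Syscheck last ended at:    Thu Jul 27 19:07:42 2023
"""

# Constructed: what the manager shows right after a fresh start, before it has
# received the agent's configuration (compare the 4.4.5 capture in the report).
AGENT_CONTROL_FRESH = AGENT_CONTROL.replace("ab73af41699f13fdd81903b5f23d8d00", "(null)")

LOG_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (\w+): (.*)$")
CONNECTED_RE = re.compile(r"Connected to the server \(\[[^\]]+\]:(\d+)/(tcp|udp)\)")
BAD_LEVELS = {"ERROR", "CRITICAL", "FATAL", "WARNING"}


def parse_log(text):
    """Split ossec.log into (timestamp, daemon, level, message) tuples; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def connected_protocols(entries):
    """Transports over which the agent logged a successful manager connection."""
    protocols = set()
    for _, _, _, msg in entries:
        m = CONNECTED_RE.search(msg)
        if m:
            protocols.add(m.group(2))
    return protocols


def parse_agent_control(text):
    """Turn the 'Key:   value' lines of agent_control -i into a dict (split on the first colon)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("Wazuh agent_control"):
            info[key.strip()] = value.strip()
    return info


def check_deployment(log_text, agent_control_text, expected_version, expected_protocol):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_log(log_text)
    info = parse_agent_control(agent_control_text)
    findings = []
    if expected_protocol not in connected_protocols(entries):
        findings.append(f"no 'Connected to the server' line over {expected_protocol}")
    for ts, daemon, level, msg in entries:
        if level in BAD_LEVELS:
            findings.append(f"{level} at {ts} from {daemon}: {msg}")
    if info.get("Status") != "Active":
        findings.append(f"agent status {info.get('Status')!r}, expected 'Active'")
    want = f"Wazuh v{expected_version}"
    if info.get("Client version") != want:
        findings.append(f"client version {info.get('Client version')!r}, expected {want!r}")
    # Assumption: '(null)' means the manager has not yet received the agent's
    # configuration, so the check should be retried after the next keep-alive.
    if info.get("Configuration hash", "(null)") == "(null)":
        findings.append("configuration hash not yet reported; retry after the next keep-alive")
    return findings


if __name__ == "__main__":
    cases = [("4.5.0 install", OSSEC_LOG, AGENT_CONTROL),
             ("fresh start", OSSEC_LOG_BAD, AGENT_CONTROL_FRESH)]
    for name, log, control in cases:
        problems = check_deployment(log, control, "4.5.0", "udp")
        print(name + ":", "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run against a real host by feeding it the contents of `/var/ossec/logs/ossec.log` from the agent and the output of `agent_control -i <id>` from the manager; the protocol argument matches the TCP and UDP columns of the test matrix, so a platform is run once per transport.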


Deblintrake09 commented Jul 27, 2023

Analysis report - HP-UX 🟢

System info
# model
ia64 hp server Integrity Virtual Machine

Install
  • Wazuh agent
# curl -OL -k https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.5.0-1-hpux-11v3-ia64.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20.8M  100 20.8M    0     0  1122k      0  0:00:19  0:00:19 --:--:-- 1335k

# groupadd wazuh
# useradd -G wazuh wazuh
# tar -xvf wazuh-agent-4.5.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1631552 bytes, 3187 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2124204 bytes, 4149 tape blocks
x /var/ossec/bin/wazuh-execd, 1559900 bytes, 3047 tape blocks
x /var/ossec/bin/manage_agents, 440572 bytes, 861 tape blocks
x /var/ossec/bin/wazuh-control, 7148 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1490252 bytes, 2911 tape blocks
x /var/ossec/bin/wazuh-agentd, 1633072 bytes, 3190 tape blocks
x /var/ossec/bin/agent-auth, 441364 bytes, 863 tape blocks
x /var/ossec/lib/libwazuhext.so, 9738588 bytes, 19021 tape blocks
x /var/ossec/lib/libwazuhshared.so, 290432 bytes, 568 tape blocks
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 184614 bytes, 361 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6018 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 14685 bytes, 29 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1841 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4661 bytes, 10 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 5524 bytes, 11 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4453 bytes, 9 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4705 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 37349 bytes, 73 tape blocks
x /var/ossec/wodles/azure/orm.py, 7007 bytes, 14 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14012 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4855 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/pf, 74040 bytes, 145 tape blocks
x /var/ossec/active-response/bin/npf, 73972 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ipfw, 74028 bytes, 145 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 74052 bytes, 145 tape blocks
x /var/ossec/active-response/bin/disable-account, 73932 bytes, 145 tape blocks
x /var/ossec/active-response/bin/host-deny, 74152 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 73888 bytes, 145 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 73680 bytes, 144 tape blocks
x /var/ossec/active-response/bin/route-null, 73868 bytes, 145 tape blocks
x /var/ossec/active-response/bin/kaspersky, 73728 bytes, 144 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 73960 bytes, 145 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
# cat /var/ossec/etc/ossec.conf | grep address
      <address>172.31.5.205</address>


# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

  • Wazuh server
# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: sovmh336
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh336 |B.11.31 |U |ia64
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690473018

   Syscheck last started at:  Thu Jul 27 14:57:40 2023 (Scan in progress)
   Syscheck last ended at:    Unknown

# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log
Alert - TCP
# grep -i "tcp" /var/ossec/logs/ossec.log 
2023/07/27 09:57:35 wazuh-agentd: INFO: Trying to connect to server ([AMI_INSTANCE_IP]:1514/tcp).
2023/07/27 09:57:35 wazuh-agentd: INFO: (4102): Connected to the server ([AMI_INSTANCE_IP]:1514/tcp).
2023/07/27 09:57:39 wazuh-agentd: INFO: Trying to connect to server ([AMI_INSTANCE_IP]:1514/tcp).
2023/07/27 09:57:39 wazuh-agentd: INFO: (4102): Connected to the server ([AMI_INSTANCE_IP]:1514/tcp).
{"timestamp":"2023-07-27T15:53:02.590+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5760","mitre":{"id":["T1110.001","T1021.004"],"tactic":["Credential Access","Lateral Movement"],"technique":["Password Guessing","SSH"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"sovmh336"},"manager":{"name":"wazuh-server"},"id":"1690473182.28905","full_log":"Jul 27 10:00:31 sovmh336 sshd[9468]: Failed password for root from 202.53.72.150 port 65166 ssh2","predecoder":{"program_name":"sshd","timestamp":"Jul 27 10:00:31","hostname":"sovmh336"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"202.53.72.150","srcport":"65166","dstuser":"root"},"location":"/var/adm/syslog/syslog.log"}
  • UDP
# grep -i "udp" /var/ossec/logs/ossec.log
2023/07/27 09:59:43 wazuh-agentd: INFO: Trying to connect to server ([AMI_INSTANCE_IP]:1514/udp).
2023/07/27 09:59:43 wazuh-agentd: INFO: (4102): Connected to the server ([AMI_INSTANCE_IP]:1514/udp).
Remove
# /var/ossec/bin/wazuh-control stop
# groupdel wazuh
# userdel wazuh
# rm -rf /var/ossec
Upgrade 4.4.5 -> 4.5.0-alpha1
# /usr/local/bin/curl -k -LO https://packages.wazuh.com/4.x/hp-ux/wazuh-agent-4.4.1-1-hpux-11v3-ia64.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20.8M  100 20.6M    0     0  1245k      0  0:00:17  0:00:17 --:--:-- 2336k
# tar -xvf wazuh-agent-4.4.5-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1631496 bytes, 3187 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2124144 bytes, 4149 tape blocks
x /var/ossec/bin/wazuh-execd, 1559840 bytes, 3047 tape blocks
x /var/ossec/bin/manage_agents, 440500 bytes, 861 tape blocks
x /var/ossec/bin/wazuh-control, 7148 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1490192 bytes, 2911 tape blocks
x /var/ossec/bin/wazuh-agentd, 1633012 bytes, 3190 tape blocks
x /var/ossec/bin/agent-auth, 441288 bytes, 862 tape blocks
x /var/ossec/lib/libwazuhext.so, 9738588 bytes, 19021 tape blocks
x /var/ossec/lib/libwazuhshared.so, 290356 bytes, 568 tape blocks
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 184614 bytes, 361 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6018 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 14685 bytes, 29 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1841 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4661 bytes, 10 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 5524 bytes, 11 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4453 bytes, 9 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4705 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 37349 bytes, 73 tape blocks
x /var/ossec/wodles/azure/orm.py, 7007 bytes, 14 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14012 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4855 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/pf, 74040 bytes, 145 tape blocks
x /var/ossec/active-response/bin/npf, 73972 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ipfw, 74028 bytes, 145 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 74052 bytes, 145 tape blocks
x /var/ossec/active-response/bin/disable-account, 73932 bytes, 145 tape blocks
x /var/ossec/active-response/bin/host-deny, 74152 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 73888 bytes, 145 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 73680 bytes, 144 tape blocks
x /var/ossec/active-response/bin/route-null, 73868 bytes, 145 tape blocks
x /var/ossec/active-response/bin/kaspersky, 73728 bytes, 144 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 73960 bytes, 145 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent

# groupadd wazuh
# useradd -G wazuh wazuh
# vi /var/ossec/etc/ossec.conf    
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: sovmh336
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh336 |B.11.31 |U |ia64
   Client version:      Wazuh v4.4.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690473518

   Syscheck last started at:  Thu Jul 27 15:06:00 2023 (Scan in progress)
   Syscheck last ended at:    Unknown
# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.4.5 Stopped

# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
# cp /var/ossec/etc/client.keys ~/client.keys.bk

# tar -xvf wazuh-agent-4.5.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1631552 bytes, 3187 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2124204 bytes, 4149 tape blocks
x /var/ossec/bin/wazuh-execd, 1559900 bytes, 3047 tape blocks
x /var/ossec/bin/manage_agents, 440572 bytes, 861 tape blocks
x /var/ossec/bin/wazuh-control, 7148 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1490252 bytes, 2911 tape blocks
x /var/ossec/bin/wazuh-agentd, 1633072 bytes, 3190 tape blocks
x /var/ossec/bin/agent-auth, 441364 bytes, 863 tape blocks
x /var/ossec/lib/libwazuhext.so, 9738588 bytes, 19021 tape blocks
x /var/ossec/lib/libwazuhshared.so, 290432 bytes, 568 tape blocks
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 184614 bytes, 361 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6018 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 14685 bytes, 29 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1841 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4661 bytes, 10 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 5524 bytes, 11 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4453 bytes, 9 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4705 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 37349 bytes, 73 tape blocks
x /var/ossec/wodles/azure/orm.py, 7007 bytes, 14 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14012 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4855 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/pf, 74040 bytes, 145 tape blocks
x /var/ossec/active-response/bin/npf, 73972 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ipfw, 74028 bytes, 145 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 74052 bytes, 145 tape blocks
x /var/ossec/active-response/bin/disable-account, 73932 bytes, 145 tape blocks
x /var/ossec/active-response/bin/host-deny, 74152 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 73888 bytes, 145 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 73680 bytes, 144 tape blocks
x /var/ossec/active-response/bin/route-null, 73868 bytes, 145 tape blocks
x /var/ossec/active-response/bin/kaspersky, 73728 bytes, 144 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 73960 bytes, 145 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent

#  mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf
# chown root:wazuh /var/ossec/etc/ossec.conf
# mv ~/client.keys.bk /var/ossec/etc/client.keys
# chown root:wazuh /var/ossec/etc/client.keys
 
 
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002
Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: sovmh336
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh336 |B.11.31 |U |ia64
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690473656

   Syscheck last started at:  Thu Jul 27 15:08:09 2023 (Scan in progress)
   Syscheck last ended at:    Thu Jul 27 15:06:33 2023
Users and groups
# cat /etc/passwd | grep wazuh
wazuh:*:108:20::/home/wazuh:/sbin/sh
# cat /etc/group | grep wazuh
wazuh::105:wazuh

@Deblintrake09
Contributor

Deblintrake09 commented Jul 27, 2023

Analysis report - AMI 🟢

AMI - Agent connection and workload
  • SSH using root
ssh -i /home/deblintrake/Documentos/deployer.pem root@AMI-IP
Please login as the user "wazuh-user" rather than the user "root".

Connection to AMI-IP closed.

This was tested as part of Special systems (HP-UX), since the AMI was the Wazuh Manager.

AMI - WUI
  • Loading screen OK

  • Login screen OK

  • Light/dark mode OK

  • Credentials: OK

AMI - Logs
  • Wazuh dashboard - journalctl
    # journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
    jul 27 15:25:00 wazuh-server opensearch-dashboards[4460]: {"type":"log","@timestamp":"2023-07-27T15:25:00Z","tags":["error","opensearch","data"],"pid":4460,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2023.30w/Sz7CkGSRR-eRuRMdu6jsvw] already exists"}
    jul 27 15:21:08 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:21:08Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n","name":"Error","stack":"Error: 140041040631680:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140041040631680:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 48\n"}
    jul 27 15:09:47 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:47Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:47 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:47Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:47 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:47Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:47 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:47Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:46 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:46Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:46 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:46Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:46 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:46Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:46 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:46Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:46 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:46Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:45 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:45Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:42 wazuh-server opensearch-dashboards[4460]: {"type":"error","@timestamp":"2023-07-27T15:09:42Z","tags":["connection","client","error"],"pid":4460,"level":"error","error":{"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140041040631680:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
    jul 27 15:09:32 wazuh-server opensearch-dashboards[1898]: {"type":"log","@timestamp":"2023-07-27T15:09:32Z","tags":["warning","savedobjects-service"],"pid":1898,"message":"Unable to connect to OpenSearch. Error: Given the configuration, the ConnectionPool was not able to find a usable Connection for this request."}
    jul 27 15:09:32 wazuh-server opensearch-dashboards[1898]: {"type":"log","@timestamp":"2023-07-27T15:09:32Z","tags":
    jul 27 15:09:09 wazuh-server opensearch-dashboards[1898]: {"type":"log","@timestamp":"2023-07-27T15:09:09Z","tags":["error","opensearch","data"],"pid":1898,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
    
  • Wazuh indexer - journalctl
    # journalctl -r -u wazuh-indexer.service | grep -i -E "error|critical|fatal|warning"
    jul 27 15:08:24 wazuh-server systemd-entrypoint[2389]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
    jul 27 15:08:24 wazuh-server systemd-entrypoint[2389]: 2023-07-27 15:08:24,048 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
    jul 27 15:08:24 wazuh-server systemd-entrypoint[2389]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
    jul 27 15:08:24 wazuh-server systemd-entrypoint[2389]: 2023-07-27 15:08:24,040 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
    jul 27 15:08:23 wazuh-server systemd-entrypoint[2389]: WARNING: System::setSecurityManager will be removed in a future release
    jul 27 15:08:23 wazuh-server systemd-entrypoint[2389]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
    jul 27 15:08:23 wazuh-server systemd-entrypoint[2389]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
    jul 27 15:08:23 wazuh-server systemd-entrypoint[2389]: WARNING: A terminally deprecated method in java.lang.System has been called
    
  • Wazuh indexer - /var/log/wazuh-indexer
    # xzgrep -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/*
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:08:24,050][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3930m, -Xmx3930m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6010481286962466948, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2060451840, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:13,869][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:20,138][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:27,126][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:29,617][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:29,620][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:29,623][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:29,626][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:32,118][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:32,121][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:32,124][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:32,127][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-27T15:09:33,024][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:08:24,050Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3930m, -Xmx3930m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6010481286962466948, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2060451840, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:13,869Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:20,138Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA" , 
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:22,247Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:22,265Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:22,270Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:22,274Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:23,591Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:24,615Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:24,619Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:24,621Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:24,624Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:27,116Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:27,120Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:27,124Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:27,126Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:29,617Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:29,620Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:29,623Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:29,626Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:32,118Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:32,121Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:32,124Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:32,127Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    /var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:33,024Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "XYbGtFGlToe5bAdSuGQyzg", "node.id": "KXOzDLUrQLG_IiMsD4u7PA"  }
    
    
  • Wazuh server - /var/ossec/logs
    # grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
    0
    # xzgrep -i -E "error|critical|fatal|warning" /var/ossec/logs/wazuh/2023/Jul/* | wc -l
    0
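The "errors found" check above is two greps over two different log formats: the indexer writes one JSON object per line, while ossec.log is a plain `date daemon: LEVEL: message` line. A raw grep counts every hit the same way, so the six `Not yet initialized (you may need to run securityadmin)` errors that the indexer logs during first boot (before the security plugin is initialised) would look identical to a real failure. The following is an added example, not code from the Wazuh project or from this report, of a small triage script that parses both formats, keeps only error/warning levels, and reports that known startup message separately from anything unexpected. The sample log lines are constructed for the example (cluster and node ids are placeholders, and the ossec.log warning and error messages are invented text, not real Wazuh messages); the list of "known transient" messages is an assumption you would maintain per release.

```python
import json
import re
from collections import Counter

# Levels the page's grep treats as findings (indexer uses WARN, ossec.log uses WARNING).
SEVERITIES = ("ERROR", "CRITICAL", "FATAL", "WARNING", "WARN")

# Assumption: messages known to appear transiently on first boot and to be
# expected rather than a defect. The one below is the message seen on this page.
KNOWN_TRANSIENT = (
    "Not yet initialized (you may need to run securityadmin)",
)

# ossec.log format: "2023/07/27 17:12:06 wazuh-agentd: INFO: message"
OSSEC_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+): (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Constructed sample input (not copied from the page; ids are placeholders).
# The first line carries the "file:" prefix that grep -R adds, as in the report.
INDEXER_LOG = """\
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-07-27T15:09:29,626Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "CLUSTER_UUID", "node.id": "NODE_ID"  }
{"type": "server", "timestamp": "2023-07-27T15:09:32,118Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "CLUSTER_UUID", "node.id": "NODE_ID"  }
{"type": "server", "timestamp": "2023-07-27T15:09:40,000Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "started", "cluster.uuid": "CLUSTER_UUID", "node.id": "NODE_ID"  }
{"type": "server", "timestamp": "2023-07-27T15:10:01,000Z", "level": "WARN", "component": "o.o.c.r.a.DiskThresholdMonitor", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "constructed sample warning", "cluster.uuid": "CLUSTER_UUID", "node.id": "NODE_ID"  }
"""

# Constructed sample ossec.log lines; the WARNING/ERROR texts are invented for the example.
OSSEC_LOG = """\
2023/07/27 17:12:06 wazuh-agentd: INFO: Trying to connect to server ([MANAGER_IP]:1514/tcp).
2023/07/27 17:12:06 wazuh-agentd: INFO: (4102): Connected to the server ([MANAGER_IP]:1514/tcp).
2023/07/27 17:12:30 wazuh-remoted: WARNING: constructed sample warning for the example
2023/07/27 17:12:31 wazuh-analysisd: ERROR: constructed sample error for the example
"""


def parse_indexer_line(line):
    """Parse one indexer JSON log line into (level, source, message), or None if not JSON."""
    line = line.strip()
    if not line:
        return None
    # Strip a "path:" prefix left by grep -R so the remainder is a bare JSON object.
    if not line.startswith("{") and ":{" in line:
        line = line[line.index(":{") + 1:]
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec.get("level", ""), rec.get("component", ""), rec.get("message", "")


def parse_ossec_line(line):
    """Parse one ossec.log line into (level, daemon, message), or None if it does not match."""
    m = OSSEC_RE.match(line.strip())
    if not m:
        return None
    return m.group("level"), m.group("daemon"), m.group("msg")


def triage(lines, parser):
    """Count error/warning findings, split into known startup transients and unexpected ones."""
    report = {"scanned": 0, "known_transient": Counter(), "unexpected": Counter()}
    for line in lines:
        parsed = parser(line)
        if parsed is None:
            continue
        report["scanned"] += 1
        level, source, msg = parsed
        if level.upper() not in SEVERITIES:
            continue
        key = f"{level} {source}: {msg}"
        if any(msg.startswith(known) for known in KNOWN_TRANSIENT):
            report["known_transient"][key] += 1
        else:
            report["unexpected"][key] += 1
    return report


def has_unexpected(report):
    """True when anything other than a known transient message was found."""
    return sum(report["unexpected"].values()) > 0


if __name__ == "__main__":
    for name, text, parser in (("indexer", INDEXER_LOG, parse_indexer_line),
                               ("ossec.log", OSSEC_LOG, parse_ossec_line)):
        rep = triage(text.splitlines(), parser)
        print(f"{name}: scanned={rep['scanned']}")
        for bucket in ("known_transient", "unexpected"):
            for key, n in rep[bucket].most_common():
                print(f"  [{bucket}] x{n} {key}")
        print(f"  verdict: {'REVIEW' if has_unexpected(rep) else 'OK'}")
```

Feed the real files in with `triage(open(path), parse_indexer_line)`; deduplicating on the message string is what turns a run of identical startup errors into a single counted line instead of six separate hits.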
    
AMI - Filebeat test
# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
AMI - Wazuh Indexer Cluster
# curl -k -u admin:INSTANCE_ID https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "XYbGtFGlToe5bAdSuGQyzg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "7203a5af21a8a009aece1474446b437a3c674db6",
    "build_date" : "2023-02-24T18:57:04.388618985Z",
    "build_snapshot" : false,
    "lucene_version" : "9.5.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}


# curl -k -u admin:INSTANCE_ID https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1            9          79   1    0.07    0.02     0.09 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

# curl -k -u admin:INSTANCE_ID https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 11,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
AMI - Users
# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard

# grep -R "wazuh" /etc/passwd
wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin

AMI - Versions
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.5.0"
WAZUH_REVISION="40500"
WAZUH_TYPE="server"

# cat /usr/share/wazuh-indexer/VERSION 
4.5.0
# cat /usr/share/wazuh-dashboard/VERSION
4.5.0
# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.6.0",
  "branch": "2.6",
  "build": {
    "number": 45001,
    "sha": "b15a28f9d6d6ec40d695a2eb01442d2a7d6d72d9",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": "14.20.1"
  }
}
AMI - Processes
# ps -ef | grep wazuh


root      2146     1  0 15:07 ?        00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2187     1  0 15:07 ?        00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+  2389     1  2 15:07 ?        00:01:04 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3930m -Xmx3930m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-6010481286962466948 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2060451840 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh     2817     1  0 15:08 ?        00:00:11 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      2857     1  0 15:08 ?        00:00:05 /var/ossec/bin/wazuh-authd
wazuh     2871     1  0 15:08 ?        00:00:01 /var/ossec/bin/wazuh-db
root      2900     1  0 15:08 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     2912     1  0 15:08 ?        00:00:01 /var/ossec/bin/wazuh-analysisd
root      2922     1  0 15:08 ?        00:00:06 /var/ossec/bin/wazuh-syscheckd
wazuh     2926  2817  0 15:08 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2929  2817  0 15:08 ?        00:00:02 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     2945     1  0 15:08 ?        00:00:01 /var/ossec/bin/wazuh-remoted
root      2980     1  0 15:08 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh     3050     1  0 15:08 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root      3060     1  0 15:08 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
wazuh-d+  4460     1  0 15:09 ?        00:00:11 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root      5657  2445  0 15:33 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  5674  5657  0 15:33 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  5675  5674  0 15:33 pts/0    00:00:00 -bash
root      5954  5761  0 15:43 pts/0    00:00:00 grep --color=auto wazuh

# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

@Deblintrake09
Contributor

Analysis report - Solaris 10 SPARC 🟢

System info
# cat /etc/release
                   Oracle Solaris 10 1/13 s10s_u11wos_24a SPARC
  Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
                            Assembled 17 January 2013

# uname -a
SunOS sossp272 5.10 Generic_147147-26 sun4v sparc sun4v
Install
  • Wazuh agent
# /opt/csw/bin/curl -o wazuh-agent_v4.5.0-sol10-sparc.pkg https://packages-dev.wazuh.com/pre-release/solaris/sparc/10/wazuh-agent_v4.5.0-sol10-sparc.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15.0M  100 15.0M    0     0  3616k      0  0:00:04  0:00:04 --:--:-- 3616k

# pkgadd -d wazuh-agent_v4.5.0-sol10-sparc.pkg
The following packages are available:
  1  wazuh-agent     Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                     (sparc) 4.5.0

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 

Processing package instance <wazuh-agent> from </export/home/nuhbx/wazuh-agent_v4.5.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.5.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.
# cat /var/ossec/etc/ossec.conf  | grep address
      <address>AMI_INSTANCE_IP</address>
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
#
  • Wazuh server
# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: sossp273
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp273 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690474439

   Syscheck last started at:  Thu Jul 27 22:12:11 2023
   Syscheck last ended at:    Thu Jul 27 22:12:24 2023
Alert
  • TCP
# grep -i "tcp" /var/ossec/logs/ossec.log 
2023/07/27 17:12:06 wazuh-agentd: INFO: Trying to connect to server ([AMI_INSTANCE_IP]:1514/tcp).
2023/07/27 17:12:06 wazuh-agentd: INFO: (4102): Connected to the server ([AMI_INSTANCE_IP]:1514/tcp).
2023/07/27 17:12:10 wazuh-agentd: INFO: Trying to connect to server ([AMI_INSTANCE_IP]:1514/tcp).
2023/07/27 17:12:10 wazuh-agentd: INFO: (4102): Connected to the server ([AMI_INSTANCE_IP]:1514/tcp).
#
{"timestamp":"2023-07-27T16:13:14.905+0000","rule":{"level":7,"description":"SCA summary: System audit for Unix based systems: Score less than 50% (45)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"sossp273","ip":"192.168.241.173"},"manager":{"name":"wazuh-server"},"id":"1690474394.92231","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"11516","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"5","failed":"6","invalid":"12","total_checks":"23","score":"45","file":"sca_unix_audit.yml"}},"location":"sca"}
  • UDP
# cat /var/ossec/etc/ossec.conf  | grep udp                          
              <protocol>udp</protocol>
# /var/ossec/bin/wazuh-control restart                          
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.5.0 Stopped
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# grep -i "udp" /var/ossec/logs/ossec.log    
2023/07/27 17:14:15 wazuh-agentd: INFO: Trying to connect to server ([AMI_INSTANCE_IP]:1514/udp).
2023/07/27 17:14:15 wazuh-agentd: INFO: (4102): Connected to the server ([AMI_INSTANCE_IP]:1514/udp).
Remove
# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.5.0

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.5.0 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.
# ls -la /var/ossec
total 14
drwxr-x---   4 root     57447          4 Jul 27 17:16 .
drwxr-xr-x  49 root     sys           49 Jul 27 17:09 ..
drwxrwx---   3 46203    57447          3 Jul 27 17:16 etc
drwxr-x---   8 root     57447          8 Jul 27 17:16 queue

# ls -la /var/ossec/etc/
total 9
drwxrwx---   3 46203    57447          3 Jul 27 17:16 .
drwxr-x---   4 root     57447          4 Jul 27 17:16 ..
drwxrwx---   2 root     57447          5 Jul 27 17:16 shared

# ls -la /var/ossec/etc/shared/
total 1807
drwxrwx---   2 root     57447          5 Jul 27 17:16 .
drwxrwx---   3 46203    57447          3 Jul 27 17:16 ..
-rw-r--r--   1 46203    57447         76 Jul 27 17:12 agent.conf
-rw-r--r--   1 46203    57447        228 Jul 27 17:12 ar.conf
-rw-r--r--   1 46203    57447     899315 Jul 27 17:12 merged.mg

# ls -la /var/ossec/queue/   
total 24
drwxr-x---   8 root     57447          8 Jul 27 17:16 .
drwxr-x---   4 root     57447          4 Jul 27 17:16 ..
drwxrwx---   2 46203    57447          4 Jul 27 17:12 alerts
drwxr-x---   3 46203    57447          3 Jul 27 17:09 fim
drwxr-x---   2 46203    57447          3 Jul 27 17:11 logcollector
drwxr-x---   2 46203    57447          4 Jul 27 17:12 rids
drwxrwx---   2 46203    57447         10 Jul 27 17:12 sockets
drwxr-x---   3 46203    57447          3 Jul 27 17:16 syscollector
Upgrade 4.4.5 -> 4.5.0
# /opt/csw/bin/curl -o wazuh-agent_v4.4.5-sol10-sparc.pkg https://packages.wazuh.com/4.x/solaris/sparc/10/wazuh-agent_v4.4.5-sol10-sparc.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15.0M  100 15.0M    0     0  3776k      0  0:00:04  0:00:04 --:--:-- 3777k
#
# pkgadd -d wazuh-agent_v4.4.5-sol10-sparc.pkg

The following packages are available:
  1  wazuh-agent     Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                     (sparc) 4.4.5

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 

Processing package instance <wazuh-agent> from </export/home/nuhbx/wazuh-agent_v4.4.5-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.4.5
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.

The following files are already installed on the system and are being
used by another package:
* /var/ossec <attribute change only>
* /var/ossec/etc <attribute change only>
* /var/ossec/etc/shared <attribute change only>
* /var/ossec/queue <attribute change only>
* /var/ossec/queue/alerts <attribute change only>
* /var/ossec/queue/fim <attribute change only>
* /var/ossec/queue/fim/db <attribute change only>
* /var/ossec/queue/logcollector <attribute change only>
* /var/ossec/queue/rids <attribute change only>
* /var/ossec/queue/sockets <attribute change only>
* /var/ossec/queue/syscollector <attribute change only>
* /var/ossec/queue/syscollector/db <attribute change only>

* - conflict with a file which does not belong to any package.

Do you want to install these conflicting files [y,n,?,q] y
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# 
# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sossp273
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp273 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.4.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690478236

   Syscheck last started at:  Thu Jul 27 23:16:26 2023
   Syscheck last ended at:    Thu Jul 27 23:16:30 2023

# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.5.0 Stopped
# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
# cp /var/ossec/etc/client.keys ~/client.keys.bk
# pkgrm wazuh-agent
The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.4.5

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.4.5 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.


# pkgadd -d wazuh-agent_v4.5.0-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </export/home/nuhbx/wazuh-agent_v4.5.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.5.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.

The following files are already installed on the system and are being
used by another package:
* /var/ossec <attribute change only>
* /var/ossec/etc <attribute change only>
* /var/ossec/etc/shared <attribute change only>
* /var/ossec/queue <attribute change only>
* /var/ossec/queue/alerts <attribute change only>
* /var/ossec/queue/fim <attribute change only>
* /var/ossec/queue/fim/db <attribute change only>
* /var/ossec/queue/logcollector <attribute change only>
* /var/ossec/queue/rids <attribute change only>
* /var/ossec/queue/sockets <attribute change only>
* /var/ossec/queue/syscollector <attribute change only>
* /var/ossec/queue/syscollector/db <attribute change only>

* - conflict with a file which does not belong to any package.

Do you want to install these conflicting files [y,n,?,q] y
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.


# mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf
# chown root:wazuh /var/ossec/etc/ossec.conf

# mv ~/client.keys.bk /var/ossec/etc/client.keys
# chown root:wazuh /var/ossec/etc/client.keys 

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sossp273
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp273 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690478475

   Syscheck last started at:  Thu Jul 27 23:20:07 2023
   Syscheck last ended at:    Thu Jul 27 23:20:11 2023
Users and groups
# cat /etc/passwd | grep wazuh
wazuh:x:46203:57447::/var/ossec:/bin/false
# cat /etc/group | grep wazuh
wazuh::57447:

@Deblintrake09

Deblintrake09 commented Jul 27, 2023

Analysis report - AIX 🟢

System info
bash-4.4# hostname
soaxp078
bash-4.4# uname -a
AIX soaxp078 1 6 00CADA644C00
Install
  • Wazuh agent
# curl -OL https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.5.0-1.aix.ppc.rpm -k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8268k  100 8268k    0     0  4293k      0  0:00:01  0:00:01 --:--:-- 4293k

bash-4.4# rpm -qip wazuh-agent-4.5.0-1.aix.ppc.rpm
Name        : wazuh-agent                  Relocations: (not relocateable)
Version     : 4.5.0                             Vendor: Wazuh, Inc <info@wazuh.com>
Release     : 1                             Build Date: Tue Jul 25 10:43:53 2023
Install date: (not installed)               Build Host: soaxp078
Group       : System Environment/Daemons    Source RPM: wazuh-agent-4.5.0-1.src.rpm
Size        : 27777507                         License: GPL
Packager    : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

bash-4.4# WAZUH_MANAGER="AMI_INSTANCE_IP" rpm -ivh wazuh-agent-4.5.0-1.aix.ppc.rpm
wazuh-agent                 ##################################################


bash-4.4# rpm -qi wazuh-agent
Name        : wazuh-agent                  Relocations: (not relocateable)
Version     : 4.5.0                             Vendor: Wazuh, Inc <info@wazuh.com>
Release     : 1                             Build Date: Tue Jul 25 10:43:53 2023
Install date: Thu Jul 27 13:18:00 2023      Build Host: soaxp078
Group       : System Environment/Daemons    Source RPM: wazuh-agent-4.5.0-1.src.rpm
Size        : 27777507                         License: GPL
Packager    : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
  • Wazuh server
# /var/ossec/bin/agent_control -i 009

Wazuh agent_control. Agent information:
   Agent ID:   009
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690482146

   Syscheck last started at:  Thu Jul 27 18:21:27 2023
   Syscheck last ended at:    Thu Jul 27 18:21:32 2023
Alert
  • TCP
bash-4.4# grep -Ei "tcp" /var/ossec/logs/ossec.log
2023/07/27 13:20:48 wazuh-agentd: INFO: Trying to connect to server ([AMI_INSTANCE_IP]:1514/tcp).
2023/07/27 13:20:48 wazuh-agentd: INFO: (4102): Connected to the server ([AMI_INSTANCE_IP]:1514/tcp).
{"timestamp":"2023-07-27T18:21:31.867+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":26,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"009","name":"soaxp078"},"manager":{"name":"wazuh-server"},"id":"1690482091.686107","full_log":"File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_notifier"},"location":"rootcheck"}
  • UDP
bash-4.4# grep -Ei "udp" /var/ossec/logs/ossec.log
2023/07/27 13:20:48 wazuh-agentd: INFO: Trying to connect to server ([AMI_INSTANCE_IP]:1514/udp).
2023/07/27 13:20:48 wazuh-agentd: INFO: (4102): Connected to the server ([AMI_INSTANCE_IP]:1514/udp).
2023/07/27 13:21:26 wazuh-agentd: INFO: Trying to connect to server ([AMI_INSTANCE_IP]:1514/udp).
2023/07/27 13:21:26 wazuh-agentd: INFO: (4102): Connected to the server ([AMI_INSTANCE_IP]:1514/udp).
{"timestamp":"2023-07-27T18:21:31.865+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":25,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"009","name":"soaxp078"},"manager":{"name":"wazuh-server"},"id":"1690482091.685702","full_log":"File '/tmp/.com_ibm_tools_attach/_master' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_master"},"location":"rootcheck"}
{"timestamp":"2023-07-27T18:21:31.867+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":26,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"009","name":"soaxp078"},"manager":{"name":"wazuh-server"},"id":"1690482091.686107","full_log":"File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_notifier"},"location":"rootcheck"}
Remove
bash-4.4# rpm -e wazuh-agent
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty
Upgrade 4.4.5 -> 4.5.0
bash-4.4# curl -k -LO https://packages.wazuh.com/4.x/aix/wazuh-agent-4.4.5-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8254k  100 8254k    0     0  4367k      0  0:00:01  0:00:01 --:--:-- 4367k
bash-4.4# WAZUH_MANAGER="AMI_INSTANCE_IP" rpm -ivh wazuh-agent-4.4.5-1.aix.ppc.rpm
wazuh-agent                 ##################################################
bash-4.4# 

bash-4.4# /var/ossec/bin/wazuh-control start
2023/07/27 13:32:23 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/07/27 13:32:23 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/07/27 13:32:23 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/07/27 13:32:23 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/07/27 13:32:23 wazuh-logcollector: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/07/27 13:32:23 wazuh-modulesd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Starting Wazuh v4.4.5...
Started wazuh-execd...
2023/07/27 13:32:23 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/07/27 13:32:23 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-agentd...
2023/07/27 13:32:24 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/07/27 13:32:24 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-syscheckd...
2023/07/27 13:32:24 wazuh-logcollector: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-logcollector...
2023/07/27 13:32:24 wazuh-modulesd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-modulesd...
Completed.
  • Wazuh-manager
# /var/ossec/bin/agent_control -i 010

Wazuh agent_control. Agent information:
   Agent ID:   010
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.4.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690482793

   Syscheck last started at:  Thu Jul 27 18:32:24 2023
   Syscheck last ended at:    Thu Jul 27 18:32:50 2023
  • Agent
# rpm -U wazuh-agent-4.5.0-1.aix.ppc.rpm
#   /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.0...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.
  • Manager
# /var/ossec/bin/agent_control -i 010

Wazuh agent_control. Agent information:
   Agent ID:   010
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690482902

   Syscheck last started at:  Thu Jul 27 18:33:53 2023
   Syscheck last ended at:    Thu Jul 27 18:33:59 2023
Users and groups
# cat /etc/passwd | grep wazuh
wazuh:*:209:1::/home/wazuh:/usr/bin/ksh
bash-4.4# cat /etc/group | grep wazuh
wazuh:!:208:wazuh

@wazuhci wazuhci moved this to In progress in Release 4.5.0 Jul 28, 2023
@Deblintrake09

Deblintrake09 commented Jul 28, 2023

Analysis report - PPC64LE 🟢

Deployment + Install

CentOS 7
[root@wazuh3 centos]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (AltArch)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (AltArch)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7:server"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[root@wazuh3 centos]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@wazuh3 centos]# cat > /etc/yum.repos.d/wazuh.repo << EOF
> [wazuh]
> gpgcheck=1
> gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
> enabled=1
> name=EL-\$releasever - Wazuh
> baseurl=https://packages-dev.wazuh.com/pre-release/yum/
> protect=1
> EOF
[root@wazuh3 centos]# WAZUH_MANAGER="AMI_INSTANCE_IP" yum install wazuh-agent
Complementos cargados:fastestmirror, product-id, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

Determining fastest mirrors
base                                                                        | 3.6 kB  00:00:00     
extras                                                                      | 2.9 kB  00:00:00     
updates                                                                     | 2.9 kB  00:00:00     
wazuh                                                                       | 3.4 kB  00:00:00     
(1/3): extras/7/ppc64le/primary_db                                          | 230 kB  00:00:00     
(2/3): updates/7/ppc64le/primary_db                                         |  17 MB  00:00:00     
(3/3): wazuh/primary_db                                                     | 343 kB  00:00:00     
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-agent.ppc64le 0:4.5.0-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

===================================================================================================
 Package                   Arquitectura          Versión                 Repositorio         Tamaño
===================================================================================================
Instalando:
 wazuh-agent               ppc64le               4.5.0-1                 wazuh               6.2 M

Resumen de la transacción
===================================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 6.2 M
Tamaño instalado: 30 M
Is this ok [y/d/N]: y
Downloading packages:
wazuh-agent-4.5.0-1.ppc64le.rpm                                             | 6.2 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : wazuh-agent-4.5.0-1.ppc64le                                                  1/1 
  Comprobando   : wazuh-agent-4.5.0-1.ppc64le                                                  1/1 

Instalado:
  wazuh-agent.ppc64le 0:4.5.0-1                                                                    


[root@wazuh3 centos]# /var/ossec/bin/wazuh-control start 
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

[root@wazuh3 centos]# ps -ef | grep wazuh
root       321 31486  0 15:34 pts/0    00:00:00 grep --color=auto wazuh
root     32397     1  0 15:34 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    32409     1  0 15:34 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root     32423     1  0 15:34 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root     32436     1  0 15:34 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root     32454     1  2 15:34 ?        00:00:00 /var/ossec/bin/wazuh-modulesd

[root@wazuh3 centos]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.5.0"
WAZUH_REVISION="40500"
WAZUH_TYPE="agent"

[root@wazuh3 centos]# grep "tcp" /var/ossec/logs/ossec.log
2023/07/28 15:35:02 wazuh-agentd: INFO: Trying to connect to server ([3.235.62.234]:1514/tcp).
2023/07/28 15:35:02 wazuh-agentd: INFO: (4102): Connected to the server ([3.235.62.234]:1514/tcp).
2023/07/28 15:35:08 wazuh-agentd: INFO: Trying to connect to server ([3.235.62.234]:1514/tcp).
2023/07/28 15:35:08 wazuh-agentd: INFO: (4102): Connected to the server ([3.235.62.234]:1514/tcp).

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 005, Name: sossp273, IP: any, Disconnected
   ID: 006, Name: sovmh336, IP: any, Disconnected
   ID: 008, Name: sossp613, IP: any, Disconnected
   ID: 010, Name: soaxp078, IP: any, Disconnected
   ID: 011, Name: wazuh3.novalocal, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 011

Wazuh agent_control. Agent information:
   Agent ID:   011
   Agent Name: wazuh3.novalocal
   IP address: any
   Status:     Active

   Operating system:    Linux |wazuh3.novalocal |3.10.0-957.21.3.el7.ppc64le |#1 SMP Tue Jun 18 16:48:04 UTC 2019 |ppc64le
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690558618

   Syscheck last started at:  Fri Jul 28 15:35:11 2023
   Syscheck last ended at:    Fri Jul 28 15:36:16 2023

[root@wazuh3 centos]# sed -i "s/tcp/udp/" /var/ossec/etc/ossec.conf

[root@wazuh3 centos]# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.5.0 Stopped
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

[root@wazuh3 centos]# grep "udp" /var/ossec/logs/ossec.log
2023/07/28 15:38:09 wazuh-agentd: INFO: Trying to connect to server ([3.235.62.234]:1514/udp).
2023/07/28 15:38:09 wazuh-agentd: INFO: (4102): Connected to the server ([3.235.62.234]:1514/udp).

[root@wazuh3 centos]# cat /etc/passwd | grep wazuh
wazuh:x:994:990::/var/ossec:/sbin/nologin
[root@wazuh3 centos]# cat /etc/passwd | grep wazuh
wazuh:x:994:990::/var/ossec:/sbin/nologin
[root@wazuh3 centos]#

Debian Stretch
root@wazuh1:/home/debian# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@wazuh1:/home/debian#
root@wazuh1:/home/debian#

root@wazuh1:/home/debian# WAZUH_MANAGER="3.238.245.177" apt install ./wazuh-agent_4.4.2-1_ppc64el.deb 
# apt install /home/debian/wazuh-agent_4.5.0-1_ppc64el.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of '/home/debian/wazuh-agent_4.5.0-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 0 B/5,304 kB of archives.
After this operation, 34.4 MB of additional disk space will be used.
Get:1 /home/debian/wazuh-agent_4.5.0-1_ppc64el.deb wazuh-agent ppc64el 4.5.0-1 [5,304 kB]
Preconfiguring packages ...       
Selecting previously unselected package wazuh-agent.
(Reading database ... 38212 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.5.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.5.0-1) ...
Setting up wazuh-agent (4.5.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.


root@wazuh1:/home/debian# ps -ef | grep wazuh
root     14671     1  0 17:55 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    14681     1  0 17:55 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root     14694     1  0 17:55 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root     14705     1  0 17:55 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root     14723     1  2 17:55 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     15036 13536  0 17:56 pts/0    00:00:00 grep wazuh


# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.5.0"
WAZUH_REVISION="40500"
WAZUH_TYPE="agent"
#  /var/ossec/bin/agent_control -i 013

Wazuh agent_control. Agent information:
   Agent ID:   013
   Agent Name: wazuh1
   IP address: any
   Status:     Active

   Operating system:    Linux |wazuh1 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690567080

   Syscheck last started at:  Fri Jul 28 17:56:54 2023
   Syscheck last ended at:    Fri Jul 28 17:57:27 2023
root@wazuh1:/home/debian# grep "udp" /var/ossec/logs/ossec.log
2023/07/28 17:56:15 wazuh-agentd: INFO: Trying to connect to server ([3.235.62.234]:1514/udp).
2023/07/28 17:56:15 wazuh-agentd: INFO: (4102): Connected to the server ([3.235.62.234]:1514/udp).
2023/07/28 17:56:50 wazuh-agentd: INFO: Trying to connect to server ([3.235.62.234]:1514/udp).
2023/07/28 17:56:50 wazuh-agentd: INFO: (4102): Connected to the server ([3.235.62.234]:1514/udp).



root@wazuh1:/home/debian# sed -i "s/tcp/udp/" /var/ossec/etc/ossec.conf

root@wazuh1:/home/debian# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.5.0 Stopped
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.


root@wazuh1:/home/debian# grep "tcp" /var/ossec/logs/ossec.log
2023/07/28 18:01:44 wazuh-agentd: INFO: Trying to connect to server ([3.235.62.234]:1514/tcp).
2023/07/28 18:01:44 wazuh-agentd: INFO: (4102): Connected to the server ([3.235.62.234]:1514/tcp).


root@wazuh1:/home/debian# cat /etc/passwd | grep wazuh
wazuh:x:107:111::/var/ossec:/bin/false
root@wazuh1:/home/debian# cat /etc/group | grep wazuh
wazuh:x:111:

Alerts

CentOS 7
{"timestamp":"2023-07-28T15:37:36.953+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"011","name":"wazuh3.novalocal","ip":"140.211.169.156"},"manager":{"name":"wazuh-server"},"id":"1690558656.1143187","full_log":"ossec: Agent stopped: 'wazuh3.novalocal->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"wazuh3.novalocal->any"},"location":"wazuh-remoted"}
{"timestamp":"2023-07-28T15:38:09.492+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"011","name":"wazuh3.novalocal","ip":"140.211.169.156"},"manager":{"name":"wazuh-server"},"id":"1690558689.1145332","full_log":"ossec: Agent started: 'wazuh3.novalocal->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"wazuh3.novalocal->any"},"location":"wazuh-agent"}
Debian Stretch
{"timestamp":"2023-07-28T17:59:38.390+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1690567178.2301354","full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2023-07-28T18:01:44.810+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"013","name":"wazuh1","ip":"140.211.169.152"},"manager":{"name":"wazuh-server"},"id":"1690567304.2303366","full_log":"ossec: Agent started: 'wazuh1->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"wazuh1->any"},"location":"wazuh-agent"}

Remove

CentOS 7
[root@wazuh3 centos]#  ps -ef | grep wazuh
root      1043     1  0 15:37 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     1055     1  0 15:37 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      1068     1  8 15:37 ?        00:00:15 /var/ossec/bin/wazuh-syscheckd
root      1082     1  0 15:37 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      1100     1  0 15:37 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      1890 31486  0 15:40 pts/0    00:00:00 grep --color=auto wazuh


[root@wazuh3 centos]# yum remove wazuh-agent
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.5.0-1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================
 Package                   Arch                  Version                Repository           Size
===================================================================================================
Removing:
 wazuh-agent               ppc64le               4.5.0-1                @wazuh                30 M

Transaction Summary
===================================================================================================
Remove  1 Package

Installed size: 30 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing       : wazuh-agent-4.5.0-1.ppc64le                                                  1/1 
warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave
warning: /var/ossec/etc/client.keys saved as /var/ossec/etc/client.keys.rpmsave
  Verifying     : wazuh-agent-4.5.0-1.ppc64le                                                  1/1 

Removed:
  wazuh-agent.ppc64le 0:4.5.0-1                                                                    

Complete!

[root@wazuh3 centos]# ps -ef | grep wazuh
root      3321 31486  0 15:44 pts/0    00:00:00 grep --color=auto wazuh

[root@wazuh3 centos]# cat /etc/passwd | grep wazuh
[root@wazuh3 centos]# cat /etc/group | grep wazuh

[root@wazuh3 centos]# ls -l /var/ossec/etc/
total 12
-rw-r-----. 1  994 990   90 Jul 28 15:34 client.keys.rpmsave
-rw-rw----. 1 root 990 5649 Jul 28 15:37 ossec.conf.rpmsave
Debian Stretch
root@wazuh1:/home/debian# ps -ef | grep wazuh
root     16327     1  0 18:01 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    16338     1  0 18:01 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root     16351     1 10 18:01 ?        00:00:10 /var/ossec/bin/wazuh-syscheckd
root     16362     1  0 18:01 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root     16379     1  0 18:01 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     17000 13536  0 18:03 pts/0    00:00:00 grep wazuh

root@wazuh1:/home/debian#  apt-get remove wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  wazuh-agent
0 upgraded, 0 newly installed, 1 to remove and 4 not upgraded.
After this operation, 34.4 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 38585 files and directories currently installed.)
Removing wazuh-agent (4.5.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...

root@wazuh1:/home/debian# ls -ltR /var/ossec/
/var/ossec/:
total 8
drwxr-xr-x 3 root root  4096 Jul 28 18:03 etc
drwxr-x--- 8 root wazuh 4096 Jul 28 18:03 queue

/var/ossec/etc:
total 20
drwxrwx--- 2 root  wazuh 4096 Jul 28 18:03 shared
-rw-rw---- 1 root  wazuh 5755 Jul 28 18:01 ossec.conf.save
-rw-r----- 1 wazuh wazuh   80 Jul 28 17:55 client.keys.save
-rw-r----- 1 root  wazuh  320 Jul 19 13:45 local_internal_options.conf.save

/var/ossec/etc/shared:
total 1808
-rw-r--r-- 1 wazuh wazuh     76 Jul 28 17:56 agent.conf.save
-rw-r--r-- 1 wazuh wazuh    228 Jul 28 17:56 ar.conf.save
-rw-r--r-- 1 wazuh wazuh  28411 Jul 28 17:56 cis_apache2224_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  12576 Jul 28 17:56 cis_debian_linux_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh   7609 Jul 28 17:56 cis_mysql5-6_community_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  10297 Jul 28 17:56 cis_mysql5-6_enterprise_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  35781 Jul 28 17:56 cis_rhel5_linux_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  33870 Jul 28 17:56 cis_rhel6_linux_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  36957 Jul 28 17:56 cis_rhel7_linux_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  17658 Jul 28 17:56 cis_rhel_linux_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  34376 Jul 28 17:56 cis_sles11_linux_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  35081 Jul 28 17:56 cis_sles12_linux_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  94877 Jul 28 17:56 cis_win2012r2_domainL1_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  28006 Jul 28 17:56 cis_win2012r2_domainL2_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh 100530 Jul 28 17:56 cis_win2012r2_memberL1_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh 376002 Jul 28 17:56 cis_win2012r2_memberL2_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh  16174 Jul 28 17:56 rootkit_files.txt.save
-rw-r--r-- 1 wazuh wazuh   5548 Jul 28 17:56 rootkit_trojans.txt.save
-rw-r--r-- 1 wazuh wazuh   4466 Jul 28 17:56 system_audit_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh   3285 Jul 28 17:56 system_audit_ssh.txt.save
-rw-r--r-- 1 wazuh wazuh   5214 Jul 28 17:56 win_applications_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh   4277 Jul 28 17:56 win_audit_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh   7314 Jul 28 17:56 win_malware_rcl.txt.save
-rw-r--r-- 1 wazuh wazuh 899315 Jul 28 17:56 merged.mg.save

/var/ossec/queue:
total 24
drwxr-x--- 3 wazuh wazuh 4096 Jul 28 18:03 syscollector
drwxrwx--- 2 wazuh wazuh 4096 Jul 28 18:01 sockets
drwxrwx--- 2 wazuh wazuh 4096 Jul 28 18:01 alerts
drwxr-x--- 2 wazuh wazuh 4096 Jul 28 17:56 rids
drwxr-x--- 2 wazuh wazuh 4096 Jul 28 17:55 logcollector
drwxr-x--- 3 wazuh wazuh 4096 Jul 28 17:54 fim

/var/ossec/queue/syscollector:
total 4
drwxr-x--- 2 wazuh wazuh 4096 Jul 28 18:01 db

/var/ossec/queue/syscollector/db:
total 172
-rw-r--r-- 1 root root 176128 Jul 28 18:01 local.db

/var/ossec/queue/sockets:
total 0
srw-rw---- 1 root  wazuh 0 Jul 28 18:01 upgrade
srw-rw---- 1 root  wazuh 0 Jul 28 18:01 control
srw-rw---- 1 root  wazuh 0 Jul 28 18:01 wmodules
srw-rw---- 1 root  wazuh 0 Jul 28 18:01 logcollector
srw-rw---- 1 root  wazuh 0 Jul 28 18:01 syscheck
srw-rw---- 1 wazuh wazuh 0 Jul 28 18:01 queue
srw-rw---- 1 root  wazuh 0 Jul 28 18:01 com

/var/ossec/queue/alerts:
total 0
srw-rw---- 1 root wazuh 0 Jul 28 18:01 cfgaq
srw-rw---- 1 root wazuh 0 Jul 28 18:01 execq

/var/ossec/queue/rids:
total 8
-rw-r--r-- 1 wazuh wazuh 7 Jul 28 18:03 sender_counter
-rw-r--r-- 1 wazuh wazuh 7 Jul 28 18:03 013

/var/ossec/queue/logcollector:
total 4
-rw-r--r-- 1 root wazuh 602 Jul 28 18:03 file_status.json

/var/ossec/queue/fim:
total 4
drwxr-x--- 2 wazuh wazuh 4096 Jul 28 18:01 db

/var/ossec/queue/fim/db:
total 1000
-rw-rw---- 1 root wazuh       0 Jul 28 18:01 fim.db-journal
-rw-rw---- 1 root wazuh 1019904 Jul 28 18:01 fim.db

root@wazuh1:/home/debian# apt-get remove --purge wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  wazuh-agent*
0 upgraded, 0 newly installed, 1 to remove and 4 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
(Reading database ... 38226 files and directories currently installed.)
Purging configuration files for wazuh-agent (4.5.0-1) ...
wazuh:x:107:111::/var/ossec:/bin/false
Processing triggers for systemd (232-25+deb9u12) ...


root@wazuh1:/home/debian# ls -ltR /var/ossec/
ls: cannot access '/var/ossec/': No such file or directory

Upgrade

CentOS 7
[root@wazuh3 centos]# WAZUH_MANAGER="AMI_INSTANCE_IP" yum localinstall wazuh-agent-4.4.5-1.ppc64le.rpm -y
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

Examining wazuh-agent-4.4.5-1.ppc64le.rpm: wazuh-agent-4.4.5-1.ppc64le
Marking wazuh-agent-4.4.5-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.4.5-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================
 Package             Arch            Version            Repository                           Size
===================================================================================================
Installing:
 wazuh-agent         ppc64le         4.4.5-1            /wazuh-agent-4.4.5-1.ppc64le          30 M

Transaction Summary
===================================================================================================
Install  1 Package

Total size: 30 M
Installed size: 30 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing    : wazuh-agent-4.4.5-1.ppc64le                                                  1/1 
  Verifying     : wazuh-agent-4.4.5-1.ppc64le                                                  1/1 

Installed:
  wazuh-agent.ppc64le 0:4.4.5-1                                                                    

Complete!


[root@wazuh3 centos]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

[root@wazuh3 centos]# ps -ef | grep wazuh
root      5528     1  0 17:45 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     5540     1  0 17:45 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      5555     1 39 17:45 ?        00:00:03 /var/ossec/bin/wazuh-syscheckd
root      5567     1  0 17:45 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      5586     1  5 17:45 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      5726  4117  0 17:45 pts/0    00:00:00 grep --color=auto wazuh


#  /var/ossec/bin/agent_control -i 012

Wazuh agent_control. Agent information:
   Agent ID:   012
   Agent Name: wazuh3.novalocal
   IP address: any
   Status:     Active

   Operating system:    Linux |wazuh3.novalocal |3.10.0-957.21.3.el7.ppc64le |#1 SMP Tue Jun 18 16:48:04 UTC 2019 |ppc64le
   Client version:      Wazuh v4.4.5
   Configuration hash:  (null)
   Shared file hash:    bc38f6751d65957f1387727a6fdf5a6e
   Last keep alive:     1690566412

   Syscheck last started at:  Fri Jul 28 17:45:24 2023
   Syscheck last ended at:    Fri Jul 28 17:46:35 2023
  • Update agent
[root@wazuh3 centos]# yum localinstall wazuh-agent-4.5.0-1.ppc64le.rpm -y
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

Examining wazuh-agent-4.5.0-1.ppc64le.rpm: wazuh-agent-4.5.0-1.ppc64le
Marking wazuh-agent-4.5.0-1.ppc64le.rpm as an update to wazuh-agent-4.4.5-1.ppc64le
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.4.5-1 will be updated
---> Package wazuh-agent.ppc64le 0:4.5.0-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================
 Package             Arch            Version            Repository                           Size
===================================================================================================
Updating:
 wazuh-agent         ppc64le         4.5.0-1            /wazuh-agent-4.5.0-1.ppc64le          30 M

Transaction Summary
===================================================================================================
Upgrade  1 Package

Total size: 30 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating      : wazuh-agent-4.5.0-1.ppc64le                                                  1/2 
  Cleanup       : wazuh-agent-4.4.5-1.ppc64le                                                  2/2 
  Verifying     : wazuh-agent-4.5.0-1.ppc64le                                                  1/2 
  Verifying     : wazuh-agent-4.4.5-1.ppc64le                                                  2/2 

Updated:
  wazuh-agent.ppc64le 0:4.5.0-1                                                                    

Complete!


[root@wazuh3 centos]# ps -ef | grep wazuh
root      6205     1  0 17:48 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     6217     1  0 17:48 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      6231     1 15 17:48 ?        00:00:09 /var/ossec/bin/wazuh-syscheckd
root      6244     1  0 17:48 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      6261     1  0 17:48 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      6682  4117  0 17:49 pts/0    00:00:00 grep --color=auto wazuh


#  /var/ossec/bin/agent_control -i 012

Wazuh agent_control. Agent information:
   Agent ID:   012
   Agent Name: wazuh3.novalocal
   IP address: any
   Status:     Active

   Operating system:    Linux |wazuh3.novalocal |3.10.0-957.21.3.el7.ppc64le |#1 SMP Tue Jun 18 16:48:04 UTC 2019 |ppc64le
   Client version:      Wazuh v4.5.0
   Configuration hash:  (null)
   Shared file hash:    0c0fe9370b526cdb4f8e130d3f6dac07
   Last keep alive:     1690566643

   Syscheck last started at:  Fri Jul 28 17:48:27 2023
   Syscheck last ended at:    Fri Jul 28 17:49:05 2023

Debian Stretch
root@wazuh1:/home/debian# WAZUH_MANAGER="AMI_INSTANCE_IP" apt install ./wazuh-agent_4.4.5-1_ppc64el.deb
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of '/home/debian/wazuh-agent_4.4.5-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 0 B/5,300 kB of archives.
After this operation, 34.4 MB of additional disk space will be used.
Get:1 /home/debian/wazuh-agent_4.4.5-1_ppc64el.deb wazuh-agent ppc64el 4.4.5-1 [5,300 kB]
Preconfiguring packages ...       
Selecting previously unselected package wazuh-agent.
(Reading database ... 38212 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.4.5-1_ppc64el.deb ...
Unpacking wazuh-agent (4.4.5-1) ...
Setting up wazuh-agent (4.4.5-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...

root@wazuh1:/home/debian# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@wazuh1:/home/debian# ps -ef | grep wazuh
root     18786     1  0 18:08 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    18796     1  0 18:08 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root     18811     1 18 18:08 ?        00:00:10 /var/ossec/bin/wazuh-syscheckd
root     18822     1  0 18:08 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root     18839     1  0 18:08 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     19472 13536  0 18:09 pts/0    00:00:00 grep wazuh
#  /var/ossec/bin/agent_control -i 014

Wazuh agent_control. Agent information:
   Agent ID:   014
   Agent Name: wazuh1
   IP address: any
   Status:     Active

   Operating system:    Linux |wazuh1 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.4.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690567719

   Syscheck last started at:  Fri Jul 28 18:08:24 2023
   Syscheck last ended at:    Fri Jul 28 18:08:33 2023
  • Update agent
root@wazuh1:/home/debian# apt-get install ./wazuh-agent_4.5.0-1_ppc64el.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'wazuh-agent' instead of '/home/debian/wazuh-agent_4.5.0-1_ppc64el.deb'
The following packages will be upgraded:
  wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 0 B/5,304 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 /home/debian/wazuh-agent_4.5.0-1_ppc64el.deb wazuh-agent ppc64el 4.5.0-1 [5,304 kB]
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 38585 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.5.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.5.0-1) over (4.4.5-1) ...
Setting up wazuh-agent (4.5.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...

root@wazuh1:/home/debian# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.0...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.

#  /var/ossec/bin/agent_control -i 014

Wazuh agent_control. Agent information:
   Agent ID:   014
   Agent Name: wazuh1
   IP address: any
   Status:     Active

   Operating system:    Linux |wazuh1 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690567857

   Syscheck last started at:  Fri Jul 28 18:10:28 2023
   Syscheck last ended at:    Fri Jul 28 18:10:39 2023


</details>
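The PPC64EL checks in the report above are done by hand: the manager protocol is flipped with a blanket `sed "s/tcp/udp/"` on ossec.conf, the agent is restarted, ossec.log is grepped for the connection line, `ps -ef` is inspected for which user each daemon runs as, and the leftovers of `apt-get remove` / `yum remove` are listed. The following script is an added example, not part of this test report or of the Wazuh project, that turns those checks into POSIX sh functions a release tester or an agent hardening job can run. It reads the `<protocol>` element rather than a bare "tcp" substring, compares it with the protocol the agent actually connected with, verifies the least-privilege split seen in the listings above (only agentd, analysisd, db, remoted and monitord run as the `wazuh` user), and flags the `client.keys.save` / `client.keys.rpmsave` files that both package managers leave behind after a remove without purge. The sample inputs are constructed here from the shape of the lines in the report; the manager address 192.0.2.10 and the temporary directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Wazuh test report or the Wazuh project:
# scripted versions of the manual checks above (configured vs. connected
# protocol, daemon ownership, key material left behind by a plain remove).
# Sample inputs are constructed from the kind of lines the report shows;
# 192.0.2.10 is a placeholder manager address.

# Protocol the agent is configured with, read from the <protocol> element only.
# (A blanket sed "s/tcp/udp/" rewrites the first "tcp" on every line of
# ossec.conf, so it can also touch unrelated settings or comments.)
configured_protocol() {
  # $1: path to ossec.conf
  sed -n 's/.*<protocol>[[:space:]]*\([A-Za-z]*\)[[:space:]]*<\/protocol>.*/\1/p' "$1" \
    | head -n 1 | tr 'A-Z' 'a-z'
}

# Protocol the agent last connected with, from the newest
# "(4102): Connected to the server ([host]:port/proto)" line in ossec.log.
connected_protocol() {
  # $1: path to ossec.log
  grep '(4102): Connected to the server' "$1" | tail -n 1 \
    | sed -n 's/.*:[0-9]*\/\([a-z]*\)).*/\1/p'
}

# Exit 0 only when a protocol is configured and it matches the one in use.
protocol_matches() {
  [ -n "$(configured_protocol "$1")" ] &&
  [ "$(configured_protocol "$1")" = "$(connected_protocol "$2")" ]
}

# Ownership of /var/ossec/bin/wazuh-* daemons from `ps -ef` output. In the
# listings above agentd, analysisd, db, remoted and monitord run as the wazuh
# user; the rest stay root. Prints "ok" or the offending daemon:user pairs.
check_daemon_owners() {
  # $1: file holding `ps -ef` output
  awk '
    /\/var\/ossec\/bin\/wazuh-/ {
      n = split($NF, p, "/"); d = p[n]
      expected = "root"
      if (d ~ /^wazuh-(agentd|analysisd|db|remoted|monitord)$/) expected = "wazuh"
      if ($1 != expected) bad = (bad == "" ? "" : bad " ") d ":" $1
    }
    END { print (bad == "" ? "ok" : bad) }' "$1"
}

# Agent keys kept after a remove without purge (client.keys.save on Debian,
# client.keys.rpmsave on RPM systems); they still authenticate to the manager.
leftover_keys() {
  # $1: install root to scan (normally /var/ossec)
  find "$1" -type f \( -name 'client.keys.save' -o -name 'client.keys.rpmsave' \) 2>/dev/null | sort
}

# Constructed sample inputs so the checks run offline; prints the directory.
make_samples() {
  sd=$(mktemp -d)
  mkdir -p "$sd/ossec/etc/shared"
  cat >"$sd/ossec.conf" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>192.0.2.10</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>
EOF
  cat >"$sd/ossec.log" <<'EOF'
2023/07/28 17:56:15 wazuh-agentd: INFO: (4102): Connected to the server ([192.0.2.10]:1514/tcp).
2023/07/28 18:01:44 wazuh-agentd: INFO: Trying to connect to server ([192.0.2.10]:1514/udp).
2023/07/28 18:01:44 wazuh-agentd: INFO: (4102): Connected to the server ([192.0.2.10]:1514/udp).
EOF
  cat >"$sd/ps.txt" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root     14671     1  0 17:55 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    14681     1  0 17:55 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root     14694     1  0 17:55 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root     15036 13536  0 17:56 pts/0    00:00:00 grep wazuh
EOF
  # Same listing with agentd wrongly running as root.
  sed 's/^wazuh /root  /' "$sd/ps.txt" >"$sd/ps-bad.txt"
  : >"$sd/ossec/etc/ossec.conf.save"
  : >"$sd/ossec/etc/client.keys.save"
  : >"$sd/ossec/etc/shared/agent.conf.save"
  printf '%s\n' "$sd"
}

# Run against a live agent: sh check_agent.sh --live
if [ "${1:-}" = "--live" ]; then
  tmp=$(mktemp); ps -ef >"$tmp"
  echo "configured=$(configured_protocol /var/ossec/etc/ossec.conf) connected=$(connected_protocol /var/ossec/logs/ossec.log)"
  echo "daemon owners: $(check_daemon_owners "$tmp")"
  echo "leftover keys: $(leftover_keys /var/ossec)"
  rm -f "$tmp"
fi
```

The functions take file paths, so they work on copied logs as well as on a live `/var/ossec`. `leftover_keys` exists because of what the listings above show: after `apt-get remove` the Debian box still holds `client.keys.save` (mode 640, owned by the still-present `wazuh` user), and after `yum remove` the CentOS box keeps `client.keys.rpmsave` owned by a numeric UID/GID once the account is gone; only `apt-get remove --purge` takes `/var/ossec` away entirely, so a decommission procedure should either purge or delete those files explicitly.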

@Deblintrake09

Analysis report - OVA 🟢

Agent info
# curl -OL https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.5.0-1_amd64.deb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8711k  100 8711k    0     0   945k      0  0:00:09  0:00:09 --:--:-- 1149k

# apt install /home/vagrant/wazuh-agent_4.5.0-1_amd64.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of '/home/vagrant/wazuh-agent_4.5.0-1_amd64.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 56 not upgraded.
Need to get 0 B/8921 kB of archives.
After this operation, 30.2 MB of additional disk space will be used.
Get:1 /home/vagrant/wazuh-agent_4.5.0-1_amd64.deb wazuh-agent amd64 4.5.0-1 [8921 kB]
Preconfiguring packages ...
Selecting previously unselected package wazuh-agent.
(Reading database ... 130749 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.5.0-1_amd64.deb ...
Unpacking wazuh-agent (4.5.0-1) ...
Setting up wazuh-agent (4.5.0-1) ...
Processing triggers for systemd (245.4-4ubuntu3.20) ...

# nano /var/ossec/etc/ossec.conf 

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.5.0"
WAZUH_REVISION="40500"
WAZUH_TYPE="agent"
# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: ubuntu-focal
   IP address: any
   Status:     Active

   Operating system:    Linux |ubuntu-focal |5.4.0-155-generic |#172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023 |x86_64
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690568779

   Syscheck last started at:  Fri Jul 28 18:23:05 2023
   Syscheck last ended at:    Fri Jul 28 18:23:12 2023
OVA - Check Wazuh agent connection
[root@wazuh-server wazuh-user]# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

[root@wazuh-server wazuh-user]# grep "tcp" /var/ossec/etc/ossec.conf
    <protocol>tcp</protocol>

[root@wazuh-server wazuh-user]# grep -i -E "tcp" /var/ossec/logs/ossec.log
2023/07/28 18:22:58 wazuh-agentd: INFO: Trying to connect to server ([192.168.2.28]:1514/tcp).
2023/07/28 18:22:58 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.2.28]:1514/tcp).
2023/07/28 18:23:04 wazuh-agentd: INFO: Trying to connect to server ([192.168.2.28]:1514/tcp).
2023/07/28 18:23:04 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.2.28]:1514/tcp).


[root@wazuh-server wazuh-user]# vi /var/ossec/etc/ossec.conf
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control restart
wazuh-clusterd not running...
Killing wazuh-modulesd...
Killing wazuh-monitord...
Killing wazuh-logcollector...
Killing wazuh-remoted...
Killing wazuh-syscheckd...
Killing wazuh-analysisd...
wazuh-maild not running...
Killing wazuh-execd...
Killing wazuh-db...
Killing wazuh-authd...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
Killing wazuh-apid...
Wazuh v4.5.0 Stopped
Starting Wazuh v4.5.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/07/28 18:29:42 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.


[root@wazuh-server wazuh-user]# grep "udp" /var/ossec/etc/ossec.conf
    <protocol>udp</protocol>
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001
Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: ubuntu-focal
   IP address: any
   Status:     Active

   Operating system:    Linux |ubuntu-focal |5.4.0-155-generic |#172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023 |x86_64
   Client version:      Wazuh v4.5.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1690569015

   Syscheck last started at:  Fri Jul 28 18:28:40 2023
   Syscheck last ended at:    Fri Jul 28 18:28:51 2023

[root@wazuh-server wazuh-user]# grep -i -E "udp" /var/ossec/logs/ossec.log
2023/07/28 18:29:45 wazuh-remoted: INFO: Started (pid: 3716). Listening on port 1514/UDP (secure).

[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log

root@ubuntu-focal:/home/vagrant# grep -i -E "udp" /var/ossec/logs/ossec.log
2023/07/28 18:28:38 wazuh-agentd: INFO: Trying to connect to server ([192.168.2.28]:1514/udp).
2023/07/28 18:28:49 wazuh-agentd: INFO: Closing connection to server ([192.168.2.28]:1514/udp).
2023/07/28 18:28:49 wazuh-agentd: INFO: Trying to connect to server ([192.168.2.28]:1514/udp).
2023/07/28 18:28:49 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.2.28]:1514/udp
Wazuh processes
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
wazuh-d+   430     1  0 18:15 ?        00:00:08 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root       451     1  0 18:15 ?        00:00:00 login -- wazuh-user
root       958     1  0 18:15 ?        00:00:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
wazuh-u+  2911   451  0 18:16 tty1     00:00:00 -bash
root      2940  1023  0 18:17 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  2944  2940  0 18:17 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  2945  2944  0 18:17 pts/0    00:00:00 -bash
wazuh-i+  3025     1  7 18:21 ?        00:00:41 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3990m -Xmx3990m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-5351821074469943771 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2091909120 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh     3540     1  3 18:29 ?        00:00:04 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      3580     1  0 18:29 ?        00:00:00 /var/ossec/bin/wazuh-authd
wazuh     3594     1  0 18:29 ?        00:00:00 /var/ossec/bin/wazuh-db
wazuh     3609  3540  0 18:29 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     3612  3540  0 18:29 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      3625     1  0 18:29 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     3637     1  0 18:29 ?        00:00:00 /var/ossec/bin/wazuh-analysisd
root      3699     1  5 18:29 ?        00:00:06 /var/ossec/bin/wazuh-syscheckd
wazuh     3716     1  0 18:29 ?        00:00:00 /var/ossec/bin/wazuh-remoted
root      3787     1  0 18:29 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh     3833     1  0 18:29 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root      3886     1  1 18:29 ?        00:00:01 /var/ossec/bin/wazuh-modulesd
root      5054  2973  0 18:31 pts/0    00:00:00 grep --color=auto wazuh



[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control restart
wazuh-clusterd not running...
Killing wazuh-modulesd...
Killing wazuh-monitord...
Killing wazuh-logcollector...
Killing wazuh-remoted...
Killing wazuh-syscheckd...
Killing wazuh-analysisd...
wazuh-maild not running...
Killing wazuh-execd...
Killing wazuh-db...
Killing wazuh-authd...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
Killing wazuh-apid...
Wazuh v4.5.0 Stopped
Starting Wazuh v4.5.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/07/28 18:32:18 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
wazuh-d+   430     1  0 18:15 ?        00:00:09 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root       451     1  0 18:15 ?        00:00:00 login -- wazuh-user
root       958     1  0 18:15 ?        00:00:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
wazuh-u+  2911   451  0 18:16 tty1     00:00:00 -bash
root      2940  1023  0 18:17 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  2944  2940  0 18:17 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  2945  2944  0 18:17 pts/0    00:00:00 -bash
wazuh-i+  3025     1  6 18:21 ?        00:00:43 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3990m -Xmx3990m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-5351821074469943771 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2091909120 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh     5237     1  8 18:32 ?        00:00:04 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      5277     1  0 18:32 ?        00:00:00 /var/ossec/bin/wazuh-authd
wazuh     5291     1  0 18:32 ?        00:00:00 /var/ossec/bin/wazuh-db
wazuh     5306  5237  0 18:32 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     5309  5237  0 18:32 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      5322     1  0 18:32 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     5334     1  0 18:32 ?        00:00:00 /var/ossec/bin/wazuh-analysisd
root      5344     1 12 18:32 ?        00:00:07 /var/ossec/bin/wazuh-syscheckd
wazuh     5410     1  0 18:32 ?        00:00:00 /var/ossec/bin/wazuh-remoted
root      5471     1  0 18:32 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh     5490     1  0 18:32 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root      5533     1  2 18:32 ?        00:00:01 /var/ossec/bin/wazuh-modulesd
root      6732  2973  0 18:33 pts/0    00:00:00 grep --color=auto wazuh
Versions
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.5.0"
WAZUH_REVISION="40500"
WAZUH_TYPE="server"

[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.5.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.5.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.6.0",
  "branch": "2.6",
  "build": {
    "number": 45001,
    "sha": "b15a28f9d6d6ec40d695a2eb01442d2a7d6d72d9",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": "14.20.1"
  }
}
OVA - Users
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard

[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash
wazuh-indexer:x:996:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:995:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:994:991::/usr/share/wazuh-dashboard/:/sbin/nologin
OVA - WUI
  • Loading screen OK
  • Login screen OK
  • Light/dark mode OK
  • Credentials admin:admin OK


OVA - Logs
  • Wazuh dashboard - journalctl
    [root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
    jul 28 18:40:00 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:40:00Z","tags":["error","opensearch","data"],"pid":430,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2023.30w/0Jhm8E1lSlCKpmPsjhYKnQ] already exists"}
    jul 28 18:22:18 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:22:18Z","tags":["error","opensearch","data"],"pid":430,"message":"[ResponseError]: Response Error"}
    jul 28 18:22:15 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:22:15Z","tags":["error","opensearch","data"],"pid":430,"message":"[ResponseError]: Response Error"}
    jul 28 18:22:13 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:22:13Z","tags":["error","opensearch","data"],"pid":430,"message":"[ResponseError]: Response Error"}
    jul 28 18:22:10 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:22:10Z","tags":["error","opensearch","data"],"pid":430,"message":"[ResponseError]: Response Error"}
    jul 28 18:22:08 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:22:08Z","tags":["error","opensearch","data"],"pid":430,"message":"[ResponseError]: Response Error"}
    jul 28 18:22:05 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:22:05Z","tags":["error","opensearch","data"],"pid":430,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
    jul 28 18:22:03 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:22:03Z","tags":["error","opensearch","data"],"pid":430,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
    jul 28 18:22:00 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:22:00Z","tags":["error","opensearch","data"],"pid":430,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
    jul 28 18:21:58 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:21:58Z","tags":["error","opensearch","data"],"pid":430,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
    jul 28 18:21:55 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:21:55Z","tags":["error","opensearch","data"],"pid":430,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
    jul 28 18:21:53 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:21:53Z","tags":["error","opensearch","data"],"pid":430,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
    jul 28 18:21:50 wazuh-server opensearch-dashboards[430]: {"type":"log","@timestamp":"2023-07-28T18:21:50Z","tags":["error","opensearch","data"],"pid":430,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

  • Wazuh indexer - journalctl
    [root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
    jul 28 18:22:00 wazuh-server systemd-entrypoint[3025]: WARNING: System::setSecurityManager will be removed in a future release
    jul 28 18:22:00 wazuh-server systemd-entrypoint[3025]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
    jul 28 18:22:00 wazuh-server systemd-entrypoint[3025]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
    jul 28 18:22:00 wazuh-server systemd-entrypoint[3025]: WARNING: A terminally deprecated method in java.lang.System has been called
    jul 28 18:21:59 wazuh-server systemd-entrypoint[3025]: WARNING: System::setSecurityManager will be removed in a future release
    jul 28 18:21:59 wazuh-server systemd-entrypoint[3025]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
    jul 28 18:21:59 wazuh-server systemd-entrypoint[3025]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
    jul 28 18:21:59 wazuh-server systemd-entrypoint[3025]: WARNING: A terminally deprecated method in java.lang.System has been called
    jul 28 18:15:36 wazuh-server systemd-entrypoint[1022]: WARNING: System::setSecurityManager will be removed in a future release
  • Wazuh indexer - /var/logs/wazuh-indexer
    [root@wazuh-server wazuh-user]#  grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:28,764][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3990m, -Xmx3990m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-11934407214772900785, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2091909120, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:34,928][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:38,507][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:38,796][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:38,813][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:38,818][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:38,821][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:41,159][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:41,164][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:41,169][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:41,172][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:43,657][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
    /var/log/wazuh-indexer/wazuh-cluster.log:[2023-07-28T14:11:43,659][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
  • Wazuh server - /var/ossec/logs
    [root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
OVA - Filebeat test
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
OVA - Wazuh indexer cluster
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "iQBIKAiRRdaC2Z1VFla4MA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "7203a5af21a8a009aece1474446b437a3c674db6",
    "build_date" : "2023-02-24T18:57:04.388618985Z",
    "build_snapshot" : false,
    "lucene_version" : "9.5.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}



[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           11          81   1    0.04    0.06     0.10 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1


[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 11,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

@Deblintrake09 Deblintrake09 self-assigned this Jul 28, 2023
@wazuhci wazuhci moved this from In progress to Pending review in Release 4.5.0 Jul 28, 2023
@wazuhci wazuhci moved this from Pending review to On hold in Release 4.5.0 Jul 31, 2023
@wazuhci wazuhci moved this from On hold to Pending final review in Release 4.5.0 Jul 31, 2023
@davidjiglesias Member

LGTM!

@wazuhci wazuhci moved this from Pending final review to Done in Release 4.5.0 Jul 31, 2023