Release 4.7.0 - Alpha 1 - Specific systems

[wazuhci]

Packages tests metrics information

Main release candidate issue	#19667
Main packages metrics issue	#19689
Version	4.7.0
Release candidate	Alpha 1
Tag	https://github.com/wazuh/wazuh/tree/v4.7.0-alpha1

---

Build packages

System	Status	Build
AIX	🟢	https://ci.wazuh.info/job/Packages_builder_special/842/
HPUX	🟢	https://ci.wazuh.info/job/Packages_builder_special/841/
S10 SPARC	🟢	https://ci.wazuh.info/job/Packages_builder_special/844/
S11 SPARC	🟢	https://ci.wazuh.info/job/Packages_builder_special/843/
OVA	🟢	https://ci.wazuh.info/job/Packages_Builder_OVA/293/
AMI	🟢	https://ci.wazuh.info/job/Packages_Builder_AMI/171/

---

Test packages

System	Build	Install	Deployment install	Upgrade	Remove	TCP	UDP	Errors found	Warnings found	Alerts found	Check users
AIX	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
HPUX	🟢	🟢	---	---	🟢	🟢	🟢	🟢	🟢	🟢	🟢
S10 SPARC	🟢	🟢	---	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
S11 SPARC	🟢	🟢	---	🟡	🟢	🟢	🟢	🟢	🟢	🟢	🟢
OVA	🟢	🟢	---	---	---	🟢	🟢	🟡	🟡	🟢	🟢
AMI	🟢	🟢	---	---	---	🟢	🟢	🟡	🟡	🟢	🟢

---

PPC64EL packages

System	Build	Install	Deployment install	Upgrade	Uninstall	Alerts	TCP	UDP	Errors	Warnings	System users
CentOS 7	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
Debian Stretch	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢

---

OVA/AMI specific tests

System	Filebeat test	Cluster green/yellow	Production repositories	UI Access	No SSH root access	SSH user access	Wazuh dashboard/APP version	Dashboard/Indexer VERSION file
OVA	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
AMI	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢

---

Status legend:
⚫ - Pending/In progress
⚪ - Skipped
🔴 - New issue related to the step
🟡 - Known issue related to the step
🟢 - No issues related

---

Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.

• @davidjiglesias
• @teddytpc1

---

Conclusion 🟡

Solaris11 update could not be tested. Same issue was previously reported.

• Reported: Issue with ossec group in reinstall Wazuh agent 4.3.4 in Solaris 11 SPARC wazuh-packages#1631

Solaris10 unwanted files could be seen after remove the agent.

• Reported: Solaris 10 agent uninstall leaves unwanted files in the installation directory wazuh-packages#2099

OVA and AMI logs have showed known error and warning messages

• Reported: Systemd-entrypoint warnings in wazuh indexer wazuh-packages#2046
• Reported: Warning and error logs found in wazuh-indexer in demo environment wazuh-packages#1511

HP-UX Agent pack size is increased as 4.6.0

• Reported : HP-UX Wazuh agent package size increased considerably #19251

[pro-akim]

Analysis report - OVA 🟡

OVA - System info 🟢

• OS release

  [wazuh-user@wazuh-server ~]$ cat /etc/os-release
  NAME="Amazon Linux"
  VERSION="2"
  ID="amzn"
  ID_LIKE="centos rhel fedora"
  VERSION_ID="2"
  PRETTY_NAME="Amazon Linux 2"
  ANSI_COLOR="0;33"
  CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
  HOME_URL="https://amazonlinux.com/"
  SUPPORT_END="2025-06-30"

• Wazuh processes

  [wazuh-user@wazuh-server ~]$ ps aux | grep wazuh
  wazuh-d+  2156  2.0  1.0 1044560 178712 ?      Ssl  09:44   0:15 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
  root      4857  0.0  0.0  98656  2040 ?        Ss   09:45   0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
  wazuh-i+  5446 13.8 54.0 12569508 8872436 ?    Ssl  09:45   1:37 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms8013m -Xmx8013m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-1527205111138725436 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=4202692608 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
  root      5471  0.0  0.0  86432  3944 ?        Ss   09:45   0:00 login -- wazuh-user
  wazuh     7516  1.5  0.6 986424 111832 ?       Sl   09:45   0:10 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
  wazuh     7519  0.0  0.4 330228 66704 ?        S    09:45   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
  wazuh     7526  0.0  0.4 414624 71700 ?        S    09:45   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
  wazuh     7530  0.0  0.3 617440 63036 ?        S    09:45   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
  root      7629  0.0  0.0 129356  5896 ?        Sl   09:45   0:00 /var/ossec/bin/wazuh-authd
  wazuh     7712  0.2  0.0 784872 12388 ?        Sl   09:45   0:01 /var/ossec/bin/wazuh-db
  root      7810  0.0  0.0  39180  3568 ?        Sl   09:45   0:00 /var/ossec/bin/wazuh-execd
  wazuh     7887  0.3  0.1 1439912 28168 ?       Sl   09:45   0:02 /var/ossec/bin/wazuh-analysisd
  root      7968  2.3  0.0 358072 11652 ?        SNl  09:45   0:15 /var/ossec/bin/wazuh-syscheckd
  wazuh     8093  0.0  0.0 466296  4280 ?        Sl   09:45   0:00 /var/ossec/bin/wazuh-remoted
  root      8278  0.0  0.0 481580  4604 ?        Sl   09:45   0:00 /var/ossec/bin/wazuh-logcollector
  wazuh     8377  0.0  0.0  39148  3604 ?        Sl   09:45   0:00 /var/ossec/bin/wazuh-monitord
  root      8517  0.1  0.1 314332 23868 ?        Sl   09:45   0:01 /var/ossec/bin/wazuh-modulesd
  wazuh-u+ 18698  0.0  0.0 124864  3996 tty1     Ss+  09:54   0:00 -bash
  root     18724  0.1  0.0 148512  8936 ?        Ss   09:55   0:00 sshd: wazuh-user [priv]
  wazuh-u+ 18727  0.0  0.0 148512  4816 ?        R    09:55   0:00 sshd: wazuh-user@pts/0
  wazuh-u+ 18728  0.0  0.0 124732  4132 pts/0    Ss   09:55   0:00 -bash
  wazuh-u+ 18751  0.0  0.0 162292  4516 pts/0    R+   09:56   0:00 ps aux
  wazuh-u+ 18752  0.0  0.0 119416   972 pts/0    S+   09:56   0:00 grep --color=auto wazuh

• Manager version

  [root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
  WAZUH_VERSION="v4.7.0"
  WAZUH_REVISION="40701"
  WAZUH_TYPE="server"

• Indexer version

  [root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
  4.7.0

• Dashboard version

  [root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
  4.7.0

  [root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
  {
    "name": "opensearch-dashboards",
    "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
    "keywords": [
      "opensearch-dashboards",
      "opensearch",
      "logstash",
      "analytics",
      "visualizations",
      "dashboards",
      "dashboarding"
    ],
    "version": "2.8.0",
    "branch": "2.8",
    "build": {
      "number": 47001,
      "sha": "8bd48f16ad37a5dfa805234223e4d5bffa926abe",
      "distributable": true,
      "release": true
    },
    "repository": {
      "type": "git",
      "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
    },
    "engines": {
      "node": ">=14.20.1 <19"
    }
  }

OVA - Users 🟢

[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard

[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin

OVA - WUI 🟢

• Credentials admin:admin OK

OVA - Logs 🟡

Wazuh dashboard - journalctl 🟢

```shellsession
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
oct 17 10:00:24 wazuh-server opensearch-dashboards[2156]: {"type":"error","@timestamp":"2023-10-17T10:00:24Z","tags":["connection","client","error"],"pid":2156,"level":"error","error":{"message":"140641155639232:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1565:SSL alert number 48\n","name":"Error","stack":"Error: 140641155639232:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1565:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140641155639232:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1565:SSL alert number 48\n"}
oct 17 09:46:00 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:46:00Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ResponseError]: Response Error"}
oct 17 09:45:58 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:58Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ResponseError]: Response Error"}
oct 17 09:45:55 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:55Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ResponseError]: Response Error"}
oct 17 09:45:53 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:53Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ResponseError]: Response Error"}
oct 17 09:45:50 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:50Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ResponseError]: Response Error"}
oct 17 09:45:48 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:48Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:45:45 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:45Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:45:43 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:43Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:45:40 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:40Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:45:38 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:38Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:45:35 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:35Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:45:33 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:33Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:45:30 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:30Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:45:28 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:28Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:45:25 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T09:45:25Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 11:45:22 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:45:22Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 11:45:19 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:45:19Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 11:45:17 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:45:17Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 11:45:14 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:45:14Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 11:45:12 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:45:12Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 11:45:09 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:45:09Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 11:45:07 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:45:07Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 11:45:04 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:45:04Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 11:45:02 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:45:02Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 11:44:59 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:44:59Z","tags":["error","savedobjects-service"],"pid":2156,"message":"Unable to retrieve version information from OpenSearch nodes."}
oct 17 11:44:59 wazuh-server opensearch-dashboards[2156]: {"type":"log","@timestamp":"2023-10-17T11:44:59Z","tags":["error","opensearch","data"],"pid":2156,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
```

Wazuh indexer - journalctl 🟡

```shellsession
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
oct 17 11:45:22 wazuh-server systemd-entrypoint[5446]: WARNING: System::setSecurityManager will be removed in a future release
oct 17 11:45:22 wazuh-server systemd-entrypoint[5446]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
oct 17 11:45:22 wazuh-server systemd-entrypoint[5446]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
oct 17 11:45:22 wazuh-server systemd-entrypoint[5446]: WARNING: A terminally deprecated method in java.lang.System has been called
oct 17 11:45:19 wazuh-server systemd-entrypoint[5446]: WARNING: System::setSecurityManager will be removed in a future release
oct 17 11:45:19 wazuh-server systemd-entrypoint[5446]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
oct 17 11:45:19 wazuh-server systemd-entrypoint[5446]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
oct 17 11:45:19 wazuh-server systemd-entrypoint[5446]: WARNING: A terminally deprecated method in java.lang.System has been called
```

Wazuh indexer - /var/logs/wazuh-indexer 🟢

```shellsession
[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T11:45:22,993][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms8013m, -Xmx8013m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-1527205111138725436, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=4202692608, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:43,433][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,083][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,084][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,084][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,084][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,084][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,085][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,085][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,085][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,085][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,086][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,955][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,987][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,991][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:50,994][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:53,254][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:53,257][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:53,261][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:53,264][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:55,756][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:55,759][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:55,763][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:55,766][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:58,258][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:58,263][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:58,266][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:45:58,270][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:46:00,760][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:46:00,764][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:46:00,767][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:46:00,770][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:46:01,763][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T11:45:22,993Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms8013m, -Xmx8013m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-1527205111138725436, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=4202692608, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:43,433Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,083Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,084Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,084Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,084Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,084Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,085Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,085Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,085Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,085Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,086Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@bed06a7] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,955Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,987Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,991Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:50,994Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:53,254Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:53,257Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:53,261Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:53,264Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:55,756Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:55,759Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:55,763Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:55,766Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:58,258Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:58,263Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:58,266Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:45:58,270Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:46:00,760Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:46:00,764Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:46:00,767Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:46:00,770Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:46:01,763Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "vQRGIiPtRlu8yp16OJPGLQ", "node.id": "CRH1R3csRg22PSvbbWgs4A"  }
```

Wazuh server - /var/ossec/logs 🟢

```shellsession
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
[root@wazuh-server wazuh-user]# 
```

OVA - Filebeat test 🟢

[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

OVA - Wazuh indexer cluster 🟢

[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "vQRGIiPtRlu8yp16OJPGLQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1            1          66   1    0.40    0.18     0.19 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 11,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

OVA - No root SSH access 🟢

akim@akim-PC:~/Desktop/personal$ ssh root@192.168.1.88
root@192.168.1.88's password: 
Permission denied, please try again.
root@192.168.1.88's password: 
Permission denied, please try again.
root@192.168.1.88's password: 
root@192.168.1.88: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Agent - system info 🟢

• OS

	root@ubuntu-agent1:/home/vagrant# cat /etc/os-release
	NAME="Ubuntu"
	VERSION="20.04.5 LTS (Focal Fossa)"
	ID=ubuntu
	ID_LIKE=debian
	PRETTY_NAME="Ubuntu 20.04.5 LTS"
	VERSION_ID="20.04"
	HOME_URL="https://www.ubuntu.com/"
	SUPPORT_URL="https://help.ubuntu.com/"
	BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
	PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
	VERSION_CODENAME=focal
	UBUNTU_CODENAME=focal

Agent - Install 🟢

• Download wazuh agent

  root@ubuntu-agent1:/home/vagrant# curl -OL https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 9072k  100 9072k    0     0  1105k      0  0:00:08  0:00:08 --:--:-- 2283k

• Install wazuh agent

  root@ubuntu-agent1:/home/vagrant# apt-get install /home/vagrant/wazuh-agent_4.7.0-1_amd64.deb 
  Reading package lists... Done
  Building dependency tree       
  Reading state information... Done
  Note, selecting 'wazuh-agent' instead of '/home/vagrant/wazuh-agent_4.7.0-1_amd64.deb'
  The following NEW packages will be installed:
    wazuh-agent
  0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  Need to get 0 B/9290 kB of archives.
  After this operation, 31.0 MB of additional disk space will be used.
  Get:1 /home/vagrant/wazuh-agent_4.7.0-1_amd64.deb wazuh-agent amd64 4.7.0-1 [9290 kB]
  Preconfiguring packages ...      
  Selecting previously unselected package wazuh-agent.
  (Reading database ... 111809 files and directories currently installed.)
  Preparing to unpack .../wazuh-agent_4.7.0-1_amd64.deb ...
  Unpacking wazuh-agent (4.7.0-1) ...
  Setting up wazuh-agent (4.7.0-1) ...
  Processing triggers for systemd (245.4-4ubuntu3.19) ...

• Configure and start agent

  root@ubuntu-agent1:/home/vagrant# nano /var/ossec/etc/ossec.conf

  root@ubuntu-agent1:/home/vagrant# /var/ossec/bin/wazuh-control start
  Starting Wazuh v4.7.0...
  Started wazuh-execd...
  Started wazuh-agentd...
  Started wazuh-syscheckd...
  Started wazuh-logcollector...
  Started wazuh-modulesd...
  Completed.

  root@ubuntu-agent1:/home/vagrant# /var/ossec/bin/wazuh-control status
  wazuh-modulesd is running...
  wazuh-logcollector is running...
  wazuh-syscheckd is running...
  wazuh-agentd is running...
  wazuh-execd is running...

• Wazuh server

  [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001
  
  Wazuh agent_control. Agent information:
     Agent ID:   001
     Agent Name: ubuntu-agent1
     IP address: any
     Status:     Active
  
     Operating system:    Linux |ubuntu-agent1 |5.4.0-139-generic |#156-Ubuntu SMP Fri Jan 20 17:27:18 UTC 2023 |x86_64
     Client version:      Wazuh v4.7.0
     Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
     Shared file hash:    4a8724b20dee0124ff9656783c490c4e
     Last keep alive:     1697537605
  
     Syscheck last started at:  Tue Oct 17 10:13:06 2023
     Syscheck last ended at:    Tue Oct 17 10:13:13 2023

---

Indexer - journalctl Warnings related to setSecurityManager

oct 17 11:45:19 wazuh-server systemd-entrypoint[5446]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
oct 17 11:45:19 wazuh-server systemd-entrypoint[5446]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
oct 17 11:45:19 wazuh-server systemd-entrypoint[5446]: WARNING: A terminally deprecated method in java.lang.System has been called

• Reported: Systemd-entrypoint warnings in wazuh indexer wazuh-packages#2046 - Known issue

Some warning and error messages found

• Reported: Warning and error logs found in wazuh-indexer in demo environment wazuh-packages#1511 - Known issue

[pro-akim]

Analysis report - AIX 🟢

System info 🟢

# hostname
soaxp078

# uname -a
AIX soaxp078 1 6 00CADA644C00

# df -g  
Filesystem    GB blocks      Free %Used    Iused %Iused Mounted on
/dev/hd4           1.00      0.85   15%    10465     5% /
/dev/hd2          12.00      4.16   66%   196270    17% /usr
/dev/hd9var        1.00      0.62   38%     9301     6% /var
/dev/hd3           1.00      0.98    2%       55     1% /tmp
/dev/hd1           2.00      1.98    2%       20     1% /home
/dev/hd11admin      0.50      0.50    1%        5     1% /admin
/proc                 -         -    -         -     -  /proc
/dev/hd10opt       2.00      0.16   92%    67133    62% /opt
/dev/livedump      0.50      0.50    1%        4     1% /var/adm/ras/livedump
/dev/lv00          0.50      0.48    4%       18     1% /var/adm/csd

Installation 🟢

• Wazuh agent

# curl -sO -k https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.7.0-1.aix.ppc.rpm 

# ls
.Xauthority                      .sh_history
.profile                         wazuh-agent-4.7.0-1.aix.ppc.rpm

# rpm -qip wazuh-agent-4.7.0-1.aix.ppc.rpm
Name        : wazuh-agent                  Relocations: (not relocateable)
Version     : 4.7.0                             Vendor: Wazuh, Inc <info@wazuh.com>
Release     : 1                             Build Date: Mon Oct 16 04:57:34 2023
Install date: (not installed)               Build Host: soaxp078
Group       : System Environment/Daemons    Source RPM: wazuh-agent-4.7.0-1.src.rpm
Size        : 65076807                         License: GPL
Packager    : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.


# pwd
/home/hagzt

# WAZUH_MANAGER="44.211.192.146" rpm -ivh wazuh-agent-4.7.0-1.aix.ppc.rpm                                                      
wazuh-agent                 ##################################################

# rpm -qi wazuh-agent
Name        : wazuh-agent                  Relocations: (not relocateable)
Version     : 4.7.0                             Vendor: Wazuh, Inc <info@wazuh.com>
Release     : 1                             Build Date: Mon Oct 16 04:57:34 2023
Install date: Tue Oct 17 07:07:36 2023      Build Host: soaxp078
Group       : System Environment/Daemons    Source RPM: wazuh-agent-4.7.0-1.src.rpm
Size        : 65076807                         License: GPL
Packager    : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

• Wazuh server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: sovmh353, IP: any, Disconnected
   ID: 003, Name: sossp107, IP: any, Disconnected
   ID: 004, Name: soaxp078, IP: any, Active

List of agentless devices:



[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697544519

   Syscheck last started at:  Tue Oct 17 12:08:40 2023 (Scan in progress)
   Syscheck last ended at:    Unknown

Generate alerts (TCP & UDP) 🟢

• TCP
  • Wazuh Agent

# grep -Ei "tcp" /var/ossec/logs/ossec.log
2023/10/17 07:08:31 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
2023/10/17 07:08:31 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).
2023/10/17 07:08:39 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
2023/10/17 07:08:39 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).

• TCP
  • Wazuh Server

[root@wazuh-server wazuh-user]# grep soaxp078 /var/ossec/logs/alerts/alerts.json
{"timestamp":"2023-10-17T12:08:46.740+0000","rule":{"level":7,"description":"System audit for Unix based systems: SSH Hardening: Protocol should be set to 2","id":"19007","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","2.2.4"],"nist_800_53":["CM.1","CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.200682","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3001","title":"SSH Hardening: Protocol should be set to 2","description":"The SSH protocol should not be 1.","rationale":"The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses.","remediation":"Change the Protocol option value in the sshd_config file.","compliance":{"pci_dss":"2.2.4","nist_800_53":"CM.1"},"file":["/etc/ssh/sshd_config"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.764+0000","rule":{"level":7,"description":"System audit for Unix based systems: SSH Hardening: Password Authentication should be disabled","id":"19007","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","2.2.4"],"nist_800_53":["CM.1","CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.202186","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3004","title":"SSH Hardening: Password Authentication should be disabled","description":"The option PasswordAuthentication should be set to no.","rationale":"The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords.","remediation":"Change the PasswordAuthentication option value in the sshd_config file.","compliance":{"pci_dss":"2.2.4","nist_800_53":"CM.1"},"file":["/etc/ssh/sshd_config"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.764+0000","rule":{"level":7,"description":"System audit for Unix based systems: SSH Hardening: No Public Key authentication","id":"19007","firedtimes":5,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","2.2.4"],"nist_800_53":["CM.1","CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.203806","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3003","title":"SSH Hardening: No Public Key authentication","description":"The option PubkeyAuthentication should be set yes.","rationale":"Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password.","remediation":"Change the PubkeyAuthentication option value in the sshd_config file.","compliance":{"pci_dss":"2.2.4","nist_800_53":"CM.1"},"file":["/etc/ssh/sshd_config"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.785+0000","rule":{"level":7,"description":"System audit for Unix based systems: SSH Hardening: Empty passwords should not be allowed","id":"19007","firedtimes":6,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","2.2.4"],"nist_800_53":["CM.1","CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.205365","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3005","title":"SSH Hardening: Empty passwords should not be allowed","description":"The option PermitEmptyPasswords should be set to no.","rationale":"The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice.","remediation":"Change the PermitEmptyPasswords option value in the sshd_config file.","compliance":{"pci_dss":"2.2.4","nist_800_53":"CM.1"},"file":["/etc/ssh/sshd_config"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.785+0000","rule":{"level":7,"description":"System audit for Unix based systems: SSH Hardening: Rhost or shost should not be used for authentication","id":"19007","firedtimes":7,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","2.2.4"],"nist_800_53":["CM.1","CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.206986","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3006","title":"SSH Hardening: Rhost or shost should not be used for authentication","description":"The option IgnoreRhosts should be set to yes.","rationale":"The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication.","remediation":"Change the IgnoreRhosts option value in the sshd_config file.","compliance":{"pci_dss":"2.2.4","nist_800_53":"CM.1"},"file":["/etc/ssh/sshd_config"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.810+0000","rule":{"level":7,"description":"System audit for Unix based systems: SSH Hardening: Grace Time should be one minute or less.","id":"19007","firedtimes":8,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","2.2.4"],"nist_800_53":["CM.1","CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.208685","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3007","title":"SSH Hardening: Grace Time should be one minute or less.","description":"The option LoginGraceTime should be set to 60 or less.","rationale":"The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate.","remediation":"Change the LoginGraceTime option value in the sshd_config file.","compliance":{"pci_dss":"2.2.4","nist_800_53":"CM.1"},"file":["/etc/ssh/sshd_config"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.810+0000","rule":{"level":7,"description":"System audit for Unix based systems: SSH Hardening: Ensure SSH HostbasedAuthentication is disabled","id":"19007","firedtimes":9,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","4.1"],"nist_800_53":["CM.1","SC.8"],"tsc":["CC7.1","CC7.2","CC6.1","CC6.7","CC7.2"],"hipaa":["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.210508","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3009","title":"SSH Hardening: Ensure SSH HostbasedAuthentication is disabled","description":"The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2.","rationale":"Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection.","remediation":"Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no","compliance":{"pci_dss":"4.1","hipaa":"164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II","nist_800_53":"SC.8","tsc":"CC6.1,CC6.7,CC7.2"},"file":["/etc/ssh/sshd_config"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.811+0000","rule":{"level":7,"description":"System audit for Unix based systems: SSH Hardening: Wrong Maximum number of authentication attempts","id":"19007","firedtimes":10,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","2.2.4"],"nist_800_53":["CM.1","CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.212881","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3008","title":"SSH Hardening: Wrong Maximum number of authentication attempts","description":"The option MaxAuthTries should be set to 4 or less.","rationale":"The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4.","remediation":"Change the MaxAuthTries option value in the sshd_config file.","compliance":{"pci_dss":"2.2.4","nist_800_53":"CM.1"},"file":["/etc/ssh/sshd_config"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.826+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure retry option for passwords is less than 3","id":"19009","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["4.4","5.7","16.12"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.214637","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3010","title":"Ensure retry option for passwords is less than 3","description":"The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more.","rationale":"Strong passwords protect systems from being hacked through brute force methods.","remediation":"Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy.","compliance":{"cis_csc":"4.4,5.7,16.12"},"references":"https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/","file":["/etc/pam.d/common-password","/etc/pam.d/password-auth","/etc/pam.d/system-auth","/etc/pam.d/system-auth-ac","/etc/pam.d/passwd"],"result":"not applicable","reason":"Could not open file '/etc/pam.d/common-password'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.846+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure passwords are longer than 14 characters","id":"19009","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["4.4","5.7","16.12"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.217518","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3011","title":"Ensure passwords are longer than 14 characters","description":"The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more.","rationale":"Strong passwords protect systems from being hacked through brute force methods.","remediation":"Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy.","compliance":{"cis_csc":"4.4,5.7,16.12"},"references":"https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/","file":["/etc/pam.d/common-password","/etc/pam.d/password-auth","/etc/pam.d/system-auth","/etc/pam.d/system-auth-ac","/etc/pam.d/passwd"],"result":"not applicable","reason":"Could not open file '/etc/pam.d/common-password'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.846+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure passwords contain at least one digit","id":"19009","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["4.4","5.7","16.12"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.220332","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3012","title":"Ensure passwords contain at least one digit","description":"The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more.","rationale":"Strong passwords protect systems from being hacked through brute force methods.","remediation":"Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy.","compliance":{"cis_csc":"4.4,5.7,16.12"},"references":"https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/","file":["/etc/pam.d/common-password","/etc/pam.d/password-auth","/etc/pam.d/system-auth","/etc/pam.d/system-auth-ac","/etc/pam.d/passwd"],"result":"not applicable","reason":"Could not open file '/etc/pam.d/common-password'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.866+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure passwords contain at least one uppercase character","id":"19009","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["4.4","5.7","16.12"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.223126","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3014","title":"Ensure passwords contain at least one uppercase character","description":"The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more.","rationale":"Strong passwords protect systems from being hacked through brute force methods.","remediation":"Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy.","compliance":{"cis_csc":"4.4,5.7,16.12"},"references":"https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/","file":["/etc/pam.d/common-password","/etc/pam.d/password-auth","/etc/pam.d/system-auth","/etc/pam.d/system-auth-ac","/etc/pam.d/passwd"],"result":"not applicable","reason":"Could not open file '/etc/pam.d/common-password'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.866+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure passwords contain at least one lowercase character","id":"19009","firedtimes":5,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["4.4","5.7","16.12"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.225962","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3013","title":"Ensure passwords contain at least one lowercase character","description":"The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more.","rationale":"Strong passwords protect systems from being hacked through brute force methods.","remediation":"Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy.","compliance":{"cis_csc":"4.4,5.7,16.12"},"references":"https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/","file":["/etc/pam.d/common-password","/etc/pam.d/password-auth","/etc/pam.d/system-auth","/etc/pam.d/system-auth-ac","/etc/pam.d/passwd"],"result":"not applicable","reason":"Could not open file '/etc/pam.d/common-password'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.890+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure password hashing algorithm is SHA-512","id":"19009","firedtimes":6,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["16.14"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.228798","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3017","title":"Ensure password hashing algorithm is SHA-512","description":"The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm.","rationale":"The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system.","remediation":"Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512","compliance":{"cis_csc":"16.14"},"file":["/etc/pam.d/common-password","/etc/pam.d/password-auth","/etc/pam.d/system-auth","/etc/pam.d/system-auth-ac","/etc/pam.d/passwd"],"result":"not applicable","reason":"Could not open file '/etc/pam.d/common-password'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.890+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure passwords contain at least one special character","id":"19009","firedtimes":7,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["4.4","5.7","16.12"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.231369","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3015","title":"Ensure passwords contain at least one special character","description":"The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more.","rationale":"Strong passwords protect systems from being hacked through brute force methods.","remediation":"Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy.","compliance":{"cis_csc":"4.4,5.7,16.12"},"references":"https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/","file":["/etc/pam.d/common-password","/etc/pam.d/password-auth","/etc/pam.d/system-auth","/etc/pam.d/system-auth-ac","/etc/pam.d/passwd"],"result":"not applicable","reason":"Could not open file '/etc/pam.d/common-password'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.891+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure lockout for failed password attempts is configured","id":"19009","firedtimes":8,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.234199","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3016","title":"Ensure lockout for failed password attempts is configured","description":"Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users.","rationale":"Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.","remediation":"Edit the /etc/pam.d/common-auth file and add the auth line below: #auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900","file":["/etc/pam.d/common-auth"],"result":"not applicable","reason":"Could not open file '/etc/pam.d/common-auth'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.915+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256","id":"19009","firedtimes":9,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.236545","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3018","title":"Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256","description":"SHA-512 and SHA-256 are much stronger hashing algorithms than MD5.","rationale":"The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords.","remediation":"Set the default algorithm for password hashing in /etc/shadow to SHA-512 or SHA-256.","references":"https://linux-audit.com/password-security-with-linux-etc-shadow-file/,https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html","file":["/etc/shadow"],"result":"not applicable","reason":"Could not open file '/etc/shadow'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.915+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure password expiration is 365 days or less","id":"19009","firedtimes":10,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["4.4","16"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.238670","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3019","title":"Ensure password expiration is 365 days or less","description":"The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days.","rationale":"The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.","remediation":"Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs.","compliance":{"cis_csc":"4.4,16"},"references":"https://www.thegeekdiary.com/understanding-etclogin-defs-file","file":["/etc/login.defs"],"result":"not applicable","reason":"Could not open file '/etc/login.defs'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.936+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure SELinux or AppArmor are installed","id":"19009","firedtimes":11,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["14.4","14.6"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.241113","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3020","title":"Ensure SELinux or AppArmor are installed","description":"SELinux and AppArmor provide Mandatory Access Controls.","rationale":"Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.","remediation":"Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils","compliance":{"cis_csc":"14.4,14.6"},"command":["dpkg -s selinux-basics","dpkg -s apparmor"],"result":"not applicable","reason":"Invalid path or wrong permissions to run command 'dpkg -s selinux-basics'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.936+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure CUPS is not enabled","id":"19009","firedtimes":12,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["9.1","9.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.243046","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3021","title":"Ensure CUPS is not enabled","description":"The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.","rationale":"If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface.","remediation":"Run the following command to disable cups: # systemctl disable cups","compliance":{"cis_csc":"9.1,9.2"},"references":"https://www.cups.org","command":["systemctl is-enabled cups"],"result":"not applicable","reason":"Invalid path or wrong permissions to run command 'systemctl is-enabled cups'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:46.961+0000","rule":{"level":3,"description":"System audit for Unix based systems: Ensure auditd service is enabled","id":"19009","firedtimes":13,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis_csc":["6.2","6.3"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544526.245244","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"3723","policy":"System audit for Unix based systems","check":{"id":"3022","title":"Ensure auditd service is enabled","description":"Turn on the auditd daemon to record system events.","rationale":"The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.","remediation":"Run the following command to enable auditd: # systemctl enable auditd","compliance":{"cis_csc":"6.2,6.3"},"command":["systemctl is-enabled auditd"],"result":"not applicable","reason":"Invalid path or wrong permissions to run command 'systemctl is-enabled auditd'"}}},"location":"sca"}
{"timestamp":"2023-10-17T12:08:51.555+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":13,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544531.246952","full_log":"File '/tmp/.com_ibm_tools_attach/8650812/attachNotificationSync' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/8650812/attachNotificationSync"},"location":"rootcheck"}
{"timestamp":"2023-10-17T12:08:51.580+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":14,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544531.247403","full_log":"File '/tmp/.com_ibm_tools_attach/_master' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_master"},"location":"rootcheck"}
{"timestamp":"2023-10-17T12:08:51.580+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":15,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544531.247808","full_log":"File '/tmp/.com_ibm_tools_attach/_attachlock' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_attachlock"},"location":"rootcheck"}
{"timestamp":"2023-10-17T12:08:51.580+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":16,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544531.248221","full_log":"File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_notifier"},"location":"rootcheck"}
{"timestamp":"2023-10-17T12:08:53.957+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544533.248630","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"3723","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"}
{"timestamp":"2023-10-17T12:09:03.210+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544543.249722","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"3723","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"}

• UDP
  • Wazuh Agent

# sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf

# grep udp /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>

# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.0 Stopped
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.


# grep -Ei "udp" /var/ossec/logs/ossec.log
2023/10/17 07:11:46 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/udp).
2023/10/17 07:11:46 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/udp).

• UDP
  • Wazuh Server

[root@wazuh-server wazuh-user]# sed -i 's/tcp/udp/g' /var/ossec/etc/ossec.conf
[root@wazuh-server wazuh-user]# grep udp /var/ossec/etc/ossec.conf
    <protocol>tcp,udp</protocol>


[root@wazuh-server wazuh-user]# systemctl restart wazuh-manager

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697544816

   Syscheck last started at:  Tue Oct 17 12:11:47 2023
   Syscheck last ended at:    Tue Oct 17 12:11:54 2023




[root@wazuh-server wazuh-user]# grep soaxp078 /var/ossec/logs/alerts/alerts.json

{"timestamp":"2023-10-17T12:11:52.240+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":23,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544712.281227","full_log":"File '/tmp/.com_ibm_tools_attach/8650812/attachNotificationSync' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/8650812/attachNotificationSync"},"location":"rootcheck"}
{"timestamp":"2023-10-17T12:11:52.240+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":24,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544712.281678","full_log":"File '/tmp/.com_ibm_tools_attach/_attachlock' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_attachlock"},"location":"rootcheck"}
{"timestamp":"2023-10-17T12:11:52.241+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":25,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544712.282091","full_log":"File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_notifier"},"location":"rootcheck"}
{"timestamp":"2023-10-17T12:11:52.241+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":26,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"soaxp078","ip":"192.168.253.78"},"manager":{"name":"wazuh-server"},"id":"1697544712.282500","full_log":"File '/tmp/.com_ibm_tools_attach/_master' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_master"},"location":"rootcheck"}

Removal 🟢

# rpm -e wazuh-agent
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty

Upgrade 4.5.3 -> 4.7.0 🟢

Note: Before starting uninstall the agent and remove it from the manager.

# curl -sOk https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.5.3-1.aix.ppc.rpm
# ls -la
total 43752
drwxr-xr-x    2 hagzt    staff          4096 Oct 18 01:58 .
drwxr-xr-x   10 bin      bin            4096 Oct 17 07:17 ..
-rw-------    1 hagzt    staff            54 Oct 18 01:52 .Xauthority
-rwxr-----    1 hagzt    staff           254 Oct  9 09:11 .profile
-rw-------    1 hagzt    staff          1346 Oct 18 01:59 .sh_history
-rw-r--r--    1 root     system      8217238 Oct 18 01:56 wazuh-agent-4.5.3-1.aix.ppc.rpm
-rw-r--r--    1 root     system     14158699 Oct 17 07:05 wazuh-agent-4.7.0-1.aix.ppc.rpm

 


# WAZUH_MANAGER="3.82.119.164" rpm -ivh wazuh-agent-4.5.3-1.aix.ppc.rpm
wazuh-agent                 ##################################################


# /var/ossec/bin/wazuh-control start
2023/10/18 02:01:27 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/10/18 02:01:27 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/10/18 02:01:28 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/10/18 02:01:28 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/10/18 02:01:28 wazuh-logcollector: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/10/18 02:01:28 wazuh-modulesd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Starting Wazuh v4.5.3...
Started wazuh-execd...
2023/10/18 02:01:28 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/10/18 02:01:28 wazuh-agentd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-agentd...
2023/10/18 02:01:29 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
2023/10/18 02:01:29 wazuh-syscheckd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-syscheckd...
2023/10/18 02:01:29 wazuh-logcollector: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-logcollector...
2023/10/18 02:01:29 wazuh-modulesd: ERROR: (1103): Could not open file 'queue/sockets/.agent_info' due to [(2)-(No such file or directory)].
Started wazuh-modulesd...
Completed.

Those errors appear when the /var/ossec folder is not deleted while uninstalling the Wazuh Agent. Because the downgrade is not allowed.

• Wazuh Server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: soaxp078, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.5.3
   Configuration hash:  (null)
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697612518

   Syscheck last started at:  Wed Oct 18 07:01:29 2023
   Syscheck last ended at:    Wed Oct 18 07:01:54 2023

• Wazuh Agent

# rpm -U wazuh-agent-4.7.0-1.aix.ppc.rpm

/var/ossec/bin/wazuh-control start
# Starting Wazuh v4.7.0...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.

• Wazuh Server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.7.0
   Configuration hash:  (null)
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697612580

   Syscheck last started at:  Wed Oct 18 07:02:31 2023
   Syscheck last ended at:    Wed Oct 18 07:02:41 2023

Check users and groups 🟢

# cat /etc/passwd | grep wazuh
wazuh:*:209:1::/home/wazuh:/usr/bin/ksh

# cat /etc/group | grep wazuh
wazuh:!:208:wazuh

[pro-akim]

Analysis report - HP-UX 🟢

System Info 🟢

$ uname -a                                                           
HP-UX sovmh353 B.11.31 U ia64 0888355532 unlimited-user license  

Installation 🟢

• Installation

# /usr/local/bin/curl -sOk https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.7.0-1-hpux-11v3-ia64.tar

# groupadd wazuh

# useradd -G wazuh wazuh


# tar -xvf wazuh-agent-4.7.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1951568 bytes, 3812 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2373620 bytes, 4636 tape blocks
x /var/ossec/bin/wazuh-execd, 1814552 bytes, 3545 tape blocks
x /var/ossec/bin/manage_agents, 570740 bytes, 1115 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1744844 bytes, 3408 tape blocks
x /var/ossec/bin/wazuh-agentd, 1887140 bytes, 3686 tape blocks
x /var/ossec/bin/agent-auth, 506176 bytes, 989 tape blocks
x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355412 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1314728 bytes, 2568 tape blocks
x /var/ossec/lib/librsync.so, 900228 bytes, 1759 tape blocks
x /var/ossec/lib/libsysinfo.so, 796672 bytes, 1556 tape blocks
x /var/ossec/lib/libfimdb.so, 1267160 bytes, 2475 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 182656 bytes, 357 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4709 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 38402 bytes, 76 tape blocks
x /var/ossec/wodles/azure/orm.py, 10034 bytes, 20 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14164 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4817 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70248 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70248 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70024 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69880 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69880 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69848 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69952 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69800 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69692 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69740 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 69996 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent

• Change agent IP

# sed "s/MANAGER_IP/44.211.192.146/g" /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf

# grep address /var/ossec/etc/ossec.conf
      <address>44.211.192.146</address>

• Start agent

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

• Agent info

# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.7.0"
WAZUH_REVISION="40701"
WAZUH_TYPE="agent"

• Check agent in Manager

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: sovmh353
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh353 |B.11.31 |U |ia64
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697538895

   Syscheck last started at:  Wed Oct 18 00:20:07 2023 (Scan in progress)
   Syscheck last ended at:    Unknown

• No errors present in the agent

# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0

• No errors present in the manager

[root@wazuh-server wazuh-user]# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0

Generate Alerts 🟢

• TCP 🟢

  
  

  • Agent is connected through TCP

  # grep -i "tcp" /var/ossec/logs/ossec.log
  2023/10/17 19:19:57 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
  2023/10/17 19:19:57 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).
  2023/10/17 19:20:06 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
  2023/10/17 19:20:06 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).
  

  • Alerts are correctly generated for the agent - Expected logs

  [root@wazuh-server wazuh-user]# grep sovmh353 /var/ossec/logs/alerts/alerts.json
  {"timestamp":"2023-10-17T10:34:17.665+0000","rule":{"level":3,"description":"New wazuh agent connected.","id":"501","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"001","name":"sovmh353"},"manager":{"name":"wazuh-server"},"id":"1697538857.24416","full_log":"ossec: Agent started: 'sovmh353->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh353->any"},"location":"wazuh-agent"}
  {"timestamp":"2023-10-17T10:34:24.436+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"sovmh353"},"manager":{"name":"wazuh-server"},"id":"1697538864.24687","full_log":"ossec: Agent stopped: 'sovmh353->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh353->any"},"location":"wazuh-remoted"}
  {"timestamp":"2023-10-17T10:34:25.874+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"sovmh353"},"manager":{"name":"wazuh-server"},"id":"1697538865.25014","full_log":"ossec: Agent started: 'sovmh353->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh353->any"},"location":"wazuh-agent"}
  {"timestamp":"2023-10-17T10:34:29.124+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"sovmh353","ip":"192.168.253.53"},"manager":{"name":"wazuh-server"},"id":"1697538869.25339","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 192.168.253.53.1712 192.168.253.53.49291\ntcp 192.168.253.53.49291 192.168.253.53.1712\ntcp 192.168.253.53.22 90.168.145.212.60244\nudp 192.168.253.53.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157\nudp 127.0.0.1.123 *.*","full_log":"ossec: output: 'netstat listening ports':\ntcp 192.168.253.53.1712 192.168.253.53.49291\ntcp 192.168.253.53.49291 192.168.253.53.1712\ntcp 192.168.253.53.22 90.168.145.212.60244\ntcp 192.168.253.53.52561 44.211.192.146.1514\ntcp 192.168.253.53.52560 44.211.192.146.1514\nudp 192.168.253.53.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157\nudp 127.0.0.1.123 *.*","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 192.168.253.53.1712 192.168.253.53.49291\ntcp 192.168.253.53.49291 192.168.253.53.1712\ntcp 192.168.253.53.22 90.168.145.212.60244\nudp 192.168.253.53.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157\nudp 127.0.0.1.123 *.*","location":"netstat listening ports"}
  {"timestamp":"2023-10-17T10:35:23.006+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"sovmh353","ip":"192.168.253.53"},"manager":{"name":"wazuh-server"},"id":"1697538923.26295","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}
  
  
  

  • No errors in agent logs

  [root@wazuh-server wazuh-user]# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
  0
  

• UDP 🟢

  
  

  • Agent is connected through UDP

  # sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf
  
  
  
  # grep udp /var/ossec/etc/ossec.conf
        <protocol>udp</protocol>
  
  # /var/ossec/bin/wazuh-control restart
  Killing wazuh-modulesd... 
  Killing wazuh-logcollector... 
  Killing wazuh-syscheckd... 
  Killing wazuh-agentd... 
  Killing wazuh-execd... 
  Wazuh v4.7.0 Stopped
  Starting Wazuh v4.7.0...
  Started wazuh-execd...
  Started wazuh-agentd...
  Started wazuh-syscheckd...
  Started wazuh-logcollector...
  Started wazuh-modulesd...
  Completed.
  
  # grep -i "udp" /var/ossec/logs/ossec.log
  2023/10/17 19:25:59 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/udp).
  2023/10/17 19:25:59 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/udp).
  

  • Alerts are correctly generated for the agent

  [root@wazuh-server wazuh-user]# grep sovmh353 /var/ossec/logs/alerts/alerts.json
  {"timestamp":"2023-10-17T10:34:17.665+0000","rule":{"level":3,"description":"New wazuh agent connected.","id":"501","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"001","name":"sovmh353"},"manager":{"name":"wazuh-server"},"id":"1697538857.24416","full_log":"ossec: Agent started: 'sovmh353->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh353->any"},"location":"wazuh-agent"}
  {"timestamp":"2023-10-17T10:34:24.436+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"sovmh353"},"manager":{"name":"wazuh-server"},"id":"1697538864.24687","full_log":"ossec: Agent stopped: 'sovmh353->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh353->any"},"location":"wazuh-remoted"}
  {"timestamp":"2023-10-17T10:34:25.874+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"sovmh353"},"manager":{"name":"wazuh-server"},"id":"1697538865.25014","full_log":"ossec: Agent started: 'sovmh353->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh353->any"},"location":"wazuh-agent"}
  {"timestamp":"2023-10-17T10:34:29.124+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"sovmh353","ip":"192.168.253.53"},"manager":{"name":"wazuh-server"},"id":"1697538869.25339","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 192.168.253.53.1712 192.168.253.53.49291\ntcp 192.168.253.53.49291 192.168.253.53.1712\ntcp 192.168.253.53.22 90.168.145.212.60244\nudp 192.168.253.53.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157\nudp 127.0.0.1.123 *.*","full_log":"ossec: output: 'netstat listening ports':\ntcp 192.168.253.53.1712 192.168.253.53.49291\ntcp 192.168.253.53.49291 192.168.253.53.1712\ntcp 192.168.253.53.22 90.168.145.212.60244\ntcp 192.168.253.53.52561 44.211.192.146.1514\ntcp 192.168.253.53.52560 44.211.192.146.1514\nudp 192.168.253.53.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157\nudp 127.0.0.1.123 *.*","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 192.168.253.53.1712 192.168.253.53.49291\ntcp 192.168.253.53.49291 192.168.253.53.1712\ntcp 192.168.253.53.22 90.168.145.212.60244\nudp 192.168.253.53.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157\nudp 127.0.0.1.123 *.*","location":"netstat listening ports"}
  {"timestamp":"2023-10-17T10:35:23.006+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"sovmh353","ip":"192.168.253.53"},"manager":{"name":"wazuh-server"},"id":"1697538923.26295","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}
  {"timestamp":"2023-10-17T10:37:57.851+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"sovmh353","ip":"192.168.253.53"},"manager":{"name":"wazuh-server"},"id":"1697539077.26659","full_log":"ossec: Agent stopped: 'sovmh353->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh353->any"},"location":"wazuh-remoted"}
  {"timestamp":"2023-10-17T10:40:19.298+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"sovmh353","ip":"192.168.253.53"},"manager":{"name":"wazuh-server"},"id":"1697539219.26986","full_log":"ossec: Agent started: 'sovmh353->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sovmh353->any"},"location":"wazuh-agent"}
  {"timestamp":"2023-10-17T10:40:23.471+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"sovmh353","ip":"192.168.253.53"},"manager":{"name":"wazuh-server"},"id":"1697539223.29195","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 192.168.253.53.1712 192.168.253.53.49291\ntcp 192.168.253.53.49291 192.168.253.53.1712\ntcp 192.168.253.53.22 90.168.145.212.60244\ntcp 192.168.253.53.52561 44.211.192.146.1514\ntcp 192.168.253.53.52560 44.211.192.146.1514\nudp 192.168.253.53.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157\nudp 127.0.0.1.123 *.*","full_log":"ossec: output: 'netstat listening ports':\ntcp 192.168.253.53.1712 192.168.253.53.49291\ntcp 192.168.253.53.49291 192.168.253.53.1712\ntcp 192.168.253.53.22 90.168.145.212.60244\ntcp 192.168.253.53.52561 44.211.192.146.1514\nudp 192.168.253.53.123 *.*\nudp 192.168.253.53.51467 44.211.192.146.1514\nudp 127.0.0.1.49157 127.0.0.1.49157\nudp 127.0.0.1.123 *.*","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 192.168.253.53.1712 192.168.253.53.49291\ntcp 192.168.253.53.49291 192.168.253.53.1712\ntcp 192.168.253.53.22 90.168.145.212.60244\ntcp 192.168.253.53.52561 44.211.192.146.1514\ntcp 192.168.253.53.52560 44.211.192.146.1514\nudp 192.168.253.53.123 *.*\nudp 127.0.0.1.49157 127.0.0.1.49157\nudp 127.0.0.1.123 *.*","location":"netstat listening ports"}
  {"timestamp":"2023-10-17T10:40:30.504+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"sovmh353","ip":"192.168.253.53"},"manager":{"name":"wazuh-server"},"id":"1697539230.30493","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}
  
  

  • No errors in agent logs

  # grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
  0
  

Removal 🟢

# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.0 Stopped

# groupdel wazuh

# userdel wazuh

# rm -rf /var/ossec

Check users and groups 🟢

# cat /etc/passwd | grep wazuh
wazuh:*:108:20::/home/wazuh:/sbin/sh


# cat /etc/group | grep wazuh
wazuh::105:wazuh

Upgrade 4.5.3 -> 4.7.0 🟢

⚠️ NOTE: Before starting uninstall the agent (if you did not) and remove it from the manager.

• Install the initial version

# /usr/local/bin/curl -sOk https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.5.3-1-hpux-11v3-ia64.tar

# groupadd wazuh

# useradd -G wazuh wazuh

# tar -xvf wazuh-agent-4.5.3-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1631872 bytes, 3188 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2124576 bytes, 4150 tape blocks
x /var/ossec/bin/wazuh-execd, 1560236 bytes, 3048 tape blocks
x /var/ossec/bin/manage_agents, 440852 bytes, 862 tape blocks
x /var/ossec/bin/wazuh-control, 7148 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1490584 bytes, 2912 tape blocks
x /var/ossec/bin/wazuh-agentd, 1633380 bytes, 3191 tape blocks
x /var/ossec/bin/agent-auth, 441644 bytes, 863 tape blocks
x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks
x /var/ossec/lib/libwazuhshared.so, 290680 bytes, 568 tape blocks
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 188765 bytes, 369 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6018 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 14685 bytes, 29 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1841 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4661 bytes, 10 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 5524 bytes, 11 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4453 bytes, 9 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4705 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 37467 bytes, 74 tape blocks
x /var/ossec/wodles/azure/orm.py, 7007 bytes, 14 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14012 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4855 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70200 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70200 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 69848 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69800 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69832 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69832 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69784 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69712 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69604 bytes, 136 tape blocks
x /var/ossec/active-response/bin/route-null, 69744 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69652 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 69908 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent



# sed "s/3.82.119.164</3.82.119.164/g" /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf

# grep address /var/ossec/etc/ossec.conf
      <address>3.82.119.164</address>

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.3...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

• Check connection in the manager

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sovmh353
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh353 |B.11.31 |U |ia64
   Client version:      Wazuh v4.5.3
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697617190

   Syscheck last started at:  Wed Oct 18 22:05:03 2023 (Scan in progress)
   Syscheck last ended at:    Unknown

• Upgrade the agent following the documentation

# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.5.3 Stopped

# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk

# cp /var/ossec/etc/client.keys ~/client.keys.bk

# tar -xvf wazuh-agent-4.7.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1951568 bytes, 3812 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2373620 bytes, 4636 tape blocks
x /var/ossec/bin/wazuh-execd, 1814552 bytes, 3545 tape blocks
x /var/ossec/bin/manage_agents, 570740 bytes, 1115 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1744844 bytes, 3408 tape blocks
x /var/ossec/bin/wazuh-agentd, 1887140 bytes, 3686 tape blocks
x /var/ossec/bin/agent-auth, 506176 bytes, 989 tape blocks
x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355412 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1314728 bytes, 2568 tape blocks
x /var/ossec/lib/librsync.so, 900228 bytes, 1759 tape blocks
x /var/ossec/lib/libsysinfo.so, 796672 bytes, 1556 tape blocks
x /var/ossec/lib/libfimdb.so, 1267160 bytes, 2475 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 182656 bytes, 357 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4709 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 38402 bytes, 76 tape blocks
x /var/ossec/wodles/azure/orm.py, 10034 bytes, 20 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14164 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4817 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70248 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70248 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70024 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69880 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69880 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69848 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69952 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69800 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69692 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69740 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 69996 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent




# mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf

# chown root:wazuh /var/ossec/etc/ossec.conf

# mv ~/client.keys.bk /var/ossec/etc/client.keys

# chown root:wazuh /var/ossec/etc/client.keys

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

• Check agent in the manager

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sovmh353
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh353 |B.11.31 |U |ia64
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697617336

   Syscheck last started at:  Wed Oct 18 22:07:43 2023 (Scan in progress)
   Syscheck last ended at:    Unknown

---

Size of Agent is similar to 4.6.0, but it was reported a big increase in comparison to older versions.

• Reported: HP-UX Wazuh agent package size increased considerably #19251 - Known issue

[pro-akim]

Analysis report - Solaris 11 SPARC 🟡

System info 🟢

root@sossp107:~# cat /etc/release
                            Oracle Solaris 11.3 SPARC
  Copyright (c) 1983, 2015, Oracle and/or its affiliates.  All rights reserved.
                            Assembled 06 October 2015

Install 🟢

• Wazuh agent

root@sossp107:~# curl -o wazuh-agent_v4.7.0-sol11-sparc.p5p https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.7.0-sol11-sparc.p5p
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6270k  100 6270k    0     0  4624k      0  0:00:01  0:00:01 --:--:-- 5000k

root@sossp107:~# ls -la
total 12728
drwxr-xr-x   2 mpuxpt   root           8 oct 17 06:18 .
drwxr-xr-x   4 root     sys            4 oct 16 03:52 ..
-r--r--r--   1 mpuxpt   root         159 oct 16 03:52 .bashrc
-rw-r--r--   1 mpuxpt   root         568 oct 16 03:52 .profile
-rw-r--r--   1 mpuxpt   root         166 oct 16 03:52 local.cshrc
-rw-r--r--   1 mpuxpt   root         170 oct 16 03:52 local.login
-rw-r--r--   1 mpuxpt   root         131 oct 16 03:52 local.profile
-rw-r--r--   1 root     root     6420480 oct 17 06:18 wazuh-agent_v4.7.0-sol11-sparc.p5p


root@sossp107:~# pkg install -g wazuh-agent_v4.7.0-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         98/98      5.8/5.8 31.5M/s

PHASE                                          ITEMS
Installing new actions                       151/151
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

root@sossp107:~# cat /var/ossec/etc/ossec.conf | grep address
      <address>44.211.192.146</address>
root@sossp107:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@sossp107:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

• Wazuh server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: sovmh353, IP: any, Active
   ID: 003, Name: sossp107, IP: any, Active

List of agentless devices:


[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: sossp107
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp107 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697541781

   Syscheck last started at:  Tue Oct 17 11:22:01 2023 (Scan in progress)
   Syscheck last ended at:    Unknown

Alert 🟢

• TCP

root@sossp107:~# grep -i "tcp" /var/ossec/logs/ossec.log 
2023/10/17 06:21:54 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
2023/10/17 06:21:54 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).
2023/10/17 06:22:00 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
2023/10/17 06:22:00 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).

[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.log | grep -n5 sossp107
1608-** Alert 1697541789.183993: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
1609:2023 Oct 17 11:23:09 (sossp107) any->sca
1610-Rule: 19004 (level 7) -> 'SCA summary: CIS Benchmark for Oracle Solaris 11 v1.1.0: Score less than 50% (31)'
1611-{"type":"summary","scan_id":10547,"name":"CIS Benchmark for Oracle Solaris 11 v1.1.0","policy_id":"cis_solaris11","file":"cis_solaris11.yml","description":"This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against  Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":16,"failed":35,"invalid":0,"total_checks":51,"score":31.372550964355469,"start_time":1697541721,"end_time":1697541725,"hash":"d0d7397585602bed79d61ddad3bfeedf30db2e134423be75f3f4e20edf198158","hash_file":"4b2fd9806b141e4ae64476837fb5d3852993bc2de7ac91661a682387ed000be5","force_alert":"1"}
1612-sca.type: summary
1613-sca.scan_id: 10547
1614-sca.policy: CIS Benchmark for Oracle Solaris 11 v1.1.0
--
1620-sca.total_checks: 51
1621-sca.score: 31
1622-sca.file: cis_solaris11.yml
1623-
1624-** Alert 1697541799.186049: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
1625:2023 Oct 17 11:23:19 (sossp107) any->sca
1626-Rule: 19004 (level 7) -> 'SCA summary: CIS Benchmark for Oracle Solaris 11 v1.1.0: Score less than 50% (31)'
1627-{"type":"summary","scan_id":10547,"name":"CIS Benchmark for Oracle Solaris 11 v1.1.0","policy_id":"cis_solaris11","file":"cis_solaris11.yml","description":"This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against  Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":16,"failed":35,"invalid":0,"total_checks":51,"score":31.372550964355469,"start_time":1697541721,"end_time":1697541725,"hash":"d0d7397585602bed79d61ddad3bfeedf30db2e134423be75f3f4e20edf198158","hash_file":"4b2fd9806b141e4ae64476837fb5d3852993bc2de7ac91661a682387ed000be5","force_alert":"1","force_alert":"1"}
1628-sca.type: summary
1629-sca.scan_id: 10547
1630-sca.policy: CIS Benchmark for Oracle Solaris 11 v1.1.0

root@sossp107:~# /usr/xpg4/bin/grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
       0

• UDP

root@sossp107:~# grep -i "udp" /var/ossec/logs/ossec.log 
root@sossp107:~# 

Remove 🟢

root@sossp107:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.0 Stopped

root@sossp107:~# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         195/195
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20231017T062703Z
  ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20231017T062703Z
  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20231017T062703Z
  ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20231017T062703Z
  ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20231017T062703Z
  ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20231017T062703Z
  ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20231017T062703Z
  ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20231017T062703Z
  ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20231017T062703Z
  ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20231017T062703Z

groupdel wazuh

Upgrade 4.5.3 -> 4.7.0 🟡

Agent 4.5.3 could not be installed

root@sossp107:~# wget https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.5.3-sol11-sparc.p5p
--2023-10-18 02:06:59--  https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.5.3-sol11-sparc.p5p
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 3.161.136.100, 3.161.136.61, 3.161.136.16, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|3.161.136.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6195200 (5,9M) [binary/octet-stream]
Saving to: ‘wazuh-agent_v4.5.3-sol11-sparc.p5p’

wazuh-agent_v4.5.3-sol11-sparc.p5p                   100%[=======================================================================================================================>]   5,91M  7,11MB/s   in 0,8s   

2023-10-18 02:07:01 (7,11 MB/s) - ‘wazuh-agent_v4.5.3-sol11-sparc.p5p’ saved [6195200/6195200]




root@sossp107:~# ls -la
total 25066
drwxr-xr-x   2 mpuxpt   root          10 oct 18 02:07 .
drwxr-xr-x   4 root     sys            4 oct 16 03:52 ..
-rw-------   1 root     root        1664 oct 17 06:52 .bash_history
-r--r--r--   1 mpuxpt   root         159 oct 16 03:52 .bashrc
-rw-r--r--   1 mpuxpt   root         568 oct 16 03:52 .profile
-rw-r--r--   1 mpuxpt   root         166 oct 16 03:52 local.cshrc
-rw-r--r--   1 mpuxpt   root         170 oct 16 03:52 local.login
-rw-r--r--   1 mpuxpt   root         131 oct 16 03:52 local.profile
-rw-r--r--   1 root     root     6195200 oct 10 14:40 wazuh-agent_v4.5.3-sol11-sparc.p5p
-rw-r--r--   1 root     root     6420480 oct 17 06:18 wazuh-agent_v4.7.0-sol11-sparc.p5p



root@sossp107:~# pkg install -g wazuh-agent_v4.5.3-sol11-sparc.p5p wazuh-agent

           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         97/97      5.6/5.6    0B/s

PHASE                                          ITEMS
Installing new actions                         1/150Action install failed for 'ossec' (pkg://wazuh/wazuh-agent):
  KeyError: 'gid'

The Boot Environment solaris failed to be updated. A snapshot was taken before the failed attempt and is mounted here /tmp/tmpj1Dweo. Use 'beadm unmount solaris-5' and then 'beadm activate solaris-5' if you wish to boot to this BE.
pkg: An unexpected error happened during install: 'gid'
Traceback (most recent call last):
  File "/usr/bin/pkg", line 6254, in handle_errors
    __ret = func(*args, **kwargs)
  File "/usr/bin/pkg", line 6240, in main_func
    pargs=pargs, **opts)
  File "/usr/bin/pkg", line 1985, in install
    update_index=update_index)
  File "/usr/bin/pkg", line 1758, in __api_op
    ret_code = __api_execute_plan(_op, _api_inst)
  File "/usr/bin/pkg", line 1326, in __api_execute_plan
    api_inst.execute_plan()
  File "/usr/lib/python2.7/vendor-packages/pkg/client/api.py", line 2816, in execute_plan
    self._img.imageplan.execute()
  File "/usr/lib/python2.7/vendor-packages/pkg/client/imageplan.py", line 4593, in execute
    p.execute_install(src, dest)
  File "/usr/lib/python2.7/vendor-packages/pkg/client/pkgplan.py", line 563, in execute_install
    dest.install(self, src)
  File "/usr/lib/python2.7/vendor-packages/pkg/actions/group.py", line 80, in install
    if (cur_attrs["gid"] != self.attrs["gid"]):
KeyError: 'gid'


pkg: This is an internal error in pkg(5) version a1fb8dcc1a5e.  Please log a
Service Request about this issue including the information above and this
message.

• Reported: Issue with ossec group in reinstall Wazuh agent 4.3.4 in Solaris 11 SPARC wazuh-packages#1631 - Known issue

Users and groups 🟢

root@sossp107:~# cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:
root@sossp107:~# cat /etc/group | grep wazuh
wazuh::13:

---

Install of 4.5.3 Agent failed after removing 4.7.0 Agent

• Reported: Issue with ossec group in reinstall Wazuh agent 4.3.4 in Solaris 11 SPARC wazuh-packages#1631 - Known issue

[pro-akim]

Analysis report - Solaris 10 SPARC 🟢

System info 🟢

  cat /etc/release 
                   Oracle Solaris 10 1/13 s10s_u11wos_24a SPARC
  Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
                            Assembled 17 January 2013

Install 🟢

• Install package

# pkgadd -d wazuh-agent_v4.7.0-sol10-sparc.pkg

The following packages are available:
  1  wazuh-agent     Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                     (sparc) 4.7.0

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 

Processing package instance <wazuh-agent> from </export/home/kilm/wazuh-agent_v4.7.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.7.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] 
        ERROR: Input is required.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

• Configure ossec.conf

# sed 's/MANAGER_IP/44.211.192.146/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf

# grep "address" /var/ossec/etc/ossec.conf
      <address>44.211.192.146</address>

# grep "protocol" /var/ossec/etc/ossec.conf 
      <protocol>tcp</protocol>

• Start agent and check properties

# /var/ossec/bin/wazuh-control start 
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.0"
WAZUH_REVISION="40701"
WAZUH_TYPE="agent"

# ps -ef | grep wazuh
    root  1170     1   0 13:33:15 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root  1144     1   0 13:33:14 ?           0:00 /var/ossec/bin/wazuh-execd
    root  1163     1   2 13:33:15 ?           0:03 /var/ossec/bin/wazuh-syscheckd
    root  1207   876   0 13:33:25 pts/1       0:00 grep wazuh
   wazuh  1151     1   0 13:33:14 ?           0:00 /var/ossec/bin/wazuh-agentd
    root  1177     1   0 13:33:16 ?           0:02 /var/ossec/bin/wazuh-modulesd

• Stop agent and check properties

# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.5.3 Stopped
# ps -ef | grep wazuh              
    root  2983   868   0 09:13:33 pts/1       0:00 grep wazuh

• Restart agent and check properties

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.0...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.

# ps -ef | grep wazuh 
    root  1170     1   0 13:33:15 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root  1144     1   0 13:33:14 ?           0:00 /var/ossec/bin/wazuh-execd
    root  1482   876   0 13:34:59 pts/1       0:00 grep wazuh
    root  1163     1   0 13:33:15 ?           0:41 /var/ossec/bin/wazuh-syscheckd
   wazuh  1151     1   0 13:33:14 ?           0:01 /var/ossec/bin/wazuh-agentd
    root  1177     1   0 13:33:16 ?           0:02 /var/ossec/bin/wazuh-modulesd

# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.0 Stopped
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# ps -ef | grep wazuh    
    root  1762     1   0 13:35:14 ?           0:00 /var/ossec/bin/wazuh-execd
    root  1781     1  23 13:35:15 ?           0:19 /var/ossec/bin/wazuh-syscheckd
    root  1932   876   0 13:35:33 pts/1       0:00 grep wazuh
    root  1798     1   0 13:35:16 ?           0:02 /var/ossec/bin/wazuh-modulesd
   wazuh  1769     1   0 13:35:14 ?           0:00 /var/ossec/bin/wazuh-agentd
    root  1788     1   0 13:35:15 ?           0:00 /var/ossec/bin/wazuh-logcollector

• Check agent TCP connection

# grep "tcp" /var/ossec/logs/ossec.log 
2023/10/17 13:33:11 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
2023/10/17 13:33:11 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).
2023/10/17 13:33:14 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
2023/10/17 13:33:14 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).
2023/10/17 13:35:13 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
2023/10/17 13:35:13 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).

• Check agent logs

# grep "ERROR" /var/ossec/logs/ossec.log   
# grep "ERROR" /var/ossec/logs/ossec.log  | wc -l
       0
# grep "CRITICAL" /var/ossec/logs/ossec.log 
# grep "CRITICAL" /var/ossec/logs/ossec.log | wc -l
       0
# grep "WARNING" /var/ossec/logs/ossec.log  
# grep "WARNING" /var/ossec/logs/ossec.log | wc -l 
       0
# grep "FATAL" /var/ossec/logs/ossec.log   
# grep "FATAL" /var/ossec/logs/ossec.log | wc -l
       0

• Check agent user and group

# grep "wazuh" /etc/passwd 
wazuh:x:46203:57447::/var/ossec:/bin/false
# grep "wazuh" /etc/group  
wazuh::57447:

• Check agent UDP connection

# sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf

# grep "protocol" /var/ossec/etc/ossec.conf 
      <protocol>udp</protocol>

# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.0 Stopped
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# grep "udp" /var/ossec/logs/ossec.log  
2023/10/17 13:38:34 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/udp).
2023/10/17 13:38:34 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/udp).
# grep "ERROR" /var/ossec/logs/ossec.log   
# grep "CRITICAL" /var/ossec/logs/ossec.log | wc -l
       0
# grep "ERROR" /var/ossec/logs/ossec.log  | wc -l  
       0
# grep "WARNING" /var/ossec/logs/ossec.log | wc -l 
       0
# grep "WARNING" /var/ossec/logs/ossec.log  
# grep "FATAL" /var/ossec/logs/ossec.log | wc -l   
       0

Wazuh manager - Agent install 🟢

• Agent connected

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control  -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: sovmh353, IP: any, Disconnected
   ID: 003, Name: sossp107, IP: any, Disconnected
   ID: 005, Name: soaxp078, IP: any, Disconnected
   ID: 006, Name: sossp272, IP: any, Active

List of agentless devices:

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control  -i 006

Wazuh agent_control. Agent information:
   Agent ID:   006
   Agent Name: sossp272
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp272 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697546069

   Syscheck last started at:  Tue Oct 17 18:33:15 2023
   Syscheck last ended at:    Tue Oct 17 18:33:33 2023

• Alert received

[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.log | grep -n5 sossp272
4238-** Alert 1697546128.427356: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
4239:2023 Oct 17 12:35:28 (sossp272) any->wazuh-remoted
4240-Rule: 506 (level 3) -> 'Wazuh agent stopped.'
4241:ossec: Agent stopped: 'sossp272->any'.
4242-
4243-** Alert 1697546129.427684: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
4244:2023 Oct 17 12:35:29 (sossp272) any->wazuh-agent
4245-Rule: 503 (level 3) -> 'Wazuh agent started.'
4246:ossec: Agent started: 'sossp272->any'.
4247-
4248-** Alert 1697546136.428010: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
4249:2023 Oct 17 12:35:36 (sossp272) any->rootcheck
4250-Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
4251-File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.
4252-title: File is owned by root and has written permissions to anyone.
4253-file: /tmp/.X11-pipe/X0
4254-
4255-** Alert 1697546329.428381: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
4256:2023 Oct 17 12:38:49 (sossp272) any->wazuh-remoted
4257-Rule: 506 (level 3) -> 'Wazuh agent stopped.'
4258:ossec: Agent stopped: 'sossp272->any'.
4259-
4260-** Alert 1697546330.428709: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
4261:2023 Oct 17 12:38:50 (sossp272) any->wazuh-agent
4262-Rule: 503 (level 3) -> 'Wazuh agent started.'
4263:ossec: Agent started: 'sossp272->any'.
4264-
4265-** Alert 1697546337.429035: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
4266:2023 Oct 17 12:38:57 (sossp272) any->rootcheck
4267-Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
4268-File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.
4269-title: File is owned by root and has written permissions to anyone.
4270-file: /tmp/.X11-pipe/X0

• Check manager logs

[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log 

Remove 🟢

• Check initial status

# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
# ps -ef | grep wazuh
   wazuh  2504     1   0 13:38:35 ?           0:00 /var/ossec/bin/wazuh-agentd
    root  2533     1   0 13:38:37 ?           0:02 /var/ossec/bin/wazuh-modulesd
    root  2523     1   0 13:38:36 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root  2497     1   0 13:38:35 ?           0:00 /var/ossec/bin/wazuh-execd
    root  2516     1   0 13:38:36 ?           0:41 /var/ossec/bin/wazuh-syscheckd
    root  2854   876   0 13:43:19 pts/1       0:00 grep wazuh

• Remove agent

# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.7.0

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.0 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.

• Check process

# ps -ef | grep wazuh
    root  2924   876   0 13:44:33 pts/1       0:00 grep wazuh

• Check files

# ls -l /var/ossec/
total 6
drwxrwx---   3 46203    57447          3 Oct 17 13:43 etc
drwxr-x---   8 root     57447          8 Oct 17 13:43 queue
# ls -l /var/ossec/etc/
total 3
drwxrwx---   2 root     57447          5 Oct 17 13:43 shared
# ls -l /var/ossec/etc/shared/
total 1801
-rw-------   1 46203    57447         76 Oct 17 13:33 agent.conf
-rw-------   1 46203    57447        228 Oct 17 13:33 ar.conf
-rw-r--r--   1 46203    57447     899315 Oct 17 13:33 merged.mg
# ls -l /var/ossec/queue/   
total 18
drwxrwx---   2 46203    57447          4 Oct 17 13:38 alerts
drwxr-x---   3 46203    57447          3 Oct 17 13:29 fim
drwxr-x---   2 46203    57447          3 Oct 17 13:32 logcollector
drwxr-x---   2 46203    57447          4 Oct 17 13:33 rids
drwxrwx---   2 46203    57447         10 Oct 17 13:38 sockets
drwxr-x---   3 46203    57447          3 Oct 17 13:43 syscollector

Upgrade 4.5.3 -> 4.7.0 🟢

• Install 4.5.3 agent

# # pkgadd -d wazuh-agent_v4.5.3-sol10-sparc.pkg

The following packages are available:
  1  wazuh-agent     Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                     (sparc) 4.5.3

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 

Processing package instance <wazuh-agent> from </export/home/kilm/wazuh-agent_v4.5.3-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.5.3
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.

The following files are already installed on the system and are being
used by another package:
* /var/ossec <attribute change only>
* /var/ossec/etc <attribute change only>
* /var/ossec/etc/shared <attribute change only>
* /var/ossec/queue <attribute change only>
* /var/ossec/queue/alerts <attribute change only>
* /var/ossec/queue/fim <attribute change only>
* /var/ossec/queue/fim/db <attribute change only>
* /var/ossec/queue/logcollector <attribute change only>
* /var/ossec/queue/rids <attribute change only>
* /var/ossec/queue/sockets <attribute change only>
* /var/ossec/queue/syscollector <attribute change only>
* /var/ossec/queue/syscollector/db <attribute change only>

* - conflict with a file which does not belong to any package.

Do you want to install these conflicting files [y,n,?,q] y
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

• Check agent properties

# sed 's/MANAGER_IP/3.82.119.164/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf
# grep "address" /var/ossec/etc/ossec.conf
      <address>3.82.119.164</address>
# sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf
# grep "protocol" /var/ossec/etc/ossec.conf 
      <protocol>udp</protocol>

• Start 4.5.3 agent

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.3...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.5.3"
WAZUH_REVISION="40508"
WAZUH_TYPE="agent"

# ps -ef | grep wazuh
    root  4741  4493   0 08:26:52 pts/1       0:00 grep wazuh
    root  4659     1   0 08:26:28 ?           0:02 /var/ossec/bin/wazuh-modulesd
    root  4620     1   0 08:26:25 ?           0:00 /var/ossec/bin/wazuh-execd
    root  4639     1   5 08:26:26 ?           0:08 /var/ossec/bin/wazuh-syscheckd
   wazuh  4627     1   0 08:26:25 ?           0:00 /var/ossec/bin/wazuh-agentd
    root  4649     1   0 08:26:27 ?           0:00 /var/ossec/bin/wazuh-logcollector

• Check 4.5.3 agent protocol connection

# grep "udp" /var/ossec/logs/ossec.log 
2023/10/18 08:26:44 wazuh-agentd: INFO: Trying to connect to server ([3.82.119.164]:1514/udp).
2023/10/18 08:26:44 wazuh-agentd: INFO: (4102): Connected to the server ([3.82.119.164]:1514/udp).

• Stop 4.5.3 agent to upgrade agent to 4.7.0

# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.5.3 Stopped

# ps -ef | grep wazuh
    root  5059  4493   0 08:27:50 pts/1       0:00 grep wazuh

• Save config files

# cp /var/ossec/etc/ossec.conf ./ossec.conf.bk
# cp /var/ossec/etc/client.keys ./client.keys.bk
# ls -l
total 73040
-rw-r-----   1 root     root          82 Oct 18 08:28 client.keys.bk
-rw-r--r--   1 kilm     staff        136 Oct 16 09:43 local.cshrc
-rw-r--r--   1 kilm     staff        157 Oct 16 09:43 local.login
-rw-r--r--   1 kilm     staff        174 Oct 16 09:43 local.profile
-rw-r--r--   1 root     root        5544 Oct 18 08:28 ossec.conf.bk
-rw-r--r--   1 kilm     staff    4849664 Oct 17 13:26 wazuh-agent_4.7.0-1_amd64.deb
-rw-r--r--   1 kilm     staff    15760896 Oct 18 08:23 wazuh-agent_v4.5.3-sol10-sparc.pkg
-rw-r--r--   1 kilm     staff    16538624 Oct 17 13:28 wazuh-agent_v4.7.0-sol10-sparc.pkg

• Remove 4.5.3 agent

# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.5.3

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.5.3 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.

• Install 4.7.0 agent

# pkgadd -d wazuh-agent_v4.7.0-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </export/home/kilm/wazuh-agent_v4.7.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.7.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.

The following files are already installed on the system and are being
used by another package:
* /var/ossec <attribute change only>
* /var/ossec/etc <attribute change only>
* /var/ossec/etc/shared <attribute change only>
* /var/ossec/queue <attribute change only>
* /var/ossec/queue/alerts <attribute change only>
* /var/ossec/queue/fim <attribute change only>
* /var/ossec/queue/fim/db <attribute change only>
* /var/ossec/queue/logcollector <attribute change only>
* /var/ossec/queue/rids <attribute change only>
* /var/ossec/queue/sockets <attribute change only>
* /var/ossec/queue/syscollector <attribute change only>
* /var/ossec/queue/syscollector/db <attribute change only>

* - conflict with a file which does not belong to any package.

Do you want to install these conflicting files [y,n,?,q] y
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

• Restore saved config files

# mv ./ossec.conf.bk /var/ossec/etc/ossec.conf
# chown root:wazuh /var/ossec/etc/ossec.conf
# mv ./client.keys.bk /var/ossec/etc/client.keys
# chown root:wazuh /var/ossec/etc/client.keys
# ls -l /var/ossec/etc/
total 56
-rw-r-----   1 root     wazuh         82 Oct 18 08:28 client.keys
-rw-r-----   1 root     wazuh      14164 Oct 16 12:40 internal_options.conf
-rw-r-----   1 root     wazuh        320 Oct 16 12:40 local_internal_options.conf
-rw-r--r--   1 root     wazuh       5544 Oct 18 08:28 ossec.conf
drwxrwx---   2 root     wazuh         26 Oct 18 08:34 shared
-rw-r-----   1 root     wazuh        670 Oct 16 12:40 TIMEZONE
-rw-r-----   1 root     wazuh       1367 Oct 16 12:40 wpk_root.pem

• Start 4.7.0 agent

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# ps -ef | grep wazuh
    root  5641     1   0 08:36:20 ?           0:02 /var/ossec/bin/wazuh-modulesd
    root  5777  4493   0 08:36:37 pts/1       0:00 grep wazuh
    root  5608     1   0 08:36:19 ?           0:00 /var/ossec/bin/wazuh-execd
   wazuh  5615     1   0 08:36:19 ?           0:00 /var/ossec/bin/wazuh-agentd
    root  5627     1  21 08:36:20 ?           0:18 /var/ossec/bin/wazuh-syscheckd
    root  5634     1   0 08:36:20 ?           0:00 /var/ossec/bin/wazuh-logcollector


# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.0"
WAZUH_REVISION="40701"
WAZUH_TYPE="agent"

• Check 4.7.0 agent logs

# grep "ERROR" /var/ossec/logs/ossec.log | wc -l
       0
# grep "CRITICAL" /var/ossec/logs/ossec.log | wc -l
       0
# grep "WARNING" /var/ossec/logs/ossec.log | wc -l 
       0
# grep "FATAL" /var/ossec/logs/ossec.log | wc -l  
       0

• Check agent config is correct after upgrade

# grep "protocol" /var/ossec/etc/ossec.conf 
      <protocol>udp</protocol>
# grep "udp" /var/ossec/logs/ossec.log  
2023/10/18 08:36:18 wazuh-agentd: INFO: Trying to connect to server ([3.82.119.164]:1514/udp).
2023/10/18 08:36:18 wazuh-agentd: INFO: (4102): Connected to the server ([3.82.119.164]:1514/udp).

• Check user and group

# grep "wazuh" /etc/passwd 
wazuh:x:46203:57447::/var/ossec:/bin/false
# grep "wazuh" /etc/group 
wazuh::57447:

Wazuh manager - Agent upgrade 🟢

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: sossp272
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp272 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697614695

   Syscheck last started at:  Wed Oct 18 13:36:20 2023
   Syscheck last ended at:    Wed Oct 18 13:36:26 2023

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: sossp272
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp272 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.5.3
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697614172

   Syscheck last started at:  Wed Oct 18 13:28:56 2023
   Syscheck last ended at:    Wed Oct 18 13:29:01 2023

---

Files remains after remove the agent

• Reported: Solaris 10 agent uninstall leaves unwanted files in the installation directory wazuh-packages#2099 - Known issue

[pro-akim]

Analysis report - CentOS 7 PPC64LE 🟢

Deployment + Install 🟢

• Wazuh Agent

[root@7fbd0b78fbcd ~]# uname -a
Linux 7fbd0b78fbcd 3.10.0-1160.71.1.el7.ppc64le #1 SMP Tue Jun 28 18:34:40 UTC 2022 ppc64le ppc64le ppc64le GNU/Linux

[root@7fbd0b78fbcd ~]# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (AltArch)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (AltArch)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7:server"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"



[root@7fbd0b78fbcd ~]# curl -OL https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.7.0-1.ppc64le.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 7044k  100 7044k    0     0   911k      0  0:00:07  0:00:07 --:--:--  911k

[root@7fbd0b78fbcd ~]# yum install -y ./wazuh-agent-4.7.0-1.ppc64le.rpm 
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.7.0-1.ppc64le.rpm: wazuh-agent-4.7.0-1.ppc64le
Marking ./wazuh-agent-4.7.0-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.7.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================
 Package             Arch            Version            Repository                            Size
===================================================================================================
Installing:
 wazuh-agent         ppc64le         4.7.0-1            /wazuh-agent-4.7.0-1.ppc64le          32 M

Transaction Summary
===================================================================================================
Install  1 Package

Total size: 32 M
Installed size: 32 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.7.0-1.ppc64le                                                     1/1 
  Verifying  : wazuh-agent-4.7.0-1.ppc64le                                                     1/1 

Installed:
  wazuh-agent.ppc64le 0:4.7.0-1                                                                    

Complete!




[root@7fbd0b78fbcd ~]# grep address /var/ossec/etc/ossec.conf 
      <address>44.211.192.146</address>



[root@7fbd0b78fbcd ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.



[root@7fbd0b78fbcd ~]# grep "tcp" /var/ossec/logs/ossec.log
2023/10/17 14:02:04 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
2023/10/17 14:02:04 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).
2023/10/17 14:02:10 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/tcp).
2023/10/17 14:02:11 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/tcp).




[root@7fbd0b78fbcd ~]# ps -ef | grep wazuh
root      1413     1  0 14:02 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     1425     1  0 14:02 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      1441     1 17 14:02 ?        00:00:02 /var/ossec/bin/wazuh-syscheckd
root      1456     1  0 14:02 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      1473     1  1 14:02 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      1859    40  0 14:02 pts/0    00:00:00 grep --color=auto wazuh



[root@7fbd0b78fbcd ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.0"
WAZUH_REVISION="40701"
WAZUH_TYPE="agent"

• Wazuh Server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: sovmh353, IP: any, Disconnected
   ID: 003, Name: sossp107, IP: any, Disconnected
   ID: 005, Name: soaxp078, IP: any, Disconnected
   ID: 007, Name: sossp272, IP: any, Disconnected
   ID: 008, Name: 7fbd0b78fbcd, IP: any, Active

List of agentless devices:


[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 008

Wazuh agent_control. Agent information:
   Agent ID:   008
   Agent Name: 7fbd0b78fbcd
   IP address: any
   Status:     Active

   Operating system:    Linux |7fbd0b78fbcd |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697551381

   Syscheck last started at:  Tue Oct 17 14:02:11 2023
   Syscheck last ended at:    Tue Oct 17 14:02:53 2023

• UDP
  • Wazuh Agent

[root@7fbd0b78fbcd ~]# grep udp /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>


[root@7fbd0b78fbcd ~]# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.0 Stopped
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.



[root@7fbd0b78fbcd ~]# grep "udp" /var/ossec/logs/ossec.log
2023/10/17 14:04:27 wazuh-agentd: INFO: Trying to connect to server ([44.211.192.146]:1514/udp).
2023/10/17 14:04:27 wazuh-agentd: INFO: (4102): Connected to the server ([44.211.192.146]:1514/udp).

• UDP
  • Wazuh Server (check if the agent is connected)

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 008

Wazuh agent_control. Agent information:
   Agent ID:   008
   Agent Name: 7fbd0b78fbcd
   IP address: any
   Status:     Active

   Operating system:    Linux |7fbd0b78fbcd |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697551717

   Syscheck last started at:  Tue Oct 17 14:04:28 2023
   Syscheck last ended at:    Tue Oct 17 14:04:30 2023

Alerts 🟢

8957-** Alert 1697551346.1046890: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
8958:2023 Oct 17 14:02:26 (7fbd0b78fbcd) any->sca
8959-Rule: 19008 (level 3) -> 'CIS CentOS Linux 7 Benchmark v3.0.0: Ensure shadow group is empty.'
8960-{"type":"check","id":11389262,"policy":"CIS CentOS Linux 7 Benchmark v3.0.0","policy_id":"cis_centos7_linux","check":{"id":6195,"title":"Ensure shadow group is empty.","description":"The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group","rationale":"Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily runa password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.","remediation":"Remove any legacy '+' entries from /etc/shadow if they exist.","compliance":{"cis":"6.2.18","cis_csc":"5.1","pci_dss":"2.2.3","nist_800_53":"CM.1","gpg_13":"4.3","gdpr_IV":"35.7.d","hipaa":"164.312.b","tsc":"CC5.2","cis_level":"1"},"rules":["not c:grep -E ^shadow:[^:]*:[^:]*:[^:]+ /etc/group -> r:^shadow"],"condition":"all","command":"grep -E ^shadow:[^:]*:[^:]*:[^:]+ /etc/group","result":"passed"}}
8961-sca.type: check
8962-sca.scan_id: 11389262
8963-sca.policy: CIS CentOS Linux 7 Benchmark v3.0.0
--
8977-sca.check.compliance.cis_level: 1
8978-sca.check.command: ["grep -E ^shadow:[^:]*:[^:]*:[^:]+ /etc/group"]
8979-sca.check.result: passed
8980-
8981-** Alert 1697551353.1049514: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
8982:2023 Oct 17 14:02:33 (7fbd0b78fbcd) any->sca
8983-Rule: 19004 (level 7) -> 'SCA summary: CIS CentOS Linux 7 Benchmark v3.0.0: Score less than 50% (40)'
8984-{"type":"summary","scan_id":11389262,"name":"CIS CentOS Linux 7 Benchmark v3.0.0","policy_id":"cis_centos7_linux","file":"cis_centos7_linux.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for CentOS 7 systems running on x86 and x64 platforms. This document was tested against CentOS 7.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":61,"failed":89,"invalid":46,"total_checks":196,"score":40.666667938232422,"start_time":1697551334,"end_time":1697551339,"hash":"d3ab0b9c36554b8a7ff414d7c4a49633d985baf836470e1c1b7f6e7add22c3c8","hash_file":"dabf026b2d2cd3077cb07b9a02e7be6bca2246b4099b45d73cf40b751a30ca7f","force_alert":"1"}
8985-sca.type: summary
8986-sca.scan_id: 11389262
8987-sca.policy: CIS CentOS Linux 7 Benchmark v3.0.0
--
8993-sca.total_checks: 196
8994-sca.score: 40
8995-sca.file: cis_centos7_linux.yml
8996-
8997-** Alert 1697551364.1050916: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
8998:2023 Oct 17 14:02:44 (7fbd0b78fbcd) any->sca
8999-Rule: 19004 (level 7) -> 'SCA summary: CIS CentOS Linux 7 Benchmark v3.0.0: Score less than 50% (40)'
9000-{"type":"summary","scan_id":11389262,"name":"CIS CentOS Linux 7 Benchmark v3.0.0","policy_id":"cis_centos7_linux","file":"cis_centos7_linux.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for CentOS 7 systems running on x86 and x64 platforms. This document was tested against CentOS 7.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":61,"failed":89,"invalid":46,"total_checks":196,"score":40.666667938232422,"start_time":1697551334,"end_time":1697551339,"hash":"d3ab0b9c36554b8a7ff414d7c4a49633d985baf836470e1c1b7f6e7add22c3c8","hash_file":"dabf026b2d2cd3077cb07b9a02e7be6bca2246b4099b45d73cf40b751a30ca7f","force_alert":"1","force_alert":"1"}
9001-sca.type: summary
9002-sca.scan_id: 11389262
9003-sca.policy: CIS CentOS Linux 7 Benchmark v3.0.0
--
9009-sca.total_checks: 196
9010-sca.score: 40
9011-sca.file: cis_centos7_linux.yml
9012-
9013-** Alert 1697551465.1052336: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
9014:2023 Oct 17 14:04:25 (7fbd0b78fbcd) any->wazuh-remoted
9015-Rule: 506 (level 3) -> 'Wazuh agent stopped.'
9016:ossec: Agent stopped: '7fbd0b78fbcd->any'.
9017-
9018-** Alert 1697551467.1052673: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
9019:2023 Oct 17 14:04:27 (7fbd0b78fbcd) any->wazuh-agent
9020-Rule: 503 (level 3) -> 'Wazuh agent started.'
9021:ossec: Agent started: '7fbd0b78fbcd->any'.

Check User and Groups 🟢

[root@7fbd0b78fbcd ~]# cat /etc/passwd | grep wazuh
wazuh:x:999:997::/var/ossec:/sbin/nologin

Check Errors or Warnings in logs 🟢

[root@7fbd0b78fbcd ~]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log 

Removal 🟢

[root@7fbd0b78fbcd ~]# yum remove wazuh-agent
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.7.0-1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================
 Package             Arch            Version           Repository                             Size
===================================================================================================
Removing:
 wazuh-agent         ppc64le         4.7.0-1           @/wazuh-agent-4.7.0-1.ppc64le          32 M

Transaction Summary
===================================================================================================
Remove  1 Package

Installed size: 32 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : wazuh-agent-4.7.0-1.ppc64le                                                     1/1 
warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave
warning: /var/ossec/etc/client.keys saved as /var/ossec/etc/client.keys.rpmsave
  Verifying  : wazuh-agent-4.7.0-1.ppc64le                                                     1/1 

Removed:
  wazuh-agent.ppc64le 0:4.7.0-1                                                                    

Complete!

Upgrade 🟢

[root@7fbd0b78fbcd ~]# curl -OL https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.5.3-1.ppc64le.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6857k  100 6857k    0     0   9.9M      0 --:--:-- --:--:-- --:--:--  9.9M

[root@7fbd0b78fbcd ~]# yum install -y ./wazuh-agent-4.5.3-1.ppc64le.rpm 
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.5.3-1.ppc64le.rpm: wazuh-agent-4.5.3-1.ppc64le
Marking ./wazuh-agent-4.5.3-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.5.3-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                         Arch                                        Version                                        Repository                                                        Size
===================================================================================================================================================================================================================
Installing:
 wazuh-agent                                     ppc64le                                     4.5.3-1                                        /wazuh-agent-4.5.3-1.ppc64le                                      31 M

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package

Total size: 31 M
Installed size: 31 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.5.3-1.ppc64le                                                                                                                                                                     1/1 
  Verifying  : wazuh-agent-4.5.3-1.ppc64le                                                                                                                                                                     1/1 

Installed:
  wazuh-agent.ppc64le 0:4.5.3-1                                                                                                                                                                                    

Complete!




[root@7fbd0b78fbcd ~]# grep address /var/ossec/etc/ossec.conf 
      <address>3.82.119.164</address>

[root@7fbd0b78fbcd ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.3...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.


[root@7fbd0b78fbcd ~]# ps -ef | grep wazuh
root      8188     1  0 07:44 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     8200     1  0 07:44 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      8214     1  0 07:44 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root      8226     1  0 07:44 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      8244     1  1 07:44 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      8630  7222  0 07:44 pts/0    00:00:00 grep --color=auto wazuh

• Wazuh Server (check if the agent is connected)

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: soaxp078, IP: any, Disconnected
   ID: 002, Name: sossp272, IP: any, Active
   ID: 003, Name: 7fbd0b78fbcd, IP: any, Active


List of agentless devices:


[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: 7fbd0b78fbcd
   IP address: any
   Status:     Active

   Operating system:    Linux |7fbd0b78fbcd |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.5.3
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697615118

   Syscheck last started at:  Wed Oct 18 07:45:24 2023 (Scan in progress)
   Syscheck last ended at:    Unknown

• Upgrade agent

[root@7fbd0b78fbcd ~]# yum install -y ./wazuh-agent-4.7.0-1.ppc64le.rpm 
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.7.0-1.ppc64le.rpm: wazuh-agent-4.7.0-1.ppc64le
Marking ./wazuh-agent-4.7.0-1.ppc64le.rpm as an update to wazuh-agent-4.5.3-1.ppc64le
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.5.3-1 will be updated
---> Package wazuh-agent.ppc64le 0:4.7.0-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                         Arch                                        Version                                        Repository                                                        Size
===================================================================================================================================================================================================================
Updating:
 wazuh-agent                                     ppc64le                                     4.7.0-1                                        /wazuh-agent-4.7.0-1.ppc64le                                      32 M

Transaction Summary
===================================================================================================================================================================================================================
Upgrade  1 Package

Total size: 32 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-agent-4.7.0-1.ppc64le                                                                                                                                                                     1/2 
  Cleanup    : wazuh-agent-4.5.3-1.ppc64le                                                                                                                                                                     2/2 
  Verifying  : wazuh-agent-4.7.0-1.ppc64le                                                                                                                                                                     1/2 
  Verifying  : wazuh-agent-4.5.3-1.ppc64le                                                                                                                                                                     2/2 

Updated:
  wazuh-agent.ppc64le 0:4.7.0-1                                                                                                                                                                                    

Complete!


[root@7fbd0b78fbcd ~]# ps -ef | grep wazuh
root      9445     1  0 07:46 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     9457     1  0 07:46 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      9473     1 19 07:46 ?        00:00:08 /var/ossec/bin/wazuh-syscheckd
root      9488     1  0 07:46 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      9508     1  0 07:46 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      9987  7222  0 07:47 pts/0    00:00:00 grep --color=auto wazuh




[root@7fbd0b78fbcd ~]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

• Wazuh Server (check connection)

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: 7fbd0b78fbcd
   IP address: any
   Status:     Active

   Operating system:    Linux |7fbd0b78fbcd |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697615262

   Syscheck last started at:  Wed Oct 18 07:46:33 2023
   Syscheck last ended at:    Wed Oct 18 07:46:35 2023

[pro-akim]

Analysis report - AMI 🟡

AMI - Agent connection and workload 🟢

• SSH using root

akim@akim-PC:~/Desktop/personal$ ssh -i "Ephemeral.pem" root@ec2-44-211-192-146.compute-1.amazonaws.com

Please login as the user "wazuh-user" rather than the user "root".

Connection to ec2-44-211-192-146.compute-1.amazonaws.com closed.

This was tested as part of Special systems, since the AMI was the Wazuh Manager

AMI - WUI 🟢

• Loading screen OK
• Login screen OK
• Credentials: OK

AMI - Logs 🟡

Wazuh dashboard - journalctl 🟢

[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
oct 17 14:53:14 wazuh-server opensearch-dashboards[18183]: {"type":"error","@timestamp":"2023-10-17T14:53:14Z","tags":["connection","client","error"],"pid":18183,"level":"error","error":{"message":"140337986267072:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140337986267072:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140337986267072:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 14:50:00 wazuh-server opensearch-dashboards[18183]: {"type":"log","@timestamp":"2023-10-17T14:50:00Z","tags":["error","opensearch","data"],"pid":18183,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2023.42w/q6Z8DgB1Sb-LRLPoeTgaIQ] already exists"}
oct 17 14:45:24 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T14:45:24Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 14:45:05 wazuh-server opensearch-dashboards[4239]: {"type":"log","@timestamp":"2023-10-17T14:45:05Z","tags":["error","plugins","securityDashboards"],"pid":4239,"message":"Failed authentication: Error: Authentication Exception"}
oct 17 14:44:15 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T14:44:15Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1565:SSL alert number 48\n","name":"Error","stack":"Error: 140096345016256:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1565:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140096345016256:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1565:SSL alert number 48\n"}
oct 17 14:44:14 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T14:44:14Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1565:SSL alert number 48\n","name":"Error","stack":"Error: 140096345016256:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1565:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140096345016256:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1565:SSL alert number 48\n"}
oct 17 14:35:27 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T14:35:27Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 14:26:21 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T14:26:21Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"TLS handshake timeout","name":"Error","stack":"Error: TLS handshake timeout\n    at new NodeError (node:internal/errors:387:5)\n    at TLSSocket._handleTimeout (node:_tls_wrap:903:22)\n    at Object.onceWrapper (node:events:627:28)\n    at TLSSocket.emit (node:events:513:28)\n    at TLSSocket.emit (node:domain:489:12)\n    at TLSSocket.Socket._onTimeout (node:net:550:8)\n    at listOnTimeout (node:internal/timers:559:17)\n    at processTimers (node:internal/timers:502:7)","code":"ERR_TLS_HANDSHAKE_TIMEOUT"},"message":"TLS handshake timeout"}
oct 17 14:01:12 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T14:01:12Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 13:34:31 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T13:34:31Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 13:02:59 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T13:02:59Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 12:38:28 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T12:38:28Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 12:32:31 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T12:32:31Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","name":"Error","stack":"Error: 140096345016256:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","code":"ERR_SSL_WRONG_VERSION_NUMBER"},"message":"140096345016256:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}
oct 17 12:32:31 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T12:32:31Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","name":"Error","stack":"Error: 140096345016256:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","code":"ERR_SSL_WRONG_VERSION_NUMBER"},"message":"140096345016256:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}
oct 17 12:12:00 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T12:12:00Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 11:53:38 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:53:38Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 11:51:03 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:51:03Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"Parse Error: Pause on PRI/Upgrade","name":"Error","stack":"Error: Parse Error: Pause on PRI/Upgrade","code":"HPE_PAUSED_H2_UPGRADE"},"message":"Parse Error: Pause on PRI/Upgrade"}
oct 17 11:51:03 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:51:03Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"Parse Error: Pause on PRI/Upgrade","name":"Error","stack":"Error: Parse Error: Pause on PRI/Upgrade","code":"HPE_PAUSED_H2_UPGRADE"},"message":"Parse Error: Pause on PRI/Upgrade"}
oct 17 11:51:03 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:51:03Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"Parse Error: Pause on PRI/Upgrade","name":"Error","stack":"Error: Parse Error: Pause on PRI/Upgrade","code":"HPE_PAUSED_H2_UPGRADE"},"message":"Parse Error: Pause on PRI/Upgrade"}
oct 17 11:51:03 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:51:03Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"Parse Error: Pause on PRI/Upgrade","name":"Error","stack":"Error: Parse Error: Pause on PRI/Upgrade","code":"HPE_PAUSED_H2_UPGRADE"},"message":"Parse Error: Pause on PRI/Upgrade"}
oct 17 11:39:19 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:39:19Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 140096345016256:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"140096345016256:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
oct 17 11:39:19 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:39:19Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1809:\n","name":"Error","stack":"Error: 140096345016256:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1809:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140096345016256:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1809:\n"}
oct 17 11:39:19 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:39:19Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 11:39:18 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:39:18Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2313:\n","name":"Error","stack":"Error: 140096345016256:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2313:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140096345016256:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2313:\n"}
oct 17 11:38:08 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:38:08Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 140096345016256:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"140096345016256:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
oct 17 11:38:07 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:38:07Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1809:\n","name":"Error","stack":"Error: 140096345016256:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1809:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140096345016256:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1809:\n"}
oct 17 11:38:07 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:38:07Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 11:38:07 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:38:07Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2313:\n","name":"Error","stack":"Error: 140096345016256:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2313:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"140096345016256:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2313:\n"}
oct 17 11:13:16 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T11:13:16Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 10:51:48 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T10:51:48Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 10:14:41 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T10:14:41Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 10:05:26 wazuh-server opensearch-dashboards[4239]: {"type":"error","@timestamp":"2023-10-17T10:05:26Z","tags":["connection","client","error"],"pid":4239,"level":"error","error":{"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","name":"Error","stack":"Error: 140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"140096345016256:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:\n"}
oct 17 09:51:56 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:56Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ResponseError]: Response Error"}
oct 17 09:51:54 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:54Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ResponseError]: Response Error"}
oct 17 09:51:51 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:51Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ResponseError]: Response Error"}
oct 17 09:51:49 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:49Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ResponseError]: Response Error"}
oct 17 09:51:46 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:46Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ResponseError]: Response Error"}
oct 17 09:51:44 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:44Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ResponseError]: Response Error"}
oct 17 09:51:41 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:41Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:51:39 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:39Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:51:36 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:36Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:51:34 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:34Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:51:31 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:31Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
oct 17 09:51:29 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:29Z","tags":["error","savedobjects-service"],"pid":1763,"message":"Unable to retrieve version information from OpenSearch nodes."}
oct 17 09:51:29 wazuh-server opensearch-dashboards[1763]: {"type":"log","@timestamp":"2023-10-17T09:51:29Z","tags":["error","opensearch","data"],"pid":1763,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

Wazuh indexer - journalctl 🟡

[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
oct 17 09:50:50 wazuh-server systemd-entrypoint[2256]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
oct 17 09:50:50 wazuh-server systemd-entrypoint[2256]: 2023-10-17 09:50:50,343 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
oct 17 09:50:50 wazuh-server systemd-entrypoint[2256]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
oct 17 09:50:50 wazuh-server systemd-entrypoint[2256]: 2023-10-17 09:50:50,305 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
oct 17 09:50:50 wazuh-server systemd-entrypoint[2256]: WARNING: System::setSecurityManager will be removed in a future release
oct 17 09:50:50 wazuh-server systemd-entrypoint[2256]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
oct 17 09:50:50 wazuh-server systemd-entrypoint[2256]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
oct 17 09:50:50 wazuh-server systemd-entrypoint[2256]: WARNING: A terminally deprecated method in java.lang.System has been called
oct 17 09:50:44 wazuh-server systemd-entrypoint[2256]: WARNING: System::setSecurityManager will be removed in a future release
oct 17 09:50:44 wazuh-server systemd-entrypoint[2256]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
oct 17 09:50:44 wazuh-server systemd-entrypoint[2256]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
oct 17 09:50:44 wazuh-server systemd-entrypoint[2256]: WARNING: A terminally deprecated method in java.lang.System has been called

Wazuh indexer - /var/logs/wazuh-indexer 🟡

[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:50:50,362Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1859m, -Xmx1859m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-4212648970239149176, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=975175680, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:36,767Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:44,534Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:45,132Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:45,133Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:45,134Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:45,134Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:45,134Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:45,135Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:45,136Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:45,137Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:45,137Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:45,137Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:46,601Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:46,611Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:46,613Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:46,616Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:49,102Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:49,104Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:49,106Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:49,108Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:51,564Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:51,604Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:51,608Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:51,612Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:51,615Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:54,104Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:54,114Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:54,119Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:54,121Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:56,605Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:56,607Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:56,610Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-10-17T09:51:56,614Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "QvmsjFWsQ0Gnt2C1_NjkGQ", "node.id": "ahWb3Uu9SXaaE6h71GaG2g"  }
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:50:50,362][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1859m, -Xmx1859m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-4212648970239149176, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=975175680, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:36,767][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:44,534][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:45,132][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:45,133][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:45,134][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:45,134][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:45,134][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:45,135][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:45,136][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:45,137][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:45,137][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:45,137][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@19916fed] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:46,601][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:46,611][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:46,613][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:46,616][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:49,102][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:49,104][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:49,106][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:49,108][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:51,564][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:51,604][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:51,608][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:51,612][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:51,615][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:54,104][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:54,114][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:54,119][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:54,121][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:56,605][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:56,607][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:56,610][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-10-17T09:51:56,614][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)

Wazuh server - /var/ossec/logs 🟢

grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2023/10/17 12:49:05 wazuh-authd: WARNING: Duplicate name 'sossp272', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2023/10/17 12:49:10 wazuh-authd: WARNING: Duplicate name 'sossp272', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2023/10/17 12:49:20 wazuh-authd: WARNING: Duplicate name 'sossp272', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2023/10/17 12:49:35 wazuh-authd: WARNING: Duplicate name 'sossp272', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2023/10/17 12:49:55 wazuh-authd: WARNING: Duplicate name 'sossp272', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2023/10/17 12:50:20 wazuh-authd: WARNING: Duplicate name 'sossp272', rejecting enrollment. Agent '006' has not been disconnected long enough to be replaced.
2023/10/17 14:15:47 wazuh-authd: WARNING: Duplicate name '7fbd0b78fbcd', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2023/10/17 14:15:52 wazuh-authd: WARNING: Duplicate name '7fbd0b78fbcd', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2023/10/17 14:16:03 wazuh-authd: WARNING: Duplicate name '7fbd0b78fbcd', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2023/10/17 14:16:18 wazuh-authd: WARNING: Duplicate name '7fbd0b78fbcd', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.
2023/10/17 14:16:38 wazuh-authd: WARNING: Duplicate name '7fbd0b78fbcd', rejecting enrollment. Agent '008' has not been disconnected long enough to be replaced.

AMI - Filebeat test 🟢

[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

AMI - Wazuh Indexer Cluster 🟢

[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "QvmsjFWsQ0Gnt2C1_NjkGQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}


[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           49          96   1    0.41    0.18     0.08 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1


[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 11,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

AMI - Users 🟢

[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard

[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin

AMI - Versions 🟢

[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.0"
WAZUH_REVISION="40701"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION 
4.7.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.7.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.8.0",
  "branch": "2.8",
  "build": {
    "number": 47001,
    "sha": "8bd48f16ad37a5dfa805234223e4d5bffa926abe",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": ">=14.20.1 <19"
  }
}

AMI - Processes 🟢

[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
root      2016     1  0 09:50 ?        00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2057     1  0 09:50 ?        00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+  2256     1  0 09:50 ?        00:02:09 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms1859m -Xmx1859m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-4212648970239149176 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=975175680 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
root      5409  2330  0 10:17 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  5441  5409  0 10:17 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  5442  5441  0 10:17 pts/0    00:00:00 -bash
wazuh    15385     1  0 12:13 ?        00:00:08 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    15386 15385  0 12:13 ?        00:00:01 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    15389 15385  0 12:13 ?        00:00:05 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    15392 15385  0 12:13 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     15435     1  0 12:13 ?        00:00:28 /var/ossec/bin/wazuh-authd
wazuh    15453     1  0 12:13 ?        00:00:04 /var/ossec/bin/wazuh-db
root     15478     1  0 12:13 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    15493     1  0 12:13 ?        00:00:05 /var/ossec/bin/wazuh-analysisd
root     15537     1  0 12:13 ?        00:00:09 /var/ossec/bin/wazuh-syscheckd
wazuh    15558     1  0 12:13 ?        00:00:14 /var/ossec/bin/wazuh-remoted
root     15591     1  0 12:13 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh    15610     1  0 12:13 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root     15656     1  0 12:13 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     17399  2330  0 14:15 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+ 17416 17399  0 14:15 ?        00:00:00 sshd: wazuh-user@pts/1
wazuh-u+ 17417 17416  0 14:15 pts/1    00:00:00 -bash
wazuh-d+ 18814     1  4 14:54 ?        00:00:07 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root     18940 13042  0 14:57 pts/0    00:00:00 grep --color=auto wazuh



[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

---

Indexer - journalctl Warnings related to setSecurityManager

oct 17 11:45:19 wazuh-server systemd-entrypoint[5446]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
oct 17 11:45:19 wazuh-server systemd-entrypoint[5446]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
oct 17 11:45:19 wazuh-server systemd-entrypoint[5446]: WARNING: A terminally deprecated method in java.lang.System has been called

• Reported: Systemd-entrypoint warnings in wazuh indexer wazuh-packages#2046 - Known issue

Some warning and error messages found

• Reported: Warning and error logs found in wazuh-indexer in demo environment wazuh-packages#1511 - Known issue

[juliamagan]

Analysis report - Debian Stretch PPC64EL 🟢

System info

root@7444929a3847:~# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Install

• Install package

root@7444929a3847:~# WAZUH_MANAGER="X.X.X.X" apt-get install ./wazuh-agent_4.7.0-1_ppc64el.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.7.0-1_ppc64el.deb'
The following additional packages will be installed:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Suggested packages:
  bzip2-doc libdpkg-perl lsb python3-doc python3-tk python3-venv python3.5-venv python3.5-doc binutils
  binfmt-support readline-doc
The following NEW packages will be installed:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common wazuh-agent xz-utils
0 upgraded, 21 newly installed, 0 to remove and 3 not upgraded.
Need to get 6437 kB/12.2 MB of archives.
After this operation, 72.5 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 /root/wazuh-agent_4.7.0-1_ppc64el.deb wazuh-agent ppc64el 4.7.0-1 [5714 kB]
Get:2 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-minimal ppc64el 3.5.3-1+deb9u1 [574 kB]
Get:3 http://archive.debian.org/debian stretch/main ppc64el python3.5-minimal ppc64el 3.5.3-1+deb9u1 [1704 kB]
Get:4 http://archive.debian.org/debian stretch/main ppc64el python3-minimal ppc64el 3.5.3-1 [35.3 kB]
Get:5 http://archive.debian.org/debian stretch/main ppc64el mime-support all 3.60 [36.7 kB]
Get:6 http://archive.debian.org/debian stretch/main ppc64el libmpdec2 ppc64el 2.4.2-1 [81.9 kB]
Get:7 http://archive.debian.org/debian stretch/main ppc64el readline-common all 7.0-3 [70.4 kB]
Get:8 http://archive.debian.org/debian stretch/main ppc64el libreadline7 ppc64el 7.0-3 [139 kB]
Get:9 http://archive.debian.org/debian stretch/main ppc64el libsqlite3-0 ppc64el 3.16.2-5+deb9u1 [525 kB]
Get:10 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-stdlib ppc64el 3.5.3-1+deb9u1 [2179 kB]
Get:11 http://archive.debian.org/debian stretch/main ppc64el python3.5 ppc64el 3.5.3-1+deb9u1 [229 kB]
Get:12 http://archive.debian.org/debian stretch/main ppc64el libpython3-stdlib ppc64el 3.5.3-1 [18.6 kB]
Get:13 http://archive.debian.org/debian stretch/main ppc64el dh-python all 2.20170125 [86.8 kB]
Get:14 http://archive.debian.org/debian stretch/main ppc64el python3 ppc64el 3.5.3-1 [21.6 kB]
Get:15 http://archive.debian.org/debian stretch/main ppc64el bzip2 ppc64el 1.0.6-8.1 [46.3 kB]
Get:16 http://archive.debian.org/debian stretch/main ppc64el libmagic-mgc ppc64el 1:5.30-1+deb9u3 [222 kB]
Get:17 http://archive.debian.org/debian stretch/main ppc64el libmagic1 ppc64el 1:5.30-1+deb9u3 [108 kB]
Get:18 http://archive.debian.org/debian stretch/main ppc64el file ppc64el 1:5.30-1+deb9u3 [64.4 kB]
Get:19 http://archive.debian.org/debian stretch/main ppc64el xz-utils ppc64el 5.2.2-1.2+b1 [262 kB]
Get:20 http://archive.debian.org/debian stretch/main ppc64el distro-info-data all 0.36 [5810 B]
Get:21 http://archive.debian.org/debian stretch/main ppc64el lsb-release all 9.20161125 [27.1 kB]
Fetched 6437 kB in 2s (2656 kB/s)  
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libpython3.5-minimal:ppc64el.
(Reading database ... 11670 files and directories currently installed.)
Preparing to unpack .../00-libpython3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5-minimal.
Preparing to unpack .../01-python3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5-minimal (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3-minimal.
Preparing to unpack .../02-python3-minimal_3.5.3-1_ppc64el.deb ...
Unpacking python3-minimal (3.5.3-1) ...
Selecting previously unselected package mime-support.
Preparing to unpack .../03-mime-support_3.60_all.deb ...
Unpacking mime-support (3.60) ...
Selecting previously unselected package libmpdec2:ppc64el.
Preparing to unpack .../04-libmpdec2_2.4.2-1_ppc64el.deb ...
Unpacking libmpdec2:ppc64el (2.4.2-1) ...
Selecting previously unselected package readline-common.
Preparing to unpack .../05-readline-common_7.0-3_all.deb ...
Unpacking readline-common (7.0-3) ...
Selecting previously unselected package libreadline7:ppc64el.
Preparing to unpack .../06-libreadline7_7.0-3_ppc64el.deb ...
Unpacking libreadline7:ppc64el (7.0-3) ...
Selecting previously unselected package libsqlite3-0:ppc64el.
Preparing to unpack .../07-libsqlite3-0_3.16.2-5+deb9u1_ppc64el.deb ...
Unpacking libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Selecting previously unselected package libpython3.5-stdlib:ppc64el.
Preparing to unpack .../08-libpython3.5-stdlib_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5.
Preparing to unpack .../09-python3.5_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5 (3.5.3-1+deb9u1) ...
Selecting previously unselected package libpython3-stdlib:ppc64el.
Preparing to unpack .../10-libpython3-stdlib_3.5.3-1_ppc64el.deb ...
Unpacking libpython3-stdlib:ppc64el (3.5.3-1) ...
Selecting previously unselected package dh-python.
Preparing to unpack .../11-dh-python_2.20170125_all.deb ...
Unpacking dh-python (2.20170125) ...
Setting up libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Setting up python3.5-minimal (3.5.3-1+deb9u1) ...
Setting up python3-minimal (3.5.3-1) ...
Selecting previously unselected package python3.
(Reading database ... 12642 files and directories currently installed.)
Preparing to unpack .../0-python3_3.5.3-1_ppc64el.deb ...
Unpacking python3 (3.5.3-1) ...
Selecting previously unselected package bzip2.
Preparing to unpack .../1-bzip2_1.0.6-8.1_ppc64el.deb ...
Unpacking bzip2 (1.0.6-8.1) ...
Selecting previously unselected package libmagic-mgc.
Preparing to unpack .../2-libmagic-mgc_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic-mgc (1:5.30-1+deb9u3) ...
Selecting previously unselected package libmagic1:ppc64el.
Preparing to unpack .../3-libmagic1_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Selecting previously unselected package file.
Preparing to unpack .../4-file_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking file (1:5.30-1+deb9u3) ...
Selecting previously unselected package xz-utils.
Preparing to unpack .../5-xz-utils_5.2.2-1.2+b1_ppc64el.deb ...
Unpacking xz-utils (5.2.2-1.2+b1) ...
Selecting previously unselected package distro-info-data.
Preparing to unpack .../6-distro-info-data_0.36_all.deb ...
Unpacking distro-info-data (0.36) ...
Selecting previously unselected package lsb-release.
Preparing to unpack .../7-lsb-release_9.20161125_all.deb ...
Unpacking lsb-release (9.20161125) ...
Selecting previously unselected package wazuh-agent.
Preparing to unpack .../8-wazuh-agent_4.7.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.7.0-1) ...
Setting up readline-common (7.0-3) ...
Setting up mime-support (3.60) ...
Setting up libreadline7:ppc64el (7.0-3) ...
Setting up distro-info-data (0.36) ...
Setting up libmagic-mgc (1:5.30-1+deb9u3) ...
Setting up bzip2 (1.0.6-8.1) ...
Setting up libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Setting up xz-utils (5.2.2-1.2+b1) ...
update-alternatives: using /usr/bin/xz to provide /usr/bin/lzma (lzma) in auto mode
Processing triggers for systemd (232-25+deb9u12) ...
Setting up libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Setting up libmpdec2:ppc64el (2.4.2-1) ...
Setting up libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Setting up file (1:5.30-1+deb9u3) ...
Setting up python3.5 (3.5.3-1+deb9u1) ...
Setting up libpython3-stdlib:ppc64el (3.5.3-1) ...
Setting up python3 (3.5.3-1) ...
running python rtupdate hooks for python3.5...
running python post-rtupdate hooks for python3.5...
Setting up lsb-release (9.20161125) ...
Setting up dh-python (2.20170125) ...
Setting up wazuh-agent (4.7.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.7.0-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

• Check version

root@7444929a3847:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.0"
WAZUH_REVISION="40701"
WAZUH_TYPE="agent"

• Start and check connection

root@7444929a3847:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

[root@wazuh-server wazuh-user]#  /var/ossec/bin/agent_control -i 010

Wazuh agent_control. Agent information:
   Agent ID:   010
   Agent Name: 7444929a3847
   IP address: any
   Status:     Active

   Operating system:    Linux |7444929a3847 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697553253

   Syscheck last started at:  Tue Oct 17 14:30:34 2023
   Syscheck last ended at:    Tue Oct 17 14:30:35 2023

TCP and alerts

root@7444929a3847:~# grep tcp /var/ossec/etc/ossec.conf 
      <protocol>tcp</protocol>

root@7444929a3847:~# grep "tcp" /var/ossec/logs/ossec.log 
2023/10/17 14:29:20 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2023/10/17 14:29:20 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2023/10/17 14:29:26 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2023/10/17 14:29:26 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2023/10/17 14:30:33 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2023/10/17 14:30:33 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).

** Alert 1697553030.2102407: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2023 Oct 17 14:30:30 (7444929a3847) any->wazuh-remoted
Rule: 506 (level 3) -> 'Wazuh agent stopped.'
ossec: Agent stopped: '7444929a3847->any'.

** Alert 1697553033.2102744: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2023 Oct 17 14:30:33 (7444929a3847) any->wazuh-agent
Rule: 503 (level 3) -> 'Wazuh agent started.'
ossec: Agent started: '7444929a3847->any'.

UDP and alerts

root@7444929a3847:~# grep "udp" /var/ossec/logs/ossec.log 
2023/10/17 15:02:49 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2023/10/17 15:02:49 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).

** Alert 1697554967.2593250: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2023 Oct 17 15:02:47 (7444929a3847) any->wazuh-remoted
Rule: 506 (level 3) -> 'Wazuh agent stopped.'
ossec: Agent stopped: '7444929a3847->any'.

** Alert 1697554969.2593587: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2023 Oct 17 15:02:49 (7444929a3847) any->wazuh-agent
Rule: 503 (level 3) -> 'Wazuh agent started.'
ossec: Agent started: '7444929a3847->any'.

Errors and warnings

root@7444929a3847:~# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log 
root@7444929a3847:~# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
0

System users

root@7444929a3847:~# grep -R wazuh /etc/
/etc/passwd-:wazuh:x:107:108::/var/ossec:/bin/false
/etc/group:wazuh:x:108:
/etc/passwd:wazuh:x:107:108::/var/ossec:/bin/false
/etc/shadow-:wazuh:*:19647:0:99999:7:::
/etc/init.d/wazuh-agent:WAZUH_CONTROL="$WAZUH_HOME/bin/wazuh-control"
/etc/shadow:wazuh:*:19647:0:99999:7:::
/etc/gshadow:wazuh:!::

Uninstall

root@7444929a3847:~# apt-get remove wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wazuh-agent
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 36.6 MB disk space will be freed.
Do you want to continue? [Y/n] y
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
(Reading database ... 13305 files and directories currently installed.)
Removing wazuh-agent (4.7.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...

root@7444929a3847:~# tree /var/ossec
/var/ossec
|-- etc
|   |-- client.keys.save
|   |-- local_internal_options.conf.save
|   |-- ossec.conf.save
|   `-- shared
|       |-- agent.conf.save
|       |-- ar.conf.save
|       |-- cis_apache2224_rcl.txt.save
|       |-- cis_debian_linux_rcl.txt.save
|       |-- cis_mysql5-6_community_rcl.txt.save
|       |-- cis_mysql5-6_enterprise_rcl.txt.save
|       |-- cis_rhel5_linux_rcl.txt.save
|       |-- cis_rhel6_linux_rcl.txt.save
|       |-- cis_rhel7_linux_rcl.txt.save
|       |-- cis_rhel_linux_rcl.txt.save
|       |-- cis_sles11_linux_rcl.txt.save
|       |-- cis_sles12_linux_rcl.txt.save
|       |-- cis_win2012r2_domainL1_rcl.txt.save
|       |-- cis_win2012r2_domainL2_rcl.txt.save
|       |-- cis_win2012r2_memberL1_rcl.txt.save
|       |-- cis_win2012r2_memberL2_rcl.txt.save
|       |-- merged.mg.save
|       |-- rootkit_files.txt.save
|       |-- rootkit_trojans.txt.save
|       |-- system_audit_rcl.txt.save
|       |-- system_audit_ssh.txt.save
|       |-- win_applications_rcl.txt.save
|       |-- win_audit_rcl.txt.save
|       `-- win_malware_rcl.txt.save
`-- queue
    |-- alerts
    |   |-- cfgaq
    |   `-- execq
    |-- fim
    |   `-- db
    |       |-- fim.db
    |       `-- fim.db-journal
    |-- logcollector
    |   `-- file_status.json
    |-- rids
    |   |-- 010
    |   `-- sender_counter
    |-- sockets
    |   |-- com
    |   |-- control
    |   |-- logcollector
    |   |-- queue
    |   |-- syscheck
    |   |-- upgrade
    |   `-- wmodules
    `-- syscollector
        `-- db
            |-- local.db
            `-- local.db-journal

11 directories, 43 files

root@7444929a3847:~# apt-get remove --purge wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wazuh-agent*
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
(Reading database ... 12953 files and directories currently installed.)
Purging configuration files for wazuh-agent (4.7.0-1) ...
Processing triggers for systemd (232-25+deb9u12) ...

root@7444929a3847:~# tree /var/ossec
/var/ossec [error opening dir]

0 directories, 0 files

Upgrade

root@7444929a3847:~# WAZUH_MANAGER="X.X.X.X" apt-get install ./wazuh-agent_4.5.3-1_ppc64el.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.5.3-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/5575 kB of archives.
After this operation, 35.5 MB of additional disk space will be used.
Get:1 /root/wazuh-agent_4.5.3-1_ppc64el.deb wazuh-agent ppc64el 4.5.3-1 [5575 kB]
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 12939 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.5.3-1_ppc64el.deb ...
Unpacking wazuh-agent (4.5.3-1) ...
Setting up wazuh-agent (4.5.3-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.5.3-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)


root@7444929a3847:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.5.3...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@7444929a3847:~#  ps -ef | grep wazuh
root      7171     1  0 14:55 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     7182     1  0 14:55 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      7195     1  0 14:55 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root      7206     1  0 14:55 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      7223     1  0 14:55 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      7577    22  0 14:56 pts/1    00:00:00 grep wazuh


root@7444929a3847:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.5.3"
WAZUH_REVISION="40508"
WAZUH_TYPE="agent"

root@7444929a3847:~# apt install ./wazuh-agent_4.7.0-1_ppc64el.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.7.0-1_ppc64el.deb'
The following packages will be upgraded:
  wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/5714 kB of archives.
After this operation, 1060 kB of additional disk space will be used.
Get:1 /root/wazuh-agent_4.7.0-1_ppc64el.deb wazuh-agent ppc64el 4.7.0-1 [5714 kB]
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 13312 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.7.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.7.0-1) over (4.5.3-1) ...
Setting up wazuh-agent (4.7.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.7.0-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

root@7444929a3847:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.0"
WAZUH_REVISION="40701"
WAZUH_TYPE="agent"

root@7444929a3847:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

root@7444929a3847:~# ps -ef | grep wazuh
root      8723     1  0 14:58 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     8734     1  0 14:58 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      8749     1  6 14:58 ?        00:00:05 /var/ossec/bin/wazuh-syscheckd
root      8762     1  0 14:58 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      8782     1  0 14:58 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      9269    22  0 15:00 pts/1    00:00:00 grep wazuh

root@7444929a3847:~# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log 
root@7444929a3847:~# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log  | wc -l
0

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 011

Wazuh agent_control. Agent information:
   Agent ID:   011
   Agent Name: 7444929a3847
   IP address: any
   Status:     Active

   Operating system:    Linux |7444929a3847 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.7.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1697554878

   Syscheck last started at:  Tue Oct 17 14:58:49 2023
   Syscheck last ended at:    Tue Oct 17 14:58:51 2023

[damarisg]

@pro-akim needs to add update 4.5.3 to 4.7.0, not 4.6.0 to 4.7.0; modify it on AIX, HP-UX, Solaris 10 Sparc, and CentOS 7 PPC64LE.

[pro-akim]

Update

Changes done, moved to pending review

[damarisg]

LGTM!