Release 4.8.0 - RC 1 - Installation assistant #23251

Closed
1 of 2 tasks
teddytpc1 opened this issue May 3, 2024 · 8 comments

@teddytpc1
Member

teddytpc1 commented May 3, 2024

Installation assistant information

Main release candidate issue #23246
Version 4.8.0
Release candidate RC 1
Tag https://github.com/wazuh/wazuh/tree/v4.8.0-rc1
Previous Installation assistant #23063

Description

  • Test installation assistant with the -a option in the following OSs:
    • Amazon Linux 2.
    • RHEL 9.
    • Ubuntu 22.04.
  • Test installation assistant with the -dw option (Offline installation)

Checks

| Status | OS | Check | Issues |
|--------|----|-------|--------|
| 🟢 | AL 2 | Installed packages | |
| 🟢 | AL 2 | Install logs | |
| 🟡 | AL 2 | Wazuh indexer logs | Related: wazuh/wazuh-packages#1511 (comment) |
| 🟡 | AL 2 | Wazuh manager logs | Related: #21829. Related: #23303. |
| 🟢 | AL 2 | Wazuh dashboard logs | |
| 🟢 | AL 2 | Wazuh dashboard | |
| 🟢 | RHEL 9 | Installed packages | |
| 🟢 | RHEL 9 | Install logs | |
| 🟡 | RHEL 9 | Wazuh indexer logs | Related: wazuh/wazuh-packages#1511 (comment). |
| 🟡 | RHEL 9 | Wazuh manager logs | Related: #23303. Related: #21829. |
| 🟡 | RHEL 9 | Wazuh dashboard logs | Related: wazuh/wazuh-dashboard-plugins#6312. |
| 🟢 | RHEL 9 | Wazuh dashboard | |
| 🟢 | Ubuntu 22.04 | Installed packages | |
| 🟢 | Ubuntu 22.04 | Install logs | |
| 🟡 | Ubuntu 22.04 | Wazuh indexer logs | Related: wazuh/wazuh-packages#1511 (comment). Related: wazuh/wazuh-indexer#71. |
| 🟡 | Ubuntu 22.04 | Wazuh manager logs | Related: #23303. Related: #21829. |
| 🟢 | Ubuntu 22.04 | Wazuh dashboard logs | |
| 🟢 | Ubuntu 22.04 | Wazuh dashboard | |
| 🟢 | AL 2 | Installed packages - Offline | |
| 🟢 | AL 2 | Install logs - Offline | |
| 🟡 | AL 2 | Wazuh indexer logs - Offline | Related: wazuh/wazuh-packages#1511 (comment). Related: wazuh/wazuh-indexer#167 |
| 🟡 | AL 2 | Wazuh manager logs - Offline | Related: #23303. Related: #21829. |
| 🟢 | AL 2 | Wazuh dashboard logs - Offline | |
| 🔴 | AL 2 | Wazuh dashboard - Offline | Opened: wazuh/wazuh-packages#2941 |

Checks legend:

  • Installed packages: the installed packages must match the ones specified in the documentation. If additional packages are installed by the installation assistant, the reason must be justified.
  • Install logs: check that there are no errors in the WIA logs.
  • Wazuh indexer logs: check that there are no errors in the indexer logs.
  • Wazuh manager logs: check that there are no errors in the manager logs.
  • Wazuh dashboard logs: check that there are no errors in the dashboard logs.

Status legend:
⚫ - Pending/In progress
⚪ - Skipped
🔴 - Rejected
🟡 - Known issue
🟢 - Approved


Conclusion

Some issues were found and they were reported.

Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.
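
The "Install logs" check from the legend above can be scripted against the `wazuh-install.log` format shown in this issue's comments. This is an added example, not part of the original issue or of the Wazuh project's code; the sample logs are constructed, and the `TOOL_ERROR` markers and the rule that a passing log must end with `Installation finished.` are assumptions.

```python
import re

# Timestamped assistant line, in the format shown in this issue:
#   07/05/2024 08:09:06 INFO: --- Configuration files ---
WIA_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ([A-Z]+): (.*)$")
# Stage banner inside the message part, e.g. "--- Wazuh indexer ---".
STAGE = re.compile(r"^-{3,} (.+?) -{3,}$")
# Assumption: markers a wrapped tool (package manager, securityadmin, ...)
# might print on untimestamped lines; the page itself only shows "SUCC:".
TOOL_ERROR = re.compile(r"\b(ERR|ERROR|FAIL|FAILED|FATAL)\b")
# Assumption: a complete run ends with this assistant message.
FINISHED = "Installation finished."


def review_install_log(text, ok_levels=("INFO",)):
    """Return (approved, findings) for the contents of a wazuh-install.log.

    Each finding is (line_number, stage, kind, message). A log is approved
    only if no line is flagged and the run reached its final message, so a
    log that was cut short cannot pass by simply containing no errors.
    """
    findings = []
    stage = "startup"
    last_message = None
    for number, line in enumerate(text.splitlines(), start=1):
        match = WIA_LINE.match(line)
        if match:
            _, level, message = match.groups()
            last_message = message
            banner = STAGE.match(message)
            if banner:
                stage = banner.group(1)
            if level not in ok_levels:
                findings.append((number, stage, level, message))
        elif TOOL_ERROR.search(line):
            # Untimestamped output from a tool the assistant invoked.
            findings.append((number, stage, "TOOL", line.strip()))
    if last_message != FINISHED:
        findings.append((0, stage, "INCOMPLETE",
                         "log does not end with 'Installation finished.'"))
    return (not findings, findings)


# Constructed sample: a short passing log in the format shown on this page.
GOOD_LOG = """\
07/05/2024 08:08:54 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
07/05/2024 08:09:06 INFO: --- Configuration files ---
07/05/2024 08:09:06 INFO: Generating configuration files.
07/05/2024 08:09:07 INFO: --- Wazuh indexer ---
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
07/05/2024 08:16:16 INFO: Installation finished.
"""

# Constructed sample: the FAIL and ERROR lines are invented for the example,
# and the log stops before the final message.
BAD_LOG = """\
07/05/2024 08:08:54 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
07/05/2024 08:09:07 INFO: --- Wazuh indexer ---
07/05/2024 08:09:07 INFO: Starting Wazuh indexer installation.
   FAIL: constructed tool failure line
07/05/2024 08:11:08 ERROR: constructed assistant failure line
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        approved, findings = review_install_log(log)
        print(name, "approved" if approved else "rejected")
        for number, stage, kind, message in findings:
            print(f"  line {number} [{stage}] {kind}: {message}")
```
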

@CarlosALgit
Member

Environment

Amazon Linux 2

[root@ip-172-31-34-142 ~]# cat /etc/os-release 
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
[root@ip-172-31-34-142 ~]# 

Ubuntu 22

root@ip-172-31-45-219:~# cat /etc/os-release 
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@ip-172-31-45-219:~# 

RHEL 9

[root@ip-172-31-39-27 ~]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
[root@ip-172-31-39-27 ~]# 

Amazon Linux 2 - Offline

[root@ip-172-31-34-149 ~]# cat /etc/os-release 
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
[root@ip-172-31-34-149 ~]# 

@CarlosALgit
Member

CarlosALgit commented May 7, 2024

Install Logs

Amazon Linux 2 🟢

Logs on the console:
[root@ip-172-31-34-142 ~]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash ./wazuh-install.sh -a
07/05/2024 08:08:54 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
07/05/2024 08:08:54 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/05/2024 08:08:57 INFO: Verifying that your system meets the recommended minimum hardware requirements.
07/05/2024 08:09:03 INFO: Wazuh web interface port will be 443.
07/05/2024 08:09:06 INFO: Wazuh development repository added.
07/05/2024 08:09:06 INFO: --- Configuration files ---
07/05/2024 08:09:06 INFO: Generating configuration files.
07/05/2024 08:09:06 INFO: Generating the root certificate.
07/05/2024 08:09:06 INFO: Generating Admin certificates.
07/05/2024 08:09:06 INFO: Generating Wazuh indexer certificates.
07/05/2024 08:09:06 INFO: Generating Filebeat certificates.
07/05/2024 08:09:07 INFO: Generating Wazuh dashboard certificates.
07/05/2024 08:09:07 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
07/05/2024 08:09:07 INFO: --- Wazuh indexer ---
07/05/2024 08:09:07 INFO: Starting Wazuh indexer installation.
07/05/2024 08:10:44 INFO: Wazuh indexer installation finished.
07/05/2024 08:10:44 INFO: Wazuh indexer post-install configuration finished.
07/05/2024 08:10:44 INFO: Starting service wazuh-indexer.
07/05/2024 08:11:08 INFO: wazuh-indexer service started.
07/05/2024 08:11:08 INFO: Initializing Wazuh indexer cluster security settings.
07/05/2024 08:11:19 INFO: Wazuh indexer cluster security configuration initialized.
07/05/2024 08:11:19 INFO: Wazuh indexer cluster initialized.
07/05/2024 08:11:19 INFO: --- Wazuh server ---
07/05/2024 08:11:19 INFO: Starting the Wazuh manager installation.
07/05/2024 08:12:11 INFO: Wazuh manager installation finished.
07/05/2024 08:12:11 INFO: Wazuh manager vulnerability detection configuration finished.
07/05/2024 08:12:11 INFO: Starting service wazuh-manager.
07/05/2024 08:12:29 INFO: wazuh-manager service started.
07/05/2024 08:12:29 INFO: Starting Filebeat installation.
07/05/2024 08:13:14 INFO: Filebeat installation finished.
07/05/2024 08:13:17 INFO: Filebeat post-install configuration finished.
07/05/2024 08:13:17 INFO: Starting service filebeat.
07/05/2024 08:13:17 INFO: filebeat service started.
07/05/2024 08:13:17 INFO: --- Wazuh dashboard ---
07/05/2024 08:13:17 INFO: Starting Wazuh dashboard installation.
07/05/2024 08:14:53 INFO: Wazuh dashboard installation finished.
07/05/2024 08:14:53 INFO: Wazuh dashboard post-install configuration finished.
07/05/2024 08:14:53 INFO: Starting service wazuh-dashboard.
07/05/2024 08:14:54 INFO: wazuh-dashboard service started.
07/05/2024 08:14:58 INFO: Updating the internal users.
07/05/2024 08:15:07 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
07/05/2024 08:16:15 INFO: Initializing Wazuh dashboard web application.
07/05/2024 08:16:16 INFO: Wazuh dashboard web application initialized.
07/05/2024 08:16:16 INFO: --- Summary ---
07/05/2024 08:16:16 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: *ULVwTox+8OJ0jXZ8d9mxIbWsLS1p92t
07/05/2024 08:16:16 INFO: Installation finished.
[root@ip-172-31-34-142 ~]# 
Logs in wazuh-install.log:
[root@ip-172-31-34-142 ~]# cat /var/log/wazuh-install.log 
07/05/2024 08:08:54 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
07/05/2024 08:08:54 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/05/2024 08:08:57 INFO: Verifying that your system meets the recommended minimum hardware requirements.
07/05/2024 08:09:03 INFO: Wazuh web interface port will be 443.
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
07/05/2024 08:09:06 INFO: Wazuh development repository added.
07/05/2024 08:09:06 INFO: --- Configuration files ---
07/05/2024 08:09:06 INFO: Generating configuration files.
07/05/2024 08:09:06 INFO: Generating the root certificate.
07/05/2024 08:09:06 INFO: Generating Admin certificates.
07/05/2024 08:09:06 INFO: Generating Wazuh indexer certificates.
07/05/2024 08:09:06 INFO: Generating Filebeat certificates.
07/05/2024 08:09:07 INFO: Generating Wazuh dashboard certificates.
07/05/2024 08:09:07 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
07/05/2024 08:09:07 INFO: --- Wazuh indexer ---
07/05/2024 08:09:07 INFO: Starting Wazuh indexer installation.
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-indexer.x86_64 0:4.8.0-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

================================================================================
 Package                Arquitectura    Versión            Repositorio    Tamaño
================================================================================
Instalando:
 wazuh-indexer          x86_64          4.8.0-1            wazuh          743 M

Resumen de la transacción
================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 743 M
Tamaño instalado: 1.0 G
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : wazuh-indexer-4.8.0-1.x86_64                              1/1 
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
  Comprobando   : wazuh-indexer-4.8.0-1.x86_64                              1/1 

Instalado:
  wazuh-indexer.x86_64 0:4.8.0-1                                                

¡Listo!
07/05/2024 08:10:44 INFO: Wazuh indexer installation finished.
07/05/2024 08:10:44 INFO: Wazuh indexer post-install configuration finished.
07/05/2024 08:10:44 INFO: Starting service wazuh-indexer.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
07/05/2024 08:11:08 INFO: wazuh-indexer service started.
07/05/2024 08:11:08 INFO: Initializing Wazuh indexer cluster security settings.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
07/05/2024 08:11:19 INFO: Wazuh indexer cluster security configuration initialized.
07/05/2024 08:11:19 INFO: Wazuh indexer cluster initialized.
07/05/2024 08:11:19 INFO: --- Wazuh server ---
07/05/2024 08:11:19 INFO: Starting the Wazuh manager installation.
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-manager.x86_64 0:4.8.0-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

================================================================================
 Package                Arquitectura    Versión            Repositorio    Tamaño
================================================================================
Instalando:
 wazuh-manager          x86_64          4.8.0-1            wazuh          295 M

Resumen de la transacción
================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 295 M
Tamaño instalado: 884 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : wazuh-manager-4.8.0-1.x86_64                              1/1 
  Comprobando   : wazuh-manager-4.8.0-1.x86_64                              1/1 

Instalado:
  wazuh-manager.x86_64 0:4.8.0-1                                                

¡Listo!
07/05/2024 08:12:11 INFO: Wazuh manager installation finished.
07/05/2024 08:12:11 INFO: Wazuh manager vulnerability detection configuration finished.
07/05/2024 08:12:11 INFO: Starting service wazuh-manager.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /usr/lib/systemd/system/wazuh-manager.service.
07/05/2024 08:12:29 INFO: wazuh-manager service started.
07/05/2024 08:12:29 INFO: Starting Filebeat installation.
07/05/2024 08:13:14 INFO: Filebeat installation finished.
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
Created filebeat keystore
Successfully updated the keystore
Successfully updated the keystore
07/05/2024 08:13:17 INFO: Filebeat post-install configuration finished.
07/05/2024 08:13:17 INFO: Starting service filebeat.
Created symlink from /etc/systemd/system/multi-user.target.wants/filebeat.service to /usr/lib/systemd/system/filebeat.service.
07/05/2024 08:13:17 INFO: filebeat service started.
07/05/2024 08:13:17 INFO: --- Wazuh dashboard ---
07/05/2024 08:13:17 INFO: Starting Wazuh dashboard installation.
Complementos cargados:extras_suggestions, langpacks, priorities, update-motd
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Paquete wazuh-dashboard.x86_64 0:4.8.0-1 debe ser instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

================================================================================
 Package                  Arquitectura    Versión          Repositorio    Tamaño
================================================================================
Instalando:
 wazuh-dashboard          x86_64          4.8.0-1          wazuh          273 M

Resumen de la transacción
================================================================================
Instalar  1 Paquete

Tamaño total de la descarga: 273 M
Tamaño instalado: 902 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando    : wazuh-dashboard-4.8.0-1.x86_64                            1/1 
  Comprobando   : wazuh-dashboard-4.8.0-1.x86_64                            1/1 

Instalado:
  wazuh-dashboard.x86_64 0:4.8.0-1                                              

¡Listo!
07/05/2024 08:14:53 INFO: Wazuh dashboard installation finished.
07/05/2024 08:14:53 INFO: Wazuh dashboard post-install configuration finished.
07/05/2024 08:14:53 INFO: Starting service wazuh-dashboard.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service to /etc/systemd/system/wazuh-dashboard.service.
07/05/2024 08:14:54 INFO: wazuh-dashboard service started.
07/05/2024 08:14:58 INFO: Updating the internal users.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml 
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml 
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml 
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml 
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml 
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml 
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml 
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml 
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
07/05/2024 08:15:07 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml 
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml 
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml 
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml 
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml 
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml 
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml 
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml 
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
Successfully updated the keystore
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /root
Force type: internalusers
Will update '/internalusers' with /etc/wazuh-indexer/backup/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["internalusers"],"updated_config_size":1,"message":null} is 1 (["internalusers"]) due to: null
Done with success
07/05/2024 08:16:15 INFO: Initializing Wazuh dashboard web application.
07/05/2024 08:16:16 INFO: Wazuh dashboard web application initialized.
07/05/2024 08:16:16 INFO: Installation finished.

Ubuntu 22 🟢

Logs on the console:
root@ip-172-31-45-219:~# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash ./wazuh-install.sh -a 
07/05/2024 08:13:00 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
07/05/2024 08:13:00 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/05/2024 08:13:01 INFO: Verifying that your system meets the recommended minimum hardware requirements.
07/05/2024 08:13:21 INFO: Wazuh web interface port will be 443.
07/05/2024 08:13:26 INFO: --- Dependencies ----
07/05/2024 08:13:27 INFO: Installing apt-transport-https.
07/05/2024 08:13:38 INFO: Wazuh development repository added.
07/05/2024 08:13:38 INFO: --- Configuration files ---
07/05/2024 08:13:38 INFO: Generating configuration files.
07/05/2024 08:13:38 INFO: Generating the root certificate.
07/05/2024 08:13:39 INFO: Generating Admin certificates.
07/05/2024 08:13:39 INFO: Generating Wazuh indexer certificates.
07/05/2024 08:13:39 INFO: Generating Filebeat certificates.
07/05/2024 08:13:39 INFO: Generating Wazuh dashboard certificates.
07/05/2024 08:13:40 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
07/05/2024 08:13:40 INFO: --- Wazuh indexer ---
07/05/2024 08:13:40 INFO: Starting Wazuh indexer installation.
07/05/2024 08:15:25 INFO: Wazuh indexer installation finished.
07/05/2024 08:15:25 INFO: Wazuh indexer post-install configuration finished.
07/05/2024 08:15:25 INFO: Starting service wazuh-indexer.
07/05/2024 08:15:50 INFO: wazuh-indexer service started.
07/05/2024 08:15:50 INFO: Initializing Wazuh indexer cluster security settings.
07/05/2024 08:16:01 INFO: Wazuh indexer cluster security configuration initialized.
07/05/2024 08:16:01 INFO: Wazuh indexer cluster initialized.
07/05/2024 08:16:01 INFO: --- Wazuh server ---
07/05/2024 08:16:01 INFO: Starting the Wazuh manager installation.
07/05/2024 08:17:32 INFO: Wazuh manager installation finished.
07/05/2024 08:17:32 INFO: Wazuh manager vulnerability detection configuration finished.
07/05/2024 08:17:32 INFO: Starting service wazuh-manager.
07/05/2024 08:17:53 INFO: wazuh-manager service started.
07/05/2024 08:17:53 INFO: Starting Filebeat installation.
07/05/2024 08:18:13 INFO: Filebeat installation finished.
07/05/2024 08:18:15 INFO: Filebeat post-install configuration finished.
07/05/2024 08:18:15 INFO: Starting service filebeat.
07/05/2024 08:18:17 INFO: filebeat service started.
07/05/2024 08:18:17 INFO: --- Wazuh dashboard ---
07/05/2024 08:18:17 INFO: Starting Wazuh dashboard installation.
07/05/2024 08:20:44 INFO: Wazuh dashboard installation finished.
07/05/2024 08:20:44 INFO: Wazuh dashboard post-install configuration finished.
07/05/2024 08:20:44 INFO: Starting service wazuh-dashboard.
07/05/2024 08:20:44 INFO: wazuh-dashboard service started.
07/05/2024 08:20:47 INFO: Updating the internal users.
07/05/2024 08:20:55 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
07/05/2024 08:22:04 INFO: Initializing Wazuh dashboard web application.
07/05/2024 08:22:05 INFO: Wazuh dashboard web application initialized.
07/05/2024 08:22:05 INFO: --- Summary ---
07/05/2024 08:22:05 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: xJSV?ws04M2KMywBYYWk95vu+8yafzsH
07/05/2024 08:22:05 INFO: Installation finished.
root@ip-172-31-45-219:~# 
Logs in wazuh-install.log:
root@ip-172-31-45-219:~# cat /var/log/wazuh-install.log 
07/05/2024 08:13:00 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
07/05/2024 08:13:00 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/05/2024 08:13:01 INFO: Verifying that your system meets the recommended minimum hardware requirements.
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Get:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease [109 kB]
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:5 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [14.1 MB]
Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/universe Translation-en [5652 kB]
Get:7 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 c-n-f Metadata [286 kB]
Get:8 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [217 kB]
Get:9 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/multiverse Translation-en [112 kB]
Get:10 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 c-n-f Metadata [8372 B]
Get:11 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1617 kB]
Get:12 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [305 kB]
Get:13 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 c-n-f Metadata [16.1 kB]
Get:14 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [1836 kB]
Get:15 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted Translation-en [312 kB]
Get:16 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 c-n-f Metadata [520 B]
Get:17 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1072 kB]
Get:18 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [245 kB]
Get:19 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 c-n-f Metadata [22.1 kB]
Get:20 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [42.7 kB]
Get:21 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse Translation-en [10.4 kB]
Get:22 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 c-n-f Metadata [472 B]
Get:23 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [67.1 kB]
Get:24 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/main Translation-en [11.0 kB]
Get:25 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/main amd64 c-n-f Metadata [388 B]
Get:26 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/restricted amd64 c-n-f Metadata [116 B]
Get:27 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [27.2 kB]
Get:28 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe Translation-en [16.2 kB]
Get:29 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 c-n-f Metadata [644 B]
Get:30 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports/multiverse amd64 c-n-f Metadata [116 B]
Get:31 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [1395 kB]
Get:32 http://security.ubuntu.com/ubuntu jammy-security/main Translation-en [244 kB]
Get:33 http://security.ubuntu.com/ubuntu jammy-security/main amd64 c-n-f Metadata [11.4 kB]
Get:34 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [1773 kB]
Get:35 http://security.ubuntu.com/ubuntu jammy-security/restricted Translation-en [300 kB]
Get:36 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 c-n-f Metadata [520 B]
Get:37 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [849 kB]
Get:38 http://security.ubuntu.com/ubuntu jammy-security/universe Translation-en [163 kB]
Get:39 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 c-n-f Metadata [16.8 kB]
Get:40 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [37.2 kB]
Get:41 http://security.ubuntu.com/ubuntu jammy-security/multiverse Translation-en [7588 B]
Get:42 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 c-n-f Metadata [260 B]
Fetched 31.1 MB in 5s (6199 kB/s)
Reading package lists...
07/05/2024 08:13:21 INFO: Wazuh web interface port will be 443.
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Reading package lists...
07/05/2024 08:13:26 INFO: --- Dependencies ----
07/05/2024 08:13:27 INFO: Installing apt-transport-https.
Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: apt-transport-https 0 upgraded, 1 newly installed, 0 to remove and 194 not upgraded. Need to get 1510 B of archives. After this operation, 170 kB of additional disk space will be used. Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 apt-transport-https all 2.4.12 [1510 B] F NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [37.8 kB]
Fetched 55.1 kB in 1s (52.0 kB/s)
Reading package lists...
07/05/2024 08:13:38 INFO: Wazuh development repository added.
07/05/2024 08:13:38 INFO: --- Configuration files ---
07/05/2024 08:13:38 INFO: Generating configuration files.
07/05/2024 08:13:38 INFO: Generating the root certificate.
07/05/2024 08:13:39 INFO: Generating Admin certificates.
07/05/2024 08:13:39 INFO: Generating Wazuh indexer certificates.
07/05/2024 08:13:39 INFO: Generating Filebeat certificates.
07/05/2024 08:13:39 INFO: Generating Wazuh dashboard certificates.
07/05/2024 08:13:40 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
07/05/2024 08:13:40 INFO: --- Wazuh indexer ---
07/05/2024 08:13:40 INFO: Starting Wazuh indexer installation.
Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: wazuh-indexer 0 upgraded, 1 newly installed, 0 to remove and 194 not upgraded. Need to get 752 MB of archives. After this operation, 1050 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-indexer amd64 4.8.0-1 [752 MB] Fetched 752 MB in  NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1
07/05/2024 08:15:25 INFO: Wazuh indexer installation finished.
07/05/2024 08:15:25 INFO: Wazuh indexer post-install configuration finished.
07/05/2024 08:15:25 INFO: Starting service wazuh-indexer.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /lib/systemd/system/wazuh-indexer.service.
07/05/2024 08:15:50 INFO: wazuh-indexer service started.
07/05/2024 08:15:50 INFO: Initializing Wazuh indexer cluster security settings.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
07/05/2024 08:16:01 INFO: Wazuh indexer cluster security configuration initialized.
07/05/2024 08:16:01 INFO: Wazuh indexer cluster initialized.
07/05/2024 08:16:01 INFO: --- Wazuh server ---
07/05/2024 08:16:01 INFO: Starting the Wazuh manager installation.
Reading package lists... Building dependency tree... Reading state information... Suggested packages: expect The following NEW packages will be installed: wazuh-manager 0 upgraded, 1 newly installed, 0 to remove and 194 not upgraded. Need to get 314 MB of archives. After this operation, 915 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-manager amd64 4.8.0-1 [ NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1
07/05/2024 08:17:32 INFO: Wazuh manager installation finished.
07/05/2024 08:17:32 INFO: Wazuh manager vulnerability detection configuration finished.
07/05/2024 08:17:32 INFO: Starting service wazuh-manager.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /lib/systemd/system/wazuh-manager.service.
07/05/2024 08:17:53 INFO: wazuh-manager service started.
07/05/2024 08:17:53 INFO: Starting Filebeat installation.
Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: filebeat 0 upgraded, 1 newly installed, 0 to remove and 194 not upgraded. Need to get 22.1 MB of archives. After this operation, 73.6 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 filebeat amd64 7.10.2 [22.1 MB] Fetched 22.1 MB in 1s (18.3 NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1
07/05/2024 08:18:13 INFO: Filebeat installation finished.
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
Created filebeat keystore
Successfully updated the keystore
Successfully updated the keystore
07/05/2024 08:18:15 INFO: Filebeat post-install configuration finished.
07/05/2024 08:18:15 INFO: Starting service filebeat.
Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /lib/systemd/system/filebeat.service.
07/05/2024 08:18:17 INFO: filebeat service started.
07/05/2024 08:18:17 INFO: --- Wazuh dashboard ---
07/05/2024 08:18:17 INFO: Starting Wazuh dashboard installation.
Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: wazuh-dashboard 0 upgraded, 1 newly installed, 0 to remove and 194 not upgraded. Need to get 186 MB of archives. After this operation, 987 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-dashboard amd64 4.8.0-1 [186 MB] Fetched 186 MB  NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.19.0-1025-aws NEEDRESTART-KEXP: 5.19.0-1025-aws NEEDRESTART-KSTA: 1
07/05/2024 08:20:44 INFO: Wazuh dashboard installation finished.
07/05/2024 08:20:44 INFO: Wazuh dashboard post-install configuration finished.
07/05/2024 08:20:44 INFO: Starting service wazuh-dashboard.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
07/05/2024 08:20:44 INFO: wazuh-dashboard service started.
07/05/2024 08:20:47 INFO: Updating the internal users.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml 
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml 
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml 
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml 
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml 
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml 
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml 
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml 
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
07/05/2024 08:20:55 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml 
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml 
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml 
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml 
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml 
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml 
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml 
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml 
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
Successfully updated the keystore
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /root
Force type: internalusers
Will update '/internalusers' with /etc/wazuh-indexer/backup/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["internalusers"],"updated_config_size":1,"message":null} is 1 (["internalusers"]) due to: null
Done with success
07/05/2024 08:22:04 INFO: Initializing Wazuh dashboard web application.
07/05/2024 08:22:05 INFO: Wazuh dashboard web application initialized.
07/05/2024 08:22:05 INFO: Installation finished.

RHEL 9 🟢

Logs on the console:
[root@ip-172-31-39-27 ~]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash ./wazuh-install.sh -a
07/05/2024 08:13:06 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
07/05/2024 08:13:06 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/05/2024 08:13:09 INFO: Verifying that your system meets the recommended minimum hardware requirements.
07/05/2024 08:13:17 INFO: --- Dependencies ---
07/05/2024 08:13:17 INFO: Installing lsof.
07/05/2024 08:13:35 INFO: Wazuh web interface port will be 443.
07/05/2024 08:13:37 INFO: Wazuh development repository added.
07/05/2024 08:13:37 INFO: --- Configuration files ---
07/05/2024 08:13:37 INFO: Generating configuration files.
07/05/2024 08:13:38 INFO: Generating the root certificate.
07/05/2024 08:13:38 INFO: Generating Admin certificates.
07/05/2024 08:13:39 INFO: Generating Wazuh indexer certificates.
07/05/2024 08:13:39 INFO: Generating Filebeat certificates.
07/05/2024 08:13:40 INFO: Generating Wazuh dashboard certificates.
07/05/2024 08:13:41 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
07/05/2024 08:13:41 INFO: --- Wazuh indexer ---
07/05/2024 08:13:41 INFO: Starting Wazuh indexer installation.
07/05/2024 08:16:04 INFO: Wazuh indexer installation finished.
07/05/2024 08:16:04 INFO: Wazuh indexer post-install configuration finished.
07/05/2024 08:16:04 INFO: Starting service wazuh-indexer.
07/05/2024 08:16:28 INFO: wazuh-indexer service started.
07/05/2024 08:16:28 INFO: Initializing Wazuh indexer cluster security settings.
07/05/2024 08:16:39 INFO: Wazuh indexer cluster security configuration initialized.
07/05/2024 08:16:39 INFO: Wazuh indexer cluster initialized.
07/05/2024 08:16:39 INFO: --- Wazuh server ---
07/05/2024 08:16:39 INFO: Starting the Wazuh manager installation.
07/05/2024 08:17:55 INFO: Wazuh manager installation finished.
07/05/2024 08:17:56 INFO: Wazuh manager vulnerability detection configuration finished.
07/05/2024 08:17:56 INFO: Starting service wazuh-manager.
07/05/2024 08:18:13 INFO: wazuh-manager service started.
07/05/2024 08:18:13 INFO: Starting Filebeat installation.
07/05/2024 08:19:02 INFO: Filebeat installation finished.
07/05/2024 08:19:03 INFO: Filebeat post-install configuration finished.
07/05/2024 08:19:03 INFO: Starting service filebeat.
07/05/2024 08:19:04 INFO: filebeat service started.
07/05/2024 08:19:04 INFO: --- Wazuh dashboard ---
07/05/2024 08:19:04 INFO: Starting Wazuh dashboard installation.
07/05/2024 08:22:51 INFO: Wazuh dashboard installation finished.
07/05/2024 08:22:51 INFO: Wazuh dashboard post-install configuration finished.
07/05/2024 08:22:51 INFO: Starting service wazuh-dashboard.
07/05/2024 08:22:52 INFO: wazuh-dashboard service started.
07/05/2024 08:22:57 INFO: Updating the internal users.
07/05/2024 08:23:05 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
07/05/2024 08:24:11 INFO: Initializing Wazuh dashboard web application.
07/05/2024 08:24:12 INFO: Wazuh dashboard web application initialized.
07/05/2024 08:24:12 INFO: --- Summary ---
07/05/2024 08:24:12 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: AkGO9sUF?4YmnsxVAE2khD1Xp6?5ND.h
07/05/2024 08:24:12 INFO: --- Dependencies ---
07/05/2024 08:24:12 INFO: Removing lsof.
07/05/2024 08:24:14 INFO: Installation finished.
[root@ip-172-31-39-27 ~]#

Logs in wazuh-install.log:
[root@ip-172-31-39-27 ~]# cat /var/log/wazuh-install.log 
07/05/2024 08:13:06 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
07/05/2024 08:13:06 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/05/2024 08:13:09 INFO: Verifying that your system meets the recommended minimum hardware requirements.
07/05/2024 08:13:17 INFO: --- Dependencies ---
07/05/2024 08:13:17 INFO: Installing lsof.
Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. CentOS Stream 9 - AppStream 35 MB/s | 19 MB 00:00 CentOS Stream 9 - BaseOS 25 MB/s | 8.1 MB 00:00 Last metadata expiration check: 0:00:02 ago on Tue 07 May 2024 08:13:26 AM UTC. Dependencies resolved. ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: lsof x86_64 4.94.0-3.el9 baseos 239 k Installing dependencies: libtirpc x86_64 1.3.3-8.el9_4 rhel-9-baseos-rhui-rpms 96 k Transaction Summary ================================================================================ Install 2 Packages Total download size: 336 k Installed size: 826 k Downloading Packages: (1/2): lsof-4.94.0-3.el9.x86_64.rpm 1.1 MB/s | 239 kB 00:00 (2/2): libtirpc-1.3.3-8.el9_4.x86_64.rpm 431 kB/s | 96 kB 00:00 -------------------------------------------------------------------------------- Total 1.3 MB/s | 336 kB 00:00 CentOS Stream 9 - BaseOS 1.6 MB/s | 1.6 kB 00:00 Importing GPG key 0x8483C65D: Userid : "CentOS (CentOS Official Signing Key) <security@centos.org>" Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D From : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial Key imported successfully Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : libtirpc-1.3.3-8.el9_4.x86_64 1/2 Installing : lsof-4.94.0-3.el9.x86_64 2/2 Running scriptlet: lsof-4.94.0-3.el9.x86_64 2/2 Verifying : lsof-4.94.0-3.el9.x86_64 1/2 Verifying : libtirpc-1.3.3-8.el9_4.x86_64 2/2 Installed products updated. Installed: libtirpc-1.3.3-8.el9_4.x86_64 lsof-4.94.0-3.el9.x86_64 Complete!
Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. CentOS Stream 9 - AppStream 35 MB/s | 19 MB 00:00 CentOS Stream 9 - BaseOS 25 MB/s | 8.1 MB 00:00 Last metadata expiration check: 0:00:02 ago on Tue 07 May 2024 08:13:26 AM UTC. Dependencies resolved. ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: lsof x86_64 4.94.0-3.el9 baseos 239 k Installing dependencies: libtirpc x86_64 1.3.3-8.el9_4 rhel-9-baseos-rhui-rpms 96 k Transaction Summary ================================================================================ Install 2 Packages Total download size: 336 k Installed size: 826 k Downloading Packages: (1/2): lsof-4.94.0-3.el9.x86_64.rpm 1.1 MB/s | 239 kB 00:00 (2/2): libtirpc-1.3.3-8.el9_4.x86_64.rpm 431 kB/s | 96 kB 00:00 -------------------------------------------------------------------------------- Total 1.3 MB/s | 336 kB 00:00 CentOS Stream 9 - BaseOS 1.6 MB/s | 1.6 kB 00:00 Importing GPG key 0x8483C65D: Userid : "CentOS (CentOS Official Signing Key) <security@centos.org>" Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D From : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial Key imported successfully Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : libtirpc-1.3.3-8.el9_4.x86_64 1/2 Installing : lsof-4.94.0-3.el9.x86_64 2/2 Running scriptlet: lsof-4.94.0-3.el9.x86_64 2/2 Verifying : lsof-4.94.0-3.el9.x86_64 1/2 Verifying : libtirpc-1.3.3-8.el9_4.x86_64 2/2 Installed products updated. Installed: libtirpc-1.3.3-8.el9_4.x86_64 lsof-4.94.0-3.el9.x86_64 Complete!
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

38 files removed
07/05/2024 08:13:35 INFO: Wazuh web interface port will be 443.
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
07/05/2024 08:13:37 INFO: Wazuh development repository added.
07/05/2024 08:13:37 INFO: --- Configuration files ---
07/05/2024 08:13:37 INFO: Generating configuration files.
07/05/2024 08:13:38 INFO: Generating the root certificate.
07/05/2024 08:13:38 INFO: Generating Admin certificates.
07/05/2024 08:13:39 INFO: Generating Wazuh indexer certificates.
07/05/2024 08:13:39 INFO: Generating Filebeat certificates.
07/05/2024 08:13:40 INFO: Generating Wazuh dashboard certificates.
07/05/2024 08:13:41 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
07/05/2024 08:13:41 INFO: --- Wazuh indexer ---
07/05/2024 08:13:41 INFO: Starting Wazuh indexer installation.
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Enterprise Linux 9 for x86_64 - AppStre  21 MB/s |  34 MB     00:01    
Red Hat Enterprise Linux 9 for x86_64 - BaseOS   68 MB/s |  20 MB     00:00    
Red Hat Enterprise Linux 9 Client Configuration  25 kB/s | 2.6 kB     00:00    
EL-9 - Wazuh                                     16 MB/s |  25 MB     00:01    
Dependencies resolved.
================================================================================
 Package                Architecture    Version            Repository      Size
================================================================================
Installing:
 wazuh-indexer          x86_64          4.8.0-1            wazuh          743 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 743 M
Installed size: 1.0 G
Downloading Packages:
wazuh-indexer-4.8.0-1.x86_64.rpm                 41 MB/s | 743 MB     00:18    
--------------------------------------------------------------------------------
Total                                            41 MB/s | 743 MB     00:18     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: wazuh-indexer-4.8.0-1.x86_64                           1/1 
  Installing       : wazuh-indexer-4.8.0-1.x86_64                           1/1 
  Running scriptlet: wazuh-indexer-4.8.0-1.x86_64                           1/1 
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore

  Verifying        : wazuh-indexer-4.8.0-1.x86_64                           1/1 
Installed products updated.

Installed:
  wazuh-indexer-4.8.0-1.x86_64                                                  

Complete!
07/05/2024 08:16:04 INFO: Wazuh indexer installation finished.
07/05/2024 08:16:04 INFO: Wazuh indexer post-install configuration finished.
07/05/2024 08:16:04 INFO: Starting service wazuh-indexer.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service.
07/05/2024 08:16:28 INFO: wazuh-indexer service started.
07/05/2024 08:16:28 INFO: Initializing Wazuh indexer cluster security settings.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
07/05/2024 08:16:39 INFO: Wazuh indexer cluster security configuration initialized.
07/05/2024 08:16:39 INFO: Wazuh indexer cluster initialized.
07/05/2024 08:16:39 INFO: --- Wazuh server ---
07/05/2024 08:16:39 INFO: Starting the Wazuh manager installation.
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:02:40 ago on Tue 07 May 2024 08:14:00 AM UTC.
Dependencies resolved.
================================================================================
 Package                Architecture    Version            Repository      Size
================================================================================
Installing:
 wazuh-manager          x86_64          4.8.0-1            wazuh          295 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 295 M
Installed size: 884 M
Downloading Packages:
wazuh-manager-4.8.0-1.x86_64.rpm                102 MB/s | 295 MB     00:02    
--------------------------------------------------------------------------------
Total                                           102 MB/s | 295 MB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: wazuh-manager-4.8.0-1.x86_64                           1/1 
  Installing       : wazuh-manager-4.8.0-1.x86_64                           1/1 
  Running scriptlet: wazuh-manager-4.8.0-1.x86_64                           1/1 
  Verifying        : wazuh-manager-4.8.0-1.x86_64                           1/1 
Installed products updated.

Installed:
  wazuh-manager-4.8.0-1.x86_64                                                  

Complete!
07/05/2024 08:17:55 INFO: Wazuh manager installation finished.
07/05/2024 08:17:56 INFO: Wazuh manager vulnerability detection configuration finished.
07/05/2024 08:17:56 INFO: Starting service wazuh-manager.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.
07/05/2024 08:18:13 INFO: wazuh-manager service started.
07/05/2024 08:18:13 INFO: Starting Filebeat installation.

Installed:
  filebeat-7.10.2-1.x86_64                                                      

07/05/2024 08:19:02 INFO: Filebeat installation finished.
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
Created filebeat keystore
Successfully updated the keystore
Successfully updated the keystore
07/05/2024 08:19:03 INFO: Filebeat post-install configuration finished.
07/05/2024 08:19:03 INFO: Starting service filebeat.
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
07/05/2024 08:19:04 INFO: filebeat service started.
07/05/2024 08:19:04 INFO: --- Wazuh dashboard ---
07/05/2024 08:19:04 INFO: Starting Wazuh dashboard installation.
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:05:05 ago on Tue 07 May 2024 08:14:00 AM UTC.
Dependencies resolved.
================================================================================
 Package                  Architecture    Version          Repository      Size
================================================================================
Installing:
 wazuh-dashboard          x86_64          4.8.0-1          wazuh          273 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 273 M
Installed size: 902 M
Downloading Packages:
wazuh-dashboard-4.8.0-1.x86_64.rpm               29 MB/s | 273 MB     00:09    
--------------------------------------------------------------------------------
Total                                            29 MB/s | 273 MB     00:09     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: wazuh-dashboard-4.8.0-1.x86_64                         1/1 
  Installing       : wazuh-dashboard-4.8.0-1.x86_64                         1/1 
  Running scriptlet: wazuh-dashboard-4.8.0-1.x86_64                         1/1 
  Verifying        : wazuh-dashboard-4.8.0-1.x86_64                         1/1 
Installed products updated.

Installed:
  wazuh-dashboard-4.8.0-1.x86_64                                                

Complete!
07/05/2024 08:22:51 INFO: Wazuh dashboard installation finished.
07/05/2024 08:22:51 INFO: Wazuh dashboard post-install configuration finished.
07/05/2024 08:22:51 INFO: Starting service wazuh-dashboard.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
07/05/2024 08:22:52 INFO: wazuh-dashboard service started.
07/05/2024 08:22:57 INFO: Updating the internal users.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml 
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml 
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml 
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml 
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml 
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml 
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml 
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml 
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
07/05/2024 08:23:05 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml 
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml 
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml 
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml 
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml 
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml 
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml 
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml 
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml
Successfully updated the keystore
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /root
Force type: internalusers
Will update '/internalusers' with /etc/wazuh-indexer/backup/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["internalusers"],"updated_config_size":1,"message":null} is 1 (["internalusers"]) due to: null
Done with success
07/05/2024 08:24:11 INFO: Initializing Wazuh dashboard web application.
07/05/2024 08:24:12 INFO: Wazuh dashboard web application initialized.
07/05/2024 08:24:12 INFO: --- Dependencies ---
07/05/2024 08:24:12 INFO: Removing lsof.
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Dependencies resolved.
================================================================================
 Package      Arch       Version            Repository                     Size
================================================================================
Removing:
 lsof         x86_64     4.94.0-3.el9       @baseos                       624 k
Removing unused dependencies:
 libtirpc     x86_64     1.3.3-8.el9_4      @rhel-9-baseos-rhui-rpms      202 k

Transaction Summary
================================================================================
Remove  2 Packages

Freed space: 826 k
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Erasing          : lsof-4.94.0-3.el9.x86_64                               1/2
  Erasing          : libtirpc-1.3.3-8.el9_4.x86_64                          2/2
  Running scriptlet: libtirpc-1.3.3-8.el9_4.x86_64                          2/2
  Verifying        : libtirpc-1.3.3-8.el9_4.x86_64                          1/2
  Verifying        : lsof-4.94.0-3.el9.x86_64                               2/2
Installed products updated.

Removed:
  libtirpc-1.3.3-8.el9_4.x86_64          lsof-4.94.0-3.el9.x86_64

Complete!
07/05/2024 08:24:14 INFO: Installation finished.

Amazon Linux 2 - Offline 🟢

Logs on the console:
[root@ip-172-31-34-149 ~]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash ./wazuh-install.sh -dw rpm
07/05/2024 08:49:24 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
07/05/2024 08:49:24 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/05/2024 08:49:27 INFO: Verifying that your system meets the recommended minimum hardware requirements.
07/05/2024 08:49:33 INFO: --- Download Packages ---
07/05/2024 08:49:33 INFO: Starting Wazuh packages download.
07/05/2024 08:49:33 INFO: Downloading Wazuh rpm packages for x86_64.
07/05/2024 08:49:36 INFO: The manager package was downloaded.
07/05/2024 08:49:36 INFO: The filebeat package was downloaded.
07/05/2024 08:49:39 INFO: The indexer package was downloaded.
07/05/2024 08:49:40 INFO: The dashboard package was downloaded.
07/05/2024 08:49:40 INFO: The packages are in wazuh-offline/wazuh-packages
07/05/2024 08:49:40 INFO: Downloading configuration files and assets.
07/05/2024 08:49:40 INFO: The resource https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH was downloaded.
07/05/2024 08:49:41 INFO: The resource https://packages-dev.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml was downloaded.
07/05/2024 08:49:41 INFO: The resource https://raw.githubusercontent.com/wazuh/wazuh/4.8.0/extensions/elasticsearch/7.x/wazuh-template.json was downloaded.
07/05/2024 08:49:41 INFO: The resource https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz was downloaded.
07/05/2024 08:49:41 INFO: The configuration files and assets are in wazuh-offline.tar.gz
07/05/2024 08:50:57 INFO: You can follow the installation guide here https://documentation.wazuh.com/current/deployment-options/offline-installation.html

[root@ip-172-31-34-149 ~]# curl -sO https://packages-dev.wazuh.com/4.8/config.yml
[root@ip-172-31-34-149 ~]# sed -i -e '0,/<indexer-node-ip>/ s/<indexer-node-ip>/127.0.0.1/' config.yml
[root@ip-172-31-34-149 ~]# sed -i -e '0,/<wazuh-manager-ip>/ s/<wazuh-manager-ip>/127.0.0.1/' config.yml
[root@ip-172-31-34-149 ~]# sed -i -e '0,/<dashboard-node-ip>/ s/<dashboard-node-ip>/127.0.0.1/' config.yml

[root@ip-172-31-34-149 ~]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-certs-tool.sh
[root@ip-172-31-34-149 ~]# chmod 744 wazuh-certs-tool.sh
[root@ip-172-31-34-149 ~]# ./wazuh-certs-tool.sh --all
07/05/2024 08:56:25 INFO: Generating the root certificate.
07/05/2024 08:56:25 INFO: Generating Admin certificates.
07/05/2024 08:56:25 INFO: Admin certificates created.
07/05/2024 08:56:25 INFO: Generating Wazuh indexer certificates.
07/05/2024 08:56:25 INFO: Wazuh indexer certificates created.
07/05/2024 08:56:25 INFO: Generating Filebeat certificates.
07/05/2024 08:56:26 INFO: Wazuh Filebeat certificates created.
07/05/2024 08:56:26 INFO: Generating Wazuh dashboard certificates.
07/05/2024 08:56:26 INFO: Wazuh dashboard certificates created.

[root@ip-172-31-34-149 ~]# tar xf wazuh-offline.tar.gz
[root@ip-172-31-34-149 ~]# ls -l wazuh-offline
total 0
drwx------ 2 root root 107 may  7 08:49 wazuh-files
drwx------ 2 root root 166 may  7 08:49 wazuh-packages
[root@ip-172-31-34-149 ~]# ls -l wazuh-offline/wazuh-packages/
total 1363696
-rw------- 1 root root  21808122 may  7 08:49 filebeat-oss-7.10.2-x86_64.rpm
-rw------- 1 root root 286053840 may  7 08:49 wazuh-dashboard-4.8.0-1.x86_64.rpm
-rw------- 1 root root 778825404 may  7 08:49 wazuh-indexer-4.8.0-1.x86_64.rpm
-rw------- 1 root root 309730892 may  7 08:49 wazuh-manager-4.8.0-1.x86_64.rpm

[root@ip-172-31-34-149 ~]# rpm --import ./wazuh-offline/wazuh-files/GPG-KEY-WAZUH
[root@ip-172-31-34-149 ~]# rpm -ivh ./wazuh-offline/wazuh-packages/wazuh-indexer*.rpm
Preparando...                         ################################# [100%]
Actualizando / instalando...
   1:wazuh-indexer-4.8.0-1            ################################# [100%]
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore

[root@ip-172-31-34-149 ~]# NODE_NAME=node-1
[root@ip-172-31-34-149 ~]# mkdir /etc/wazuh-indexer/certs
[root@ip-172-31-34-149 ~]# mv -n wazuh-certificates/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
[root@ip-172-31-34-149 ~]# mv -n wazuh-certificates/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
[root@ip-172-31-34-149 ~]# mv wazuh-certificates/admin-key.pem /etc/wazuh-indexer/certs/
[root@ip-172-31-34-149 ~]# mv wazuh-certificates/admin.pem /etc/wazuh-indexer/certs/
[root@ip-172-31-34-149 ~]# cp wazuh-certificates/root-ca.pem /etc/wazuh-indexer/certs/
[root@ip-172-31-34-149 ~]# chmod 500 /etc/wazuh-indexer/certs
[root@ip-172-31-34-149 ~]# chmod 400 /etc/wazuh-indexer/certs/*
[root@ip-172-31-34-149 ~]# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
[root@ip-172-31-34-149 ~]# nano /etc/wazuh-indexer/opensearch.yml 

[root@ip-172-31-34-149 ~]# systemctl daemon-reload
[root@ip-172-31-34-149 ~]# systemctl enable wazuh-indexer
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
[root@ip-172-31-34-149 ~]# systemctl start wazuh-indexer

[root@ip-172-31-34-149 ~]# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml 
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml 
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success

[root@ip-172-31-34-149 ~]# curl -XGET https://localhost:9200 -u admin:admin -k
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "2ys62gzeQ-W44z_xT85Z7g",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

[root@ip-172-31-34-149 ~]# rpm --import ./wazuh-offline/wazuh-files/GPG-KEY-WAZUH
[root@ip-172-31-34-149 ~]# rpm -ivh ./wazuh-offline/wazuh-packages/wazuh-manager*.rpm
Preparando...                         ################################# [100%]
Actualizando / instalando...
   1:wazuh-manager-4.8.0-1            ################################# [100%]

[root@ip-172-31-34-149 ~]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@ip-172-31-34-149 ~]# /var/ossec/bin/wazuh-keystore -f indexer -k password -v admin
[root@ip-172-31-34-149 ~]# systemctl daemon-reload
[root@ip-172-31-34-149 ~]# systemctl enable wazuh-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /usr/lib/systemd/system/wazuh-manager.service.
[root@ip-172-31-34-149 ~]# systemctl start wazuh-manager
[root@ip-172-31-34-149 ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2024-05-07 09:19:48 UTC; 5s ago
  Process: 13506 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─13565 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─13607 /var/ossec/bin/wazuh-authd
           ├─13624 /var/ossec/bin/wazuh-db
           ├─13638 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─13641 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─13644 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─13658 /var/ossec/bin/wazuh-execd
           ├─13673 /var/ossec/bin/wazuh-analysisd
           ├─13687 /var/ossec/bin/wazuh-syscheckd
           ├─13735 /var/ossec/bin/wazuh-remoted
           ├─13770 /var/ossec/bin/wazuh-logcollector
           ├─13790 /var/ossec/bin/wazuh-monitord
           ├─13812 /var/ossec/bin/wazuh-modulesd
           ├─14118 sh -c  yum check-updates --security | grep "No packages"
           ├─14120 /usr/bin/python /usr/bin/yum check-updates --security
           ├─14121 grep No packages
           ├─14239 sh -c /bin/ps -p 1288 > /dev/null 2>&1
           └─14240 sh -c /bin/ps -p 1288 > /dev/null 2>&1

may 07 09:19:41 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-analysisd...
may 07 09:19:42 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-syscheckd...
may 07 09:19:43 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-remoted...
may 07 09:19:44 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-logcollector...
may 07 09:19:45 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-monitord...
may 07 09:19:45 ip-172-31-34-149.ec2.internal env[13506]: 2024/05/07 09:19:45 wazuh-modulesd:router: IN...le.
may 07 09:19:45 ip-172-31-34-149.ec2.internal env[13506]: 2024/05/07 09:19:45 wazuh-modulesd:content_ma...le.
may 07 09:19:46 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-modulesd...
may 07 09:19:48 ip-172-31-34-149.ec2.internal env[13506]: Completed.
may 07 09:19:48 ip-172-31-34-149.ec2.internal systemd[1]: Started Wazuh manager.
Hint: Some lines were ellipsized, use -l to show in full.

[root@ip-172-31-34-149 ~]# rpm -ivh ./wazuh-offline/wazuh-packages/filebeat*.rpm
Preparando...                         ################################# [100%]
Actualizando / instalando...
   1:filebeat-7.10.2-1                ################################# [100%]
[root@ip-172-31-34-149 ~]# cp ./wazuh-offline/wazuh-files/filebeat.yml /etc/filebeat/ &&\
> cp ./wazuh-offline/wazuh-files/wazuh-template.json /etc/filebeat/ &&\
> chmod go+r /etc/filebeat/wazuh-template.json
cp: ¿sobreescribir «/etc/filebeat/filebeat.yml»? (s/n) s
[root@ip-172-31-34-149 ~]# nano /etc/filebeat/filebeat.yml 
[root@ip-172-31-34-149 ~]# filebeat keystore create
Created filebeat keystore
[root@ip-172-31-34-149 ~]# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
[root@ip-172-31-34-149 ~]# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore

[root@ip-172-31-34-149 ~]# tar -xzf ./wazuh-offline/wazuh-files/wazuh-filebeat-0.4.tar.gz -C /usr/share/filebeat/module
[root@ip-172-31-34-149 ~]# NODE_NAME=wazuh-1
[root@ip-172-31-34-149 ~]# mkdir /etc/filebeat/certs
[root@ip-172-31-34-149 ~]# mv -n wazuh-certificates/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
[root@ip-172-31-34-149 ~]# mv -n wazuh-certificates/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
[root@ip-172-31-34-149 ~]# cp wazuh-certificates/root-ca.pem /etc/filebeat/certs/
[root@ip-172-31-34-149 ~]# chmod 500 /etc/filebeat/certs
[root@ip-172-31-34-149 ~]# chmod 400 /etc/filebeat/certs/*
[root@ip-172-31-34-149 ~]# chown -R root:root /etc/filebeat/certs
[root@ip-172-31-34-149 ~]# systemctl daemon-reload
[root@ip-172-31-34-149 ~]# systemctl enable filebeat
Created symlink from /etc/systemd/system/multi-user.target.wants/filebeat.service to /usr/lib/systemd/system/filebeat.service.
[root@ip-172-31-34-149 ~]# systemctl start filebeat
[root@ip-172-31-34-149 ~]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

[root@ip-172-31-34-149 ~]# rpm --import ./wazuh-offline/wazuh-files/GPG-KEY-WAZUH
[root@ip-172-31-34-149 ~]# rpm -ivh ./wazuh-offline/wazuh-packages/wazuh-dashboard*.rpm
Preparando...                         ################################# [100%]
Actualizando / instalando...
   1:wazuh-dashboard-4.8.0-1          ################################# [100%]

[root@ip-172-31-34-149 ~]# NODE_NAME=dashboard
[root@ip-172-31-34-149 ~]# mkdir /etc/wazuh-dashboard/certs
[root@ip-172-31-34-149 ~]# mv -n wazuh-certificates/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
[root@ip-172-31-34-149 ~]# mv -n wazuh-certificates/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
[root@ip-172-31-34-149 ~]# cp wazuh-certificates/root-ca.pem /etc/wazuh-dashboard/certs/
[root@ip-172-31-34-149 ~]# chmod 500 /etc/wazuh-dashboard/certs
[root@ip-172-31-34-149 ~]# chmod 400 /etc/wazuh-dashboard/certs/*
[root@ip-172-31-34-149 ~]# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
[root@ip-172-31-34-149 ~]# nano /etc/wazuh-dashboard/opensearch_dashboards.yml 
[root@ip-172-31-34-149 ~]# systemctl daemon-reload
[root@ip-172-31-34-149 ~]# systemctl enable wazuh-dashboard
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service to /etc/systemd/system/wazuh-dashboard.service.
[root@ip-172-31-34-149 ~]# systemctl start wazuh-dashboard
[root@ip-172-31-34-149 ~]# nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml 
[root@ip-172-31-34-149 ~]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2024-05-07 09:28:41 UTC; 1min 27s ago
 Main PID: 15613 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─15613 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=...

may 07 09:28:47 ip-172-31-34-149.ec2.internal opensearch-dashboards[15613]: {"type":"log","@timestamp":"2...}
may 07 09:28:48 ip-172-31-34-149.ec2.internal opensearch-dashboards[15613]: {"type":"log","@timestamp":"2...}
may 07 09:28:48 ip-172-31-34-149.ec2.internal opensearch-dashboards[15613]: {"type":"log","@timestamp":"2...}
may 07 09:28:48 ip-172-31-34-149.ec2.internal opensearch-dashboards[15613]: {"type":"log","@timestamp":"2...}
may 07 09:28:48 ip-172-31-34-149.ec2.internal opensearch-dashboards[15613]: {"type":"log","@timestamp":"2...}
may 07 09:28:48 ip-172-31-34-149.ec2.internal opensearch-dashboards[15613]: {"type":"log","@timestamp":"2...p
may 07 09:28:49 ip-172-31-34-149.ec2.internal opensearch-dashboards[15613]: {"type":"log","@timestamp":"2...}
may 07 09:28:49 ip-172-31-34-149.ec2.internal opensearch-dashboards[15613]: {"type":"log","@timestamp":"2...}
may 07 09:28:49 ip-172-31-34-149.ec2.internal opensearch-dashboards[15613]: {"type":"log","@timestamp":"2...}
may 07 09:28:49 ip-172-31-34-149.ec2.internal opensearch-dashboards[15613]: {"type":"log","@timestamp":"2...}
Hint: Some lines were ellipsized, use -l to show in full.

Logs in wazuh-install.log:
[root@ip-172-31-34-149 ~]# cat /var/log/wazuh-install.log 
07/05/2024 08:49:24 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
07/05/2024 08:49:24 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/05/2024 08:49:27 INFO: Verifying that your system meets the recommended minimum hardware requirements.
07/05/2024 08:49:33 INFO: --- Download Packages ---
07/05/2024 08:49:33 INFO: Starting Wazuh packages download.
07/05/2024 08:49:33 INFO: Downloading Wazuh rpm packages for x86_64.
07/05/2024 08:49:36 INFO: The manager package was downloaded.
07/05/2024 08:49:36 INFO: The filebeat package was downloaded.
07/05/2024 08:49:39 INFO: The indexer package was downloaded.
07/05/2024 08:49:40 INFO: The dashboard package was downloaded.
07/05/2024 08:49:40 INFO: The packages are in wazuh-offline/wazuh-packages
07/05/2024 08:49:40 INFO: Downloading configuration files and assets.
07/05/2024 08:49:40 INFO: The resource https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH was downloaded.
07/05/2024 08:49:41 INFO: The resource https://packages-dev.wazuh.com/4.8/tpl/wazuh/filebeat/filebeat.yml was downloaded.
07/05/2024 08:49:41 INFO: The resource https://raw.githubusercontent.com/wazuh/wazuh/4.8.0/extensions/elasticsearch/7.x/wazuh-template.json was downloaded.
07/05/2024 08:49:41 INFO: The resource https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz was downloaded.
07/05/2024 08:49:41 INFO: The configuration files and assets are in wazuh-offline.tar.gz
07/05/2024 08:50:57 INFO: You can follow the installation guide here https://documentation.wazuh.com/current/deployment-options/offline-installation.html

@CarlosALgit
Member

Installed packages 🟢

Amazon Linux 2 🟢

[root@ip-172-31-34-142 ~]# rpm -qa --last | head -n 20
wazuh-dashboard-4.8.0-1.x86_64                mar 07 may 2024 08:14:22 UTC
filebeat-7.10.2-1.x86_64                      mar 07 may 2024 08:12:37 UTC
wazuh-manager-4.8.0-1.x86_64                  mar 07 may 2024 08:11:54 UTC
wazuh-indexer-4.8.0-1.x86_64                  mar 07 may 2024 08:10:29 UTC
gpg-pubkey-29111145-591cd381                  mar 07 may 2024 08:09:05 UTC

The gpg package is installed as part of the dependencies of the Installation Assistant. It's used to import the Wazuh GPG keys.

Ubuntu 22 🟢

root@ip-172-31-45-219:~# grep " install " /var/log/dpkg.log | tail
2024-05-07 08:13:28 install apt-transport-https:all <none> 2.4.12
2024-05-07 08:13:58 install wazuh-indexer:amd64 <none> 4.8.0-1
2024-05-07 08:16:10 install wazuh-manager:amd64 <none> 4.8.0-1
2024-05-07 08:17:57 install filebeat:amd64 <none> 7.10.2
2024-05-07 08:18:25 install wazuh-dashboard:amd64 <none> 4.8.0-1

The apt-transport-https package is installed as part of the dependencies of the Installation Assistant. It's used to download packages from repositories that use the HTTPS protocol via APT.

RHEL 9 🟢

[root@ip-172-31-39-27 ~]# rpm -qa --last | head -n 20
rh-amazon-rhui-client-4.0.16-1.el9.noarch     Tue 07 May 2024 08:24:03 AM UTC
wazuh-dashboard-4.8.0-1.x86_64                Tue 07 May 2024 08:22:37 AM UTC
filebeat-7.10.2-1.x86_64                      Tue 07 May 2024 08:18:18 AM UTC
wazuh-manager-4.8.0-1.x86_64                  Tue 07 May 2024 08:17:24 AM UTC
wazuh-indexer-4.8.0-1.x86_64                  Tue 07 May 2024 08:15:55 AM UTC
gpg-pubkey-29111145-591cd381                  Tue 07 May 2024 08:13:37 AM UTC
gpg-pubkey-8483c65d-5ccc5b19                  Tue 07 May 2024 08:13:32 AM UTC

The gpg package is installed as part of the dependencies of the Installation Assistant. It's used to import the Wazuh GPG keys.

Amazon Linux 2 - Offline 🟢

[root@ip-172-31-34-149 ~]# rpm -qa --last | head -n 20
wazuh-dashboard-4.8.0-1.x86_64                mar 07 may 2024 09:26:02 UTC
filebeat-7.10.2-1.x86_64                      mar 07 may 2024 09:20:37 UTC
wazuh-manager-4.8.0-1.x86_64                  mar 07 may 2024 09:13:07 UTC
wazuh-indexer-4.8.0-1.x86_64                  mar 07 may 2024 09:00:43 UTC
gpg-pubkey-29111145-591cd381                  mar 07 may 2024 08:59:28 UTC

The gpg package is installed as part of the dependencies of the Installation Assistant. It's used to import the Wazuh GPG keys.

@CarlosALgit
Member

CarlosALgit commented May 7, 2024

Wazuh Indexer logs 🟡

Amazon Linux 2 🟡

Agent status
[root@ip-172-31-34-142 ~]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2024-05-07 08:11:08 UTC; 1h 48min ago
     Docs: https://documentation.wazuh.com
 Main PID: 7728 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─7728 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl...

may 07 08:10:44 ip-172-31-34-142.ec2.internal systemd[1]: Starting Wazuh-indexer...
may 07 08:10:47 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: A terminally deprecated ...d
may 07 08:10:47 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: System::setSecurityManag...)
may 07 08:10:47 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: Please consider reportin...h
may 07 08:10:47 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: System::setSecurityManag...e
may 07 08:10:50 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: A terminally deprecated ...d
may 07 08:10:50 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: System::setSecurityManag...)
may 07 08:10:50 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: Please consider reportin...y
may 07 08:10:50 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: System::setSecurityManag...e
may 07 08:11:08 ip-172-31-34-142.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
Service status
[root@ip-172-31-34-142 ~]# journalctl -xe -u wazuh-indexer.service --no-pager
-- Logs begin at mar 2024-05-07 07:35:44 UTC, end at mar 2024-05-07 10:00:01 UTC. --
may 07 08:10:44 ip-172-31-34-142.ec2.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
may 07 08:10:47 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: A terminally deprecated method in java.lang.System has been called
may 07 08:10:47 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 07 08:10:47 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
may 07 08:10:47 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: System::setSecurityManager will be removed in a future release
may 07 08:10:50 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: A terminally deprecated method in java.lang.System has been called
may 07 08:10:50 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 07 08:10:50 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
may 07 08:10:50 ip-172-31-34-142.ec2.internal systemd-entrypoint[7728]: WARNING: System::setSecurityManager will be removed in a future release
may 07 08:11:08 ip-172-31-34-142.ec2.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
Errors

Normal errors of uninitialized indexes. Related: wazuh/wazuh-packages#1511 (comment)

[root@ip-172-31-34-142 ~]# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2024-05-07T08:10:50,085][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3928m, -Xmx3928m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-14617205322179299816, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2059403264, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-05-07T08:11:02,461][WARN ][o.o.s.c.Salt             ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-05-07T08:11:02,516][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-05-07T08:11:02,518][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-05-07T08:11:04,087][WARN ][o.o.s.p.SQLPlugin        ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2024-05-07T08:11:06,500][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-05-07T08:11:08,403][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-05-07T08:11:08,516][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:11:08,516][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:11:08,529][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:11:08,530][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:11:08,530][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:11:08,531][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:11:08,531][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:11:08,531][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:11:08,531][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:11:08,532][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:11:08,950][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-05-07T08:15:52,993][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:52270
[2024-05-07T08:15:53,509][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:52284
[2024-05-07T08:15:55,551][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:51884
[2024-05-07T08:16:00,904][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:51904
[2024-05-07T08:16:02,215][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:51920
[2024-05-07T08:16:04,383][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:51920

Ubuntu 22 🟡

Agent status
root@ip-172-31-45-219:~# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-05-07 08:15:50 UTC; 1h 51min ago
       Docs: https://documentation.wazuh.com
   Main PID: 4258 (java)
      Tasks: 74 (limit: 9425)
     Memory: 4.3G
        CPU: 2min 41.353s
     CGroup: /system.slice/wazuh-indexer.service
             └─4258 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl>

May 07 08:15:26 ip-172-31-45-219 systemd[1]: Starting Wazuh-indexer...
May 07 08:15:29 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: A terminally deprecated method in java.l>
May 07 08:15:29 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: System::setSecurityManager has been call>
May 07 08:15:29 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: Please consider reporting this to the ma>
May 07 08:15:29 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: System::setSecurityManager will be remov>
May 07 08:15:31 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: A terminally deprecated method in java.l>
May 07 08:15:31 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: System::setSecurityManager has been call>
May 07 08:15:31 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: Please consider reporting this to the ma>
May 07 08:15:31 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: System::setSecurityManager will be remov>
May 07 08:15:50 ip-172-31-45-219 systemd[1]: Started Wazuh-indexer.
Service status
root@ip-172-31-45-219:~# journalctl -xe -u wazuh-indexer.service --no-pager
May 07 08:15:26 ip-172-31-45-219 systemd[1]: Starting Wazuh-indexer...
░░ Subject: A start job for unit wazuh-indexer.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wazuh-indexer.service has begun execution.
░░ 
░░ The job identifier is 2137.
May 07 08:15:29 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: A terminally deprecated method in java.lang.System has been called
May 07 08:15:29 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
May 07 08:15:29 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
May 07 08:15:29 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: System::setSecurityManager will be removed in a future release
May 07 08:15:31 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: A terminally deprecated method in java.lang.System has been called
May 07 08:15:31 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
May 07 08:15:31 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
May 07 08:15:31 ip-172-31-45-219 systemd-entrypoint[4258]: WARNING: System::setSecurityManager will be removed in a future release
May 07 08:15:50 ip-172-31-45-219 systemd[1]: Started Wazuh-indexer.
░░ Subject: A start job for unit wazuh-indexer.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wazuh-indexer.service has finished successfully.
░░ 
░░ The job identifier is 2137.
Errors

Normal errors of uninitialized indexes. Related: wazuh/wazuh-packages#1511 (comment)

🟡 Related issue: wazuh/wazuh-indexer#71 Fail to read queue capacity via reflection

root@ip-172-31-45-219:~# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2024-05-07T08:15:31,879][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3934m, -Xmx3934m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-14412680302420899804, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opendistro-performance-analyzer/pa_config/es_security.policy, -XX:MaxDirectMemorySize=2062548992, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-05-07T08:15:44,486][WARN ][o.o.s.c.Salt             ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-05-07T08:15:44,543][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-05-07T08:15:44,545][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-05-07T08:15:46,049][WARN ][o.o.s.p.SQLPlugin        ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2024-05-07T08:15:47,015][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,025][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,026][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,026][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,036][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,037][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,037][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,038][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,038][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,039][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,039][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,040][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,040][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,040][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,041][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,041][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,044][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,047][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,048][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,050][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,051][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,052][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,052][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,053][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,054][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,054][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,055][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,061][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,062][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,062][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,063][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,063][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,064][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,064][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,064][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:47,065][WARN ][o.o.p.c.ThreadPoolMetricsCollector] [node-1] Fail to read queue capacity via reflection
[2024-05-07T08:15:48,322][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-05-07T08:15:50,365][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-05-07T08:15:50,833][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-05-07T08:15:51,453][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:15:51,453][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:15:51,453][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:15:51,454][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:15:51,454][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:15:51,454][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:15:51,466][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:15:51,466][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:15:51,466][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:15:51,466][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:21:40,812][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:57708
[2024-05-07T08:21:41,380][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:57722
[2024-05-07T08:21:43,307][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:57724
[2024-05-07T08:21:48,661][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:57748
[2024-05-07T08:21:48,683][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:57740
[2024-05-07T08:21:51,439][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:57748

RHEL 9 🟡

Agent status
[root@ip-172-31-39-27 ~]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-05-07 08:16:28 UTC; 1h 56min ago
       Docs: https://documentation.wazuh.com
   Main PID: 15001 (java)
      Tasks: 68 (limit: 48194)
     Memory: 4.1G
        CPU: 1min 58.937s
     CGroup: /system.slice/wazuh-indexer.service
             └─15001 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.tt>

May 07 08:16:05 ip-172-31-39-27.ec2.internal systemd[1]: Starting Wazuh-indexer...
May 07 08:16:08 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: A terminally deprecated met>
May 07 08:16:08 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: System::setSecurityManager >
May 07 08:16:08 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: Please consider reporting t>
May 07 08:16:08 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: System::setSecurityManager >
May 07 08:16:10 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: A terminally deprecated met>
May 07 08:16:10 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: System::setSecurityManager >
May 07 08:16:10 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: Please consider reporting t>
May 07 08:16:10 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: System::setSecurityManager >
May 07 08:16:28 ip-172-31-39-27.ec2.internal systemd[1]: Started Wazuh-indexer.
Service status
[root@ip-172-31-39-27 ~]# journalctl -xe -u wazuh-indexer.service --no-pager
May 07 08:16:05 ip-172-31-39-27.ec2.internal systemd[1]: Starting Wazuh-indexer...
░░ Subject: A start job for unit wazuh-indexer.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-indexer.service has begun execution.
░░ 
░░ The job identifier is 3074.
May 07 08:16:08 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: A terminally deprecated method in java.lang.System has been called
May 07 08:16:08 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
May 07 08:16:08 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
May 07 08:16:08 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: System::setSecurityManager will be removed in a future release
May 07 08:16:10 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: A terminally deprecated method in java.lang.System has been called
May 07 08:16:10 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
May 07 08:16:10 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
May 07 08:16:10 ip-172-31-39-27.ec2.internal systemd-entrypoint[15001]: WARNING: System::setSecurityManager will be removed in a future release
May 07 08:16:28 ip-172-31-39-27.ec2.internal systemd[1]: Started Wazuh-indexer.
░░ Subject: A start job for unit wazuh-indexer.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-indexer.service has finished successfully.
░░ 
░░ The job identifier is 3074.
Errors

Normal errors of uninitialized indexes. Related: wazuh/wazuh-packages#1511 (comment)

[root@ip-172-31-39-27 ~]# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2024-05-07T08:16:10,170][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3804m, -Xmx3804m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-15914961827846388681, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=1994391552, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-05-07T08:16:22,705][WARN ][o.o.s.c.Salt             ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-05-07T08:16:22,755][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-05-07T08:16:22,762][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-05-07T08:16:24,293][WARN ][o.o.s.p.SQLPlugin        ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2024-05-07T08:16:26,425][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-05-07T08:16:28,287][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-05-07T08:16:28,765][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-05-07T08:16:29,371][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:16:29,371][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:16:29,371][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:16:29,372][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:16:29,372][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:16:29,372][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:16:29,372][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:16:29,373][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:16:29,373][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:16:29,373][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T08:23:48,320][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:49636
[2024-05-07T08:23:49,567][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:49640
[2024-05-07T08:23:50,876][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:49654
[2024-05-07T08:23:56,352][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for admin from 127.0.0.1:49672

Amazon Linux 2 - Offline 🟡

Agent status
[root@ip-172-31-34-149 ~]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2024-05-07 09:08:08 UTC; 1h 7min ago
     Docs: https://documentation.wazuh.com
 Main PID: 12135 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─12135 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.tt...

may 07 09:07:45 ip-172-31-34-149.ec2.internal systemd[1]: Starting Wazuh-indexer...
may 07 09:07:47 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: A terminally deprecated...d
may 07 09:07:47 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: System::setSecurityMana...)
may 07 09:07:47 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: Please consider reporti...h
may 07 09:07:47 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: System::setSecurityMana...e
may 07 09:07:49 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: A terminally deprecated...d
may 07 09:07:49 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: System::setSecurityMana...)
may 07 09:07:49 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: Please consider reporti...y
may 07 09:07:49 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: System::setSecurityMana...e
may 07 09:08:08 ip-172-31-34-149.ec2.internal systemd[1]: Started Wazuh-indexer.
Hint: Some lines were ellipsized, use -l to show in full.
Service status
[root@ip-172-31-34-149 ~]# journalctl -xe -u wazuh-indexer.service --no-pager
-- Logs begin at mar 2024-05-07 07:35:41 UTC, end at mar 2024-05-07 10:16:02 UTC. --
may 07 09:07:45 ip-172-31-34-149.ec2.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
may 07 09:07:47 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: A terminally deprecated method in java.lang.System has been called
may 07 09:07:47 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 07 09:07:47 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
may 07 09:07:47 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: System::setSecurityManager will be removed in a future release
may 07 09:07:49 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: A terminally deprecated method in java.lang.System has been called
may 07 09:07:49 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 07 09:07:49 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
may 07 09:07:49 ip-172-31-34-149.ec2.internal systemd-entrypoint[12135]: WARNING: System::setSecurityManager will be removed in a future release
may 07 09:08:08 ip-172-31-34-149.ec2.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.
Errors

Normal errors of uninitialized indexes. Related: wazuh/wazuh-packages#1511 (comment)

In addition, errors of bad_certificates. Related: wazuh/wazuh-indexer#167

[root@ip-172-31-34-149 ~]# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2024-05-07T09:07:49,681][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-15108170456169436309, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=536870912, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-05-07T09:08:02,153][WARN ][o.o.s.c.Salt             ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2024-05-07T09:08:02,209][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-05-07T09:08:02,216][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2024-05-07T09:08:03,872][WARN ][o.o.s.p.SQLPlugin        ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2024-05-07T09:08:05,921][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2024-05-07T09:08:07,988][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2024-05-07T09:08:08,113][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:08,124][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:08,125][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:08,125][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:08,125][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:08,130][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:08,130][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:08,130][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:08,131][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:08,131][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:21,140][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:21,140][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:21,141][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:21,141][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:21,141][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:21,141][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:21,142][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:21,142][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:21,142][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:21,142][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:34,143][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:34,144][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:34,144][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:34,144][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:34,145][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:34,145][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:34,145][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:34,145][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:34,146][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:34,146][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:47,147][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:47,148][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:47,148][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:47,148][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:47,148][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:47,149][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:47,149][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:47,149][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:47,149][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:08:47,150][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-05-07T09:20:00,569][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:20:00,591][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:45104}
[2024-05-07T09:20:01,805][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:20:01,817][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:59310}
[2024-05-07T09:20:04,561][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:20:04,567][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:59312}
[2024-05-07T09:20:11,578][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:20:11,581][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:59314}
[2024-05-07T09:20:24,945][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:20:24,952][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:45434}
[2024-05-07T09:20:50,137][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:20:50,139][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:38526}
[2024-05-07T09:21:28,665][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:21:28,667][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:46108}
[2024-05-07T09:22:27,107][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:22:27,111][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:48136}
[2024-05-07T09:23:12,644][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:23:12,652][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:33308}
[2024-05-07T09:24:07,645][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:24:07,647][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:55572}
[2024-05-07T09:25:06,138][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:25:06,147][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:46566}
[2024-05-07T09:26:00,116][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:26:00,118][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:39378}
[2024-05-07T09:26:48,508][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:26:48,510][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:35404}
[2024-05-07T09:27:23,220][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:27:23,222][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:46048}
[2024-05-07T09:28:01,333][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:28:01,335][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:34766}
[2024-05-07T09:28:56,699][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:28:56,702][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:47072}
[2024-05-07T09:29:54,458][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:29:54,460][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:55352}
[2024-05-07T09:30:34,606][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:30:34,609][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:36038}
[2024-05-07T09:31:31,721][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:31:31,730][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:41332}
[2024-05-07T09:32:31,013][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:32:31,017][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:44120}
[2024-05-07T09:33:19,218][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:33:19,220][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:53326}
[2024-05-07T09:34:06,825][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:34:06,827][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:36506}
[2024-05-07T09:34:55,290][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:34:55,293][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:35708}
[2024-05-07T09:35:30,998][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:35:31,005][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:34604}
[2024-05-07T09:36:03,702][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:36:03,704][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:35284}
[2024-05-07T09:36:50,657][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:36:50,659][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:50226}
[2024-05-07T09:37:47,272][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:37:47,274][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:47108}
[2024-05-07T09:38:37,739][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:38:37,741][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:41624}
[2024-05-07T09:39:34,882][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:39:34,884][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:50182}
[2024-05-07T09:40:10,508][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:40:10,511][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:48648}
[2024-05-07T09:41:06,815][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:41:06,817][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:46450}
[2024-05-07T09:41:55,832][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:41:55,834][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:37572}
[2024-05-07T09:42:49,408][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:42:49,409][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:56892}
[2024-05-07T09:43:31,186][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:43:31,188][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:54500}
[2024-05-07T09:44:30,306][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:44:30,308][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:40372}
[2024-05-07T09:45:09,404][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:45:09,406][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:51808}
[2024-05-07T09:45:48,794][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:45:48,796][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:35484}
[2024-05-07T09:46:32,711][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:46:32,713][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:38376}
[2024-05-07T09:47:06,986][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:47:06,988][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:39072}
[2024-05-07T09:47:45,516][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:47:45,519][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:39248}
[2024-05-07T09:48:32,827][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:48:32,828][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:43294}
[2024-05-07T09:49:19,442][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:49:19,444][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:56538}
[2024-05-07T09:50:00,235][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:50:00,237][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:34328}
[2024-05-07T09:50:31,399][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:50:31,401][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:46104}
[2024-05-07T09:51:30,362][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:51:30,363][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:45360}
[2024-05-07T09:52:18,262][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:52:18,264][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:41626}
[2024-05-07T09:53:17,639][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:53:17,641][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:56338}
[2024-05-07T09:54:15,281][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:54:15,283][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:37476}
[2024-05-07T09:55:14,593][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:55:14,595][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:42864}
[2024-05-07T09:56:03,302][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:56:03,304][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:38602}
[2024-05-07T09:56:56,486][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:56:56,489][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:36908}
[2024-05-07T09:57:41,541][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:57:41,543][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:57240}
[2024-05-07T09:58:31,879][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:58:31,881][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:40850}
[2024-05-07T09:59:08,168][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:59:08,169][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:50886}
[2024-05-07T09:59:57,813][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T09:59:57,815][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:54034}
[2024-05-07T10:00:29,459][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:00:29,461][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:52938}
[2024-05-07T10:01:06,832][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:01:06,834][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:47578}
[2024-05-07T10:01:49,460][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:01:49,461][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:37634}
[2024-05-07T10:02:40,101][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:02:40,103][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:52132}
[2024-05-07T10:03:14,021][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:03:14,022][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:38668}
[2024-05-07T10:04:00,195][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:04:00,197][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:38160}
[2024-05-07T10:04:55,478][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:04:55,482][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:44190}
[2024-05-07T10:05:40,911][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:05:40,913][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:36594}
[2024-05-07T10:06:25,673][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:06:25,675][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:57298}
[2024-05-07T10:07:18,676][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:07:18,678][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:47260}
[2024-05-07T10:08:10,706][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:08:10,709][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:47676}
[2024-05-07T10:08:51,273][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:08:51,275][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:38682}
[2024-05-07T10:09:33,424][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:09:33,426][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:44950}
[2024-05-07T10:10:19,701][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:10:19,703][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:51832}
[2024-05-07T10:11:08,209][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:11:08,212][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:57834}
[2024-05-07T10:12:02,337][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:12:02,339][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:60138}
[2024-05-07T10:12:44,860][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:12:44,861][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:50392}
[2024-05-07T10:13:36,159][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:13:36,162][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:36280}
[2024-05-07T10:14:35,218][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:14:35,222][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:47092}
[2024-05-07T10:15:09,820][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:15:09,822][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:51604}
[2024-05-07T10:15:52,024][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:15:52,026][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:60598}
[2024-05-07T10:16:30,843][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:16:30,845][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:58922}
[2024-05-07T10:17:26,981][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:17:26,983][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:39840}
[2024-05-07T10:17:59,364][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:17:59,366][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:55972}
[2024-05-07T10:18:51,431][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:18:51,433][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:38134}
[2024-05-07T10:19:43,586][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[2024-05-07T10:19:43,587][WARN ][o.o.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:38396}

@CarlosALgit
Member

Wazuh Manager logs 🟡

Amazon Linux 2 🟡

Agent status
[root@ip-172-31-34-142 ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2024-05-07 08:15:55 UTC; 2h 35min ago
   CGroup: /system.slice/wazuh-manager.service
           ├─12202 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─12203 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─12206 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─12209 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─12253 /var/ossec/bin/wazuh-authd
           ├─12270 /var/ossec/bin/wazuh-db
           ├─12296 /var/ossec/bin/wazuh-execd
           ├─12311 /var/ossec/bin/wazuh-analysisd
           ├─12324 /var/ossec/bin/wazuh-syscheckd
           ├─12371 /var/ossec/bin/wazuh-remoted
           ├─12407 /var/ossec/bin/wazuh-logcollector
           ├─12427 /var/ossec/bin/wazuh-monitord
           └─12453 /var/ossec/bin/wazuh-modulesd

may 07 08:15:48 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-syscheckd...
may 07 08:15:49 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-remoted...
may 07 08:15:50 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-logcollector...
may 07 08:15:52 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-monitord...
may 07 08:15:52 ip-172-31-34-142.ec2.internal env[12141]: 2024/05/07 08:15:52 wazuh-modulesd:router: IN...le.
may 07 08:15:52 ip-172-31-34-142.ec2.internal env[12141]: 2024/05/07 08:15:52 wazuh-modulesd:content_ma...le.
may 07 08:15:53 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-modulesd...
may 07 08:15:55 ip-172-31-34-142.ec2.internal env[12141]: Completed.
may 07 08:15:55 ip-172-31-34-142.ec2.internal systemd[1]: Started Wazuh manager.
may 07 08:15:57 ip-172-31-34-142.ec2.internal crontab[12936]: (root) LIST (root)
Hint: Some lines were ellipsized, use -l to show in full.

Service status
[root@ip-172-31-34-142 ~]# journalctl -xe -u wazuh-manager.service --no-pager
-- Logs begin at mar 2024-05-07 07:35:44 UTC, end at mar 2024-05-07 11:00:01 UTC. --
may 07 08:12:12 ip-172-31-34-142.ec2.internal systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
may 07 08:12:13 ip-172-31-34-142.ec2.internal env[9089]: 2024/05/07 08:12:13 wazuh-modulesd:router: INFO: Loaded router module.
may 07 08:12:13 ip-172-31-34-142.ec2.internal env[9089]: 2024/05/07 08:12:13 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
may 07 08:12:14 ip-172-31-34-142.ec2.internal env[9089]: Starting Wazuh v4.8.0...
may 07 08:12:17 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-apid...
may 07 08:12:17 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-csyslogd...
may 07 08:12:17 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-dbd...
may 07 08:12:17 ip-172-31-34-142.ec2.internal env[9089]: 2024/05/07 08:12:17 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
may 07 08:12:17 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-integratord...
may 07 08:12:17 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-agentlessd...
may 07 08:12:18 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-authd...
may 07 08:12:19 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-db...
may 07 08:12:20 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-execd...
may 07 08:12:21 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-analysisd...
may 07 08:12:22 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-syscheckd...
may 07 08:12:23 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-remoted...
may 07 08:12:24 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-logcollector...
may 07 08:12:26 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-monitord...
may 07 08:12:26 ip-172-31-34-142.ec2.internal env[9089]: 2024/05/07 08:12:26 wazuh-modulesd:router: INFO: Loaded router module.
may 07 08:12:26 ip-172-31-34-142.ec2.internal env[9089]: 2024/05/07 08:12:26 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
may 07 08:12:27 ip-172-31-34-142.ec2.internal env[9089]: Started wazuh-modulesd...
may 07 08:12:29 ip-172-31-34-142.ec2.internal env[9089]: Completed.
may 07 08:12:29 ip-172-31-34-142.ec2.internal systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
may 07 08:15:28 ip-172-31-34-142.ec2.internal systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun shutting down.
may 07 08:15:28 ip-172-31-34-142.ec2.internal env[11887]: wazuh-clusterd not running...
may 07 08:15:28 ip-172-31-34-142.ec2.internal env[11887]: Killing wazuh-modulesd...
may 07 08:15:33 ip-172-31-34-142.ec2.internal env[11887]: Killing wazuh-monitord...
may 07 08:15:34 ip-172-31-34-142.ec2.internal env[11887]: Killing wazuh-logcollector...
may 07 08:15:34 ip-172-31-34-142.ec2.internal env[11887]: Killing wazuh-remoted...
may 07 08:15:34 ip-172-31-34-142.ec2.internal env[11887]: Killing wazuh-syscheckd...
may 07 08:15:35 ip-172-31-34-142.ec2.internal env[11887]: Killing wazuh-analysisd...
may 07 08:15:35 ip-172-31-34-142.ec2.internal env[11887]: wazuh-maild not running...
may 07 08:15:35 ip-172-31-34-142.ec2.internal env[11887]: Killing wazuh-execd...
may 07 08:15:35 ip-172-31-34-142.ec2.internal env[11887]: Killing wazuh-db...
may 07 08:15:36 ip-172-31-34-142.ec2.internal env[11887]: Killing wazuh-authd...
may 07 08:15:37 ip-172-31-34-142.ec2.internal env[11887]: wazuh-agentlessd not running...
may 07 08:15:37 ip-172-31-34-142.ec2.internal env[11887]: wazuh-integratord not running...
may 07 08:15:37 ip-172-31-34-142.ec2.internal env[11887]: wazuh-dbd not running...
may 07 08:15:37 ip-172-31-34-142.ec2.internal env[11887]: wazuh-csyslogd not running...
may 07 08:15:37 ip-172-31-34-142.ec2.internal env[11887]: Killing wazuh-apid...
may 07 08:15:37 ip-172-31-34-142.ec2.internal env[11887]: Wazuh v4.8.0 Stopped
may 07 08:15:37 ip-172-31-34-142.ec2.internal systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished shutting down.
may 07 08:15:37 ip-172-31-34-142.ec2.internal systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
may 07 08:15:39 ip-172-31-34-142.ec2.internal env[12141]: 2024/05/07 08:15:39 wazuh-modulesd:router: INFO: Loaded router module.
may 07 08:15:39 ip-172-31-34-142.ec2.internal env[12141]: 2024/05/07 08:15:39 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
may 07 08:15:40 ip-172-31-34-142.ec2.internal env[12141]: Starting Wazuh v4.8.0...
may 07 08:15:43 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-apid...
may 07 08:15:43 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-csyslogd...
may 07 08:15:43 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-dbd...
may 07 08:15:43 ip-172-31-34-142.ec2.internal env[12141]: 2024/05/07 08:15:43 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
may 07 08:15:43 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-integratord...
may 07 08:15:43 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-agentlessd...
may 07 08:15:44 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-authd...
may 07 08:15:45 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-db...
may 07 08:15:46 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-execd...
may 07 08:15:47 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-analysisd...
may 07 08:15:48 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-syscheckd...
may 07 08:15:49 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-remoted...
may 07 08:15:50 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-logcollector...
may 07 08:15:52 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-monitord...
may 07 08:15:52 ip-172-31-34-142.ec2.internal env[12141]: 2024/05/07 08:15:52 wazuh-modulesd:router: INFO: Loaded router module.
may 07 08:15:52 ip-172-31-34-142.ec2.internal env[12141]: 2024/05/07 08:15:52 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
may 07 08:15:53 ip-172-31-34-142.ec2.internal env[12141]: Started wazuh-modulesd...
may 07 08:15:55 ip-172-31-34-142.ec2.internal env[12141]: Completed.
may 07 08:15:55 ip-172-31-34-142.ec2.internal systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
may 07 08:15:57 ip-172-31-34-142.ec2.internal crontab[12936]: (root) LIST (root)

Errors

🟡 Warning IndexerConnector. Related: #21829
🟡 Failed to sync. Related: #23303

[root@ip-172-31-34-142 ~]# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/05/07 08:12:26 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/05/07 08:15:52 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/05/07 08:15:53 indexer-connector: WARNING: Failed to sync agent '000' with the indexer.

Ubuntu 22 🟡

Agent status
root@ip-172-31-45-219:~# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-05-07 08:21:43 UTC; 2h 41min ago
      Tasks: 154 (limit: 9425)
     Memory: 1.6G
        CPU: 6min 9.666s
     CGroup: /system.slice/wazuh-manager.service
             ├─52492 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─52493 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─52496 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─52499 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─52541 /var/ossec/bin/wazuh-authd
             ├─52557 /var/ossec/bin/wazuh-db
             ├─52582 /var/ossec/bin/wazuh-execd
             ├─52596 /var/ossec/bin/wazuh-analysisd
             ├─52610 /var/ossec/bin/wazuh-syscheckd
             ├─52656 /var/ossec/bin/wazuh-remoted
             ├─52690 /var/ossec/bin/wazuh-logcollector
             ├─52709 /var/ossec/bin/wazuh-monitord
             └─52734 /var/ossec/bin/wazuh-modulesd

May 07 08:21:35 ip-172-31-45-219 env[52436]: Started wazuh-analysisd...
May 07 08:21:36 ip-172-31-45-219 env[52436]: Started wazuh-syscheckd...
May 07 08:21:37 ip-172-31-45-219 env[52436]: Started wazuh-remoted...
May 07 08:21:38 ip-172-31-45-219 env[52436]: Started wazuh-logcollector...
May 07 08:21:40 ip-172-31-45-219 env[52436]: Started wazuh-monitord...
May 07 08:21:40 ip-172-31-45-219 env[52732]: 2024/05/07 08:21:40 wazuh-modulesd:router: INFO: Loaded router >
May 07 08:21:40 ip-172-31-45-219 env[52732]: 2024/05/07 08:21:40 wazuh-modulesd:content_manager: INFO: Loade>
May 07 08:21:41 ip-172-31-45-219 env[52436]: Started wazuh-modulesd...
May 07 08:21:43 ip-172-31-45-219 env[52436]: Completed.
May 07 08:21:43 ip-172-31-45-219 systemd[1]: Started Wazuh manager.

Service status
root@ip-172-31-45-219:~# journalctl -xe -u wazuh-manager.service --no-pager
May 07 08:17:33 ip-172-31-45-219 systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wazuh-manager.service has begun execution.
░░ 
░░ The job identifier is 2225.
May 07 08:17:36 ip-172-31-45-219 env[49269]: 2024/05/07 08:17:36 wazuh-modulesd:router: INFO: Loaded router module.
May 07 08:17:36 ip-172-31-45-219 env[49269]: 2024/05/07 08:17:36 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
May 07 08:17:36 ip-172-31-45-219 env[49239]: Starting Wazuh v4.8.0...
May 07 08:17:41 ip-172-31-45-219 env[49239]: Started wazuh-apid...
May 07 08:17:41 ip-172-31-45-219 env[49239]: Started wazuh-csyslogd...
May 07 08:17:41 ip-172-31-45-219 env[49239]: Started wazuh-dbd...
May 07 08:17:41 ip-172-31-45-219 env[49314]: 2024/05/07 08:17:41 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
May 07 08:17:41 ip-172-31-45-219 env[49239]: Started wazuh-integratord...
May 07 08:17:41 ip-172-31-45-219 env[49239]: Started wazuh-agentlessd...
May 07 08:17:42 ip-172-31-45-219 env[49239]: Started wazuh-authd...
May 07 08:17:43 ip-172-31-45-219 env[49239]: Started wazuh-db...
May 07 08:17:45 ip-172-31-45-219 env[49239]: Started wazuh-execd...
May 07 08:17:46 ip-172-31-45-219 env[49239]: Started wazuh-analysisd...
May 07 08:17:47 ip-172-31-45-219 env[49239]: Started wazuh-syscheckd...
May 07 08:17:48 ip-172-31-45-219 env[49239]: Started wazuh-remoted...
May 07 08:17:49 ip-172-31-45-219 env[49239]: Started wazuh-logcollector...
May 07 08:17:50 ip-172-31-45-219 env[49239]: Started wazuh-monitord...
May 07 08:17:50 ip-172-31-45-219 env[49536]: 2024/05/07 08:17:50 wazuh-modulesd:router: INFO: Loaded router module.
May 07 08:17:50 ip-172-31-45-219 env[49536]: 2024/05/07 08:17:50 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
May 07 08:17:51 ip-172-31-45-219 env[49239]: Started wazuh-modulesd...
May 07 08:17:53 ip-172-31-45-219 env[49239]: Completed.
May 07 08:17:53 ip-172-31-45-219 systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wazuh-manager.service has finished successfully.
░░ 
░░ The job identifier is 2225.
May 07 08:21:16 ip-172-31-45-219 systemd[1]: Stopping Wazuh manager...
░░ Subject: A stop job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A stop job for unit wazuh-manager.service has begun execution.
░░ 
░░ The job identifier is 2578.
May 07 08:21:16 ip-172-31-45-219 env[52195]: wazuh-clusterd not running...
May 07 08:21:16 ip-172-31-45-219 env[52195]: Killing wazuh-modulesd...
May 07 08:21:22 ip-172-31-45-219 env[52195]: Killing wazuh-monitord...
May 07 08:21:22 ip-172-31-45-219 env[52195]: Killing wazuh-logcollector...
May 07 08:21:22 ip-172-31-45-219 env[52195]: Killing wazuh-remoted...
May 07 08:21:22 ip-172-31-45-219 env[52195]: Killing wazuh-syscheckd...
May 07 08:21:23 ip-172-31-45-219 env[52195]: Killing wazuh-analysisd...
May 07 08:21:23 ip-172-31-45-219 env[52195]: wazuh-maild not running...
May 07 08:21:23 ip-172-31-45-219 env[52195]: Killing wazuh-execd...
May 07 08:21:23 ip-172-31-45-219 env[52195]: Killing wazuh-db...
May 07 08:21:24 ip-172-31-45-219 env[52195]: Killing wazuh-authd...
May 07 08:21:25 ip-172-31-45-219 env[52195]: wazuh-agentlessd not running...
May 07 08:21:25 ip-172-31-45-219 env[52195]: wazuh-integratord not running...
May 07 08:21:25 ip-172-31-45-219 env[52195]: wazuh-dbd not running...
May 07 08:21:25 ip-172-31-45-219 env[52195]: wazuh-csyslogd not running...
May 07 08:21:25 ip-172-31-45-219 env[52195]: Killing wazuh-apid...
May 07 08:21:25 ip-172-31-45-219 env[52195]: Wazuh v4.8.0 Stopped
May 07 08:21:25 ip-172-31-45-219 systemd[1]: wazuh-manager.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit wazuh-manager.service has successfully entered the 'dead' state.
May 07 08:21:25 ip-172-31-45-219 systemd[1]: Stopped Wazuh manager.
░░ Subject: A stop job for unit wazuh-manager.service has finished
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A stop job for unit wazuh-manager.service has finished.
░░ 
░░ The job identifier is 2578 and the job result is done.
May 07 08:21:25 ip-172-31-45-219 systemd[1]: wazuh-manager.service: Consumed 2min 5.308s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit wazuh-manager.service completed and consumed the indicated resources.
May 07 08:21:25 ip-172-31-45-219 systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wazuh-manager.service has begun execution.
░░ 
░░ The job identifier is 2578.
May 07 08:21:27 ip-172-31-45-219 env[52466]: 2024/05/07 08:21:27 wazuh-modulesd:router: INFO: Loaded router module.
May 07 08:21:27 ip-172-31-45-219 env[52466]: 2024/05/07 08:21:27 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
May 07 08:21:28 ip-172-31-45-219 env[52436]: Starting Wazuh v4.8.0...
May 07 08:21:31 ip-172-31-45-219 env[52436]: Started wazuh-apid...
May 07 08:21:31 ip-172-31-45-219 env[52436]: Started wazuh-csyslogd...
May 07 08:21:31 ip-172-31-45-219 env[52436]: Started wazuh-dbd...
May 07 08:21:31 ip-172-31-45-219 env[52520]: 2024/05/07 08:21:31 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
May 07 08:21:31 ip-172-31-45-219 env[52436]: Started wazuh-integratord...
May 07 08:21:31 ip-172-31-45-219 env[52436]: Started wazuh-agentlessd...
May 07 08:21:32 ip-172-31-45-219 env[52436]: Started wazuh-authd...
May 07 08:21:33 ip-172-31-45-219 env[52436]: Started wazuh-db...
May 07 08:21:34 ip-172-31-45-219 env[52436]: Started wazuh-execd...
May 07 08:21:35 ip-172-31-45-219 env[52436]: Started wazuh-analysisd...
May 07 08:21:36 ip-172-31-45-219 env[52436]: Started wazuh-syscheckd...
May 07 08:21:37 ip-172-31-45-219 env[52436]: Started wazuh-remoted...
May 07 08:21:38 ip-172-31-45-219 env[52436]: Started wazuh-logcollector...
May 07 08:21:40 ip-172-31-45-219 env[52436]: Started wazuh-monitord...
May 07 08:21:40 ip-172-31-45-219 env[52732]: 2024/05/07 08:21:40 wazuh-modulesd:router: INFO: Loaded router module.
May 07 08:21:40 ip-172-31-45-219 env[52732]: 2024/05/07 08:21:40 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
May 07 08:21:41 ip-172-31-45-219 env[52436]: Started wazuh-modulesd...
May 07 08:21:43 ip-172-31-45-219 env[52436]: Completed.
May 07 08:21:43 ip-172-31-45-219 systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wazuh-manager.service has finished successfully.
░░ 
░░ The job identifier is 2578.

Errors

🟡 Failed to sync. Related: #23303
🟡 Related: #21829

root@ip-172-31-45-219:~# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/05/07 08:17:51 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/05/07 08:21:40 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/05/07 08:21:41 indexer-connector: WARNING: Failed to sync agent '000' with the indexer.

RHEL 9 🟡

Agent status
[root@ip-172-31-39-27 ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-05-07 08:23:50 UTC; 2h 47min ago
      Tasks: 154 (limit: 48194)
     Memory: 1.8G
        CPU: 5min 46.305s
     CGroup: /system.slice/wazuh-manager.service
             ├─19408 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─19409 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─19412 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─19415 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─19459 /var/ossec/bin/wazuh-authd
             ├─19476 /var/ossec/bin/wazuh-db
             ├─19502 /var/ossec/bin/wazuh-execd
             ├─19516 /var/ossec/bin/wazuh-analysisd
             ├─19531 /var/ossec/bin/wazuh-syscheckd
             ├─19578 /var/ossec/bin/wazuh-remoted
             ├─19613 /var/ossec/bin/wazuh-logcollector
             ├─19632 /var/ossec/bin/wazuh-monitord
             └─19643 /var/ossec/bin/wazuh-modulesd

May 07 08:23:44 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-analysisd...
May 07 08:23:45 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-syscheckd...
May 07 08:23:46 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-remoted...
May 07 08:23:47 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-logcollector...
May 07 08:23:47 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-monitord...
May 07 08:23:47 ip-172-31-39-27.ec2.internal env[19640]: 2024/05/07 08:23:47 wazuh-modulesd:router: INFO: Lo>
May 07 08:23:47 ip-172-31-39-27.ec2.internal env[19640]: 2024/05/07 08:23:47 wazuh-modulesd:content_manager:>
May 07 08:23:48 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-modulesd...
May 07 08:23:50 ip-172-31-39-27.ec2.internal env[19352]: Completed.
May 07 08:23:50 ip-172-31-39-27.ec2.internal systemd[1]: Started Wazuh manager.

Service status
[root@ip-172-31-39-27 ~]# journalctl -xe -u wazuh-manager.service --no-pager
May 07 08:17:56 ip-172-31-39-27.ec2.internal systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-manager.service has begun execution.
░░ 
░░ The job identifier is 3165.
May 07 08:17:58 ip-172-31-39-27.ec2.internal env[16392]: 2024/05/07 08:17:58 wazuh-modulesd:router: INFO: Loaded router module.
May 07 08:17:58 ip-172-31-39-27.ec2.internal env[16392]: 2024/05/07 08:17:58 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
May 07 08:17:58 ip-172-31-39-27.ec2.internal env[16362]: Starting Wazuh v4.8.0...
May 07 08:18:01 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-apid...
May 07 08:18:01 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-csyslogd...
May 07 08:18:01 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-dbd...
May 07 08:18:01 ip-172-31-39-27.ec2.internal env[16438]: 2024/05/07 08:18:01 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
May 07 08:18:01 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-integratord...
May 07 08:18:01 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-agentlessd...
May 07 08:18:02 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-authd...
May 07 08:18:03 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-db...
May 07 08:18:04 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-execd...
May 07 08:18:05 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-analysisd...
May 07 08:18:06 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-syscheckd...
May 07 08:18:07 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-remoted...
May 07 08:18:09 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-logcollector...
May 07 08:18:10 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-monitord...
May 07 08:18:10 ip-172-31-39-27.ec2.internal env[16661]: 2024/05/07 08:18:10 wazuh-modulesd:router: INFO: Loaded router module.
May 07 08:18:10 ip-172-31-39-27.ec2.internal env[16661]: 2024/05/07 08:18:10 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
May 07 08:18:11 ip-172-31-39-27.ec2.internal env[16362]: Started wazuh-modulesd...
May 07 08:18:13 ip-172-31-39-27.ec2.internal env[16362]: Completed.
May 07 08:18:13 ip-172-31-39-27.ec2.internal systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-manager.service has finished successfully.
░░ 
░░ The job identifier is 3165.
May 07 08:23:26 ip-172-31-39-27.ec2.internal systemd[1]: Stopping Wazuh manager...
░░ Subject: A stop job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A stop job for unit wazuh-manager.service has begun execution.
░░ 
░░ The job identifier is 3608.
May 07 08:23:26 ip-172-31-39-27.ec2.internal env[19117]: wazuh-clusterd not running...
May 07 08:23:26 ip-172-31-39-27.ec2.internal env[19117]: Killing wazuh-modulesd...
May 07 08:23:31 ip-172-31-39-27.ec2.internal env[19117]: Killing wazuh-monitord...
May 07 08:23:31 ip-172-31-39-27.ec2.internal env[19117]: Killing wazuh-logcollector...
May 07 08:23:31 ip-172-31-39-27.ec2.internal env[19117]: Killing wazuh-remoted...
May 07 08:23:32 ip-172-31-39-27.ec2.internal env[19117]: Killing wazuh-syscheckd...
May 07 08:23:32 ip-172-31-39-27.ec2.internal env[19117]: Killing wazuh-analysisd...
May 07 08:23:32 ip-172-31-39-27.ec2.internal env[19117]: wazuh-maild not running...
May 07 08:23:32 ip-172-31-39-27.ec2.internal env[19117]: Killing wazuh-execd...
May 07 08:23:32 ip-172-31-39-27.ec2.internal env[19117]: Killing wazuh-db...
May 07 08:23:33 ip-172-31-39-27.ec2.internal env[19117]: Killing wazuh-authd...
May 07 08:23:34 ip-172-31-39-27.ec2.internal env[19117]: wazuh-agentlessd not running...
May 07 08:23:34 ip-172-31-39-27.ec2.internal env[19117]: wazuh-integratord not running...
May 07 08:23:34 ip-172-31-39-27.ec2.internal env[19117]: wazuh-dbd not running...
May 07 08:23:34 ip-172-31-39-27.ec2.internal env[19117]: wazuh-csyslogd not running...
May 07 08:23:34 ip-172-31-39-27.ec2.internal env[19117]: Killing wazuh-apid...
May 07 08:23:34 ip-172-31-39-27.ec2.internal env[19117]: Wazuh v4.8.0 Stopped
May 07 08:23:34 ip-172-31-39-27.ec2.internal systemd[1]: wazuh-manager.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ The unit wazuh-manager.service has successfully entered the 'dead' state.
May 07 08:23:34 ip-172-31-39-27.ec2.internal systemd[1]: Stopped Wazuh manager.
░░ Subject: A stop job for unit wazuh-manager.service has finished
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A stop job for unit wazuh-manager.service has finished.
░░ 
░░ The job identifier is 3608 and the job result is done.
May 07 08:23:34 ip-172-31-39-27.ec2.internal systemd[1]: wazuh-manager.service: Consumed 1min 37.653s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ The unit wazuh-manager.service completed and consumed the indicated resources.
May 07 08:23:34 ip-172-31-39-27.ec2.internal systemd[1]: Starting Wazuh manager...
░░ Subject: A start job for unit wazuh-manager.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-manager.service has begun execution.
░░ 
░░ The job identifier is 3608.
May 07 08:23:36 ip-172-31-39-27.ec2.internal env[19382]: 2024/05/07 08:23:36 wazuh-modulesd:router: INFO: Loaded router module.
May 07 08:23:36 ip-172-31-39-27.ec2.internal env[19382]: 2024/05/07 08:23:36 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
May 07 08:23:36 ip-172-31-39-27.ec2.internal env[19352]: Starting Wazuh v4.8.0...
May 07 08:23:39 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-apid...
May 07 08:23:39 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-csyslogd...
May 07 08:23:39 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-dbd...
May 07 08:23:39 ip-172-31-39-27.ec2.internal env[19437]: 2024/05/07 08:23:39 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
May 07 08:23:39 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-integratord...
May 07 08:23:39 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-agentlessd...
May 07 08:23:40 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-authd...
May 07 08:23:41 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-db...
May 07 08:23:42 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-execd...
May 07 08:23:44 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-analysisd...
May 07 08:23:45 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-syscheckd...
May 07 08:23:46 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-remoted...
May 07 08:23:47 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-logcollector...
May 07 08:23:47 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-monitord...
May 07 08:23:47 ip-172-31-39-27.ec2.internal env[19640]: 2024/05/07 08:23:47 wazuh-modulesd:router: INFO: Loaded router module.
May 07 08:23:47 ip-172-31-39-27.ec2.internal env[19640]: 2024/05/07 08:23:47 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
May 07 08:23:48 ip-172-31-39-27.ec2.internal env[19352]: Started wazuh-modulesd...
May 07 08:23:50 ip-172-31-39-27.ec2.internal env[19352]: Completed.
May 07 08:23:50 ip-172-31-39-27.ec2.internal systemd[1]: Started Wazuh manager.
░░ Subject: A start job for unit wazuh-manager.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-manager.service has finished successfully.
░░ 
░░ The job identifier is 3608.

Errors

🟡 Failed to sync. Related: #23303
🟡 Related: #21829

[root@ip-172-31-39-27 ~]# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/05/07 08:18:10 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/05/07 08:23:48 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/05/07 08:23:49 indexer-connector: WARNING: Failed to sync agent '000' with the indexer.

Amazon Linux 2 - Offline 🟡

Agent status
[root@ip-172-31-34-149 ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2024-05-07 09:19:48 UTC; 1h 55min ago
   CGroup: /system.slice/wazuh-manager.service
           ├─13565 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─13607 /var/ossec/bin/wazuh-authd
           ├─13624 /var/ossec/bin/wazuh-db
           ├─13638 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─13641 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─13644 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─13658 /var/ossec/bin/wazuh-execd
           ├─13673 /var/ossec/bin/wazuh-analysisd
           ├─13687 /var/ossec/bin/wazuh-syscheckd
           ├─13735 /var/ossec/bin/wazuh-remoted
           ├─13770 /var/ossec/bin/wazuh-logcollector
           ├─13790 /var/ossec/bin/wazuh-monitord
           └─13812 /var/ossec/bin/wazuh-modulesd

may 07 09:19:41 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-analysisd...
may 07 09:19:42 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-syscheckd...
may 07 09:19:43 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-remoted...
may 07 09:19:44 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-logcollector...
may 07 09:19:45 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-monitord...
may 07 09:19:45 ip-172-31-34-149.ec2.internal env[13506]: 2024/05/07 09:19:45 wazuh-modulesd:router: IN...le.
may 07 09:19:45 ip-172-31-34-149.ec2.internal env[13506]: 2024/05/07 09:19:45 wazuh-modulesd:content_ma...le.
may 07 09:19:46 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-modulesd...
may 07 09:19:48 ip-172-31-34-149.ec2.internal env[13506]: Completed.
may 07 09:19:48 ip-172-31-34-149.ec2.internal systemd[1]: Started Wazuh manager.
Hint: Some lines were ellipsized, use -l to show in full.

Service status
[root@ip-172-31-34-149 ~]# journalctl -xe -u wazuh-manager.service --no-pager
-- Logs begin at mar 2024-05-07 07:35:41 UTC, end at mar 2024-05-07 11:15:17 UTC. --
may 07 08:16:35 ip-172-31-34-149.ec2.internal systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
may 07 08:16:37 ip-172-31-34-149.ec2.internal env[9072]: 2024/05/07 08:16:37 wazuh-modulesd:router: INFO: Loaded router module.
may 07 08:16:37 ip-172-31-34-149.ec2.internal env[9072]: 2024/05/07 08:16:37 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
may 07 08:16:37 ip-172-31-34-149.ec2.internal env[9072]: Starting Wazuh v4.8.0...
may 07 08:16:40 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-apid...
may 07 08:16:40 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-csyslogd...
may 07 08:16:40 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-dbd...
may 07 08:16:40 ip-172-31-34-149.ec2.internal env[9072]: 2024/05/07 08:16:40 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
may 07 08:16:40 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-integratord...
may 07 08:16:40 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-agentlessd...
may 07 08:16:41 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-authd...
may 07 08:16:42 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-db...
may 07 08:16:43 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-execd...
may 07 08:16:44 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-analysisd...
may 07 08:16:45 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-syscheckd...
may 07 08:16:46 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-remoted...
may 07 08:16:47 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-logcollector...
may 07 08:16:48 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-monitord...
may 07 08:16:48 ip-172-31-34-149.ec2.internal env[9072]: 2024/05/07 08:16:48 wazuh-modulesd:router: INFO: Loaded router module.
may 07 08:16:48 ip-172-31-34-149.ec2.internal env[9072]: 2024/05/07 08:16:48 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
may 07 08:16:50 ip-172-31-34-149.ec2.internal env[9072]: Started wazuh-modulesd...
may 07 08:16:52 ip-172-31-34-149.ec2.internal env[9072]: Completed.
may 07 08:16:52 ip-172-31-34-149.ec2.internal systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
may 07 08:19:54 ip-172-31-34-149.ec2.internal systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun shutting down.
may 07 08:19:54 ip-172-31-34-149.ec2.internal env[11871]: wazuh-clusterd not running...
may 07 08:19:54 ip-172-31-34-149.ec2.internal env[11871]: Killing wazuh-modulesd...
may 07 08:20:00 ip-172-31-34-149.ec2.internal env[11871]: Killing wazuh-monitord...
may 07 08:20:00 ip-172-31-34-149.ec2.internal env[11871]: Killing wazuh-logcollector...
may 07 08:20:00 ip-172-31-34-149.ec2.internal env[11871]: Killing wazuh-remoted...
may 07 08:20:00 ip-172-31-34-149.ec2.internal env[11871]: Killing wazuh-syscheckd...
may 07 08:20:00 ip-172-31-34-149.ec2.internal env[11871]: Killing wazuh-analysisd...
may 07 08:20:00 ip-172-31-34-149.ec2.internal env[11871]: wazuh-maild not running...
may 07 08:20:00 ip-172-31-34-149.ec2.internal env[11871]: Killing wazuh-execd...
may 07 08:20:00 ip-172-31-34-149.ec2.internal env[11871]: Killing wazuh-db...
may 07 08:20:01 ip-172-31-34-149.ec2.internal env[11871]: Killing wazuh-authd...
may 07 08:20:02 ip-172-31-34-149.ec2.internal env[11871]: wazuh-agentlessd not running...
may 07 08:20:02 ip-172-31-34-149.ec2.internal env[11871]: wazuh-integratord not running...
may 07 08:20:02 ip-172-31-34-149.ec2.internal env[11871]: wazuh-dbd not running...
may 07 08:20:02 ip-172-31-34-149.ec2.internal env[11871]: wazuh-csyslogd not running...
may 07 08:20:02 ip-172-31-34-149.ec2.internal env[11871]: Killing wazuh-apid...
may 07 08:20:03 ip-172-31-34-149.ec2.internal env[11871]: Wazuh v4.8.0 Stopped
may 07 08:20:03 ip-172-31-34-149.ec2.internal systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished shutting down.
may 07 08:20:03 ip-172-31-34-149.ec2.internal systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
may 07 08:20:05 ip-172-31-34-149.ec2.internal env[12126]: 2024/05/07 08:20:05 wazuh-modulesd:router: INFO: Loaded router module.
may 07 08:20:05 ip-172-31-34-149.ec2.internal env[12126]: 2024/05/07 08:20:05 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
may 07 08:20:06 ip-172-31-34-149.ec2.internal env[12126]: Starting Wazuh v4.8.0...
may 07 08:20:09 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-apid...
may 07 08:20:09 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-csyslogd...
may 07 08:20:09 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-dbd...
may 07 08:20:09 ip-172-31-34-149.ec2.internal env[12126]: 2024/05/07 08:20:09 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
may 07 08:20:09 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-integratord...
may 07 08:20:09 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-agentlessd...
may 07 08:20:10 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-authd...
may 07 08:20:11 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-db...
may 07 08:20:12 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-execd...
may 07 08:20:13 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-analysisd...
may 07 08:20:14 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-syscheckd...
may 07 08:20:15 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-remoted...
may 07 08:20:17 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-logcollector...
may 07 08:20:18 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-monitord...
may 07 08:20:18 ip-172-31-34-149.ec2.internal env[12126]: 2024/05/07 08:20:18 wazuh-modulesd:router: INFO: Loaded router module.
may 07 08:20:18 ip-172-31-34-149.ec2.internal env[12126]: 2024/05/07 08:20:18 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
may 07 08:20:19 ip-172-31-34-149.ec2.internal env[12126]: Started wazuh-modulesd...
may 07 08:20:21 ip-172-31-34-149.ec2.internal env[12126]: Completed.
may 07 08:20:21 ip-172-31-34-149.ec2.internal systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
may 07 08:20:23 ip-172-31-34-149.ec2.internal crontab[12925]: (root) LIST (root)
may 07 08:48:44 ip-172-31-34-149.ec2.internal systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun shutting down.
may 07 08:48:44 ip-172-31-34-149.ec2.internal env[10835]: wazuh-clusterd not running...
may 07 08:48:44 ip-172-31-34-149.ec2.internal env[10835]: Killing wazuh-modulesd...
may 07 08:48:44 ip-172-31-34-149.ec2.internal env[10835]: Killing wazuh-monitord...
may 07 08:48:45 ip-172-31-34-149.ec2.internal env[10835]: Killing wazuh-logcollector...
may 07 08:48:45 ip-172-31-34-149.ec2.internal env[10835]: Killing wazuh-remoted...
may 07 08:48:45 ip-172-31-34-149.ec2.internal env[10835]: Killing wazuh-syscheckd...
may 07 08:48:45 ip-172-31-34-149.ec2.internal env[10835]: Killing wazuh-analysisd...
may 07 08:48:45 ip-172-31-34-149.ec2.internal env[10835]: wazuh-maild not running...
may 07 08:48:45 ip-172-31-34-149.ec2.internal env[10835]: Killing wazuh-execd...
may 07 08:48:45 ip-172-31-34-149.ec2.internal env[10835]: Killing wazuh-db...
may 07 08:48:46 ip-172-31-34-149.ec2.internal env[10835]: Killing wazuh-authd...
may 07 08:48:47 ip-172-31-34-149.ec2.internal env[10835]: wazuh-agentlessd not running...
may 07 08:48:47 ip-172-31-34-149.ec2.internal env[10835]: wazuh-integratord not running...
may 07 08:48:47 ip-172-31-34-149.ec2.internal env[10835]: wazuh-dbd not running...
may 07 08:48:47 ip-172-31-34-149.ec2.internal env[10835]: wazuh-csyslogd not running...
may 07 08:48:47 ip-172-31-34-149.ec2.internal env[10835]: Killing wazuh-apid...
may 07 08:48:47 ip-172-31-34-149.ec2.internal env[10835]: Wazuh v4.8.0 Stopped
may 07 08:48:47 ip-172-31-34-149.ec2.internal systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished shutting down.
may 07 09:19:31 ip-172-31-34-149.ec2.internal systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has begun starting up.
may 07 09:19:33 ip-172-31-34-149.ec2.internal env[13506]: 2024/05/07 09:19:33 wazuh-modulesd:router: INFO: Loaded router module.
may 07 09:19:33 ip-172-31-34-149.ec2.internal env[13506]: 2024/05/07 09:19:33 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
may 07 09:19:34 ip-172-31-34-149.ec2.internal env[13506]: Starting Wazuh v4.8.0...
may 07 09:19:36 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-apid...
may 07 09:19:36 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-csyslogd...
may 07 09:19:36 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-dbd...
may 07 09:19:36 ip-172-31-34-149.ec2.internal env[13506]: 2024/05/07 09:19:36 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
may 07 09:19:36 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-integratord...
may 07 09:19:36 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-agentlessd...
may 07 09:19:37 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-authd...
may 07 09:19:38 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-db...
may 07 09:19:39 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-execd...
may 07 09:19:41 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-analysisd...
may 07 09:19:42 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-syscheckd...
may 07 09:19:43 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-remoted...
may 07 09:19:44 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-logcollector...
may 07 09:19:45 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-monitord...
may 07 09:19:45 ip-172-31-34-149.ec2.internal env[13506]: 2024/05/07 09:19:45 wazuh-modulesd:router: INFO: Loaded router module.
may 07 09:19:45 ip-172-31-34-149.ec2.internal env[13506]: 2024/05/07 09:19:45 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
may 07 09:19:46 ip-172-31-34-149.ec2.internal env[13506]: Started wazuh-modulesd...
may 07 09:19:48 ip-172-31-34-149.ec2.internal env[13506]: Completed.
may 07 09:19:48 ip-172-31-34-149.ec2.internal systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-manager.service has finished starting up.
-- 
-- The start-up result is done.
Errors

🟡 Failed to sync. Related: #23303
🟡 Related: #21829

[root@ip-172-31-34-149 ~]# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/05/07 09:19:45 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/05/07 09:22:00 indexer-connector: WARNING: Failed to sync agent '000' with the indexer.

@CarlosALgit
Member

Wazuh Dashboard logs

Amazon Linux 2 🟢

Agent status
[root@ip-172-31-34-142 ~]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2024-05-07 08:15:57 UTC; 3h 6min ago
 Main PID: 12947 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─12947 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=...

may 07 11:08:36 ip-172-31-34-142.ec2.internal opensearch-dashboards[12947]: {"type":"response","@timestam...0
may 07 11:08:36 ip-172-31-34-142.ec2.internal opensearch-dashboards[12947]: {"type":"response","@timestam...5
may 07 11:08:36 ip-172-31-34-142.ec2.internal opensearch-dashboards[12947]: {"type":"response","@timestam...5
may 07 11:08:36 ip-172-31-34-142.ec2.internal opensearch-dashboards[12947]: {"type":"response","@timestam...5
may 07 11:08:36 ip-172-31-34-142.ec2.internal opensearch-dashboards[12947]: {"type":"response","@timestam...a
may 07 11:08:36 ip-172-31-34-142.ec2.internal opensearch-dashboards[12947]: {"type":"response","@timestam...a
may 07 11:08:37 ip-172-31-34-142.ec2.internal opensearch-dashboards[12947]: {"type":"response","@timestam...a
may 07 11:08:37 ip-172-31-34-142.ec2.internal opensearch-dashboards[12947]: {"type":"response","@timestam...a
may 07 11:08:37 ip-172-31-34-142.ec2.internal opensearch-dashboards[12947]: {"type":"response","@timestam...a
may 07 11:10:00 ip-172-31-34-142.ec2.internal opensearch-dashboards[12947]: {"type":"log","@timestamp":"2...}
Hint: Some lines were ellipsized, use -l to show in full.
Service status

service-status-al2.txt

Errors
[root@ip-172-31-34-142 ~]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
[root@ip-172-31-34-142 ~]# 

Ubuntu 22 🟢

Agent status
root@ip-172-31-45-219:~# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-05-07 08:21:45 UTC; 3h 21min ago
   Main PID: 53443 (node)
      Tasks: 11 (limit: 9425)
     Memory: 192.0M
        CPU: 33.139s
     CGroup: /system.slice/wazuh-dashboard.service
             └─53443 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --u>

May 07 11:07:04 ip-172-31-45-219 opensearch-dashboards[53443]: {"type":"response","@timestamp":"2024-05-07T1>
May 07 11:07:04 ip-172-31-45-219 opensearch-dashboards[53443]: {"type":"response","@timestamp":"2024-05-07T1>
May 07 11:07:05 ip-172-31-45-219 opensearch-dashboards[53443]: {"type":"response","@timestamp":"2024-05-07T1>
May 07 11:07:05 ip-172-31-45-219 opensearch-dashboards[53443]: {"type":"response","@timestamp":"2024-05-07T1>
May 07 11:07:05 ip-172-31-45-219 opensearch-dashboards[53443]: {"type":"response","@timestamp":"2024-05-07T1>
May 07 11:07:05 ip-172-31-45-219 opensearch-dashboards[53443]: {"type":"response","@timestamp":"2024-05-07T1>
May 07 11:07:05 ip-172-31-45-219 opensearch-dashboards[53443]: {"type":"response","@timestamp":"2024-05-07T1>
May 07 11:07:05 ip-172-31-45-219 opensearch-dashboards[53443]: {"type":"response","@timestamp":"2024-05-07T1>
May 07 11:07:05 ip-172-31-45-219 opensearch-dashboards[53443]: {"type":"response","@timestamp":"2024-05-07T1>
May 07 11:10:00 ip-172-31-45-219 opensearch-dashboards[53443]: {"type":"log","@timestamp":"2024-05-07T11:10:>
Service status

service-status-ubuntu22.txt

Errors
root@ip-172-31-45-219:~# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
root@ip-172-31-45-219:~# 

RHEL 9 🟡

Agent status
[root@ip-172-31-39-27 ~]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-05-07 08:23:53 UTC; 3h 20min ago
   Main PID: 20167 (node)
      Tasks: 11 (limit: 48194)
     Memory: 179.5M
        CPU: 28.115s
     CGroup: /system.slice/wazuh-dashboard.service
             └─20167 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --u>

May 07 09:43:25 ip-172-31-39-27.ec2.internal opensearch-dashboards[20167]: {"type":"error","@timestamp":"202>
May 07 09:43:25 ip-172-31-39-27.ec2.internal opensearch-dashboards[20167]: {"type":"error","@timestamp":"202>
May 07 09:43:25 ip-172-31-39-27.ec2.internal opensearch-dashboards[20167]: {"type":"error","@timestamp":"202>
May 07 09:43:25 ip-172-31-39-27.ec2.internal opensearch-dashboards[20167]: {"type":"error","@timestamp":"202>
May 07 09:44:50 ip-172-31-39-27.ec2.internal opensearch-dashboards[20167]: {"type":"error","@timestamp":"202>
May 07 09:44:50 ip-172-31-39-27.ec2.internal opensearch-dashboards[20167]: {"type":"error","@timestamp":"202>
May 07 09:44:51 ip-172-31-39-27.ec2.internal opensearch-dashboards[20167]: {"type":"error","@timestamp":"202>
May 07 09:44:51 ip-172-31-39-27.ec2.internal opensearch-dashboards[20167]: {"type":"error","@timestamp":"202>
May 07 09:54:10 ip-172-31-39-27.ec2.internal opensearch-dashboards[20167]: {"type":"response","@timestamp":">
May 07 09:56:23 ip-172-31-39-27.ec2.internal opensearch-dashboards[20167]: {"type":"response","@timestamp":">
Service status

service-status-rhel9.txt

Errors

🟡 Related: wazuh/wazuh-dashboard-plugins#6312

[root@ip-172-31-39-27 ~]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
{"date":"2024-05-07T08:23:19.346Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}
{"date":"2024-05-07T08:24:10.184Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED ::1:55000"}

Amazon Linux 2 - Offline 🟢

Agent status
[root@ip-172-31-34-149 ~]# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2024-05-07 10:26:46 UTC; 1h 21min ago
 Main PID: 16010 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─16010 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=...

may 07 10:29:57 ip-172-31-34-149.ec2.internal opensearch-dashboards[16010]: {"type":"response","@timestam...e
may 07 10:29:57 ip-172-31-34-149.ec2.internal opensearch-dashboards[16010]: {"type":"response","@timestam...p
may 07 10:29:57 ip-172-31-34-149.ec2.internal opensearch-dashboards[16010]: {"type":"response","@timestam...5
may 07 10:29:57 ip-172-31-34-149.ec2.internal opensearch-dashboards[16010]: {"type":"response","@timestam...0
may 07 10:29:58 ip-172-31-34-149.ec2.internal opensearch-dashboards[16010]: {"type":"response","@timestam...,
may 07 10:29:58 ip-172-31-34-149.ec2.internal opensearch-dashboards[16010]: {"type":"response","@timestam..."
may 07 10:29:58 ip-172-31-34-149.ec2.internal opensearch-dashboards[16010]: {"type":"response","@timestam...5
may 07 10:29:58 ip-172-31-34-149.ec2.internal opensearch-dashboards[16010]: {"type":"response","@timestam...6
may 07 10:29:58 ip-172-31-34-149.ec2.internal opensearch-dashboards[16010]: {"type":"response","@timestam... 
may 07 10:29:58 ip-172-31-34-149.ec2.internal opensearch-dashboards[16010]: {"type":"response","@timestam...1
Hint: Some lines were ellipsized, use -l to show in full.
Service status

service-status-al2-offline.txt

Errors
[root@ip-172-31-34-149 ~]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
[root@ip-172-31-34-149 ~]# 

@CarlosALgit
Member

Additional tests

Accessing Wazuh web interface

Amazon Linux 2 🟢

image

Ubuntu 22 🟢

image

RHEL 9 🟢

image

Amazon Linux 2 - Offline 🔴

Opened issue: wazuh/wazuh-packages#2941

INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Getting list of valid index patterns...
INFO: Valid index patterns found: 1
INFO: Found default index pattern with title [wazuh-alerts-*]: yes
INFO: Checking the app default pattern exists: id [wazuh-alerts-*]...
INFO: Default pattern with id [wazuh-alerts-*] exists: yes
ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern
INFO: Checking the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id exists [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Checking if the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*]
INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*]
INFO: Template found for the selected index-pattern title [wazuh-alerts-*]: no
ERROR: No template found for the selected index-pattern title [wazuh-alerts-*]
INFO: Index pattern id in cookie: [wazuh-alerts-*]
INFO: Getting index pattern data [wazuh-alerts-*]...
INFO: Index pattern data found: [yes]
INFO: Refreshing index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]...
ACTION: Refreshed index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [timeline:max_buckets]: 200000
INFO: App setting [timeline:max_buckets]: 200000
INFO: Settings mismatch [timeline:max_buckets]: no
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [metaFields]: ["_source","_index"]
INFO: App setting [metaFields]: ["_source","_index"]
INFO: Settings mismatch [metaFields]: no
INFO: Getting settings...
INFO: Check Wazuh dashboard setting [timepicker:timeDefaults]: {"from":"now-24h","to":"now"}
INFO: App setting [timepicker:timeDefaults]: "{\"from\":\"now-24h\",\"to\":\"now\"}"
INFO: Settings mismatch [timepicker:timeDefaults]: no

Screenshot from 2024-05-07 14-28-09

@juliamagan
Member

LGTM

Status: Done