Release 4.3.6 - Release Candidate 1 - E2E UX tests - Demo environment

[juliamagan]

Description

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

Test name	Demo environment
Category	Wazuh App
Deployment option	Demo environment
Main release issue	wazuh/wazuh#14260
Release candidate #	RC1

Proposed checks

• (T1): - No errors or warnings found in logs
• (T2): - The daemons are running with the correct user
• (T3): - The status of the Wazuh Indexer clusters is as expected.
• (T4): - No errors in the browser's developer console when browsing the App
• (T5): - Alerts are being generated for each of the modules configured for this purpose
• (T6): - No warning symbols in Discover when expanding a document
• (T7): - Alert generated

Conclusion 🔴

New bugs have been found when testing. In addition, some previously reported problems have been found again.

Issues found

Detected issues and previously reported

• https://github.com/wazuh/wazuh-automation/issues/813
• Warning and error logs found in wazuh-indexer in demo environment wazuh-packages#1511
• Warnings and errors when logging out of the app wazuh-dashboard-plugins#4108
• Multiple unexpected warning during Wazuh app session wazuh-dashboard-plugins#4092
• Wazuh Indexer - Some warning messages appears in the logs wazuh-packages#1746

New opened issues

• TypeError in the browser's developer console wazuh-dashboard-plugins#4346
• Wazuh Dashboard - Some errors messages appears while restarting wazuh-packages#1747
• Warning message in ossec.log related to Vulnerability Detector - Demo environment wazuh-packages#1745 (misreported)

Auditors' validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

• @jmv74211
• @alberpilot
• @davidjiglesias

References

Color	Status
🟢	All tests passed successfully
🟡	All tests passed but there are some warnings
🔴	Some tests have failures or errors

[mauromalara]

Task 1: No errors or warnings found in logs 🔴

Agents

Amazon Linux 🟢

journalctl -xe -u wazuh-agent.service

Jul 18 13:36:33 ip-10-0-1-74.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun shutting down.
Jul 18 13:36:33 ip-10-0-1-74.us-west-1.compute.internal env[937]: Killing wazuh-modulesd...
Jul 18 13:36:33 ip-10-0-1-74.us-west-1.compute.internal env[937]: Killing wazuh-logcollector...
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[937]: Killing wazuh-syscheckd...
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[937]: Killing wazuh-agentd...
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[937]: Killing wazuh-execd...
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[937]: Wazuh v4.3.6 Stopped
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun starting up.
Jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Starting Wazuh v4.3.6...
Jul 18 13:36:35 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-execd...
Jul 18 13:36:36 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-agentd...
Jul 18 13:36:37 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-syscheckd...
Jul 18 13:36:38 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-logcollector...
Jul 18 13:36:39 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-modulesd...
Jul 18 13:36:41 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Completed.
Jul 18 13:36:41 ip-10-0-1-74.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.

• egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:

[root@ip-10-0-1-74 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@ip-10-0-1-74 wazuh-user]# 

• systemctl status wazuh-agent -l:

[root@ip-10-0-1-74 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 13:36:41 UTC; 18h ago
  Process: 937 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 1003 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─1032 /var/ossec/bin/wazuh-execd
           ├─1044 /var/ossec/bin/wazuh-agentd
           ├─1059 /var/ossec/bin/wazuh-syscheckd
           ├─1073 /var/ossec/bin/wazuh-logcollector
           └─1095 /var/ossec/bin/wazuh-modulesd

jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
jul 18 13:36:34 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Starting Wazuh v4.3.6...
jul 18 13:36:35 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-execd...
jul 18 13:36:36 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-agentd...
jul 18 13:36:37 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-syscheckd...
jul 18 13:36:38 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-logcollector...
jul 18 13:36:39 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Started wazuh-modulesd...
jul 18 13:36:41 ip-10-0-1-74.us-west-1.compute.internal env[1003]: Completed.
jul 18 13:36:41 ip-10-0-1-74.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
jul 19 01:36:38 ip-10-0-1-74.us-west-1.compute.internal crontab[5198]: (root) LIST (root)

• /var/ossec/bin/wazuh-control status:

[root@ip-10-0-1-74 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

RHEL 🟢

journalctl -xe -u wazuh-agent.service

Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun shutting down.
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Killing wazuh-modulesd...
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Killing wazuh-logcollector...
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Killing wazuh-syscheckd...
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Killing wazuh-agentd...
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Killing wazuh-execd...
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4187]: Wazuh v4.3.6 Stopped
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished shutting down.
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun starting up.
Jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Starting Wazuh v4.3.6...
Jul 18 13:41:27 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-execd...
Jul 18 13:41:28 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-agentd...
Jul 18 13:41:29 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-syscheckd...
Jul 18 13:41:30 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-logcollector...
Jul 18 13:41:30 ip-10-0-1-254.us-west-1.compute.internal osqueryd[4386]: osqueryd started [version=4.3
Jul 18 13:41:31 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-modulesd...
Jul 18 13:41:33 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Completed.
Jul 18 13:41:33 ip-10-0-1-254.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.

• egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:

[root@ip-10-0-1-254 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@ip-10-0-1-254 wazuh-user]# 

• systemctl status wazuh-agent -l:

[root@ip-10-0-1-254 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 13:41:33 UTC; 18h ago
  Process: 4187 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 4274 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 53
   Memory: 196.9M
   CGroup: /system.slice/wazuh-agent.service
           ├─4301 /var/ossec/bin/wazuh-execd
           ├─4313 /var/ossec/bin/wazuh-agentd
           ├─4328 /var/ossec/bin/wazuh-syscheckd
           ├─4341 /var/ossec/bin/wazuh-logcollector
           ├─4365 /var/ossec/bin/wazuh-modulesd
           ├─4381 python3 wodles/docker/DockerListener
           ├─4386 /usr/bin/osqueryd --config_path=/etc/osquery/osquery.conf
           └─4400 /usr/bin/osqueryd                                        

jul 18 13:41:25 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Starting Wazuh v4.3.6...
jul 18 13:41:27 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-execd...
jul 18 13:41:28 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-agentd...
jul 18 13:41:29 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-syscheckd...
jul 18 13:41:30 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-logcollector...
jul 18 13:41:30 ip-10-0-1-254.us-west-1.compute.internal osqueryd[4386]: osqueryd started [version=4.3.0]
jul 18 13:41:31 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Started wazuh-modulesd...
jul 18 13:41:33 ip-10-0-1-254.us-west-1.compute.internal env[4274]: Completed.
jul 18 13:41:33 ip-10-0-1-254.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
jul 19 01:41:30 ip-10-0-1-254.us-west-1.compute.internal crontab[21163]: (root) LIST (root)

• /var/ossec/bin/wazuh-control status:

[root@ip-10-0-1-254 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Ubuntu 🟢

journalctl -xe -u wazuh-agent.service

Jul 18 14:15:40 ip-10-0-1-129 systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has begun shutting down.
Jul 18 14:15:40 ip-10-0-1-129 env[17255]: Killing wazuh-modulesd...
Jul 18 14:15:40 ip-10-0-1-129 env[17255]: Killing wazuh-logcollector...
Jul 18 14:15:40 ip-10-0-1-129 env[17255]: Killing wazuh-syscheckd...
Jul 18 14:15:40 ip-10-0-1-129 env[17255]: Killing wazuh-agentd...
Jul 18 14:15:40 ip-10-0-1-129 env[17255]: Killing wazuh-execd...
Jul 18 14:15:41 ip-10-0-1-129 env[17255]: Wazuh v4.3.6 Stopped
Jul 18 14:15:41 ip-10-0-1-129 systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has finished shutting down.
Jul 18 14:15:41 ip-10-0-1-129 systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has begun starting up.
Jul 18 14:15:41 ip-10-0-1-129 env[17309]: Starting Wazuh v4.3.6...
Jul 18 14:15:42 ip-10-0-1-129 env[17309]: Started wazuh-execd...
Jul 18 14:15:43 ip-10-0-1-129 env[17309]: Started wazuh-agentd...
Jul 18 14:15:44 ip-10-0-1-129 env[17309]: Started wazuh-syscheckd...
Jul 18 14:15:45 ip-10-0-1-129 env[17309]: Started wazuh-logcollector...
Jul 18 14:15:46 ip-10-0-1-129 env[17309]: Started wazuh-modulesd...
Jul 18 14:15:48 ip-10-0-1-129 env[17309]: Completed.
Jul 18 14:15:48 ip-10-0-1-129 systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is RESULT.

• egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:

root@ip-10-0-1-129:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
root@ip-10-0-1-129:/home/wazuh-user# 

• systemctl status wazuh-agent -l:

root@ip-10-0-1-129:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor 
   Active: active (running) since Mon 2022-07-18 14:15:48 UTC; 17h ago
  Process: 17255 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=e
  Process: 17309 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code
    Tasks: 31 (limit: 1125)
   CGroup: /system.slice/wazuh-agent.service
           ├─17355 /var/ossec/bin/wazuh-execd
           ├─17366 /var/ossec/bin/wazuh-agentd
           ├─17381 /var/ossec/bin/wazuh-syscheckd
           ├─17396 /var/ossec/bin/wazuh-logcollector
           └─17411 /var/ossec/bin/wazuh-modulesd

Jul 18 14:15:41 ip-10-0-1-129 systemd[1]: Starting Wazuh agent...
Jul 18 14:15:41 ip-10-0-1-129 env[17309]: Starting Wazuh v4.3.6...
Jul 18 14:15:42 ip-10-0-1-129 env[17309]: Started wazuh-execd...
Jul 18 14:15:43 ip-10-0-1-129 env[17309]: Started wazuh-agentd...
Jul 18 14:15:44 ip-10-0-1-129 env[17309]: Started wazuh-syscheckd...
Jul 18 14:15:45 ip-10-0-1-129 env[17309]: Started wazuh-logcollector...
Jul 18 14:15:46 ip-10-0-1-129 env[17309]: Started wazuh-modulesd...
Jul 18 14:15:48 ip-10-0-1-129 env[17309]: Completed.
Jul 18 14:15:48 ip-10-0-1-129 systemd[1]: Started Wazuh agent.

• /var/ossec/bin/wazuh-control status:

root@ip-10-0-1-129:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Debian 🟢

journalctl -xe -u wazuh-agent.service

Jul 18 14:15:40 ip-10-0-1-236 systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit wazuh-agent.service has begun shutting down.
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Killing wazuh-modulesd...
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Killing wazuh-logcollector...
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Killing wazuh-syscheckd...
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Killing wazuh-agentd...
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Killing wazuh-execd...
Jul 18 14:15:40 ip-10-0-1-236 env[20403]: Wazuh v4.3.6 Stopped
Jul 18 14:15:40 ip-10-0-1-236 systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit wazuh-agent.service has finished shutting down.
Jul 18 14:15:40 ip-10-0-1-236 systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit wazuh-agent.service has begun starting up.
Jul 18 14:15:40 ip-10-0-1-236 env[20458]: Starting Wazuh v4.3.6...
Jul 18 14:15:41 ip-10-0-1-236 env[20458]: Started wazuh-execd...
Jul 18 14:15:42 ip-10-0-1-236 env[20458]: Started wazuh-agentd...
Jul 18 14:15:43 ip-10-0-1-236 env[20458]: Started wazuh-syscheckd...
Jul 18 14:15:44 ip-10-0-1-236 env[20458]: Started wazuh-logcollector...
Jul 18 14:15:45 ip-10-0-1-236 env[20458]: Started wazuh-modulesd...
Jul 18 14:15:47 ip-10-0-1-236 env[20458]: Completed.
Jul 18 14:15:47 ip-10-0-1-236 systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.

• egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:

root@ip-10-0-1-236:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
root@ip-10-0-1-236:/home/wazuh-user# 

• systemctl status wazuh-agent -l:

root@ip-10-0-1-236:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor 
   Active: active (running) since Mon 2022-07-18 14:15:47 UTC; 17h ago
  Process: 20403 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=e
  Process: 20458 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code
    Tasks: 31 (limit: 4915)
   CGroup: /system.slice/wazuh-agent.service
           ├─20482 /var/ossec/bin/wazuh-execd
           ├─20493 /var/ossec/bin/wazuh-agentd
           ├─20507 /var/ossec/bin/wazuh-syscheckd
           ├─20524 /var/ossec/bin/wazuh-logcollector
           └─20555 /var/ossec/bin/wazuh-modulesd

jul 18 14:15:40 ip-10-0-1-236 systemd[1]: Starting Wazuh agent...
jul 18 14:15:40 ip-10-0-1-236 env[20458]: Starting Wazuh v4.3.6...
jul 18 14:15:41 ip-10-0-1-236 env[20458]: Started wazuh-execd...
jul 18 14:15:42 ip-10-0-1-236 env[20458]: Started wazuh-agentd...
jul 18 14:15:43 ip-10-0-1-236 env[20458]: Started wazuh-syscheckd...
jul 18 14:15:44 ip-10-0-1-236 env[20458]: Started wazuh-logcollector...
jul 18 14:15:45 ip-10-0-1-236 env[20458]: Started wazuh-modulesd...
jul 18 14:15:47 ip-10-0-1-236 env[20458]: Completed.
jul 18 14:15:47 ip-10-0-1-236 systemd[1]: Started Wazuh agent.

• /var/ossec/bin/wazuh-control status:

root@ip-10-0-1-236:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

CentOS 🟢

journalctl -xe -u wazuh-agent.service

Jul 18 14:28:58 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun shutting down.
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Killing wazuh-modulesd...
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Killing wazuh-logcollector...
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Killing wazuh-syscheckd...
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Killing wazuh-agentd...
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Killing wazuh-execd...
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28914]: Wazuh v4.3.6 Stopped
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished shutting down.
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun starting up.
Jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Starting Wazuh v4.3.6...
Jul 18 14:29:00 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-execd...
Jul 18 14:29:01 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-agentd...
Jul 18 14:29:02 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-syscheckd...
Jul 18 14:29:04 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-logcollector...
Jul 18 14:29:05 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-modulesd...
Jul 18 14:29:07 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Completed.
Jul 18 14:29:07 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has finished starting up.
--
-- The start-up result is done.

• egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log:

[root@ip-10-0-1-223 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@ip-10-0-1-223 wazuh-user]# 

• systemctl status wazuh-agent -l:

[root@ip-10-0-1-223 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 14:29:07 UTC; 17h ago
  Process: 28914 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 28980 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─29007 /var/ossec/bin/wazuh-execd
           ├─29019 /var/ossec/bin/wazuh-agentd
           ├─29034 /var/ossec/bin/wazuh-syscheckd
           ├─29048 /var/ossec/bin/wazuh-logcollector
           └─29066 /var/ossec/bin/wazuh-modulesd

jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
jul 18 14:28:59 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Starting Wazuh v4.3.6...
jul 18 14:29:00 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-execd...
jul 18 14:29:01 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-agentd...
jul 18 14:29:02 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-syscheckd...
jul 18 14:29:04 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-logcollector...
jul 18 14:29:05 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Started wazuh-modulesd...
jul 18 14:29:07 ip-10-0-1-223.us-west-1.compute.internal env[28980]: Completed.
jul 18 14:29:07 ip-10-0-1-223.us-west-1.compute.internal systemd[1]: Started Wazuh agent.

• /var/ossec/bin/wazuh-control status:

[root@ip-10-0-1-223 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Windows 🟢

Event Viewer > Windows Logs > System > (Last 2 events)

---

• STOPPED

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2022-07-18T15:00:11.045504200Z" />
    <EventRecordID>93825</EventRecordID>
    <Correlation />
    <Execution ProcessID="608" ThreadID="6732" />
    <Channel>System</Channel>
    <Computer>EC2AMAZ-BPN9OOM</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Wazuh</Data>
    <Data Name="param2">stopped</Data>
    <Binary>570061007A00750068005300760063002F0031000000</Binary>
  </EventData>
</Event>

---

• STARTED

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2022-07-18T15:00:11.561090100Z" />
    <EventRecordID>93826</EventRecordID>
    <Correlation />
    <Execution ProcessID="608" ThreadID="6732" />
    <Channel>System</Channel>
    <Computer>EC2AMAZ-BPN9OOM</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Wazuh</Data>
    <Data Name="param2">running</Data>
    <Binary>570061007A00750068005300760063002F0034000000</Binary>
  </EventData>
</Event>

---

AGENT STATUS: RUNNING

---

NO ERRORS FOUND IN OSSEC.LOG

---

Managers

Master-env1 🟡

journalctl -xe -u wazuh-manager.service

-- Unit wazuh-manager.service has begun shutting down.
Jul 18 16:56:16 wazuh-manager-master-0 env[29777]: Killing wazuh-clusterd...
Jul 18 16:56:16 wazuh-manager-master-0 env[29777]: Killing wazuh-modulesd...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-monitord...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-logcollector...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-remoted...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-syscheckd...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-analysisd...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: wazuh-maild not running...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-execd...
Jul 18 16:56:17 wazuh-manager-master-0 env[29777]: Killing wazuh-db...
Jul 18 16:56:18 wazuh-manager-master-0 env[29777]: Killing wazuh-authd...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: wazuh-agentlessd not running...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: Killing wazuh-integratord...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: wazuh-dbd not running...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: wazuh-csyslogd not running...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: Killing wazuh-apid...
Jul 18 16:56:19 wazuh-manager-master-0 env[29777]: Wazuh v4.3.6 Stopped
Jul 18 16:56:19 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Jul 18 16:56:21 wazuh-manager-master-0 env[29923]: Starting Wazuh v4.3.6...
Jul 18 16:56:24 wazuh-manager-master-0 env[29923]: Started wazuh-apid...
Jul 18 16:56:24 wazuh-manager-master-0 env[29923]: Started wazuh-csyslogd...
Jul 18 16:56:24 wazuh-manager-master-0 env[29923]: Started wazuh-dbd...
Jul 18 16:56:24 wazuh-manager-master-0 env[29923]: Started wazuh-integratord...
Jul 18 16:56:24 wazuh-manager-master-0 env[29923]: Started wazuh-agentlessd...
Jul 18 16:56:25 wazuh-manager-master-0 env[29923]: Started wazuh-authd...
Jul 18 16:56:26 wazuh-manager-master-0 env[29923]: Started wazuh-db...
Jul 18 16:56:27 wazuh-manager-master-0 env[29923]: Started wazuh-execd...
Jul 18 16:56:28 wazuh-manager-master-0 env[29923]: Started wazuh-analysisd...
Jul 18 16:56:29 wazuh-manager-master-0 env[29923]: Started wazuh-syscheckd...
Jul 18 16:56:30 wazuh-manager-master-0 env[29923]: Started wazuh-remoted...
Jul 18 16:56:31 wazuh-manager-master-0 env[29923]: Started wazuh-logcollector...
Jul 18 16:56:32 wazuh-manager-master-0 env[29923]: Started wazuh-monitord...
Jul 18 16:56:34 wazuh-manager-master-0 env[29923]: Started wazuh-modulesd...
Jul 18 16:56:34 wazuh-manager-master-0 env[29923]: Started wazuh-clusterd...
Jul 18 16:56:35 wazuh-manager-master-0 crontab[30342]: (root) LIST (root)
Jul 18 16:56:36 wazuh-manager-master-0 env[29923]: Completed.
Jul 18 16:56:37 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.

---

1 warning message found in ossec.log

[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2022/07/18 16:58:24 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '001' OS. Skipping it.

---

No error or warning messages in cluster.log

[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log`
[root@wazuh-manager-master-0 wazuh-user]# 

---

Wazuh control

[root@wazuh-manager-master-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

---

• systemctl status wazuh-manager -l:

[root@wazuh-manager-master-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 16:56:37 UTC; 15h ago
  Process: 29777 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 29923 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─29980 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30006 /var/ossec/bin/wazuh-integratord
           ├─30025 /var/ossec/bin/wazuh-authd
           ├─30042 /var/ossec/bin/wazuh-db
           ├─30054 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30057 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─30072 /var/ossec/bin/wazuh-execd
           ├─30087 /var/ossec/bin/wazuh-analysisd
           ├─30099 /var/ossec/bin/wazuh-syscheckd
           ├─30119 /var/ossec/bin/wazuh-remoted
           ├─30152 /var/ossec/bin/wazuh-logcollector
           ├─30173 /var/ossec/bin/wazuh-monitord
           ├─30223 /var/ossec/bin/wazuh-modulesd
           ├─30340 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─30364 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─30367 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

jul 18 16:56:29 wazuh-manager-master-0 env[29923]: Started wazuh-syscheckd...
jul 18 16:56:30 wazuh-manager-master-0 env[29923]: Started wazuh-remoted...
jul 18 16:56:31 wazuh-manager-master-0 env[29923]: Started wazuh-logcollector...
jul 18 16:56:32 wazuh-manager-master-0 env[29923]: Started wazuh-monitord...
jul 18 16:56:34 wazuh-manager-master-0 env[29923]: Started wazuh-modulesd...
jul 18 16:56:34 wazuh-manager-master-0 env[29923]: Started wazuh-clusterd...
jul 18 16:56:35 wazuh-manager-master-0 crontab[30342]: (root) LIST (root)
jul 18 16:56:36 wazuh-manager-master-0 env[29923]: Completed.
jul 18 16:56:37 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
jul 19 04:56:36 wazuh-manager-master-0 crontab[5148]: (root) LIST (root)

---

Filebeat

[root@wazuh-manager-master-0 wazuh-user]# filebeat test output
elasticsearch: https://10.0.2.230:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.230
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.169:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.169
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.170:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.170
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Master-env2 🟢

journalctl -xe -u wazuh-manager.service

Jul 18 16:56:28 wazuh-manager-master-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun shutting down.
Jul 18 16:56:28 wazuh-manager-master-0 env[27680]: Killing wazuh-clusterd...
Jul 18 16:56:28 wazuh-manager-master-0 env[27680]: Killing wazuh-modulesd...
Jul 18 16:56:28 wazuh-manager-master-0 env[27680]: Killing wazuh-monitord...
Jul 18 16:56:28 wazuh-manager-master-0 env[27680]: Killing wazuh-logcollector...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: Killing wazuh-remoted...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: Killing wazuh-syscheckd...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: Killing wazuh-analysisd...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: wazuh-maild not running...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: Killing wazuh-execd...
Jul 18 16:56:29 wazuh-manager-master-0 env[27680]: Killing wazuh-db...
Jul 18 16:56:30 wazuh-manager-master-0 env[27680]: Killing wazuh-authd...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: wazuh-agentlessd not running...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: Killing wazuh-integratord...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: wazuh-dbd not running...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: wazuh-csyslogd not running...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: Killing wazuh-apid...
Jul 18 16:56:31 wazuh-manager-master-0 env[27680]: Wazuh v4.3.6 Stopped
Jul 18 16:56:31 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Jul 18 16:56:33 wazuh-manager-master-0 env[27832]: Starting Wazuh v4.3.6...
Jul 18 16:56:36 wazuh-manager-master-0 env[27832]: Started wazuh-apid...
Jul 18 16:56:36 wazuh-manager-master-0 env[27832]: Started wazuh-csyslogd...
Jul 18 16:56:36 wazuh-manager-master-0 env[27832]: Started wazuh-dbd...
Jul 18 16:56:36 wazuh-manager-master-0 env[27832]: Started wazuh-integratord...
Jul 18 16:56:36 wazuh-manager-master-0 env[27832]: Started wazuh-agentlessd...
Jul 18 16:56:37 wazuh-manager-master-0 env[27832]: Started wazuh-authd...
Jul 18 16:56:38 wazuh-manager-master-0 env[27832]: Started wazuh-db...
Jul 18 16:56:39 wazuh-manager-master-0 env[27832]: Started wazuh-execd...
Jul 18 16:56:40 wazuh-manager-master-0 env[27832]: Started wazuh-analysisd...
Jul 18 16:56:41 wazuh-manager-master-0 env[27832]: Started wazuh-syscheckd...
Jul 18 16:56:42 wazuh-manager-master-0 env[27832]: Started wazuh-remoted...
Jul 18 16:56:43 wazuh-manager-master-0 env[27832]: Started wazuh-logcollector...
Jul 18 16:56:44 wazuh-manager-master-0 env[27832]: Started wazuh-monitord...
Jul 18 16:56:45 wazuh-manager-master-0 env[27832]: Started wazuh-modulesd...
Jul 18 16:56:46 wazuh-manager-master-0 crontab[28262]: (root) LIST (root)
Jul 18 16:56:46 wazuh-manager-master-0 env[27832]: Started wazuh-clusterd...
Jul 18 16:56:48 wazuh-manager-master-0 env[27832]: Completed.
Jul 18 16:56:48 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.

---

No error or warning messages in ossec.log

[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@wazuh-manager-master-0 wazuh-user]#

---

No error or warning messages in cluster.log

[root@wazuh-manager-master-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
[root@wazuh-manager-master-0 wazuh-user]#

---

Wazuh control

[root@wazuh-manager-master-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

---

• systemctl status wazuh-manager -l:

[root@wazuh-manager-master-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 16:56:48 UTC; 15h ago
  Process: 27680 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 27832 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─27890 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─27924 /var/ossec/bin/wazuh-integratord
           ├─27935 /var/ossec/bin/wazuh-authd
           ├─27952 /var/ossec/bin/wazuh-db
           ├─27964 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─27967 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─27982 /var/ossec/bin/wazuh-execd
           ├─27997 /var/ossec/bin/wazuh-analysisd
           ├─28009 /var/ossec/bin/wazuh-syscheckd
           ├─28030 /var/ossec/bin/wazuh-remoted
           ├─28062 /var/ossec/bin/wazuh-logcollector
           ├─28084 /var/ossec/bin/wazuh-monitord
           ├─28133 /var/ossec/bin/wazuh-modulesd
           ├─28261 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─28282 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─28285 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

jul 18 16:56:41 wazuh-manager-master-0 env[27832]: Started wazuh-syscheckd...
jul 18 16:56:42 wazuh-manager-master-0 env[27832]: Started wazuh-remoted...
jul 18 16:56:43 wazuh-manager-master-0 env[27832]: Started wazuh-logcollector...
jul 18 16:56:44 wazuh-manager-master-0 env[27832]: Started wazuh-monitord...
jul 18 16:56:45 wazuh-manager-master-0 env[27832]: Started wazuh-modulesd...
jul 18 16:56:46 wazuh-manager-master-0 crontab[28262]: (root) LIST (root)
jul 18 16:56:46 wazuh-manager-master-0 env[27832]: Started wazuh-clusterd...
jul 18 16:56:48 wazuh-manager-master-0 env[27832]: Completed.
jul 18 16:56:48 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
jul 19 04:56:45 wazuh-manager-master-0 crontab[3033]: (root) LIST (root)

---

Filebeat

[root@wazuh-manager-master-0 wazuh-user]# filebeat test output
elasticsearch: https://10.0.2.230:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.230
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.169:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.169
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.170:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.170
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Worker-env1 🟢

journalctl -xe -u wazuh-manager.service

Jul 18 16:56:39 wazuh-manager-worker-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun shutting down.
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-clusterd...
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-modulesd...
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-monitord...
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-logcollector...
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-remoted...
Jul 18 16:56:39 wazuh-manager-worker-0 env[14864]: Killing wazuh-syscheckd...
Jul 18 16:56:40 wazuh-manager-worker-0 env[14864]: Killing wazuh-analysisd...
Jul 18 16:56:40 wazuh-manager-worker-0 env[14864]: wazuh-maild not running...
Jul 18 16:56:40 wazuh-manager-worker-0 env[14864]: Killing wazuh-execd...
Jul 18 16:56:40 wazuh-manager-worker-0 env[14864]: Killing wazuh-db...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: wazuh-authd not running...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: wazuh-agentlessd not running...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: Killing wazuh-integratord...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: wazuh-dbd not running...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: wazuh-csyslogd not running...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: Killing wazuh-apid...
Jul 18 16:56:41 wazuh-manager-worker-0 env[14864]: Wazuh v4.3.6 Stopped
Jul 18 16:56:41 wazuh-manager-worker-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Jul 18 16:56:44 wazuh-manager-worker-0 env[15002]: Starting Wazuh v4.3.6...
Jul 18 16:56:47 wazuh-manager-worker-0 env[15002]: Started wazuh-apid...
Jul 18 16:56:47 wazuh-manager-worker-0 env[15002]: Started wazuh-csyslogd...
Jul 18 16:56:47 wazuh-manager-worker-0 env[15002]: Started wazuh-dbd...
Jul 18 16:56:47 wazuh-manager-worker-0 env[15002]: Started wazuh-integratord...
Jul 18 16:56:47 wazuh-manager-worker-0 env[15002]: Started wazuh-agentlessd...
Jul 18 16:56:48 wazuh-manager-worker-0 env[15002]: Started wazuh-db...
Jul 18 16:56:49 wazuh-manager-worker-0 env[15002]: Started wazuh-execd...
Jul 18 16:56:50 wazuh-manager-worker-0 env[15002]: Started wazuh-analysisd...
Jul 18 16:56:51 wazuh-manager-worker-0 env[15002]: Started wazuh-syscheckd...
Jul 18 16:56:52 wazuh-manager-worker-0 env[15002]: Started wazuh-remoted...
Jul 18 16:56:53 wazuh-manager-worker-0 env[15002]: Started wazuh-logcollector...
Jul 18 16:56:55 wazuh-manager-worker-0 env[15002]: Started wazuh-monitord...
Jul 18 16:56:56 wazuh-manager-worker-0 env[15002]: Started wazuh-modulesd...
Jul 18 16:56:57 wazuh-manager-worker-0 env[15002]: Started wazuh-clusterd...
Jul 18 16:56:59 wazuh-manager-worker-0 env[15002]: Completed.
Jul 18 16:56:59 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.

---

ossec.log

[root@wazuh-manager-worker-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
[root@wazuh-manager-worker-0 wazuh-user]#

---

cluster.log

[root@wazuh-manager-worker-0 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log
[root@wazuh-manager-worker-0 wazuh-user]#

---

Wazuh control

[root@wazuh-manager-worker-0 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd not running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

• systemctl status wazuh-manager -l:

[root@wazuh-manager-worker-0 wazuh-user]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 18:57:48 UTC; 13h ago
  Process: 17043 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 17179 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─17236 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─17267 /var/ossec/bin/wazuh-integratord
           ├─17279 /var/ossec/bin/wazuh-db
           ├─17303 /var/ossec/bin/wazuh-execd
           ├─17305 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─17308 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─17324 /var/ossec/bin/wazuh-analysisd
           ├─17335 /var/ossec/bin/wazuh-syscheckd
           ├─17357 /var/ossec/bin/wazuh-remoted
           ├─17388 /var/ossec/bin/wazuh-logcollector
           ├─17412 /var/ossec/bin/wazuh-monitord
           ├─17460 /var/ossec/bin/wazuh-modulesd
           ├─17586 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           ├─17810 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
           └─18553 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

jul 18 18:57:39 wazuh-manager-worker-0 env[17179]: Started wazuh-analysisd...
jul 18 18:57:40 wazuh-manager-worker-0 env[17179]: Started wazuh-syscheckd...
jul 18 18:57:42 wazuh-manager-worker-0 env[17179]: Started wazuh-remoted...
jul 18 18:57:43 wazuh-manager-worker-0 env[17179]: Started wazuh-logcollector...
jul 18 18:57:44 wazuh-manager-worker-0 env[17179]: Started wazuh-monitord...
jul 18 18:57:45 wazuh-manager-worker-0 crontab[17543]: (root) LIST (root)
jul 18 18:57:45 wazuh-manager-worker-0 env[17179]: Started wazuh-modulesd...
jul 18 18:57:46 wazuh-manager-worker-0 env[17179]: Started wazuh-clusterd...
jul 18 18:57:48 wazuh-manager-worker-0 env[17179]: Completed.
jul 18 18:57:48 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.

---

Filebeat

[root@wazuh-manager-worker-0 wazuh-user]# filebeat test output
elasticsearch: https://10.0.2.230:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.230
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.169:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.169
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.170:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.170
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Indexers

Bootstrap 🟡

Some warning appears in systemd.

journalctl -xe -u wazuh-indexer.service --no-pager

Jul 18 20:12:13 ip-10-0-2-230.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
Jul 18 20:12:13 ip-10-0-2-230.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: An illegal reflective access operation has occurred
Jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
Jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
Jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: All illegal access operations will be denied in a future release
Jul 18 20:12:35 ip-10-0-2-230.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.

---

• systemctl status wazuh-indexer -l:

[root@ip-10-0-2-230 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 20:12:35 UTC; 12h ago
     Docs: https://documentation.wazuh.com
 Main PID: 29741 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─29741 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-13248168441558767060 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jul 18 20:12:13 ip-10-0-2-230.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: An illegal reflective access operation has occurred
jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jul 18 20:12:29 ip-10-0-2-230.us-west-1.compute.internal systemd-entrypoint[29741]: WARNING: All illegal access operations will be denied in a future release
jul 18 20:12:35 ip-10-0-2-230.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.

---

Indexer log

This error is related to: wazuh/wazuh-packages#1511

[root@ip-10-0-2-230 wazuh-user]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
[2022-07-18T20:12:28,702][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.

MasterB 🟡

Some warning appears in systemd.

journalctl -xe -u wazuh-indexer.service --no-pager

Jul 18 20:09:02 ip-10-0-2-169.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
Jul 18 20:09:02 ip-10-0-2-169.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: An illegal reflective access operation has occurred
Jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
Jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
Jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: All illegal access operations will be denied in a future release
Jul 18 20:09:22 ip-10-0-2-169.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.

---

• systemctl status wazuh-indexer -l:

[root@ip-10-0-2-169 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 20:09:22 UTC; 12h ago
     Docs: https://documentation.wazuh.com
 Main PID: 28811 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─28811 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-12183030694015605934 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jul 18 20:09:02 ip-10-0-2-169.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: An illegal reflective access operation has occurred
jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jul 18 20:09:16 ip-10-0-2-169.us-west-1.compute.internal systemd-entrypoint[28811]: WARNING: All illegal access operations will be denied in a future release
jul 18 20:09:22 ip-10-0-2-169.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.

---

Indexer log

This error is related to: wazuh/wazuh-packages#1511

[root@ip-10-0-2-169 wazuh-user]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
[2022-07-18T20:09:16,317][ERROR][o.o.s.a.s.SinkProvider   ] [node-2] Default endpoint could not be created, auditlog will not work properly.

MasterC 🟡

Some warning appears in systemd.

journalctl -xe -u wazuh-indexer.service --no-pager

Jul 18 20:09:04 ip-10-0-2-170.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
Jul 18 20:09:04 ip-10-0-2-170.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: An illegal reflective access operation has occurred
Jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
Jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
Jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: All illegal access operations will be denied in a future release
Jul 18 20:09:26 ip-10-0-2-170.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.

---

• systemctl status wazuh-indexer -l:

[root@ip-10-0-2-170 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since lun 2022-07-18 20:09:26 UTC; 12h ago
     Docs: https://documentation.wazuh.com
 Main PID: 28834 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─28834 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-7663747929237962954 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jul 18 20:09:04 ip-10-0-2-170.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: An illegal reflective access operation has occurred
jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jul 18 20:09:20 ip-10-0-2-170.us-west-1.compute.internal systemd-entrypoint[28834]: WARNING: All illegal access operations will be denied in a future release
jul 18 20:09:26 ip-10-0-2-170.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.

---

Indexer log

This error is related to: wazuh/wazuh-packages#1511

[root@ip-10-0-2-170 wazuh-user]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
[2022-07-18T20:09:19,613][ERROR][o.o.s.a.s.SinkProvider   ] [node-3] Default endpoint could not be created, auditlog will not work properly.

Dashboard

Indexer 🟡

• journalctl -xe -u wazuh-indexer.servicer

jul 19 08:39:08 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun shutting down.
jul 19 08:39:08 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has begun starting up.
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: An illegal reflective access operation has occurred
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: All illegal access operations will be denied in a future release
jul 19 08:39:29 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-indexer.service has finished starting up.
-- 
-- The start-up result is done.

---

• egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log

[2022-07-19T08:39:23,143][ERROR][o.o.s.a.s.SinkProvider   ] [node-7] Default endpoint could not be created, auditlog will not work properly.

---

• systemctl status wazuh-indexer -l:

[root@ip-10-0-0-178 wazuh-user]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-07-19 08:39:29 UTC; 3min 21s ago
     Docs: https://documentation.wazuh.com
 Main PID: 26111 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─26111 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-16004828063245378125 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

jul 19 08:39:08 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: An illegal reflective access operation has occurred
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
jul 19 08:39:23 ip-10-0-0-178.us-west-1.compute.internal systemd-entrypoint[26111]: WARNING: All illegal access operations will be denied in a future release
jul 19 08:39:29 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.

Dashboard 🔴

journalctl -xe -u wazuh-dashboard.service --no-pager

Jul 18 21:45:20 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Stopping wazuh-dashboard...
-- Subject: Unit wazuh-dashboard.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-dashboard.service has begun shutting down.
Jul 18 21:45:20 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19866]: {"type":"log","@timestamp":"2022-07-18T21:45:20Z","tags":["info","plugins-system"],"pid":19866,"message":"Stopping all plugins."}
Jul 18 21:45:20 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Started wazuh-dashboard.
-- Subject: Unit wazuh-dashboard.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-dashboard.service has finished starting up.
--
-- The start-up result is done.
Jul 18 21:45:20 ip-10-0-0-178.us-west-1.compute.internal systemd[1]: Starting wazuh-dashboard...
-- Subject: Unit wazuh-dashboard.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-dashboard.service has begun starting up.
Jul 18 21:45:25 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:25Z","tags":["info","plugins-service"],"pid":19944,"message":"Plugin \"visTypeXy\" is disabled."}
Jul 18 21:45:25 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:25Z","tags":["info","plugins-system"],"pid":19944,"message":"Setting up [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,wazuh,savedObjectsManagement,bfetch]"}
Jul 18 21:45:26 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:26Z","tags":["info","savedobjects-service"],"pid":19944,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Jul 18 21:45:26 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:26Z","tags":["info","savedobjects-service"],"pid":19944,"message":"Starting saved objects migrations"}
Jul 18 21:45:26 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:26Z","tags":["info","plugins-system"],"pid":19944,"message":"Starting [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,wazuh,savedObjectsManagement,bfetch]"}
Jul 18 21:45:26 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:26Z","tags":["listening","info"],"pid":19944,"message":"Server running at https://0.0.0.0:5601"}
Jul 18 21:45:27 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["info","http","server","OpenSearchDashboards"],"pid":19944,"message":"http server running at https://0.0.0.0:5601"}
Jul 18 21:45:27 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","opensearch","data"],"pid":19944,"message":"[ResponseError]: Response Error"}
Jul 18 21:45:27 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","plugins","wazuh","monitoring"],"pid":19944,"message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}
Jul 18 21:45:27 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","opensearch","data"],"pid":19944,"message":"[ResponseError]: Response Error"}
Jul 18 21:45:27 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[19944]: {"type":"log","@timestamp":"2022-07-18T21:45:27Z","tags":["error","plugins","wazuh","monitoring"],"pid":19944,"message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}

---

• systemctl status wazuh-dashboard -l:

[root@ip-10-0-0-178 wazuh-user]# systemctl status wazuh-dashboard -l
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2022-07-19 08:47:02 UTC; 10s ago
 Main PID: 26468 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─26468 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

jul 19 08:47:08 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:08Z","tags":["info","plugins-system"],"pid":26468,"message":"Setting up [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,wazuh,savedObjectsManagement,bfetch]"}
jul 19 08:47:08 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:08Z","tags":["info","savedobjects-service"],"pid":26468,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
jul 19 08:47:08 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:08Z","tags":["info","savedobjects-service"],"pid":26468,"message":"Starting saved objects migrations"}
jul 19 08:47:08 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:08Z","tags":["info","plugins-system"],"pid":26468,"message":"Starting [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,wazuh,savedObjectsManagement,bfetch]"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["listening","info"],"pid":26468,"message":"Server running at https://0.0.0.0:5601"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["info","http","server","OpenSearchDashboards"],"pid":26468,"message":"http server running at https://0.0.0.0:5601"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["error","opensearch","data"],"pid":26468,"message":"[ResponseError]: Response Error"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["error","plugins","wazuh","monitoring"],"pid":26468,"message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["error","opensearch","data"],"pid":26468,"message":"[ResponseError]: Response Error"}
jul 19 08:47:09 ip-10-0-0-178.us-west-1.compute.internal opensearch-dashboards[26468]: {"type":"log","@timestamp":"2022-07-19T08:47:09Z","tags":["error","plugins","wazuh","monitoring"],"pid":26468,"message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}

---

1 error while restarting the dashboard

egrep -Ei "ERR|WARN" /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log

{"date":"2022-07-18T21:45:27.785Z","level":"error","location":"monitoring:insertMonitoringDataElasticsearch","message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}
{"date":"2022-07-18T21:45:27.867Z","level":"error","location":"monitoring:insertMonitoringDataElasticsearch","message":"Could not check if the index wazuh-monitoring-2022.29w exists due to no permissions for create, delete or check"}

---

Issues

• Master-env1: Warning message in ossec.log related to Vulnerability Detector - Demo environment wazuh-packages#1745
• Indexers: Wazuh Indexer - Some warning messages appears in the logs wazuh-packages#1746
• Dashboard: Wazuh Dashboard - Some errors messages appears while restarting wazuh-packages#1747

[mauromalara]

Task 2: The daemons are running with the correct user 🟢

Agents

Amazon Linux 🟢

ps aux | grep wazuh

root      1032  0.0  0.2  38500  2936 ?        Sl   13:36   0:00 /var/ossec/bin/wazuh-execd
wazuh     1044  0.0  0.5 264500  5668 ?        Sl   13:36   0:00 /var/ossec/bin/wazuh-agentd
root      1059  1.1  0.8 204512  8424 ?        SNl  13:36   0:08 /var/ossec/bin/wazuh-syscheckd
root      1073  0.0  0.4 481016  4620 ?        Sl   13:36   0:00 /var/ossec/bin/wazuh-logcollector
root      1095  0.0  1.4 741624 14348 ?        Sl   13:36   0:00 /var/ossec/bin/wazuh-modulesd

RHEL 🟢

ps aux | grep wazuh

root      4301  0.0  0.0  36308  1668 ?        Sl   13:41   0:00 /var/ossec/bin/wazuh-execd
wazuh     4313  0.0  0.0 262040  3124 ?        Sl   13:41   0:00 /var/ossec/bin/wazuh-agentd
root      4328  5.9  0.2 415672  8600 ?        SNl  13:41   0:23 /var/ossec/bin/wazuh-syscheckd
root      4341  0.0  0.0 478724  2608 ?        Sl   13:41   0:00 /var/ossec/bin/wazuh-logcollector
root      4365  0.3  0.6 1034304 23984 ?       Sl   13:41   0:01 /var/ossec/bin/wazuh-modulesd

Ubuntu 🟢

ps aux | grep wazuh

root     17355  0.0  0.3  43524  3260 ?        Sl   14:15   0:00 /var/ossec/bin/wazuh-execd
wazuh    17366  0.0  0.5 269468  5284 ?        Sl   14:15   0:01 /var/ossec/bin/wazuh-agentd
root     17381  0.0  0.7 208976  7856 ?        SNl  14:15   0:08 /var/ossec/bin/wazuh-syscheckd
root     17396  0.0  0.4 485948  4492 ?        Sl   14:15   0:00 /var/ossec/bin/wazuh-logcollector
root     17411  0.0  1.3 749164 13728 ?        Sl   14:15   0:01 /var/ossec/bin/wazuh-modulesd

Debian 🟢

ps aux | grep wazuh

root     20482  0.0  0.2  42208  2628 ?        Sl   14:15   0:00 /var/ossec/bin/wazuh-execd
wazuh    20493  0.0  0.5 268236  5208 ?        Sl   14:15   0:01 /var/ossec/bin/wazuh-agentd
root     20507  0.0  0.7 273020  7380 ?        SNl  14:15   0:06 /var/ossec/bin/wazuh-syscheckd
root     20524  0.0  0.4 484860  4296 ?        Sl   14:15   0:00 /var/ossec/bin/wazuh-logcollector
root     20555  0.0  1.2 745740 11976 ?        Sl   14:15   0:01 /var/ossec/bin/wazuh-modulesd

CentOS 🟢

ps aux | grep wazuh

root     29007  0.0  0.1  36220  1516 ?        Sl   14:28   0:00 /var/ossec/bin/wazuh-execd
wazuh    29019  0.0  0.3 262044  3084 ?        Sl   14:29   0:02 /var/ossec/bin/wazuh-agentd
root     29034  0.1  0.5 201932  5224 ?        SNl  14:29   0:11 /var/ossec/bin/wazuh-syscheckd
root     29048  0.0  0.2 478596  2340 ?        Sl   14:29   0:01 /var/ossec/bin/wazuh-logcollector
root     29066  0.0  2.2 739252 22524 ?        Sl   14:29   0:02 /var/ossec/bin/wazuh-modulesd

Windows 🟢

Task Manager > Services

Managers

Master-env1 🟢

ps aux | grep wazuh

wazuh    29980  0.1  2.5 821392 100176 ?       Sl   16:56   0:15 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    30006  0.0  0.0  39232  3384 ?        Sl   16:56   0:00 /var/ossec/bin/wazuh-integratord
root     30025  0.2  0.1 194956  5856 ?        Sl   16:56   0:24 /var/ossec/bin/wazuh-authd
wazuh    30042  0.0  0.3 775968 15260 ?        Sl   16:56   0:08 /var/ossec/bin/wazuh-db
wazuh    30054  0.0  1.4 317364 59752 ?        S    16:56   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    30057  0.0  1.6 466436 63960 ?        S    16:56   0:06 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     30072  0.0  0.0  39272  3176 ?        Sl   16:56   0:00 /var/ossec/bin/wazuh-execd
wazuh    30087  0.2  2.3 1293472 92940 ?       Sl   16:56   0:20 /var/ossec/bin/wazuh-analysisd
root     30099  0.1  0.2 270452  8584 ?        SNl  16:56   0:12 /var/ossec/bin/wazuh-syscheckd
wazuh    30119  0.4  0.1 1179140 6736 ?        Sl   16:56   0:36 /var/ossec/bin/wazuh-remoted
root     30152  0.0  0.1 481672  5152 ?        Sl   16:56   0:00 /var/ossec/bin/wazuh-logcollector
wazuh    30173  0.0  0.0  39252  3224 ?        Sl   16:56   0:00 /var/ossec/bin/wazuh-monitord
root     30223  3.4  6.3 1424400 255288 ?      Sl   16:56   5:13 /var/ossec/bin/wazuh-modulesd
wazuh    30340  0.1  1.3 443544 54116 ?        Sl   16:56   0:11 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    30364  0.0  1.0 280460 43828 ?        S    16:56   0:02 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    30367  0.0  1.0 362388 41852 ?        S    16:56   0:02 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

Master-env2 🟢

ps aux | grep wazuh

wazuh    27890  0.1  2.5 821300 100064 ?       Sl   16:56   0:13 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    27924  0.0  0.0  39232  3380 ?        Sl   16:56   0:00 /var/ossec/bin/wazuh-integratord
root     27935  0.2  0.1 194956  5836 ?        Sl   16:56   0:25 /var/ossec/bin/wazuh-authd
wazuh    27952  0.0  0.3 710428 14940 ?        Sl   16:56   0:06 /var/ossec/bin/wazuh-db
wazuh    27964  0.0  1.5 317372 59860 ?        S    16:56   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    27967  0.0  1.6 466172 64016 ?        S    16:56   0:05 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     27982  0.0  0.0  39272  3240 ?        Sl   16:56   0:00 /var/ossec/bin/wazuh-execd
wazuh    27997  0.0  2.2 1293376 91776 ?       Sl   16:56   0:09 /var/ossec/bin/wazuh-analysisd
root     28009  0.1  0.2 270556  8444 ?        SNl  16:56   0:12 /var/ossec/bin/wazuh-syscheckd
wazuh    28030  0.1  0.1 1179128 6992 ?        Sl   16:56   0:10 /var/ossec/bin/wazuh-remoted
root     28062  0.0  0.1 481676  4988 ?        Sl   16:56   0:00 /var/ossec/bin/wazuh-logcollector
wazuh    28084  0.0  0.0  39252  3180 ?        Sl   16:56   0:00 /var/ossec/bin/wazuh-monitord
root     28133  3.9  7.5 1416824 299700 ?      Sl   16:56   6:02 /var/ossec/bin/wazuh-modulesd
wazuh    28261  0.0  1.1 428476 45792 ?        Sl   16:56   0:02 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    28282  0.0  1.0 280460 42940 ?        S    16:56   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    28285  0.0  1.0 362388 41696 ?        S    16:56   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

Worker-env1 🟢

ps aux | grep wazuh

wazuh    17236  0.5  2.3 741632 94540 ?        Sl   18:57   0:11 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    17267  0.0  0.0  39236  3412 ?        Sl   18:57   0:00 /var/ossec/bin/wazuh-integratord
wazuh    17279  0.0  0.2 775972 11072 ?        Sl   18:57   0:01 /var/ossec/bin/wazuh-db
root     17303  0.0  0.0  39288  3228 ?        Sl   18:57   0:00 /var/ossec/bin/wazuh-execd
wazuh    17305  0.0  1.4 310420 57340 ?        S    18:57   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    17308  0.0  1.5 465076 60124 ?        S    18:57   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    17324  0.0  0.7 1293328 28936 ?       Sl   18:57   0:01 /var/ossec/bin/wazuh-analysisd
root     17335  0.5  0.2 204944  8708 ?        SNl  18:57   0:10 /var/ossec/bin/wazuh-syscheckd
wazuh    17357  0.1  0.1 523728  4648 ?        Sl   18:57   0:03 /var/ossec/bin/wazuh-remoted
root     17388  0.0  0.1 481680  5012 ?        Sl   18:57   0:00 /var/ossec/bin/wazuh-logcollector
wazuh    17412  0.0  0.0  39256  3164 ?        Sl   18:57   0:00 /var/ossec/bin/wazuh-monitord
root     17460  6.5  6.8 1180896 271520 ?      Sl   18:57   2:21 /var/ossec/bin/wazuh-modulesd
wazuh    17586  0.1  1.3 588308 55152 ?        Sl   18:57   0:02 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    17810  0.0  1.1 288228 45284 ?        S    18:57   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
wazuh    18553  0.0  1.1 440844 47248 ?        S    19:00   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py

Indexers

Bootstrap 🟢

ps aux | grep wazuh

wazuh-i+ 29741  3.3 55.9 7316876 4524008 ?     Ssl  20:12   2:14 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-13248168441558767060 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

MasterB 🟢

ps aux | grep wazuh

wazuh-i+ 28811  3.1 56.2 7327416 4544820 ?     Ssl  20:09   2:15 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-12183030694015605934 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

MasterC 🟢

ps aux | grep wazuh

wazuh-i+ 28834  3.2 56.0 7322904 4531908 ?     Ssl  20:09   2:24 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3948m -Xmx3948m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-7663747929237962954 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2069889024 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Dashboard

Indexer 🟢

ps aux | grep wazuh

wazuh-i+ 26111  8.4 37.4 5816456 3031956 ?     Ssl  08:39   1:02 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-16004828063245378125 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Dashboard 🟢

ps aux | grep wazuh

wazuh-d+ 19944  1.7  1.8 994592 151328 ?       Ssl  21:45   0:09 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

[mauromalara]

Task 3: The status of the Wazuh Indexer clusters is as expected. 🟢

curl -k -u USER:PASS https://<INDEXER-IP>:9200/_cat/nodes?v

ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.0.178           18          82   0    0.00    0.00     0.00 dimr      -      node-7
10.0.2.169           33          81   0    0.00    0.00     0.00 dimr      *      node-2
10.0.2.230           12          83   0    0.02    0.01     0.00 dimr      -      node-1
10.0.2.170           23          82   0    0.00    0.00     0.00 dimr      -      node-3

[mauromalara]

Task 4: No errors in the browser's developer console when browsing the App 🔴

When accessing Home from another Opensearch module:

TypeError: NetworkError when attempting to fetch resource.
    Wrapper https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/core/core.entry.js:6
    _createSuperInternal https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/core/core.entry.js:6
    HttpFetchError https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/core/core.entry.js:6
    _callee3$ https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/core/core.entry.js:6
    tryCatch https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1
    invoke https://demo-436-info-wazuh-5d79494dfa1b98ee.elb.us-west-1.amazonaws.com/1/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1

Issue:

• TypeError in the browser's developer console wazuh-dashboard-plugins#4346

[juliamagan]

Task 5: Alerts are being generated for each of the modules configured for this purpose 🟢

These are the modules configured in environment 1, and we can see events generated in all of them:

However, Osquery is configured in this environment, but it doesn't appear. If we enable it, see can see events:

These are the modules configured in environment 2, and we can see events generated in all of them except System Auditing and Policy monitoring, but they are enabled by default:

[juliamagan]

Task 6: No warning symbols in Discover when expanding a document 🟢

After performing several tests both in Discover and in different modules, we have not been able to find any warning.

[juliamagan]

Task 7: Generate an alert and check it in the web UI 🟢

Bad connection to CentOS agent:

juliamagan@pop-os:~$ ssh -i <key> paco@13.52.153.25 
paco@13.52.153.25's password: 
Permission denied, please try again.
paco@13.52.153.25's password: 
Permission denied, please try again.
paco@13.52.153.25's password: 
paco@13.52.153.25: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Generated alerts:

Alert info

{
  "_index": "wazuh-alerts-4.x-env-1-2022.07.19",
  "_type": "_doc",
  "_id": "5xshFoIBTDDmtmfQjJ07",
  "_version": 1,
  "_score": null,
  "_source": {
    "predecoder": {
      "hostname": "ip-10-0-1-223",
      "program_name": "sshd",
      "timestamp": "Jul 19 11:04:31"
    },
    "cluster": {
      "node": "master",
      "name": "wazuh1"
    },
    "agent": {
      "ip": "10.0.1.223",
      "name": "Centos",
      "id": "002"
    },
    "data": {
      "srcuser": "paco",
      "srcip": "81.40.76.164"
    },
    "manager": {
      "name": "wazuh-manager-master-0"
    },
    "rule": {
      "mail": false,
      "level": 5,
      "hipaa": [
        "164.312.b"
      ],
      "pci_dss": [
        "10.2.4",
        "10.2.5",
        "10.6.1"
      ],
      "tsc": [
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "sshd: Attempt to login using a non-existent user",
      "groups": [
        "syslog",
        "sshd",
        "authentication_failed",
        "invalid_login"
      ],
      "nist_800_53": [
        "AU.14",
        "AC.7",
        "AU.6"
      ],
      "gdpr": [
        "IV_35.7.d",
        "IV_32.2"
      ],
      "firedtimes": 11,
      "mitre": {
        "technique": [
          "Password Guessing",
          "SSH",
          "Valid Accounts"
        ],
        "id": [
          "T1110.001",
          "T1021.004",
          "T1078"
        ],
        "tactic": [
          "Credential Access",
          "Lateral Movement",
          "Defense Evasion",
          "Persistence",
          "Privilege Escalation",
          "Initial Access"
        ]
      },
      "id": "5710",
      "gpg13": [
        "7.1"
      ]
    },
    "decoder": {
      "parent": "sshd",
      "name": "sshd"
    },
    "full_log": "Jul 19 11:04:31 ip-10-0-1-223 sshd[1892]: Failed password for invalid user paco from 81.40.76.164 port 44944 ssh2",
    "input": {
      "type": "log"
    },
    "location": "/var/log/secure",
    "id": "1658228671.118850378",
    "GeoLocation": {
      "city_name": "Cordova",
      "country_name": "Spain",
      "region_name": "Cordoba",
      "location": {
        "lon": -4.7727,
        "lat": 37.8916
      }
    },
    "timestamp": "2022-07-19T11:04:31.814+0000"
  },
  "fields": {
    "timestamp": [
      "2022-07-19T11:04:31.814Z"
    ]
  },
  "highlight": {
    "cluster.name": [
      "@opensearch-dashboards-highlighted-field@wazuh1@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1658228671814
  ]
}