
Vulnerability detection seems to be disabled or has a problem #24457 #24509

Closed
thony4uu opened this issue Jul 9, 2024 · 7 comments · Fixed by #24539
Labels: level/task, type/bug (Something isn't working)


thony4uu commented Jul 9, 2024

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.8.1 | Vulnerability Detection Feed | Manager | Installation Assistant | Ubuntu 22 |

Description

After performing the Wazuh single-node installation using the installation assistant for the #24457 E2E UX test, I encountered the following error on the Wazuh dashboard when I tried to view the vulnerabilities of the agents.

(screenshot of the dashboard error omitted)

Troubleshooting further, I saw the following errors on the Wazuh manager

root@ip-172-31-34-147:/home/ubuntu# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/07/08 18:30:24 indexer-connector: WARNING: No username and password found in the keystore, using default values.
2024/07/08 18:30:24 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-ip-172-31-34-147', retrying until the connection is successful.
2024/07/08 18:31:15 indexer-connector: WARNING: No username and password found in the keystore, using default values.
2024/07/08 18:31:15 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-ip-172-31-34-147', retrying until the connection is successful.
2024/07/08 18:35:03 wazuh-modulesd:content-updater: WARNING: The offsets download has been interrupted
2024/07/08 18:35:24 indexer-connector: WARNING: No username and password found in the keystore, using default values.
2024/07/08 18:35:24 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-ip-172-31-34-147', retrying until the connection is successful.
2024/07/08 19:23:19 wazuh-remoted: WARNING: Agent key already in use: agent ID '001'
2024/07/08 19:38:30 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: [json.exception.parse_error.101] parse error at line 1, column 9517943: syntax error while parsing value - invalid string: missing closing quote; last read: '"/contain', trying to re-download the feed.
2024/07/08 19:38:30 indexer-connector: WARNING: Failed to sync agent '001' with the indexer.
2024/07/08 19:38:31 indexer-connector: WARNING: Failed to sync agent '002' with the indexer.
2024/07/08 19:38:32 indexer-connector: WARNING: Failed to sync agent '003' with the indexer.
2024/07/08 19:38:33 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: [json.exception.out_of_range.401] array index 19 is out of range, trying to re-download the feed.
2024/07/08 21:44:22 indexer-connector: WARNING: Failed to sync agent '004' with the indexer.
2024/07/08 21:44:22 indexer-connector: WARNING: Failed to sync agent '001' with the indexer.
2024/07/08 21:44:22 indexer-connector: WARNING: Failed to sync agent '002' with the indexer.
2024/07/08 21:44:22 indexer-connector: WARNING: Failed to sync agent '003' with the indexer.
2024/07/08 21:44:43 indexer-connector: WARNING: No username and password found in the keystore, using default values.
2024/07/08 21:44:43 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-ip-172-31-34-147', retrying until the connection is successful.

Below is the Wazuh manager configuration

root@ip-172-31-34-147:/home/ubuntu# cat  /var/ossec/etc/ossec.conf
<!--
  Wazuh - Manager - Default configuration for ubuntu 22.04
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>[email protected]</email_from>
    <email_to>[email protected]</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-1.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-1-key.pem</key>
    </ssl>
  </indexer>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>127.0.0.53</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

</ossec_config>

I did further troubleshooting by checking the Filebeat configuration file and adding the credentials of the Wazuh indexer to the Wazuh manager keystore. The error persisted after performing all these steps.

root@ip-172-31-34-147:/home/ubuntu# cat /etc/filebeat/filebeat.yml
# Wazuh - Filebeat configuration file
output.elasticsearch:
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/wazuh-1.pem"
  ssl.key: "/etc/filebeat/certs/wazuh-1-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq

output.elasticsearch.hosts:
  - 127.0.0.1:9200
root@ip-172-31-34-147:/home/ubuntu# openssl x509 -in /etc/filebeat/certs/wazuh-1.pem -text -noout | grep IP
                IP Address:127.0.0.1
root@ip-172-31-34-147:/home/ubuntu# ls /etc/filebeat/certs
root-ca.pem  wazuh-1-key.pem  wazuh-1.pem
root@ip-172-31-34-147:/home/ubuntu# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
root@ip-172-31-34-147:/home/ubuntu# /var/ossec/bin/wazuh-keystore -f indexer -k password -v P.ie2eZI5S.9FLPLSRB9j7aBINgBabl.
root@ip-172-31-34-147:/home/ubuntu# systemctl restart wazuh-indexer
root@ip-172-31-34-147:/home/ubuntu# systemctl restart wazuh-manager
root@ip-172-31-34-147:/home/ubuntu# curl -u admin:P.ie2eZI5S.9FLPLSRB9j7aBINgBabl. --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/wazuh-1.pem --key /etc/filebeat/certs/wazuh-1-key.pem -X GET "https://127.0.0.1:9200/_cluster/health"
{"cluster_name":"wazuh-indexer-cluster","status":"green","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":13,"active_shards":13,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}

root@ip-172-31-34-147:/home/ubuntu# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2024/07/09 01:04:34 indexer-connector: WARNING: Failed to sync agent '002' with the indexer.
2024/07/09 01:04:34 indexer-connector: WARNING: Failed to sync agent '003' with the indexer.
2024/07/09 01:04:34 indexer-connector: WARNING: Failed to sync agent '004' with the indexer.
2024/07/09 01:04:34 indexer-connector: WARNING: Failed to sync agent '001' with the indexer.
2024/07/09 01:08:22 indexer-connector: WARNING: No username and password found in the keystore, using default values.
2024/07/09 01:08:23 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-ip-172-31-34-147', retrying until the connection is successful.
root@ip-172-31-34-147:/home/ubuntu#
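The keystore and IndexerConnector warnings above come down to the `<indexer>` and `<vulnerability-detection>` blocks of ossec.conf and the certificate paths they share with Filebeat. The script below is an added example, not code from the issue or from the Wazuh project: it extracts those settings from an ossec.conf (which may carry several top-level `<ossec_config>` elements and so is not a single well-formed XML document; the parser wraps it in a synthetic root) and reports anything that would keep the connector from coming up. The sample configuration is a constructed excerpt of the file quoted above, and the `exists` callable is injectable so the check can run without the real certificate files.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample: an excerpt of the ossec.conf quoted in this issue, kept
# to the blocks the indexer connector cares about, plus a second top-level
# <ossec_config> element as the real file has.
SAMPLE_OSSEC_CONF = """\
<!-- Wazuh - Manager - constructed excerpt for the example -->
<ossec_config>
  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-1.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-1-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may contain several top-level <ossec_config> elements, so it
    is not one well-formed XML document; wrap it in a synthetic root first."""
    return ET.fromstring("<root>" + text + "</root>")


def _text(parent, tag):
    node = parent.find(tag)
    return node.text.strip() if node is not None and node.text else None


def indexer_settings(root):
    """Merge the indexer-related settings across every <ossec_config> block."""
    settings = {
        "vd_enabled": None, "index_status": None,
        "enabled": None, "hosts": [], "ca": [], "certificate": None, "key": None,
    }
    for vd in root.iter("vulnerability-detection"):
        settings["vd_enabled"] = _text(vd, "enabled")
        settings["index_status"] = _text(vd, "index-status")
    for idx in root.iter("indexer"):
        settings["enabled"] = _text(idx, "enabled")
        settings["hosts"] += [h.text.strip() for h in idx.iter("host") if h.text]
        settings["ca"] += [c.text.strip() for c in idx.iter("ca") if c.text]
        ssl = idx.find("ssl")
        if ssl is not None:
            settings["certificate"] = _text(ssl, "certificate")
            settings["key"] = _text(ssl, "key")
    return settings


def check_indexer_settings(settings, exists=os.path.exists):
    """Return human-readable findings; an empty list means nothing obvious is wrong.
    `exists` is injectable so the check can run against constructed input."""
    findings = []
    if settings["vd_enabled"] != "yes":
        findings.append("vulnerability-detection is not enabled")
    if settings["index_status"] != "yes":
        findings.append("index-status is not 'yes': agent states will not be indexed")
    if settings["enabled"] != "yes":
        findings.append("<indexer> block is not enabled")
    if not settings["hosts"]:
        findings.append("no <host> under <indexer><hosts>")
    for host in settings["hosts"]:
        if not host.startswith("https://"):
            findings.append(f"host {host} is not https")
    for label in ("certificate", "key"):
        path = settings[label]
        if not path:
            findings.append(f"<{label}> missing under <ssl>")
        elif not exists(path):
            findings.append(f"{label} file not found: {path}")
    if not settings["ca"]:
        findings.append("no <ca> under <certificate_authorities>")
    for path in settings["ca"]:
        if not exists(path):
            findings.append(f"CA file not found: {path}")
    return findings


if __name__ == "__main__":
    # Run against a real file when given one, otherwise the constructed sample
    # (for which the certificate paths are treated as present).
    real_file = len(sys.argv) > 1
    text = open(sys.argv[1]).read() if real_file else SAMPLE_OSSEC_CONF
    exists = os.path.exists if real_file else (lambda p: True)
    report = check_indexer_settings(indexer_settings(parse_ossec_conf(text)), exists)
    for finding in report or ["no findings"]:
        print(finding)
```

Run it as `python3 check_indexer.py /var/ossec/etc/ossec.conf` on the manager; a missing certificate or key file is the first thing to rule out before looking at the keystore, since the connector cannot talk to the indexer over TLS without them.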
@MiguelazoDS commented

Testing in 4.8.0

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Installation assistant | Single node | Ubuntu 22.04 x86_64 |
| Server | Installation assistant | Single node | Ubuntu 22.04 x86_64 |
| Agent | Sources | - | Centos 9 |

Indexer

root@jammy:/home/vagrant/SINGLE_NODE# curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.8/config.yml
root@jammy:/home/vagrant/SINGLE_NODE# ls
config.yml  wazuh-install.sh
root@jammy:/home/vagrant/SINGLE_NODE#
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "127.0.0.1"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "127.0.0.1"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "127.0.0.1"
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --generate-config-files
10/07/2024 11:44:22 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
10/07/2024 11:44:22 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 11:44:25 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 11:44:34 INFO: --- Configuration files ---
10/07/2024 11:44:34 INFO: Generating configuration files.
10/07/2024 11:44:34 INFO: Generating the root certificate.
10/07/2024 11:44:34 INFO: Generating Admin certificates.
10/07/2024 11:44:34 INFO: Generating Wazuh indexer certificates.
10/07/2024 11:44:35 INFO: Generating Filebeat certificates.
10/07/2024 11:44:35 INFO: Generating Wazuh dashboard certificates.
10/07/2024 11:44:35 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
root@jammy:/home/vagrant/SINGLE_NODE# ls
wazuh-install-files.tar  wazuh-install.sh
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --wazuh-indexer node-1
10/07/2024 11:47:40 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
10/07/2024 11:47:40 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 11:47:43 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 11:47:58 INFO: --- Dependencies ----
10/07/2024 11:47:58 INFO: Installing software-properties-common.
10/07/2024 11:48:05 INFO: Wazuh repository added.
10/07/2024 11:48:05 INFO: --- Wazuh indexer ---
10/07/2024 11:48:05 INFO: Starting Wazuh indexer installation.
10/07/2024 11:49:25 INFO: Wazuh indexer installation finished.
10/07/2024 11:49:25 INFO: Wazuh indexer post-install configuration finished.
10/07/2024 11:49:25 INFO: Starting service wazuh-indexer.
10/07/2024 11:49:35 INFO: wazuh-indexer service started.
10/07/2024 11:49:35 INFO: Initializing Wazuh indexer cluster security settings.
10/07/2024 11:49:38 INFO: Wazuh indexer cluster initialized.
10/07/2024 11:49:38 INFO: Installation finished.
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --start-cluster
10/07/2024 11:50:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
10/07/2024 11:50:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 11:50:15 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 11:50:25 INFO: Wazuh indexer cluster security configuration initialized.
10/07/2024 11:50:54 INFO: Updating the internal users.
10/07/2024 11:50:55 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
10/07/2024 11:51:01 INFO: Wazuh indexer cluster started.
root@jammy:/home/vagrant/SINGLE_NODE# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
  indexer_username: 'admin'
  indexer_password: 'Id9EXe?3d5sUYMrE6z1IChWgpF9p*lRZ'
root@jammy:/home/vagrant/SINGLE_NODE# curl -k -u admin:Id9EXe?3d5sUYMrE6z1IChWgpF9p*lRZ https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "3FgXXfG-QsWKUnqmn20tTg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@jammy:/home/vagrant/SINGLE_NODE# curl -k -u admin:Id9EXe?3d5sUYMrE6z1IChWgpF9p*lRZ https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                               cluster_manager name
127.0.0.1           10          97   1    0.14    0.32     0.24 dimr      data,ingest,master,remote_cluster_client *               node-1

Server

root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --wazuh-server wazuh-1
10/07/2024 12:00:43 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
10/07/2024 12:00:43 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 12:00:46 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 12:01:04 INFO: Wazuh repository added.
10/07/2024 12:01:04 INFO: --- Wazuh server ---
10/07/2024 12:01:04 INFO: Starting the Wazuh manager installation.
10/07/2024 12:01:41 INFO: Wazuh manager installation finished.
10/07/2024 12:01:41 INFO: Wazuh manager vulnerability detection configuration finished.
10/07/2024 12:01:41 INFO: Starting service wazuh-manager.
10/07/2024 12:01:55 INFO: wazuh-manager service started.
10/07/2024 12:01:55 INFO: Starting Filebeat installation.
10/07/2024 12:02:02 INFO: Filebeat installation finished.
10/07/2024 12:02:03 INFO: Filebeat post-install configuration finished.
10/07/2024 12:02:26 INFO: Starting service filebeat.
10/07/2024 12:02:26 INFO: filebeat service started.
10/07/2024 12:02:26 INFO: Installation finished.
# Vulnerability detector - Enable or disable the scan manager
# 0. Enabled
# 1. Disabled
vulnerability-detection.disable_scan_manager=0
wazuh_modules.debug=2
root@jammy:/home/vagrant/SINGLE_NODE# wazuh-control restart
2024/07/10 12:05:53 wazuh-modulesd[138494] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2024/07/10 12:05:53 wazuh-modulesd[138494] main.c:77 at main(): DEBUG: Wazuh home directory: /var/ossec
2024/07/10 12:05:53 wazuh-modulesd[138494] wmodules-osquery-monitor.c:78 at wm_osquery_monitor_read(): DEBUG: Logpath read: /var/log/osquery/osqueryd.results.log
2024/07/10 12:05:53 wazuh-modulesd[138494] wmodules-osquery-monitor.c:84 at wm_osquery_monitor_read(): DEBUG: configPath read: /etc/osquery/osquery.conf
2024/07/10 12:05:53 wazuh-modulesd:router[138494] wm_router.c:98 at wm_router_read(): INFO: Loaded router module.
2024/07/10 12:05:53 wazuh-modulesd:content_manager[138494] wm_content_manager.c:87 at wm_content_manager_read(): INFO: Loaded content_manager module.
wazuh-clusterd not running...
Killing wazuh-modulesd...
Killing wazuh-monitord...
Killing wazuh-logcollector...
Killing wazuh-remoted...
Killing wazuh-syscheckd...
Killing wazuh-analysisd...
wazuh-maild not running...
Killing wazuh-execd...
Killing wazuh-db...
Killing wazuh-authd...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
Killing wazuh-apid...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/07/10 12:05:58 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/07/10 12:06:06 wazuh-modulesd[138940] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2024/07/10 12:06:06 wazuh-modulesd[138940] main.c:77 at main(): DEBUG: Wazuh home directory: /var/ossec
2024/07/10 12:06:06 wazuh-modulesd[138940] wmodules-osquery-monitor.c:78 at wm_osquery_monitor_read(): DEBUG: Logpath read: /var/log/osquery/osqueryd.results.log
2024/07/10 12:06:06 wazuh-modulesd[138940] wmodules-osquery-monitor.c:84 at wm_osquery_monitor_read(): DEBUG: configPath read: /etc/osquery/osquery.conf
2024/07/10 12:06:06 wazuh-modulesd:router[138940] wm_router.c:98 at wm_router_read(): INFO: Loaded router module.
2024/07/10 12:06:06 wazuh-modulesd:content_manager[138940] wm_content_manager.c:87 at wm_content_manager_read(): INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
grep -E "ERR.*|WARN.*|CRIT.*" ossec.log
2024/07/10 12:01:52 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 12:05:53 wazuh-modulesd:content-updater: WARNING: The offsets download has been interrupted
2024/07/10 12:07:19 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 12:07:29 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 12:07:39 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 12:07:49 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 12:07:59 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').

Conclusion

Note: I could not reproduce any of the reported issues in this version.

Attachments: ossec.log.tar.gz, vulnerabilities.json


MiguelazoDS commented Jul 10, 2024

Testing 4.8.1

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Installation assistant | Single node | Ubuntu 22.04 x86_64 |
| Server | Installation assistant | Single node | Ubuntu 22.04 x86_64 |
| Agent | Sources | - | Centos 9 |

Indexer

root@jammy:/home/vagrant/SINGLE_NODE# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh
root@jammy:/home/vagrant/SINGLE_NODE# curl -sO https://packages-dev.wazuh.com/4.8/config.yml
root@jammy:/home/vagrant/SINGLE_NODE# ls
config.yml  wazuh-install.sh
root@jammy:/home/vagrant/SINGLE_NODE#
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "127.0.0.1"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "127.0.0.1"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "127.0.0.1"
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --generate-config-files
10/07/2024 15:31:56 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
10/07/2024 15:31:56 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 15:31:58 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 15:32:06 INFO: --- Configuration files ---
10/07/2024 15:32:06 INFO: Generating configuration files.
10/07/2024 15:32:07 INFO: Generating the root certificate.
10/07/2024 15:32:07 INFO: Generating Admin certificates.
10/07/2024 15:32:07 INFO: Generating Wazuh indexer certificates.
10/07/2024 15:32:07 INFO: Generating Filebeat certificates.
10/07/2024 15:32:07 INFO: Generating Wazuh dashboard certificates.
10/07/2024 15:32:08 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
root@jammy:/home/vagrant/SINGLE_NODE# ls
wazuh-install-files.tar  wazuh-install.sh
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --wazuh-indexer node-1
10/07/2024 15:48:35 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
10/07/2024 15:48:35 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 15:48:38 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 15:48:57 INFO: Wazuh development repository added.
10/07/2024 15:48:57 INFO: --- Wazuh indexer ---
10/07/2024 15:48:57 INFO: Starting Wazuh indexer installation.
10/07/2024 15:49:56 INFO: Wazuh indexer installation finished.
10/07/2024 15:49:56 INFO: Wazuh indexer post-install configuration finished.
10/07/2024 15:49:56 INFO: Starting service wazuh-indexer.
10/07/2024 15:50:04 INFO: wazuh-indexer service started.
10/07/2024 15:50:04 INFO: Initializing Wazuh indexer cluster security settings.
10/07/2024 15:50:07 INFO: Wazuh indexer cluster initialized.
10/07/2024 15:50:07 INFO: Installation finished.
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --start-cluster
10/07/2024 16:03:13 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
10/07/2024 16:03:13 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 16:03:17 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 16:03:29 INFO: Wazuh indexer cluster security configuration initialized.
10/07/2024 16:03:57 INFO: Updating the internal users.
10/07/2024 16:03:59 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
10/07/2024 16:04:04 INFO: Wazuh indexer cluster started.
root@jammy:/home/vagrant/SINGLE_NODE# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
  indexer_username: 'admin'
  indexer_password: 'lVpYktFscjy1oau?149?xj1Oy*8zo5x+'
root@jammy:/home/vagrant/SINGLE_NODE# curl -k -u admin:lVpYktFscjy1oau?149?xj1Oy*8zo5x+ https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "iTTQbDJwQxSHeljf-xuEuQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@jammy:/home/vagrant/SINGLE_NODE# curl -k -u admin:lVpYktFscjy1oau?149?xj1Oy*8zo5x+ https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                               cluster_manager name
127.0.0.1           12          97   0    0.31    0.23     0.27 dimr      data,ingest,master,remote_cluster_client *               node-1

Server

root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --wazuh-server wazuh-1
10/07/2024 16:08:07 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
10/07/2024 16:08:07 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 16:08:10 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 16:08:27 INFO: Wazuh development repository added.
10/07/2024 16:08:27 INFO: --- Wazuh server ---
10/07/2024 16:08:27 INFO: Starting the Wazuh manager installation.
10/07/2024 16:09:22 INFO: Wazuh manager installation finished.
10/07/2024 16:09:22 INFO: Wazuh manager vulnerability detection configuration finished.
10/07/2024 16:09:22 INFO: Starting service wazuh-manager.
10/07/2024 16:09:35 INFO: wazuh-manager service started.
10/07/2024 16:09:35 INFO: Starting Filebeat installation.
10/07/2024 16:09:44 INFO: Filebeat installation finished.
10/07/2024 16:09:45 INFO: Filebeat post-install configuration finished.
10/07/2024 16:10:09 INFO: Starting service filebeat.
10/07/2024 16:10:09 INFO: filebeat service started.
10/07/2024 16:10:09 INFO: Installation finished.
# Vulnerability detector - Enable or disable the scan manager
# 0. Enabled
# 1. Disabled
vulnerability-detection.disable_scan_manager=0
wazuh_modules.debug=2
root@jammy:/home/vagrant/SINGLE_NODE# wazuh-keystore -f indexer -k password -v lVpYktFscjy1oau?149?xj1Oy*8zo5x+
root@jammy:/home/vagrant/SINGLE_NODE#
2024/07/10 16:09:32 indexer-connector: WARNING: No username and password found in the keystore, using default values.
2024/07/10 16:09:32 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 16:10:04 indexer-connector: WARNING: No username and password found in the keystore, using default values.
2024/07/10 16:10:04 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 16:12:01 wazuh-modulesd:content-updater: WARNING: The offsets download has been interrupted
2024/07/10 16:12:14 indexer-connector[210717] indexerConnector.cpp:82 at initConfiguration(): WARNING: No username and password found in the keystore, using default values.
2024/07/10 16:12:14 indexer-connector[210717] indexerConnector.cpp:482 at operator()(): WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 16:12:16 indexer-connector[210717] indexerConnector.cpp:446 at operator()(): WARNING: Failed to sync agent '000' with the indexer.
2024/07/10 16:12:41 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:12:51 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:13:01 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:13:11 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:13:21 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:46:07 indexer-connector[210717] indexerConnector.cpp:446 at operator()(): WARNING: Failed to sync agent '001' with the indexer.
2024/07/10 16:46:16 indexer-connector[212962] indexerConnector.cpp:82 at initConfiguration(): WARNING: No username and password found in the keystore, using default values.
2024/07/10 16:46:17 indexer-connector[212962] indexerConnector.cpp:482 at operator()(): WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 16:47:24 indexer-connector[212962] indexerConnector.cpp:446 at operator()(): WARNING: Failed to sync agent '000' with the indexer.
2024/07/10 16:47:34 indexer-connector[214893] indexerConnector.cpp:88 at initConfiguration(): WARNING: No username found in the keystore, using default value.

Conclusion

Note

I could not reproduce any of the errors mentioned in the issue. The content downloading was interrupted right after the decompression finished, to set the debug log level and enable the scan on the manager. Just a warning message was displayed.

2024/07/10 16:12:01 wazuh-modulesd:content-updater: WARNING: The offsets download has been interrupted.

ossec.log.tar.gz
vulnerabilities.json
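The manual steps in the reproduction above (reading the indexer credentials out of wazuh-passwords.txt, checking them with curl, registering them with wazuh-keystore and then watching ossec.log for the "found in the keystore" warning) collected into one script. This is an added example and is not part of this issue or of Wazuh itself. It relies only on what the page shows: the `  key: 'value'` layout of the passwords file and the `wazuh-keystore -f indexer -k <username|password> -v <value>` form of the command. The function names, the `KEYSTORE`, `OSSEC_LOG` and `INDEXER_URL` variables, the 30 second wait after the restart and the sample credentials in the comments are assumptions. Two things it does differently from the transcript: the password is always quoted (the generated one contains `?`, `*` and `+`, which bash only leaves alone while no file happens to match the glob; `failglob` or zsh would break the unquoted form), and both the username and the password are stored, since the last log line of the reproduction shows that storing only the password leaves the connector warning about a missing username.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or from Wazuh: extract the indexer
# credentials the installation assistant generated, verify them against
# the indexer, store BOTH keys in the Wazuh keystore and confirm that
# ossec.log stops reporting missing keystore entries after a restart.
# The paths and variable names below are assumptions for this example.
set -euo pipefail

KEYSTORE="${KEYSTORE:-/var/ossec/bin/wazuh-keystore}"
OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"
INDEXER_URL="${INDEXER_URL:-https://127.0.0.1:9200}"

# extract_cred KEY FILE: print the value of a "  KEY: 'value'" line from
# wazuh-passwords.txt. The value is copied verbatim, so characters the
# shell would expand (? * + $) survive untouched.
extract_cred() {
  local key="$1" file="$2"
  sed -n "s/^[[:space:]]*${key}:[[:space:]]*'\(.*\)'[[:space:]]*$/\1/p" "$file"
}

# verify_cred USER PASS: print the HTTP status of an authenticated request.
# curl reads its config from stdin (-K -) so the password does not appear
# in the process list the way "curl -u admin:password" does.
verify_cred() {
  local user="$1" pass="$2"
  curl -ksS -o /dev/null -w '%{http_code}' -K - "$INDEXER_URL" <<EOF
user = "${user}:${pass}"
EOF
}

# register_cred USER PASS: the connector warns "No username and password
# found in the keystore", so both entries are stored, each one quoted.
register_cred() {
  local user="$1" pass="$2"
  "$KEYSTORE" -f indexer -k username -v "$user"
  "$KEYSTORE" -f indexer -k password -v "$pass"
}

# count_keystore_warnings FILE [START_LINE]: number of indexer-connector
# lines from START_LINE onwards that still report a missing keystore entry.
# Pass the log length recorded before the restart to look only at new lines.
count_keystore_warnings() {
  local file="$1" start="${2:-1}"
  tail -n "+$start" "$file" | grep -c 'indexer-connector.*found in the keystore' || true
}

main() {
  local pwfile="${1:?usage: $0 wazuh-passwords.txt}"
  local user pass code before
  user="$(extract_cred indexer_username "$pwfile")"
  pass="$(extract_cred indexer_password "$pwfile")"
  code="$(verify_cred "$user" "$pass")"
  if [ "$code" != 200 ]; then
    echo "indexer rejected the credentials (HTTP $code); not touching the keystore" >&2
    return 1
  fi
  register_cred "$user" "$pass"
  before=$(( $(wc -l < "$OSSEC_LOG") + 1 ))
  systemctl restart wazuh-manager
  sleep 30   # assumption: long enough for the connector to log its first attempt
  echo "keystore warnings since restart: $(count_keystore_warnings "$OSSEC_LOG" "$before")"
}

# Only run the procedure when a passwords file is given, so the functions
# can also be sourced and used one at a time.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as `bash register-indexer-creds.sh wazuh-install-files/wazuh-passwords.txt` after extracting the tarball; a non-zero count after the restart means the keystore entries were still not picked up and the rest of ossec.log is worth attaching to the issue.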

@sebasfalcone sebasfalcone changed the title Vulnerability detection seems to be disabled or has a problem#24457 Vulnerability detection seems to be disabled or has a problem #24457 Jul 10, 2024
@MiguelazoDS
Member

Hi @thony4uu,

We would like to see the logs of that environment looking for some messages that could give us more insights about this issue. It was not possible to reproduce following the same steps for 4.8.0 and 4.8.1. Since this is related to content, it's independent of the version.

Regards!

@thony4uu
Member Author

Hello @MiguelazoDS, can you please let me know which logs you want?

@Dwordcito Dwordcito assigned Dwordcito and unassigned MiguelazoDS Jul 11, 2024
@Dwordcito Dwordcito linked a pull request Jul 11, 2024 that will close this issue
@Dwordcito
Member

Update

  • Draft PR created.
  • Unit tests / Test in progress.

@MiguelazoDS
Member

@thony4uu I was asking for the full ossec.log file, but now @Dwordcito is addressing this issue, so don't worry.

@Dwordcito
Member

Dwordcito commented Jul 12, 2024

Update
- Added component tests.
- Added unit test for the helper functions.
- keystore project cleanup.
- moved to ready to review
