Vulnerability detection seems to be disabled or has a problem #24457 #24509
Comments
Testing in 4.8.0
Indexer
root@jammy:/home/vagrant/SINGLE_NODE# curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.8/config.yml
root@jammy:/home/vagrant/SINGLE_NODE# ls
config.yml wazuh-install.sh
root@jammy:/home/vagrant/SINGLE_NODE#
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "127.0.0.1"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"
  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "127.0.0.1"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "127.0.0.1"
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --generate-config-files
10/07/2024 11:44:22 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
10/07/2024 11:44:22 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 11:44:25 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 11:44:34 INFO: --- Configuration files ---
10/07/2024 11:44:34 INFO: Generating configuration files.
10/07/2024 11:44:34 INFO: Generating the root certificate.
10/07/2024 11:44:34 INFO: Generating Admin certificates.
10/07/2024 11:44:34 INFO: Generating Wazuh indexer certificates.
10/07/2024 11:44:35 INFO: Generating Filebeat certificates.
10/07/2024 11:44:35 INFO: Generating Wazuh dashboard certificates.
10/07/2024 11:44:35 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
root@jammy:/home/vagrant/SINGLE_NODE# ls
wazuh-install-files.tar wazuh-install.sh
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --wazuh-indexer node-1
10/07/2024 11:47:40 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
10/07/2024 11:47:40 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 11:47:43 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 11:47:58 INFO: --- Dependencies ----
10/07/2024 11:47:58 INFO: Installing software-properties-common.
10/07/2024 11:48:05 INFO: Wazuh repository added.
10/07/2024 11:48:05 INFO: --- Wazuh indexer ---
10/07/2024 11:48:05 INFO: Starting Wazuh indexer installation.
10/07/2024 11:49:25 INFO: Wazuh indexer installation finished.
10/07/2024 11:49:25 INFO: Wazuh indexer post-install configuration finished.
10/07/2024 11:49:25 INFO: Starting service wazuh-indexer.
10/07/2024 11:49:35 INFO: wazuh-indexer service started.
10/07/2024 11:49:35 INFO: Initializing Wazuh indexer cluster security settings.
10/07/2024 11:49:38 INFO: Wazuh indexer cluster initialized.
10/07/2024 11:49:38 INFO: Installation finished.
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --start-cluster
10/07/2024 11:50:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
10/07/2024 11:50:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 11:50:15 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 11:50:25 INFO: Wazuh indexer cluster security configuration initialized.
10/07/2024 11:50:54 INFO: Updating the internal users.
10/07/2024 11:50:55 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
10/07/2024 11:51:01 INFO: Wazuh indexer cluster started.
root@jammy:/home/vagrant/SINGLE_NODE# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
indexer_username: 'admin'
indexer_password: 'Id9EXe?3d5sUYMrE6z1IChWgpF9p*lRZ'
root@jammy:/home/vagrant/SINGLE_NODE# curl -k -u admin:Id9EXe?3d5sUYMrE6z1IChWgpF9p*lRZ https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "3FgXXfG-QsWKUnqmn20tTg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@jammy:/home/vagrant/SINGLE_NODE# curl -k -u admin:Id9EXe?3d5sUYMrE6z1IChWgpF9p*lRZ https://127.0.0.1:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
127.0.0.1 10 97 1 0.14 0.32 0.24 dimr data,ingest,master,remote_cluster_client * node-1
Server
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --wazuh-server wazuh-1
10/07/2024 12:00:43 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
10/07/2024 12:00:43 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 12:00:46 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 12:01:04 INFO: Wazuh repository added.
10/07/2024 12:01:04 INFO: --- Wazuh server ---
10/07/2024 12:01:04 INFO: Starting the Wazuh manager installation.
10/07/2024 12:01:41 INFO: Wazuh manager installation finished.
10/07/2024 12:01:41 INFO: Wazuh manager vulnerability detection configuration finished.
10/07/2024 12:01:41 INFO: Starting service wazuh-manager.
10/07/2024 12:01:55 INFO: wazuh-manager service started.
10/07/2024 12:01:55 INFO: Starting Filebeat installation.
10/07/2024 12:02:02 INFO: Filebeat installation finished.
10/07/2024 12:02:03 INFO: Filebeat post-install configuration finished.
10/07/2024 12:02:26 INFO: Starting service filebeat.
10/07/2024 12:02:26 INFO: filebeat service started.
10/07/2024 12:02:26 INFO: Installation finished.
# Vulnerability detector - Enable or disable the scan manager
# 0. Enabled
# 1. Disabled
vulnerability-detection.disable_scan_manager=0
wazuh_modules.debug=2
root@jammy:/home/vagrant/SINGLE_NODE# wazuh-control restart
2024/07/10 12:05:53 wazuh-modulesd[138494] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2024/07/10 12:05:53 wazuh-modulesd[138494] main.c:77 at main(): DEBUG: Wazuh home directory: /var/ossec
2024/07/10 12:05:53 wazuh-modulesd[138494] wmodules-osquery-monitor.c:78 at wm_osquery_monitor_read(): DEBUG: Logpath read: /var/log/osquery/osqueryd.results.log
2024/07/10 12:05:53 wazuh-modulesd[138494] wmodules-osquery-monitor.c:84 at wm_osquery_monitor_read(): DEBUG: configPath read: /etc/osquery/osquery.conf
2024/07/10 12:05:53 wazuh-modulesd:router[138494] wm_router.c:98 at wm_router_read(): INFO: Loaded router module.
2024/07/10 12:05:53 wazuh-modulesd:content_manager[138494] wm_content_manager.c:87 at wm_content_manager_read(): INFO: Loaded content_manager module.
wazuh-clusterd not running...
Killing wazuh-modulesd...
Killing wazuh-monitord...
Killing wazuh-logcollector...
Killing wazuh-remoted...
Killing wazuh-syscheckd...
Killing wazuh-analysisd...
wazuh-maild not running...
Killing wazuh-execd...
Killing wazuh-db...
Killing wazuh-authd...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
Killing wazuh-apid...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/07/10 12:05:58 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/07/10 12:06:06 wazuh-modulesd[138940] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2024/07/10 12:06:06 wazuh-modulesd[138940] main.c:77 at main(): DEBUG: Wazuh home directory: /var/ossec
2024/07/10 12:06:06 wazuh-modulesd[138940] wmodules-osquery-monitor.c:78 at wm_osquery_monitor_read(): DEBUG: Logpath read: /var/log/osquery/osqueryd.results.log
2024/07/10 12:06:06 wazuh-modulesd[138940] wmodules-osquery-monitor.c:84 at wm_osquery_monitor_read(): DEBUG: configPath read: /etc/osquery/osquery.conf
2024/07/10 12:06:06 wazuh-modulesd:router[138940] wm_router.c:98 at wm_router_read(): INFO: Loaded router module.
2024/07/10 12:06:06 wazuh-modulesd:content_manager[138940] wm_content_manager.c:87 at wm_content_manager_read(): INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
grep -E "ERR.*|WARN.*|CRIT.*" ossec.log
2024/07/10 12:01:52 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 12:05:53 wazuh-modulesd:content-updater: WARNING: The offsets download has been interrupted
2024/07/10 12:07:19 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 12:07:29 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 12:07:39 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 12:07:49 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 12:07:59 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
Conclusion
Note: I could not reproduce any of the reported issues in this version.
Testing 4.8.1
Indexer
root@jammy:/home/vagrant/SINGLE_NODE# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh
root@jammy:/home/vagrant/SINGLE_NODE# curl -sO https://packages-dev.wazuh.com/4.8/config.yml
root@jammy:/home/vagrant/SINGLE_NODE# ls
config.yml wazuh-install.sh
root@jammy:/home/vagrant/SINGLE_NODE#
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "127.0.0.1"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"
  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "127.0.0.1"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "127.0.0.1"
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --generate-config-files
10/07/2024 15:31:56 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
10/07/2024 15:31:56 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 15:31:58 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 15:32:06 INFO: --- Configuration files ---
10/07/2024 15:32:06 INFO: Generating configuration files.
10/07/2024 15:32:07 INFO: Generating the root certificate.
10/07/2024 15:32:07 INFO: Generating Admin certificates.
10/07/2024 15:32:07 INFO: Generating Wazuh indexer certificates.
10/07/2024 15:32:07 INFO: Generating Filebeat certificates.
10/07/2024 15:32:07 INFO: Generating Wazuh dashboard certificates.
10/07/2024 15:32:08 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
root@jammy:/home/vagrant/SINGLE_NODE# ls
wazuh-install-files.tar wazuh-install.sh
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --wazuh-indexer node-1
10/07/2024 15:48:35 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
10/07/2024 15:48:35 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 15:48:38 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 15:48:57 INFO: Wazuh development repository added.
10/07/2024 15:48:57 INFO: --- Wazuh indexer ---
10/07/2024 15:48:57 INFO: Starting Wazuh indexer installation.
10/07/2024 15:49:56 INFO: Wazuh indexer installation finished.
10/07/2024 15:49:56 INFO: Wazuh indexer post-install configuration finished.
10/07/2024 15:49:56 INFO: Starting service wazuh-indexer.
10/07/2024 15:50:04 INFO: wazuh-indexer service started.
10/07/2024 15:50:04 INFO: Initializing Wazuh indexer cluster security settings.
10/07/2024 15:50:07 INFO: Wazuh indexer cluster initialized.
10/07/2024 15:50:07 INFO: Installation finished.
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --start-cluster
10/07/2024 16:03:13 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
10/07/2024 16:03:13 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 16:03:17 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 16:03:29 INFO: Wazuh indexer cluster security configuration initialized.
10/07/2024 16:03:57 INFO: Updating the internal users.
10/07/2024 16:03:59 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
10/07/2024 16:04:04 INFO: Wazuh indexer cluster started.
root@jammy:/home/vagrant/SINGLE_NODE# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
indexer_username: 'admin'
indexer_password: 'lVpYktFscjy1oau?149?xj1Oy*8zo5x+'
root@jammy:/home/vagrant/SINGLE_NODE# curl -k -u admin:lVpYktFscjy1oau?149?xj1Oy*8zo5x+ https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "iTTQbDJwQxSHeljf-xuEuQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@jammy:/home/vagrant/SINGLE_NODE# curl -k -u admin:lVpYktFscjy1oau?149?xj1Oy*8zo5x+ https://127.0.0.1:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
127.0.0.1 12 97 0 0.31 0.23 0.27 dimr data,ingest,master,remote_cluster_client * node-1
Server
root@jammy:/home/vagrant/SINGLE_NODE# bash wazuh-install.sh --wazuh-server wazuh-1
10/07/2024 16:08:07 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
10/07/2024 16:08:07 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/07/2024 16:08:10 INFO: Verifying that your system meets the recommended minimum hardware requirements.
10/07/2024 16:08:27 INFO: Wazuh development repository added.
10/07/2024 16:08:27 INFO: --- Wazuh server ---
10/07/2024 16:08:27 INFO: Starting the Wazuh manager installation.
10/07/2024 16:09:22 INFO: Wazuh manager installation finished.
10/07/2024 16:09:22 INFO: Wazuh manager vulnerability detection configuration finished.
10/07/2024 16:09:22 INFO: Starting service wazuh-manager.
10/07/2024 16:09:35 INFO: wazuh-manager service started.
10/07/2024 16:09:35 INFO: Starting Filebeat installation.
10/07/2024 16:09:44 INFO: Filebeat installation finished.
10/07/2024 16:09:45 INFO: Filebeat post-install configuration finished.
10/07/2024 16:10:09 INFO: Starting service filebeat.
10/07/2024 16:10:09 INFO: filebeat service started.
10/07/2024 16:10:09 INFO: Installation finished.
# Vulnerability detector - Enable or disable the scan manager
# 0. Enabled
# 1. Disabled
vulnerability-detection.disable_scan_manager=0
wazuh_modules.debug=2
root@jammy:/home/vagrant/SINGLE_NODE# wazuh-keystore -f indexer -k password -v lVpYktFscjy1oau?149?xj1Oy*8zo5x+
root@jammy:/home/vagrant/SINGLE_NODE#
2024/07/10 16:09:32 indexer-connector: WARNING: No username and password found in the keystore, using default values.
2024/07/10 16:09:32 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 16:10:04 indexer-connector: WARNING: No username and password found in the keystore, using default values.
2024/07/10 16:10:04 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 16:12:01 wazuh-modulesd:content-updater: WARNING: The offsets download has been interrupted
2024/07/10 16:12:14 indexer-connector[210717] indexerConnector.cpp:82 at initConfiguration(): WARNING: No username and password found in the keystore, using default values.
2024/07/10 16:12:14 indexer-connector[210717] indexerConnector.cpp:482 at operator()(): WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 16:12:16 indexer-connector[210717] indexerConnector.cpp:446 at operator()(): WARNING: Failed to sync agent '000' with the indexer.
2024/07/10 16:12:41 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:12:51 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:13:01 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:13:11 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:13:21 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:46:07 indexer-connector[210717] indexerConnector.cpp:446 at operator()(): WARNING: Failed to sync agent '001' with the indexer.
2024/07/10 16:46:16 indexer-connector[212962] indexerConnector.cpp:82 at initConfiguration(): WARNING: No username and password found in the keystore, using default values.
2024/07/10 16:46:17 indexer-connector[212962] indexerConnector.cpp:482 at operator()(): WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 16:47:24 indexer-connector[212962] indexerConnector.cpp:446 at operator()(): WARNING: Failed to sync agent '000' with the indexer.
2024/07/10 16:47:34 indexer-connector[214893] indexerConnector.cpp:88 at initConfiguration(): WARNING: No username found in the keystore, using default value.
Conclusion
Note: I could not reproduce any of the errors mentioned in the issue. The content downloading was interrupted right after the decompression finished to set the debug level log and enable the scan on the manager. Just a warning message was displayed.
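The warning triage done with `grep` in the two test reports above, as an added example (not part of the thread and not Wazuh code): it parses both `ossec.log` line layouts seen here, collapses repeated warnings, lists agents that failed to sync, and reports which keystore entries the indexer-connector most recently logged as missing. The function names `parse` and `triage` are hypothetical; the sample lines are copied from the reports on this page.

```python
import re
from collections import Counter

# ossec.log uses two layouts: "tag: LEVEL: msg" and, once wazuh_modules.debug=2
# is set, "tag[pid] file:line at func(): LEVEL: msg". One pattern covers both.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<tag>[\w:.-]+?)(?:\[(?P<pid>\d+)\])?"
    r"(?: (?P<src>\S+:\d+) at (?P<func>[^:]+?\(\)))?"
    r": (?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL): (?P<msg>.*)$"
)
MISSING_RE = re.compile(r"No (.+?) found in the keystore")
SYNC_RE = re.compile(r"Failed to sync agent '(\d+)' with the indexer")

# Sample lines copied from the test reports on this page.
SAMPLE = """\
Started wazuh-modulesd...
2024/07/10 12:06:06 wazuh-modulesd:router[138940] wm_router.c:98 at wm_router_read(): INFO: Loaded router module.
2024/07/10 16:09:32 indexer-connector: WARNING: No username and password found in the keystore, using default values.
2024/07/10 16:09:32 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-jammy', retrying until the connection is successful.
2024/07/10 16:12:01 wazuh-modulesd:content-updater: WARNING: The offsets download has been interrupted
2024/07/10 16:12:14 indexer-connector[210717] indexerConnector.cpp:82 at initConfiguration(): WARNING: No username and password found in the keystore, using default values.
2024/07/10 16:12:16 indexer-connector[210717] indexerConnector.cpp:446 at operator()(): WARNING: Failed to sync agent '000' with the indexer.
2024/07/10 16:12:41 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:12:51 wazuh-remoted: WARNING: (1408): Invalid ID 001 for the source ip: '192.168.33.65' (name 'unknown').
2024/07/10 16:46:07 indexer-connector[210717] indexerConnector.cpp:446 at operator()(): WARNING: Failed to sync agent '001' with the indexer.
2024/07/10 16:47:34 indexer-connector[214893] indexerConnector.cpp:88 at initConfiguration(): WARNING: No username found in the keystore, using default value.
""".splitlines()


def parse(line):
    """Return the fields of one ossec.log line, or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Summarise warnings: repeat counts, unsynced agents, last missing keystore keys."""
    counts, agents, missing = Counter(), set(), []
    for rec in filter(None, map(parse, lines)):
        if rec["level"] not in ("WARNING", "ERROR", "CRITICAL"):
            continue
        counts[(rec["tag"], rec["msg"])] += 1  # pid/source stripped, so layouts merge
        if rec["tag"] == "indexer-connector":
            if (m := SYNC_RE.search(rec["msg"])):
                agents.add(m.group(1))
            if (m := MISSING_RE.search(rec["msg"])):
                # Later lines overwrite earlier ones: keep the latest state only.
                missing = m.group(1).split(" and ")
    return {"counts": counts, "unsynced_agents": sorted(agents), "keystore_missing": missing}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for (tag, msg), n in report["counts"].most_common():
        print(f"{n:>3}x {tag}: {msg}")
    print("unsynced agents:", report["unsynced_agents"])
    print("keystore keys last reported missing:", report["keystore_missing"])
```

On these lines the last indexer-connector start reports only the username as missing, which is the state to compare against the `wazuh-keystore` entries that were actually written.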
Hi @thony4uu, We would like to see the logs of that environment looking for some messages that could give us more insights about this issue. It was not possible to reproduce following the same steps for 4.8.0 and 4.8.1. Since this is related to content, it's independent of the version. Regards!
Hello @MiguelazoDS, please can you let me know the logs you want.
Update
@thony4uu I was asking for the full ossec.log file, but now dworcito is addressing this issue, so don't worry.
Update
Description
After performing the Wazuh single-node installation using the installation assistant for the #24457 E2E UX test, I encountered the following error on the Wazuh dashboard when I tried viewing the vulnerability for the agents.
Troubleshooting further, I saw the following errors on the Wazuh manager
Below is the Wazuh manager configuration
I did further troubleshooting by checking the Filebeat configuration file and adding the credentials of the Wazuh indexer to the Wazuh manager keystore. The error persisted after performing all these steps.