Comments (4)
Update Report
Workaround
The workaround is the following:
- Stop manager and Filebeat services
- Delete indexes (wazuh-alerts, wazuh-archives, wazuh-states-vulnerabilities, wazuh-statistics, wazuh-monitoring) with the curl -u <username>:<password> -XDELETE https://<INDEXER_IP> -k command
- Execute ISM script to recreate wazuh-alerts and wazuh-archives indexes (with -i <INDEXER_IP> -p )
- Stop indexer and dashboard services.
- Empty files: ossec.log, alerts.log, alerts.json, indexer, etc. Using the find <path> -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \; command on:
  /var/ossec/logs
  /var/log/wazuh-indexer/
  /var/log/filebeat/
  /usr/share/wazuh-dashboard/data/wazuh/logs/
Related lines: https://github.com/wazuh/wazuh-packages/blob/4.8.0/ova/provision.sh#L44-L49
Another workaround could be studied considering wazuh/wazuh-indexer#150
PoC
I followed the steps given above and the alerts are deleted and re-created successfully:
Alerts are being collected correctly and no old alerts are displayed:
from wazuh-packages.
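The workaround above as one script with result checks, added here as an example; it is not the project's provision.sh. It assumes an all-in-one node with the indexer on 127.0.0.1:9200, credentials passed in through INDEXER_USER/INDEXER_PASS, and the ISM init script at the path shown in the Jenkins output of this issue; truncate_logs, count_nonempty and delete_index_pattern are helper names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's provision.sh: the OVA cleanup workaround
# as one script with result checks. Assumes an all-in-one node (indexer on
# 127.0.0.1:9200) and credentials supplied through the environment.
set -eu

INDEXER_IP="${INDEXER_IP:-127.0.0.1}"
INDEXER_USER="${INDEXER_USER:-admin}"
INDEXER_PASS="${INDEXER_PASS:-}"   # deliberately no default: never bake admin:admin into a script

# Index name prefixes to wipe (each is deleted as "<prefix>-*"), from the workaround list.
INDEXES="wazuh-alerts wazuh-archives wazuh-states-vulnerabilities wazuh-statistics wazuh-monitoring"

# Log directories whose files are truncated in place, from the workaround list.
LOG_DIRS="/var/ossec/logs /var/log/wazuh-indexer /var/log/filebeat /usr/share/wazuh-dashboard/data/wazuh/logs"

# Truncate every regular file below a directory. Files are emptied, not removed,
# so ownership, permissions and open file handles survive the cleanup.
# Returns 1 when the directory is missing so a typo in LOG_DIRS is not skipped silently.
truncate_logs() {
  dir="$1"
  [ -d "$dir" ] || return 1
  find "$dir" -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \;
}

# Number of regular files below a directory that still contain data (verification helper).
count_nonempty() {
  find "$1" -type f -size +0c | wc -l | tr -d ' '
}

# Delete one index pattern and fail on anything other than an acknowledged delete,
# so a wrong password or a stopped indexer does not leave old alerts in the image.
delete_index_pattern() {
  prefix="$1"
  code=$(curl -s -o /dev/null -w '%{http_code}' -k \
           -u "${INDEXER_USER}:${INDEXER_PASS}" \
           -XDELETE "https://${INDEXER_IP}:9200/${prefix}-*")
  case "$code" in
    200) return 0 ;;
    401) echo "indexer rejected the credentials while deleting ${prefix}-*" >&2; return 1 ;;
    *)   echo "delete of ${prefix}-* failed (HTTP ${code})" >&2; return 1 ;;
  esac
}

# The full procedure in the order given in the workaround.
main() {
  [ -n "$INDEXER_PASS" ] || { echo "INDEXER_PASS is not set" >&2; return 1; }
  systemctl stop filebeat wazuh-manager
  for prefix in $INDEXES; do
    delete_index_pattern "$prefix"
  done
  # Recreate wazuh-alerts and wazuh-archives with their ISM policies while the indexer is still up.
  bash /usr/share/wazuh-indexer/bin/indexer-ism-init.sh -i "$INDEXER_IP" -p "$INDEXER_PASS"
  systemctl stop wazuh-indexer wazuh-dashboard
  for dir in $LOG_DIRS; do
    truncate_logs "$dir"
  done
  # Verify nothing from the build session is left in the shipped log files.
  for dir in $LOG_DIRS; do
    [ "$(count_nonempty "$dir")" = "0" ] || { echo "non-empty log files remain in $dir" >&2; return 1; }
  done
  cat /dev/null > ~/.bash_history   # build-time commands must not ship in the image either
}

# Run the procedure only when invoked as: ./ova_cleanup.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

The verification loop is the part the original steps lack: it makes the build fail if any listed directory still holds data, instead of silently shipping the image.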
Update Report
I found a problem and it seems that the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file is empty after the OVA generation, leading to this error:
I am currently investigating why this file is empty.
Update Report
Investigation
After a further investigation with @rauldpm, we concluded that a shutdown of the VM is necessary before generating the OVA to save the state of the machine. With this shutdown, it is proven that the wazuh.yml of the Wazuh dashboard has the correct content.
This is related to:
- https://github.com/wazuh/wazuh-packages/pull/2365/files
- https://github.com/wazuh/wazuh-jenkins/issues/2541#issuecomment-832924588
To summarize, the postProvision.sh script that was removed from the OVA generation was in charge of cleaning up all the unnecessary files, removing the vagrant user (currently unnecessary because the Vagrant box used to generate the OVA does not have the Vagrant user), and shutting down the machine to save its state.
The shutdown can't be added directly to the provision.sh because this script is used in the automated OVA generation in Jenkins, related:
In this YAML, the cleanup and the shutdown of the machine are performed in other tasks. Then, we can not add the shutdown to the provision.sh because it will shut down the machine before all tasks are executed:
The shutdown will be executed in the Run provision script task and the machine will be powered off.
- name: Run provision script
  command: "sh provision.sh {{ repository }} {{ debug }}"
  args:
    chdir: "{{ packages_path }}/ova"
- name: Clean provision files
  file:
    path: /var/provision/
    state: absent
- name: Clean unattended resources
  file:
    path: /tmp/{{ unattended_scripts }}
    state: absent
- name: Clean logs
  command: find /var/log/ -type f -exec bash -c 'cat /dev/null > {}' \;
- name: Clean history
  shell: cat /dev/null > ~/.bash_history && history -c
Another possible solution could be to add these tasks to the provision.sh script, but to modularize the tasks of the OVA generation and to preserve the definition and objective of these files, it is better to have these tasks separately.
As a conclusion, the postProvision.sh script will be restored to the OVA generation, saving the machine state and performing all the cleanup stages, without affecting the pipeline.
Update Report
🟢 Testing in local
After the OVA generation in local, it seems that the alerts have been collected and generated since the machine was started (the first alert is generated at 12:57:11.329, one minute after the machine is started), so no previous logs are displayed:
(Notice that it is necessary to add an hour to get the real time)
[root@wazuh-server wazuh-user]# uptime -p -s
2024-02-14 11:56:42
The indices are created and in a green state:
After these changes, the collected logs also start from when the machine was booted:
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/ossec.log | head -n 10
2024/02/14 12:56:51 wazuh-modulesd:router: INFO: Loaded router module.
2024/02/14 12:56:51 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2024/02/14 12:56:53 wazuh-dbd: INFO: Database not configured. Clean exit.
2024/02/14 12:56:53 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
2024/02/14 12:56:53 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit.
2024/02/14 12:56:53 wazuh-agentlessd: INFO: Not configured. Exiting.
2024/02/14 12:56:53 wazuh-authd: INFO: Started (pid: 9960).
2024/02/14 12:56:53 wazuh-authd: INFO: Accepting connections on port 1515. No password required.
2024/02/14 12:56:53 wazuh-authd: INFO: Setting network timeout to 1.000000 sec.
2024/02/14 12:56:54 wazuh-db: INFO: Started (pid: 10383).
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.json | head -n 10
{"timestamp":"2024-02-14T12:57:01.679+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707915421.0","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 2987/sshd\ntcp6 :::22 :::* 2987/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 3100/master\nudp 0.0.0.0:68 0.0.0.0:* 17816/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2109/rpcbind\ntcp6 :::111 :::* 2109/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2109/rpcbind\nudp6 :::111 :::* 2109/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 2145/chronyd\nudp6 ::1:323 :::* 2145/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 16412/node\nudp 0.0.0.0:1011 0.0.0.0:* 2109/rpcbind\nudp6 :::1011 :::* 2109/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 17465/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17329/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 12807/java\ntcp6 127.0.0.1:9300 :::* 12807/java\ntcp 0.0.0.0:55000 0.0.0.0:* 17280/python3","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 8151/sshd\ntcp6 :::22 :::* 8151/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 8347/master\nudp 0.0.0.0:68 0.0.0.0:* 7452/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2073/rpcbind\ntcp6 :::111 :::* 2073/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2073/rpcbind\nudp6 :::111 :::* 2073/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 2085/chronyd\nudp6 ::1:323 :::* 2085/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 2041/node\nudp 0.0.0.0:935 0.0.0.0:* 2073/rpcbind\nudp6 :::935 :::* 2073/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 13131/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 9960/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 8142/java\ntcp6 127.0.0.1:9300 :::* 8142/java\ntcp 0.0.0.0:55000 0.0.0.0:* 9867/python3","decoder":{"name":"ossec"},"previous_log":"ossec: 
output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 2987/sshd\ntcp6 :::22 :::* 2987/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 3100/master\nudp 0.0.0.0:68 0.0.0.0:* 17816/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2109/rpcbind\ntcp6 :::111 :::* 2109/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2109/rpcbind\nudp6 :::111 :::* 2109/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 2145/chronyd\nudp6 ::1:323 :::* 2145/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 16412/node\nudp 0.0.0.0:1011 0.0.0.0:* 2109/rpcbind\nudp6 :::1011 :::* 2109/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 17465/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17329/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 12807/java\ntcp6 127.0.0.1:9300 :::* 12807/java\ntcp 0.0.0.0:55000 0.0.0.0:* 17280/python3","location":"netstat listening ports"}
{"timestamp":"2024-02-14T11:57:11.329+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911831.1744","full_log":"Feb 14 11:57:10 wazuh-server login: pam_unix(login:session): session opened for user wazuh-user by LOGIN(uid=0)","predecoder":{"program_name":"login","timestamp":"Feb 14 11:57:10","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"LOGIN","dstuser":"wazuh-user","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:12.364+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911832.2177","full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2024-02-14T11:57:13.331+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":2,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911833.2428","full_log":"Feb 14 11:57:13 wazuh-server sudo: pam_unix(sudo:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"sudo","timestamp":"Feb 14 11:57:13","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:13.331+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":1,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911833.2852","full_log":"Feb 14 11:57:13 wazuh-server sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Feb 14 11:57:13","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:13.331+0000","rule":{"level":4,"description":"First time user executed sudo.","id":"5403","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911833.3225","full_log":"Feb 14 11:57:13 wazuh-server sudo: wazuh-user : TTY=tty1 ; PWD=/home/wazuh-user ; USER=root ; COMMAND=/bin/loadkeys#040es","predecoder":{"program_name":"sudo","timestamp":"Feb 14 11:57:13","hostname":"wazuh-server"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"wazuh-user","dstuser":"root","tty":"tty1","pwd":"/home/wazuh-user","command":"/bin/loadkeys#040es"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:15.332+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911835.3569","full_log":"Feb 14 11:57:14 wazuh-server sudo: wazuh-user : TTY=tty1 ; PWD=/home/wazuh-user ; USER=root ; COMMAND=/bin/su","predecoder":{"program_name":"sudo","timestamp":"Feb 14 11:57:14","hostname":"wazuh-server"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"wazuh-user","dstuser":"root","tty":"tty1","pwd":"/home/wazuh-user","command":"/bin/su"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:15.332+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":4,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911835.4064","full_log":"Feb 14 11:57:14 wazuh-server su: pam_unix(su:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"su","timestamp":"Feb 14 11:57:14","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T11:57:15.332+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707911835.4484","full_log":"Feb 14 11:57:14 wazuh-server sudo: pam_unix(sudo:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"sudo","timestamp":"Feb 14 11:57:14","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T12:17:31.049+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110.001","T1021.004"],"tactic":["Credential Access","Lateral Movement"],"technique":["Password Guessing","SSH"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707913051.4908","full_log":"Feb 14 12:17:30 wazuh-server sshd[19246]: Invalid user wazuh-server from 192.168.1.240 port 49672","predecoder":{"program_name":"sshd","timestamp":"Feb 14 12:17:30","hostname":"wazuh-server"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.1.240","srcport":"49672","srcuser":"wazuh-server"},"location":"/var/log/secure"}
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | head -n 10
{"date":"2024-02-14T11:57:05.763Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2024-02-14T11:57:05.763Z","level":"info","location":"initialize","message":"App revision: 03"}
{"date":"2024-02-14T11:57:05.764Z","level":"info","location":"initialize","message":"Total RAM: 7964MB"}
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# cat /var/log/wazuh-indexer/wazuh-cluster.log | head -n 10
[2024-02-14T12:56:53,563][INFO ][o.o.n.Node ] [node-1] version[2.10.0], pid[8142], build[rpm/eee49cb340edc6c4d489bcd9324dda571fc8dc03/2023-09-20T23:54:29.889267151Z], OS[Linux/4.14.336-255.557.amzn2.x86_64/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/17.0.8/17.0.8+7]
[2024-02-14T12:56:53,564][INFO ][o.o.n.Node ] [node-1] JVM home [/usr/share/wazuh-indexer/jdk], using bundled JDK/JRE [true]
[2024-02-14T12:56:53,565][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-15227882268441032914, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-02-14T12:56:54,557][INFO ][o.o.s.s.t.SSLConfig ] [node-1] SSL dual mode is disabled
[2024-02-14T12:56:54,557][INFO ][o.o.s.OpenSearchSecurityPlugin] [node-1] OpenSearch Config path is /etc/wazuh-indexer
[2024-02-14T12:56:54,760][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] JVM supports TLSv1.3
[2024-02-14T12:56:54,761][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] Config directory is /etc/wazuh-indexer/, from there the key- and truststore files are resolved relatively
[2024-02-14T12:56:55,154][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS Transport Client Provider : JDK
[2024-02-14T12:56:55,155][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS Transport Server Provider : JDK
[2024-02-14T12:56:55,155][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS HTTP Provider : JDK
[root@wazuh-server wazuh-user]# cat /var/log/filebeat/filebeat | head -n 10
2024-02-14T12:56:50.760Z INFO instance/beat.go:645 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-02-14T12:56:50.760Z INFO instance/beat.go:653 Beat ID: ed1fd3a5-f0b7-4114-b43e-48fee2fc917d
2024-02-14T12:56:50.761Z INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2024-02-14T12:56:50.761Z INFO [beat] instance/beat.go:981 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "ed1fd3a5-f0b7-4114-b43e-48fee2fc917d"}}}
2024-02-14T12:56:50.761Z INFO [beat] instance/beat.go:990 Build info {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-02-14T12:56:50.761Z INFO [beat] instance/beat.go:993 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2024-02-14T12:56:50.761Z INFO [beat] instance/beat.go:997 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-02-14T12:56:40Z","containerized":false,"name":"wazuh-server","ip":["127.0.0.1/8","::1/128","192.168.1.169/24","2a0c:5a82:2602:b100:a00:27ff:fe6e:b112/64","fe80::a00:27ff:fe6e:b112/64"],"kernel_version":"4.14.336-255.557.amzn2.x86_64","mac":["08:00:27:6e:b1:12"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2","major":2,"minor":0,"patch":0,"codename":"Karoo"},"timezone":"UTC","timezone_offset_sec":0,"id":"6b47e1b2e948824db9c8c6ba65509eef"}}}
2024-02-14T12:56:50.762Z INFO [beat] instance/beat.go:1026 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 8144, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-02-14T12:56:50.450Z"}}}
2024-02-14T12:56:50.762Z INFO instance/beat.go:299 Setup Beat: filebeat; Version: 7.10.2
2024-02-14T12:56:50.772Z INFO eslegclient/connection.go:99 elasticsearch url: https://127.0.0.1:9200
[root@wazuh-server wazuh-user]#
🟢 Testing in Jenkins
The new tasks have been successfully executed in the pipeline:
12:40:52 + systemctl stop filebeat wazuh-manager
12:40:52 + for index in '"${INDEXES[@]}"'
12:40:52 + curl -u admin:admin -XDELETE 'https://127.0.0.1:9200/wazuh-alerts-*' -k
12:40:52 % Total % Received % Xferd Average Speed Time Time Time Current
12:40:52 Dload Upload Total Spent Left Speed
12:40:52
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 21 100 21 0 0 387 0 --:--:-- --:--:-- --:--:-- 388
12:40:52 + for index in '"${INDEXES[@]}"'
12:40:52 + curl -u admin:admin -XDELETE 'https://127.0.0.1:9200/wazuh-archives-*' -k
12:40:52 % Total % Received % Xferd Average Speed Time Time Time Current
12:40:52 Dload Upload Total Spent Left Speed
12:40:52
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 21 100 21 0 0 373 0 --:--:-- --:--:-- --:--:-- 375
12:40:52 + for index in '"${INDEXES[@]}"'
12:40:52 + curl -u admin:admin -XDELETE 'https://127.0.0.1:9200/wazuh-states-vulnerabilities-*' -k
12:40:52 % Total % Received % Xferd Average Speed Time Time Time Current
12:40:52 Dload Upload Total Spent Left Speed
12:40:52
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 21 100 21 0 0 1983 0 --:--:-- --:--:-- --:--:-- 2100
12:40:52 + for index in '"${INDEXES[@]}"'
12:40:52 + curl -u admin:admin -XDELETE 'https://127.0.0.1:9200/wazuh-statistics-*' -k
12:40:52 % Total % Received % Xferd Average Speed Time Time Time Current
12:40:52 Dload Upload Total Spent Left Speed
12:40:52
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 21 100 21 0 0 1961 0 --:--:-- --:--:-- --:--:-- 2100
12:40:52 + for index in '"${INDEXES[@]}"'
12:40:52 + curl -u admin:admin -XDELETE 'https://127.0.0.1:9200/wazuh-monitoring-*' -k
12:40:52 % Total % Received % Xferd Average Speed Time Time Time Current
12:40:52 Dload Upload Total Spent Left Speed
12:40:52
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 21 100 21 0 0 577 0 --:--:-- --:--:-- --:--:-- 583
12:40:52 + bash /usr/share/wazuh-indexer/bin/indexer-ism-init.sh -i 127.0.0.1 -p admin
12:40:52 + systemctl stop wazuh-indexer wazuh-dashboard
12:40:52 + systemctl enable wazuh-manager
12:40:52 + clean
12:40:52 + rm -f /securityadmin_demo.sh
12:40:52 + yum clean all
12:40:52 + systemctl daemon-reload
12:40:52 + rm -rf /var/provision/wazuh-packages/ova/assets /var/provision/wazuh-packages/ova/generate_ova.sh /var/provision/wazuh-packages/ova/Ova2Ovf.py /var/provision/wazuh-packages/ova/provision.sh /var/provision/wazuh-packages/ova/README.md /var/provision/wazuh-packages/ova/setOVADefault.sh /var/provision/wazuh-packages/ova/Vagrantfile /var/provision/wazuh-packages/ova/wazuh_ovf_template /var/provision/wazuh-packages/ova/.gitignore
12:40:52 + cat /dev/null
12:40:52 + history -c
12:40:52
12:40:52 TASK [Clean provision files] ***************************************************
12:40:52 task path: /home/ec2-user/workspace/Packages_Builder_OVA/ansible-playbooks/wazuh_ova_generation.yml:39
12:40:52 changed: [Packages_Builder_OVA_B333_20240214112723] => {
12:40:52 "changed": true,
12:40:52 "path": "/var/provision/",
12:40:52 "state": "absent"
12:40:52 }
12:40:53
12:40:53 TASK [Clean unattended resources] **********************************************
12:40:53 task path: /home/ec2-user/workspace/Packages_Builder_OVA/ansible-playbooks/wazuh_ova_generation.yml:44
12:40:53 changed: [Packages_Builder_OVA_B333_20240214112723] => {
12:40:53 "changed": true,
12:40:53 "path": "/tmp/unattended_installer",
12:40:53 "state": "absent"
12:40:53 }
12:40:53
12:40:53 TASK [Clean logs] **************************************************************
12:40:53 task path: /home/ec2-user/workspace/Packages_Builder_OVA/ansible-playbooks/wazuh_ova_generation.yml:49
12:40:53 changed: [Packages_Builder_OVA_B333_20240214112723] => {
12:40:53 "changed": true,
12:40:53 "cmd": "find /var/log/ -type f -exec bash -c 'cat /dev/null > {}' \\;\nfind /var/ossec/logs -type f -execdir sh -c 'cat /dev/null > \"$1\"' _ {} \\;\nfind /var/log/wazuh-indexer -type f -execdir sh -c 'cat /dev/null > \"$1\"' _ {} \\;\nfind /var/log/filebeat -type f -execdir sh -c 'cat /dev/null > \"$1\"' _ {} \\;\nfind /usr/share/wazuh-dashboard/data/wazuh/logs -type f -execdir sh -c 'cat /dev/null > \"$1\"' _ {} \\;\n",
12:40:53 "delta": "0:00:00.147371",
12:40:53 "end": "2024-02-14 11:40:53.955373",
12:40:53 "rc": 0,
12:40:53 "start": "2024-02-14 11:40:53.808002"
12:40:53 }
https://ci.wazuh.info/job/Packages_Builder_OVA/333/consoleFull
Same result as the local test.
[root@wazuh-server wazuh-user]# uptime -p -s
2024-02-14 15:09:29
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/ossec.log | head -n 10
2024/02/14 16:09:32 wazuh-modulesd:router: INFO: Loaded router module.
2024/02/14 16:09:32 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2024/02/14 16:09:34 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit.
2024/02/14 16:09:34 wazuh-dbd: INFO: Database not configured. Clean exit.
2024/02/14 16:09:34 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
2024/02/14 16:09:34 wazuh-agentlessd: INFO: Not configured. Exiting.
2024/02/14 16:09:34 wazuh-authd: INFO: Started (pid: 9371).
2024/02/14 16:09:34 wazuh-authd: INFO: Accepting connections on port 1515. No password required.
2024/02/14 16:09:34 wazuh-authd: INFO: Setting network timeout to 1.000000 sec.
2024/02/14 16:09:35 wazuh-db: INFO: Started (pid: 9853).
[root@wazuh-server wazuh-user]#
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.json | head -n 10
{"timestamp":"2024-02-14T16:09:43.249+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707926983.0","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1776/sshd\ntcp6 :::22 :::* 1776/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 1889/master\nudp 0.0.0.0:68 0.0.0.0:* 4112/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2992/rpcbind\ntcp6 :::111 :::* 2992/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2992/rpcbind\nudp6 :::111 :::* 2992/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 3001/chronyd\nudp6 ::1:323 :::* 3001/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 15221/node\nudp 0.0.0.0:614 0.0.0.0:* 2992/rpcbind\nudp6 :::614 :::* 2992/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 16297/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16151/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 11613/java\ntcp6 127.0.0.1:9300 :::* 11613/java\ntcp 0.0.0.0:55000 0.0.0.0:* 16102/python3","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 7561/sshd\ntcp6 :::22 :::* 7561/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 7770/master\nudp 0.0.0.0:68 0.0.0.0:* 6972/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2056/rpcbind\ntcp6 :::111 :::* 2056/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2056/rpcbind\nudp6 :::111 :::* 2056/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 2050/chronyd\nudp6 ::1:323 :::* 2050/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 2012/node\nudp 0.0.0.0:912 0.0.0.0:* 2056/rpcbind\nudp6 :::912 :::* 2056/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 12653/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 9371/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 7568/java\ntcp6 127.0.0.1:9300 :::* 7568/java\ntcp 0.0.0.0:55000 0.0.0.0:* 9255/python3","decoder":{"name":"ossec"},"previous_log":"ossec: 
output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1776/sshd\ntcp6 :::22 :::* 1776/sshd\ntcp 127.0.0.1:25 0.0.0.0:* 1889/master\nudp 0.0.0.0:68 0.0.0.0:* 4112/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 2992/rpcbind\ntcp6 :::111 :::* 2992/rpcbind\nudp 0.0.0.0:111 0.0.0.0:* 2992/rpcbind\nudp6 :::111 :::* 2992/rpcbind\nudp 127.0.0.1:323 0.0.0.0:* 3001/chronyd\nudp6 ::1:323 :::* 3001/chronyd\ntcp 0.0.0.0:443 0.0.0.0:* 15221/node\nudp 0.0.0.0:614 0.0.0.0:* 2992/rpcbind\nudp6 :::614 :::* 2992/rpcbind\ntcp 0.0.0.0:1514 0.0.0.0:* 16297/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16151/wazuh-authd\ntcp6 127.0.0.1:9200 :::* 11613/java\ntcp6 127.0.0.1:9300 :::* 11613/java\ntcp 0.0.0.0:55000 0.0.0.0:* 16102/python3","location":"netstat listening ports"}
{"timestamp":"2024-02-14T15:09:52.807+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923392.1741","full_log":"Feb 14 15:09:51 wazuh-server login: pam_unix(login:session): session opened for user wazuh-user by LOGIN(uid=0)","predecoder":{"program_name":"login","timestamp":"Feb 14 15:09:51","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"LOGIN","dstuser":"wazuh-user","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:09:52.807+0000","rule":{"level":4,"description":"First time user executed sudo.","id":"5403","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923392.2174","full_log":"Feb 14 15:09:52 wazuh-server sudo: wazuh-user : TTY=tty1 ; PWD=/home/wazuh-user ; USER=root ; COMMAND=/bin/su","predecoder":{"program_name":"sudo","timestamp":"Feb 14 15:09:52","hostname":"wazuh-server"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"wazuh-user","dstuser":"root","tty":"tty1","pwd":"/home/wazuh-user","command":"/bin/su"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:09:52.807+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":2,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923392.2494","full_log":"Feb 14 15:09:52 wazuh-server su: pam_unix(su:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"su","timestamp":"Feb 14 15:09:52","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:09:52.807+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923392.2914","full_log":"Feb 14 15:09:52 wazuh-server sudo: pam_unix(sudo:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"sudo","timestamp":"Feb 14 15:09:52","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:09:53.839+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923393.3338","full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2024-02-14T15:10:44.867+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":4,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923444.3589","full_log":"Feb 14 15:10:43 wazuh-server sshd[19061]: pam_unix(sshd:session): session opened for user wazuh-user by (uid=0)","predecoder":{"program_name":"sshd","timestamp":"Feb 14 15:10:43","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"wazuh-user","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:10:44.867+0000","rule":{"level":3,"description":"sshd: authentication success.","id":"5715","mitre":{"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"],"technique":["Valid Accounts","Remote Services"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923444.4022","full_log":"Feb 14 15:10:43 wazuh-server sshd[19061]: Accepted password for wazuh-user from 192.168.1.240 port 34680 ssh2","predecoder":{"program_name":"sshd","timestamp":"Feb 14 15:10:43","hostname":"wazuh-server"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.1.240","srcport":"34680","dstuser":"wazuh-user"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:10:44.909+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":5,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923444.4488","full_log":"Feb 14 15:10:44 wazuh-server sudo: pam_unix(sudo:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"sudo","timestamp":"Feb 14 15:10:44","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:10:44.909+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":6,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1707923444.4912","full_log":"Feb 14 15:10:44 wazuh-server su: pam_unix(su:session): session opened for user root by wazuh-user(uid=0)","predecoder":{"program_name":"su","timestamp":"Feb 14 15:10:44","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh-user","dstuser":"root","uid":"0"},"location":"/var/log/secure"}
/usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | head -n 10
{"date":"2024-02-14T16:09:45.581Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"}
{"date":"2024-02-14T16:09:45.582Z","level":"info","location":"initialize","message":"App revision: 03"}
{"date":"2024-02-14T16:09:45.582Z","level":"info","location":"initialize","message":"Total RAM: 7964MB"}
[root@wazuh-server wazuh-user]# cat /var/log/wazuh-indexer/wazuh-cluster.log | head -n 10
[2024-02-14T16:09:34,933][INFO ][o.o.n.Node ] [node-1] version[2.10.0], pid[7568], build[rpm/eee49cb340edc6c4d489bcd9324dda571fc8dc03/2023-09-20T23:54:29.889267151Z], OS[Linux/4.14.336-255.557.amzn2.x86_64/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/17.0.8/17.0.8+7]
[2024-02-14T16:09:34,934][INFO ][o.o.n.Node ] [node-1] JVM home [/usr/share/wazuh-indexer/jdk], using bundled JDK/JRE [true]
[2024-02-14T16:09:34,935][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-406069355175393296, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2024-02-14T16:09:35,567][INFO ][o.o.s.s.t.SSLConfig ] [node-1] SSL dual mode is disabled
[2024-02-14T16:09:35,568][INFO ][o.o.s.OpenSearchSecurityPlugin] [node-1] OpenSearch Config path is /etc/wazuh-indexer
[2024-02-14T16:09:35,768][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] JVM supports TLSv1.3
[2024-02-14T16:09:35,770][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] Config directory is /etc/wazuh-indexer/, from there the key- and truststore files are resolved relatively
[2024-02-14T16:09:36,127][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS Transport Client Provider : JDK
[2024-02-14T16:09:36,128][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS Transport Server Provider : JDK
[2024-02-14T16:09:36,128][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS HTTP Provider : JDK
[root@wazuh-server wazuh-user]# cat /var/log/filebeat/filebeat | head -n 10
2024-02-14T16:09:32.168Z INFO instance/beat.go:645 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-02-14T16:09:32.169Z INFO instance/beat.go:653 Beat ID: 0037ed7c-5e46-4a96-8ffb-d4eaad9e0ea3
2024-02-14T16:09:32.170Z INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2024-02-14T16:09:32.170Z INFO [beat] instance/beat.go:981 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "0037ed7c-5e46-4a96-8ffb-d4eaad9e0ea3"}}}
2024-02-14T16:09:32.170Z INFO [beat] instance/beat.go:990 Build info {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-02-14T16:09:32.170Z INFO [beat] instance/beat.go:993 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2024-02-14T16:09:32.178Z INFO [beat] instance/beat.go:997 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-02-14T16:09:21Z","containerized":false,"name":"wazuh-server","ip":["127.0.0.1/8","::1/128","192.168.1.170/24","2a0c:5a82:2602:b100:a00:27ff:fed1:fc52/64","fe80::a00:27ff:fed1:fc52/64"],"kernel_version":"4.14.336-255.557.amzn2.x86_64","mac":["08:00:27:d1:fc:52"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2","major":2,"minor":0,"patch":0,"codename":"Karoo"},"timezone":"UTC","timezone_offset_sec":0,"id":"6b47e1b2e948824db9c8c6ba65509eef"}}}
2024-02-14T16:09:32.179Z INFO [beat] instance/beat.go:1026 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 7562, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-02-14T16:09:31.880Z"}}}
2024-02-14T16:09:32.179Z INFO instance/beat.go:299 Setup Beat: filebeat; Version: 7.10.2
2024-02-14T16:09:32.182Z INFO eslegclient/connection.go:99 elasticsearch url: https://127.0.0.1:9200
[root@wazuh-server wazuh-user]#
from wazuh-packages.
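The verification above is done by eyeballing `head` on each log. As an added example (not code from the wazuh-packages issue or the project), the script below automates the same check over an `alerts.json` file: it flags alerts whose timestamp predates an assumed build cutoff, i.e. events generated on the build host rather than on the deployed appliance, and lists the source IPs found in authentication alerts, since an appliance image should not ship with the build environment's addresses in its alert history. The sample lines are constructed to mirror the format pasted in this thread (abridged); the cutoff value and the file name are assumptions.

```python
"""Added example, not part of the wazuh-packages issue: scan a Wazuh
alerts.json (one JSON object per line) for alerts left over from the
OVA build. The sample input and the cutoff are constructed/assumed."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the alerts.json lines above (abridged).
SAMPLE_ALERTS = """\
{"timestamp":"2024-02-14T15:09:52.807+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"000","name":"wazuh-server"},"id":"1707923392.1741","data":{"dstuser":"wazuh-user"},"location":"/var/log/secure"}
{"timestamp":"2024-02-14T15:10:44.867+0000","rule":{"level":3,"id":"5715","description":"sshd: authentication success."},"agent":{"id":"000","name":"wazuh-server"},"id":"1707923444.4022","data":{"srcip":"192.168.1.240","srcport":"34680","dstuser":"wazuh-user"},"location":"/var/log/secure"}
{"timestamp":"2024-02-15T09:00:01.000+0000","rule":{"level":3,"id":"502","description":"Wazuh server started."},"agent":{"id":"000","name":"wazuh-server"},"id":"1708000801.10","location":"wazuh-monitord"}
"""

# Assumed: the moment the appliance was handed over; anything earlier
# was produced while the image was being built.
BUILD_CUTOFF = datetime(2024, 2, 15, 0, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the Wazuh alert timestamp format, e.g. 2024-02-14T15:09:52.807+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def stale_alerts(text, cutoff=BUILD_CUTOFF):
    """Return (alert id, timestamp, rule id) for every alert older than cutoff.

    Lines that are not valid JSON are reported too, so a half-written
    trailing line does not silently hide a stale entry."""
    stale = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            stale.append((f"line {n}", None, "unparseable"))
            continue
        ts = parse_ts(alert["timestamp"])
        if ts < cutoff:
            stale.append((alert["id"], ts, alert["rule"]["id"]))
    return stale


def leaked_sources(text):
    """Sorted set of srcip values seen in alerts: build-host addresses
    that should not be present in a freshly generated appliance."""
    ips = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        ip = alert.get("data", {}).get("srcip")
        if ip:
            ips.add(ip)
    return sorted(ips)


if __name__ == "__main__":
    # Assumed path; on a real box this would be /var/ossec/logs/alerts/alerts.json
    for alert_id, ts, rule_id in stale_alerts(SAMPLE_ALERTS):
        print(f"stale alert {alert_id} rule {rule_id} at {ts}")
    print("source IPs in alerts:", leaked_sources(SAMPLE_ALERTS))
```

Run it against `/var/ossec/logs/alerts/alerts.json` after the image is generated: an empty result from `stale_alerts` and an empty list from `leaked_sources` is what a clean OVA should produce; the two entries the sample returns are the build-time logins that the cleanup step is meant to remove.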