Release 4.8.0 - Beta 1 - E2E UX tests - Demo environment #21763

Closed
2 tasks done
davidjiglesias opened this issue Feb 6, 2024 · 13 comments

@davidjiglesias
Member

davidjiglesias commented Feb 6, 2024

End-to-End (E2E) Testing Guideline

  • Documentation: Always consult the development documentation for the current stage tag at this link. Be careful because some of the description steps might refer to a current version in production, always navigate using the current development documentation for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and urls for the correct testing of the development packages.
  • Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
  • Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the CICD team through this link.
  • External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the CICD team here.
  • Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
  • Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
  • Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
  • Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
  • Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
  • Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing objective and Very high priority. Communicate these to the team and QA via the c-release Slack channel.
  • Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
  • Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
  • Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994.
  • Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/cicd team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
  • For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

  • 🟢 All checks passed
  • 🟡 Found a known issue
  • 🔴 Found a new error

Issue delivery and completion

  • Initial delivery: The issue's assignee must complete the testing and deliver the results by Feb 07, 2024 and notify the @wazuh/cicd team via Slack using the c-release channel
  • Review: The @wazuh/cicd team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Feb 08, 2024 date (issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
  • Auditor: The QA team must audit, validate the results, and close the issue by Feb 09, 2024.

Deployment requirements

Component Installation Type OS
Indexer
Server
Dashboard -
Agent -

Test description

Test demo.wazuh.info environment:

  • Check that there are no errors in the manager, agent, cluster, indexer, and dashboard logs.
  • Check that the Wazuh daemons are running with the expected user.
  • Check that the status of the indexer cluster is as expected.
  • Check that there are no errors in the browser's developer console when browsing the App.
  • Check that there are alerts for each of the modules configured.
  • Check that no warning symbols appear in the browser's developer console when browsing the App
  • Generate an alert and check that this alert appears in the dashboard (end to end)
  • Check that the search engine works without specifying a field and using *

To access the demo environment, please contact @cicd-team.

Known issues

Conclusions

New

Known issues

New issues

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🟡 | Check Agent, Dashboard, Indexer, and Manager Logs | Error while reading a file | Known issue: https://github.com/wazuh/wazuh-automation/issues/802 #13253 |
| 🟡 | Check Agent, Dashboard, Indexer, and Manager Logs | Could not define attribute view on path | Known issue: wazuh/wazuh-packages#2685 |
| 🟡 | Check Agent, Dashboard, Indexer, and Manager Logs | Connection error during registration | Known issue: https://github.com/wazuh/wazuh-jenkins/issues/4867 |
| 🔴 | Check Agent, Dashboard, Indexer, and Manager Logs | Abort in wazuh-syscheckd (RHEL 9) | New issue: #21820 |
| 🟡 | Check Agent, Dashboard, Indexer, and Manager Logs | Indexers logs | Known issue: wazuh/wazuh-packages#2094 Known issue: wazuh/wazuh-packages#1489 Known issue: elastic/elasticsearch#27226 |
| 🟡 | Check Agent, Dashboard, Indexer, and Manager Logs | Managers logs | Known issue: https://github.com/wazuh/intelligence-platform/issues/1334 Known issue: https://github.com/wazuh/wazuh-jenkins/issues/4867 Known issue: #17596 Known issue: #21297 Known issue: #21467 |
| 🔴 | Check Agent, Dashboard, Indexer, and Manager Logs | Premature IndexerConnector warnings generated | New issue: #21829 |
| 🔴 | Check Agent, Dashboard, Indexer, and Manager Logs | Uninitialized index error logs appear in Wazuh-indexers | New issue: #21861 |
| 🟡 | Check for Errors in Browser's Developer Console While Browsing the App | Warning message in console | Known issue: wazuh/wazuh-dashboard-plugins#4108 wazuh/wazuh-dashboard-plugins#4121 wazuh/wazuh-dashboard-plugins#5821 wazuh/wazuh-dashboard-plugins#4108 wazuh/wazuh-dashboard-plugins#4092 wazuh/wazuh-dashboard-plugins#6320 |
| 🟡 | Check for Errors in Browser's Developer Console While Browsing the App | Recently viewed items are empty | Known issue: wazuh/wazuh-dashboard-plugins#6318 |
| 🟡 | Check that there are Alerts for each of the Modules Configured | Unnecessary ENV2 Virus Total setting | Known issue: https://github.com/wazuh/wazuh-automation/issues/1369 |
| 🟡 | Check the search engine works without specifying a field using * | Delay and freeze in the search page | Known issue: wazuh/wazuh-dashboard-plugins#6216 |

Feedback

We value your feedback. Please provide insights on your testing experience.

  • Was the testing guideline clear? Were there any ambiguities?
    • It was clear
  • Did you face any challenges not covered by the guideline?
    • No.
  • Suggestions for improvement:
    • Nothing to improve.

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.
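
Added example (not part of the issue template or of Wazuh's tooling): one way to run the "no errors in the agent logs" check so that connection errors caused by a known manager restart are separated from everything else. The function names and the restart window are assumptions supplied by the tester, and the sample lines are constructed in the `ossec.log` format shown in the test results of this thread.

```shell
#!/bin/sh
# Triage ERROR/WARNING lines from a Wazuh agent ossec.log.
# wazuh-agentd lines with codes 1137/1216 that fall inside a declared
# manager restart window are tagged EXPECTED; every other hit is
# tagged UNEXPECTED and needs a known-issue reference or a new issue.

# triage_ossec_log LOGFILE WINDOW_START WINDOW_END   (hypothetical helper)
# Timestamps use the ossec.log layout "YYYY/MM/DD HH:MM:SS", which sorts
# lexicographically, so plain string comparison is sufficient.
triage_ossec_log() {
    awk -v win_start="$2" -v win_end="$3" '
        {
            # Same selection as: egrep -i "ERROR|WARNING"
            upper = toupper($0)
            if (index(upper, "ERROR") == 0 && index(upper, "WARNING") == 0) next

            ts = substr($0, 1, 19)
            in_window = (ts >= win_start && ts <= win_end)
            # $3 is the daemon name, $5 the numeric message code.
            known = ($3 == "wazuh-agentd:" && ($5 == "(1137):" || $5 == "(1216):"))

            tag = (in_window && known) ? "EXPECTED" : "UNEXPECTED"
            print tag "\t" $0
        }
    ' "$1"
}

# count_unexpected LOGFILE WINDOW_START WINDOW_END   (hypothetical helper)
# Prints the number of hits that the restart window does not explain.
count_unexpected() {
    triage_ossec_log "$1" "$2" "$3" | grep -c '^UNEXPECTED' || true
}

# make_sample_log PATH: writes constructed sample lines for the demo.
make_sample_log() {
    cat > "$1" <<'EOF'
2024/02/07 11:37:45 wazuh-agentd: INFO: constructed sample informational line.
2024/02/07 11:55:11 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:55:11 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.254]:1514/tcp': 'Connection refused'.
2024/02/07 11:55:21 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.254]:1514/tcp': 'Connection refused'.
2024/02/07 13:10:02 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.254]:1514/tcp': 'Connection refused'.
2024/02/07 13:12:40 wazuh-logcollector: WARNING: constructed sample warning line.
EOF
}

# Demo: the manager restart is assumed to have happened between
# 11:55:00 and 11:56:00 on the day of the test.
sample_log=$(mktemp)
make_sample_log "$sample_log"
triage_ossec_log "$sample_log" "2024/02/07 11:55:00" "2024/02/07 11:56:00"
echo "unexpected: $(count_unexpected "$sample_log" "2024/02/07 11:55:00" "2024/02/07 11:56:00")"
rm -f "$sample_log"
```

A connection error outside the declared window stays UNEXPECTED even though its message code matches, which keeps a real outage from being waved through as restart noise.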

@santipadilla
Member

The available machines are:

Agents
  • RHEL9
  • Centos
  • Debian
  • Windows
  • Ubuntu
  • Amazon
Dashboard
  • WazuhDashboard
Indexers
  • IndexerBootstrap
  • IndexerMasterB
  • IndexerMasterC
  • WazuhDashboard
Managers
  • WazuhMasterEnv1
  • WazuhMasterEnv2
  • WazuhWorker

@santipadilla
Member

santipadilla commented Feb 7, 2024

1. Check Agent, Dashboard, Indexer, and Manager Logs 🔴

Agent Logs

Amazon 🟢

System information

[wazuh-user@ip-10-0-1-9 ~]$ cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)

Agent Version

[root@ip-10-0-1-9 wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="agent"

Agent Status

[root@ip-10-0-1-9 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2024-02-07 11:37:45 UTC; 3h 39min ago
  Process: 9728 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 9867 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─11522 /var/ossec/bin/wazuh-execd
           ├─11534 /var/ossec/bin/wazuh-agentd
           ├─11549 /var/ossec/bin/wazuh-syscheckd
           ├─11565 /var/ossec/bin/wazuh-logcollector
           └─11583 /var/ossec/bin/wazuh-modulesd

feb 07 11:37:38 ip-10-0-1-9.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
feb 07 11:37:38 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Starting Wazuh v4.8.0...
feb 07 11:37:39 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Started wazuh-execd...
feb 07 11:37:40 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Started wazuh-agentd...
feb 07 11:37:41 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Started wazuh-syscheckd...
feb 07 11:37:42 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Started wazuh-logcollector...
feb 07 11:37:43 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Started wazuh-modulesd...
feb 07 11:37:45 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Completed.
feb 07 11:37:45 ip-10-0-1-9.us-west-1.compute.internal systemd[1]: Started Wazuh agent.

Module Status

[root@ip-10-0-1-9 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Service Status

[root@ip-10-0-1-9 wazuh-user]# journalctl -xe -u wazuh-agent.service --no-pager
-- Logs begin at mié 2024-02-07 11:05:18 UTC, end at mié 2024-02-07 15:16:07 UTC. --
feb 07 11:37:23 ip-10-0-1-9.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
feb 07 11:37:23 ip-10-0-1-9.us-west-1.compute.internal env[9179]: Starting Wazuh v4.8.0...
feb 07 11:37:24 ip-10-0-1-9.us-west-1.compute.internal env[9179]: Started wazuh-execd...
feb 07 11:37:25 ip-10-0-1-9.us-west-1.compute.internal env[9179]: Started wazuh-agentd...
feb 07 11:37:26 ip-10-0-1-9.us-west-1.compute.internal env[9179]: Started wazuh-syscheckd...
feb 07 11:37:27 ip-10-0-1-9.us-west-1.compute.internal env[9179]: Started wazuh-logcollector...
feb 07 11:37:28 ip-10-0-1-9.us-west-1.compute.internal env[9179]: Started wazuh-modulesd...
feb 07 11:37:30 ip-10-0-1-9.us-west-1.compute.internal env[9179]: Completed.
feb 07 11:37:30 ip-10-0-1-9.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
feb 07 11:37:33 ip-10-0-1-9.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun shutting down.
feb 07 11:37:33 ip-10-0-1-9.us-west-1.compute.internal env[9728]: Killing wazuh-modulesd...
feb 07 11:37:37 ip-10-0-1-9.us-west-1.compute.internal env[9728]: Killing wazuh-logcollector...
feb 07 11:37:37 ip-10-0-1-9.us-west-1.compute.internal env[9728]: Killing wazuh-syscheckd...
feb 07 11:37:37 ip-10-0-1-9.us-west-1.compute.internal env[9728]: Killing wazuh-agentd...
feb 07 11:37:38 ip-10-0-1-9.us-west-1.compute.internal env[9728]: Killing wazuh-execd...
feb 07 11:37:38 ip-10-0-1-9.us-west-1.compute.internal env[9728]: Wazuh v4.8.0 Stopped
feb 07 11:37:38 ip-10-0-1-9.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished shutting down.
feb 07 11:37:38 ip-10-0-1-9.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has begun starting up.
feb 07 11:37:38 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Starting Wazuh v4.8.0...
feb 07 11:37:39 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Started wazuh-execd...
feb 07 11:37:40 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Started wazuh-agentd...
feb 07 11:37:41 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Started wazuh-syscheckd...
feb 07 11:37:42 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Started wazuh-logcollector...
feb 07 11:37:43 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Started wazuh-modulesd...
feb 07 11:37:45 ip-10-0-1-9.us-west-1.compute.internal env[9867]: Completed.
feb 07 11:37:45 ip-10-0-1-9.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.

Note
Expected Activity Logs

Error Logs

[root@ip-10-0-1-9 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log |  wc -l
3

[root@ip-10-0-1-9 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2024/02/07 11:55:11 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:55:11 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.254]:1514/tcp': 'Connection refused'.
2024/02/07 11:55:21 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.254]:1514/tcp': 'Connection refused'.

Note
The logs are expected because the manager was restarted at that time.

CentOS 🟢

System information

[root@ip-10-0-1-185 wazuh-user]# cat /etc/*release
CentOS Linux release 8.4.2105
NAME="CentOS Linux"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
CentOS Linux release 8.4.2105
CentOS Linux release 8.4.2105

Agent Version

[root@ip-10-0-1-185 wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="agent"

Agent Status

[root@ip-10-0-1-185 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-02-07 11:39:20 UTC; 3h 47min ago
  Process: 8366 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 8536 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 32 (limit: 4668)
   Memory: 400.7M
   CGroup: /system.slice/wazuh-agent.service
           ├─9553 /var/ossec/bin/wazuh-execd
           ├─9565 /var/ossec/bin/wazuh-agentd
           ├─9580 /var/ossec/bin/wazuh-syscheckd
           ├─9596 /var/ossec/bin/wazuh-logcollector
           └─9614 /var/ossec/bin/wazuh-modulesd

feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Starting Wazuh v4.8.0...
feb 07 11:39:13 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Started wazuh-execd...
feb 07 11:39:15 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Started wazuh-agentd...
feb 07 11:39:16 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Started wazuh-syscheckd...
feb 07 11:39:17 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Started wazuh-logcollector...
feb 07 11:39:18 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Started wazuh-modulesd...
feb 07 11:39:20 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Completed.
feb 07 11:39:20 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: Started Wazuh agent.

Module Status

[root@ip-10-0-1-185 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Service Status

[root@ip-10-0-1-185 wazuh-user]# journalctl -xe -u wazuh-agent.service --no-pager
-- Logs begin at Wed 2024-02-07 11:05:23 UTC, end at Wed 2024-02-07 15:26:09 UTC. --
feb 07 11:38:47 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit wazuh-agent.service has begun starting up.
feb 07 11:38:47 ip-10-0-1-185.us-west-1.compute.internal env[7815]: Starting Wazuh v4.8.0...
feb 07 11:38:48 ip-10-0-1-185.us-west-1.compute.internal env[7815]: Started wazuh-execd...
feb 07 11:38:49 ip-10-0-1-185.us-west-1.compute.internal env[7815]: Started wazuh-agentd...
feb 07 11:38:50 ip-10-0-1-185.us-west-1.compute.internal env[7815]: Started wazuh-syscheckd...
feb 07 11:38:51 ip-10-0-1-185.us-west-1.compute.internal env[7815]: Started wazuh-logcollector...
feb 07 11:38:52 ip-10-0-1-185.us-west-1.compute.internal env[7815]: Started wazuh-modulesd...
feb 07 11:38:54 ip-10-0-1-185.us-west-1.compute.internal env[7815]: Completed.
feb 07 11:38:54 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.
feb 07 11:39:08 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun shutting down
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit wazuh-agent.service has begun shutting down.
feb 07 11:39:08 ip-10-0-1-185.us-west-1.compute.internal env[8366]: Killing wazuh-modulesd...
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal env[8366]: Killing wazuh-logcollector...
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal env[8366]: Killing wazuh-syscheckd...
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal env[8366]: Killing wazuh-agentd...
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal env[8366]: Killing wazuh-execd...
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal env[8366]: Wazuh v4.8.0 Stopped
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- The unit wazuh-agent.service has successfully entered the 'dead' state.
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished shutting down
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit wazuh-agent.service has finished shutting down.
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Found left-over process 8408 (restart.sh) in control group while starting unit. Ignoring.
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Found left-over process 8412 (wazuh-control) in control group while starting unit. Ignoring.
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Found left-over process 8496 (sleep) in control group while starting unit. Ignoring.
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit wazuh-agent.service has begun starting up.
feb 07 11:39:12 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Starting Wazuh v4.8.0...
feb 07 11:39:13 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Started wazuh-execd...
feb 07 11:39:15 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Started wazuh-agentd...
feb 07 11:39:16 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Started wazuh-syscheckd...
feb 07 11:39:17 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Started wazuh-logcollector...
feb 07 11:39:18 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Started wazuh-modulesd...
feb 07 11:39:20 ip-10-0-1-185.us-west-1.compute.internal env[8536]: Completed.
feb 07 11:39:20 ip-10-0-1-185.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
-- Subject: Unit wazuh-agent.service has finished start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit wazuh-agent.service has finished starting up.
-- 
-- The start-up result is done.

Note
Expected Activity Logs

Error Logs

[root@ip-10-0-1-185 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log |  wc -l
3

[root@ip-10-0-1-185 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2024/02/07 11:55:10 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:55:10 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.9]:1514/tcp': 'Connection refused'.
2024/02/07 11:55:20 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.9]:1514/tcp': 'Connection refused'.

Note
The logs are expected because the manager was restarted at that time.

Debian 🟢

System information

root@ip-10-0-1-5:/home/wazuh-user# cat /etc/*release
ID="ec2"
VERSION="20220503-998"
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Agent Version

root@ip-10-0-1-5:/home/wazuh-user# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="agent"

Agent Status

root@ip-10-0-1-5:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-02-07 11:38:06 UTC; 3h 56min ago
    Process: 7589 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 32 (limit: 1123)
     Memory: 29.6M
        CPU: 54.176s
     CGroup: /system.slice/wazuh-agent.service
             ├─9593 /var/ossec/bin/wazuh-execd
             ├─9604 /var/ossec/bin/wazuh-agentd
             ├─9618 /var/ossec/bin/wazuh-syscheckd
             ├─9633 /var/ossec/bin/wazuh-logcollector
             └─9653 /var/ossec/bin/wazuh-modulesd

Feb 07 11:37:59 ip-10-0-1-5 systemd[1]: Starting Wazuh agent...
Feb 07 11:37:59 ip-10-0-1-5 env[7589]: Starting Wazuh v4.8.0...
Feb 07 11:38:00 ip-10-0-1-5 env[7589]: Started wazuh-execd...
Feb 07 11:38:01 ip-10-0-1-5 env[7589]: Started wazuh-agentd...
Feb 07 11:38:02 ip-10-0-1-5 env[7589]: Started wazuh-syscheckd...
Feb 07 11:38:03 ip-10-0-1-5 env[7589]: Started wazuh-logcollector...
Feb 07 11:38:04 ip-10-0-1-5 env[7589]: Started wazuh-modulesd...
Feb 07 11:38:06 ip-10-0-1-5 env[7589]: Completed.
Feb 07 11:38:06 ip-10-0-1-5 systemd[1]: Started Wazuh agent.

Module Status

root@ip-10-0-1-5:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Service Status

root@ip-10-0-1-5:/home/wazuh-user# journalctl -xe -u wazuh-agent.service --no-pager
-- Journal begins at Wed 2024-02-07 11:05:20 UTC, ends at Wed 2024-02-07 15:33:41 UTC. --
Feb 07 11:37:24 ip-10-0-1-5 systemd[1]: Starting Wazuh agent...
░░ Subject: A start job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 3245.
Feb 07 11:37:24 ip-10-0-1-5 env[6007]: Starting Wazuh v4.8.0...
Feb 07 11:37:25 ip-10-0-1-5 env[6007]: Started wazuh-execd...
Feb 07 11:37:26 ip-10-0-1-5 env[6007]: Started wazuh-agentd...
Feb 07 11:37:27 ip-10-0-1-5 env[6007]: Started wazuh-syscheckd...
Feb 07 11:37:28 ip-10-0-1-5 env[6007]: Started wazuh-logcollector...
Feb 07 11:37:29 ip-10-0-1-5 env[6007]: Started wazuh-modulesd...
Feb 07 11:37:31 ip-10-0-1-5 env[6007]: Completed.
Feb 07 11:37:31 ip-10-0-1-5 systemd[1]: Started Wazuh agent.
░░ Subject: A start job for unit wazuh-agent.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit wazuh-agent.service has finished successfully.
░░ 
░░ The job identifier is 3245.
Feb 07 11:37:50 ip-10-0-1-5 systemd[1]: Stopping Wazuh agent...
░░ Subject: A stop job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A stop job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 3515.
Feb 07 11:37:58 ip-10-0-1-5 env[7120]: Killing wazuh-modulesd...
Feb 07 11:37:58 ip-10-0-1-5 env[7120]: Killing wazuh-logcollector...
Feb 07 11:37:58 ip-10-0-1-5 env[7120]: Killing wazuh-syscheckd...
Feb 07 11:37:59 ip-10-0-1-5 env[7120]: Killing wazuh-agentd...
Feb 07 11:37:59 ip-10-0-1-5 env[7120]: Killing wazuh-execd...
Feb 07 11:37:59 ip-10-0-1-5 env[7120]: Wazuh v4.8.0 Stopped
Feb 07 11:37:59 ip-10-0-1-5 systemd[1]: wazuh-agent.service: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ The unit wazuh-agent.service has successfully entered the 'dead' state.
Feb 07 11:37:59 ip-10-0-1-5 systemd[1]: Stopped Wazuh agent.
░░ Subject: A stop job for unit wazuh-agent.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A stop job for unit wazuh-agent.service has finished.
░░ 
░░ The job identifier is 3515 and the job result is done.
Feb 07 11:37:59 ip-10-0-1-5 systemd[1]: wazuh-agent.service: Consumed 16.589s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ The unit wazuh-agent.service completed and consumed the indicated resources.
Feb 07 11:37:59 ip-10-0-1-5 systemd[1]: Starting Wazuh agent...
░░ Subject: A start job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 3515.
Feb 07 11:37:59 ip-10-0-1-5 env[7589]: Starting Wazuh v4.8.0...
Feb 07 11:38:00 ip-10-0-1-5 env[7589]: Started wazuh-execd...
Feb 07 11:38:01 ip-10-0-1-5 env[7589]: Started wazuh-agentd...
Feb 07 11:38:02 ip-10-0-1-5 env[7589]: Started wazuh-syscheckd...
Feb 07 11:38:03 ip-10-0-1-5 env[7589]: Started wazuh-logcollector...
Feb 07 11:38:04 ip-10-0-1-5 env[7589]: Started wazuh-modulesd...
Feb 07 11:38:06 ip-10-0-1-5 env[7589]: Completed.
Feb 07 11:38:06 ip-10-0-1-5 systemd[1]: Started Wazuh agent.
░░ Subject: A start job for unit wazuh-agent.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit wazuh-agent.service has finished successfully.
░░ 
░░ The job identifier is 3515.

Note
Expected Activity Logs

Error Logs

root@ip-10-0-1-5:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log |  wc -l
3

root@ip-10-0-1-5:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2024/02/07 11:55:10 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:55:10 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.9]:1514/tcp': 'Connection refused'.
2024/02/07 11:55:20 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.9]:1514/tcp': 'Connection refused'.

Note
The logs are expected because the manager was restarted at that time.

Ubuntu 🟢

System information

root@ip-10-0-1-229:/home/wazuh-user# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Agent Version

root@ip-10-0-1-229:/home/wazuh-user# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="agent"

Agent Status

root@ip-10-0-1-229:/home/wazuh-user# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-02-07 11:39:04 UTC; 4h 0min ago
    Process: 8511 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 32 (limit: 1116)
     Memory: 25.2M
        CPU: 40.211s
     CGroup: /system.slice/wazuh-agent.service
             ├─9568 /var/ossec/bin/wazuh-execd
             ├─9579 /var/ossec/bin/wazuh-agentd
             ├─9593 /var/ossec/bin/wazuh-syscheckd
             ├─9607 /var/ossec/bin/wazuh-logcollector
             └─9627 /var/ossec/bin/wazuh-modulesd

Feb 07 11:38:57 ip-10-0-1-229 systemd[1]: Starting Wazuh agent...
Feb 07 11:38:57 ip-10-0-1-229 env[8511]: Starting Wazuh v4.8.0...
Feb 07 11:38:58 ip-10-0-1-229 env[8511]: Started wazuh-execd...
Feb 07 11:38:59 ip-10-0-1-229 env[8511]: Started wazuh-agentd...
Feb 07 11:39:00 ip-10-0-1-229 env[8511]: Started wazuh-syscheckd...
Feb 07 11:39:01 ip-10-0-1-229 env[8511]: Started wazuh-logcollector...
Feb 07 11:39:02 ip-10-0-1-229 env[8511]: Started wazuh-modulesd...
Feb 07 11:39:04 ip-10-0-1-229 env[8511]: Completed.
Feb 07 11:39:04 ip-10-0-1-229 systemd[1]: Started Wazuh agent.

Module Status

root@ip-10-0-1-229:/home/wazuh-user# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Service Status

root@ip-10-0-1-229:/home/wazuh-user#  journalctl -xe -u wazuh-agent.service --no-pager
Feb 07 11:38:23 ip-10-0-1-229 systemd[1]: Starting Wazuh agent...
░░ Subject: A start job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 5618.
Feb 07 11:38:23 ip-10-0-1-229 env[6751]: Starting Wazuh v4.8.0...
Feb 07 11:38:24 ip-10-0-1-229 env[6751]: Started wazuh-execd...
Feb 07 11:38:25 ip-10-0-1-229 env[6751]: Started wazuh-agentd...
Feb 07 11:38:26 ip-10-0-1-229 env[6751]: Started wazuh-syscheckd...
Feb 07 11:38:27 ip-10-0-1-229 env[6751]: Started wazuh-logcollector...
Feb 07 11:38:28 ip-10-0-1-229 env[6751]: Started wazuh-modulesd...
Feb 07 11:38:30 ip-10-0-1-229 env[6751]: Completed.
Feb 07 11:38:30 ip-10-0-1-229 systemd[1]: Started Wazuh agent.
░░ Subject: A start job for unit wazuh-agent.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wazuh-agent.service has finished successfully.
░░ 
░░ The job identifier is 5618.
Feb 07 11:38:50 ip-10-0-1-229 systemd[1]: Stopping Wazuh agent...
░░ Subject: A stop job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A stop job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 6056.
Feb 07 11:38:56 ip-10-0-1-229 env[7956]: Killing wazuh-modulesd...
Feb 07 11:38:56 ip-10-0-1-229 env[7956]: Killing wazuh-logcollector...
Feb 07 11:38:56 ip-10-0-1-229 env[7956]: Killing wazuh-syscheckd...
Feb 07 11:38:57 ip-10-0-1-229 env[7956]: Killing wazuh-agentd...
Feb 07 11:38:57 ip-10-0-1-229 env[7956]: Killing wazuh-execd...
Feb 07 11:38:57 ip-10-0-1-229 env[7956]: Wazuh v4.8.0 Stopped
Feb 07 11:38:57 ip-10-0-1-229 systemd[1]: wazuh-agent.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit wazuh-agent.service has successfully entered the 'dead' state.
Feb 07 11:38:57 ip-10-0-1-229 systemd[1]: Stopped Wazuh agent.
░░ Subject: A stop job for unit wazuh-agent.service has finished
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A stop job for unit wazuh-agent.service has finished.
░░ 
░░ The job identifier is 6056 and the job result is done.
Feb 07 11:38:57 ip-10-0-1-229 systemd[1]: wazuh-agent.service: Consumed 14.189s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit wazuh-agent.service completed and consumed the indicated resources.
Feb 07 11:38:57 ip-10-0-1-229 systemd[1]: Starting Wazuh agent...
░░ Subject: A start job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 6056.
Feb 07 11:38:57 ip-10-0-1-229 env[8511]: Starting Wazuh v4.8.0...
Feb 07 11:38:58 ip-10-0-1-229 env[8511]: Started wazuh-execd...
Feb 07 11:38:59 ip-10-0-1-229 env[8511]: Started wazuh-agentd...
Feb 07 11:39:00 ip-10-0-1-229 env[8511]: Started wazuh-syscheckd...
Feb 07 11:39:01 ip-10-0-1-229 env[8511]: Started wazuh-logcollector...
Feb 07 11:39:02 ip-10-0-1-229 env[8511]: Started wazuh-modulesd...
Feb 07 11:39:04 ip-10-0-1-229 env[8511]: Completed.
Feb 07 11:39:04 ip-10-0-1-229 systemd[1]: Started Wazuh agent.
░░ Subject: A start job for unit wazuh-agent.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wazuh-agent.service has finished successfully.
░░ 
░░ The job identifier is 6056.

Note
Expected Activity Logs

Error Logs

root@ip-10-0-1-229:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log |  wc -l
4

root@ip-10-0-1-229:/home/wazuh-user# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2024/02/07 11:39:09 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:55:11 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:55:11 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.254]:1514/tcp': 'Connection refused'.
2024/02/07 11:55:21 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.254]:1514/tcp': 'Connection refused'.

Note
The logs are expected because the manager was restarted at that time.

RHEL9 🔴

System information

[wazuh-user@ip-10-0-1-23 ~]$ cat /etc/*release
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
Red Hat Enterprise Linux release 9.2 (Plow)
Red Hat Enterprise Linux release 9.2 (Plow)

Agent Version

[root@ip-10-0-1-23 wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="agent"

Agent Status

[root@ip-10-0-1-23 wazuh-user]# systemctl status wazuh-agent -l
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; preset: disabled)
     Active: active (running) since Wed 2024-02-07 12:17:50 UTC; 3h 32min ago
    Process: 60555 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 54 (limit: 22632)
     Memory: 303.0M
        CPU: 1min 57.291s
     CGroup: /system.slice/wazuh-agent.service
             ├─60582 /var/ossec/bin/wazuh-execd
             ├─60591 /var/ossec/bin/wazuh-agentd
             ├─60606 /var/ossec/bin/wazuh-syscheckd
             ├─60620 /var/ossec/bin/wazuh-logcollector
             ├─60629 /var/ossec/bin/wazuh-modulesd
             ├─60639 python3 wodles/docker/DockerListener
             ├─60645 /usr/bin/osqueryd --config_path=/etc/osquery/osquery.conf
             └─60660 /usr/bin/osqueryd

Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Starting Wazuh v4.8.0...
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Started wazuh-execd...
Feb 07 12:17:46 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Started wazuh-agentd...
Feb 07 12:17:47 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Started wazuh-syscheckd...
Feb 07 12:17:47 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Started wazuh-logcollector...
Feb 07 12:17:47 ip-10-0-1-23.us-west-1.compute.internal osqueryd[60645]: osqueryd started [version=4.4.0]
Feb 07 12:17:48 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Started wazuh-modulesd...
Feb 07 12:17:50 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Completed.
Feb 07 12:17:50 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Started Wazuh agent.

Module Status

[root@ip-10-0-1-23 wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Service Status

[root@ip-10-0-1-23 wazuh-user]# journalctl -xe -u wazuh-agent.service --no-pager
Feb 07 11:38:17 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
░░ Subject: A start job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 5593.
Feb 07 11:38:17 ip-10-0-1-23.us-west-1.compute.internal env[6226]: Starting Wazuh v4.8.0...
Feb 07 11:38:17 ip-10-0-1-23.us-west-1.compute.internal env[6226]: Started wazuh-execd...
Feb 07 11:38:18 ip-10-0-1-23.us-west-1.compute.internal env[6226]: Started wazuh-agentd...
Feb 07 11:38:19 ip-10-0-1-23.us-west-1.compute.internal env[6226]: Started wazuh-syscheckd...
Feb 07 11:38:19 ip-10-0-1-23.us-west-1.compute.internal env[6226]: Started wazuh-logcollector...
Feb 07 11:38:20 ip-10-0-1-23.us-west-1.compute.internal env[6226]: Started wazuh-modulesd...
Feb 07 11:38:22 ip-10-0-1-23.us-west-1.compute.internal env[6226]: Completed.
Feb 07 11:38:22 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
░░ Subject: A start job for unit wazuh-agent.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-agent.service has finished successfully.
░░ 
░░ The job identifier is 5593.
Feb 07 11:38:26 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
░░ Subject: A stop job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A stop job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 5862.
Feb 07 11:38:26 ip-10-0-1-23.us-west-1.compute.internal env[6737]: Killing wazuh-modulesd...
Feb 07 11:38:30 ip-10-0-1-23.us-west-1.compute.internal env[6737]: Killing wazuh-logcollector...
Feb 07 11:38:30 ip-10-0-1-23.us-west-1.compute.internal env[6737]: Killing wazuh-syscheckd...
Feb 07 11:38:30 ip-10-0-1-23.us-west-1.compute.internal env[6737]: Killing wazuh-agentd...
Feb 07 11:38:30 ip-10-0-1-23.us-west-1.compute.internal env[6737]: Killing wazuh-execd...
Feb 07 11:38:30 ip-10-0-1-23.us-west-1.compute.internal env[6737]: Wazuh v4.8.0 Stopped
Feb 07 11:38:30 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ The unit wazuh-agent.service has successfully entered the 'dead' state.
Feb 07 11:38:30 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
░░ Subject: A stop job for unit wazuh-agent.service has finished
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A stop job for unit wazuh-agent.service has finished.
░░ 
░░ The job identifier is 5862 and the job result is done.
Feb 07 11:38:30 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Consumed 3.782s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ The unit wazuh-agent.service completed and consumed the indicated resources.
Feb 07 11:38:30 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
░░ Subject: A start job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 5862.
Feb 07 11:38:30 ip-10-0-1-23.us-west-1.compute.internal env[6873]: Starting Wazuh v4.8.0...
Feb 07 11:38:31 ip-10-0-1-23.us-west-1.compute.internal env[6873]: Started wazuh-execd...
Feb 07 11:38:32 ip-10-0-1-23.us-west-1.compute.internal env[6873]: Started wazuh-agentd...
Feb 07 11:38:33 ip-10-0-1-23.us-west-1.compute.internal env[6873]: Started wazuh-syscheckd...
Feb 07 11:38:34 ip-10-0-1-23.us-west-1.compute.internal env[6873]: Started wazuh-logcollector...
Feb 07 11:38:35 ip-10-0-1-23.us-west-1.compute.internal env[6873]: Started wazuh-modulesd...
Feb 07 11:38:37 ip-10-0-1-23.us-west-1.compute.internal env[6873]: Completed.
Feb 07 11:38:37 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
░░ Subject: A start job for unit wazuh-agent.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-agent.service has finished successfully.
░░ 
░░ The job identifier is 5862.
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
░░ Subject: A stop job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A stop job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 18539.
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal env[49782]: Killing wazuh-modulesd...
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal env[49782]: Killing wazuh-logcollector...
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal env[49782]: Killing wazuh-syscheckd...
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal env[49782]: Killing wazuh-agentd...
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal env[49782]: Killing wazuh-execd...
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal env[49782]: Wazuh v4.8.0 Stopped
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ The unit wazuh-agent.service has successfully entered the 'dead' state.
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
░░ Subject: A stop job for unit wazuh-agent.service has finished
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A stop job for unit wazuh-agent.service has finished.
░░ 
░░ The job identifier is 18539 and the job result is done.
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Consumed 45.082s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ The unit wazuh-agent.service completed and consumed the indicated resources.
Feb 07 11:51:51 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
░░ Subject: A start job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 18539.
Feb 07 11:51:52 ip-10-0-1-23.us-west-1.compute.internal env[49846]: Starting Wazuh v4.8.0...
Feb 07 11:51:53 ip-10-0-1-23.us-west-1.compute.internal env[49846]: Started wazuh-execd...
Feb 07 11:51:54 ip-10-0-1-23.us-west-1.compute.internal env[49846]: Started wazuh-agentd...
Feb 07 11:51:55 ip-10-0-1-23.us-west-1.compute.internal env[49846]: Started wazuh-syscheckd...
Feb 07 11:51:56 ip-10-0-1-23.us-west-1.compute.internal env[49846]: Started wazuh-logcollector...
Feb 07 11:51:57 ip-10-0-1-23.us-west-1.compute.internal env[49846]: Started wazuh-modulesd...
Feb 07 11:51:59 ip-10-0-1-23.us-west-1.compute.internal env[49846]: Completed.
Feb 07 11:51:59 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
░░ Subject: A start job for unit wazuh-agent.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-agent.service has finished successfully.
░░ 
░░ The job identifier is 18539.
Feb 07 11:52:50 ip-10-0-1-23.us-west-1.compute.internal systemd-coredump[52170]: [🡕] Process 51572 (wazuh-syscheckd) of user 0 dumped core.
░░ Subject: Process 51572 (wazuh-syscheckd) dumped core
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ Documentation: man:core(5)
░░ 
░░ Process 51572 (wazuh-syscheckd) crashed and dumped core.
░░ 
░░ This usually indicates a programming error in the crashing program and
░░ should be reported to its vendor as a bug.
Feb 07 11:52:56 ip-10-0-1-23.us-west-1.compute.internal osqueryd[52287]: osqueryd started [version=4.4.0]
Feb 07 11:56:04 ip-10-0-1-23.us-west-1.compute.internal osqueryd[54435]: osqueryd started [version=4.4.0]
Feb 07 12:11:57 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
░░ Subject: A stop job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A stop job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 22288.
Feb 07 12:11:57 ip-10-0-1-23.us-west-1.compute.internal env[57628]: Killing wazuh-modulesd...
Feb 07 12:11:57 ip-10-0-1-23.us-west-1.compute.internal env[57628]: Killing wazuh-logcollector...
Feb 07 12:11:57 ip-10-0-1-23.us-west-1.compute.internal env[57628]: Killing wazuh-syscheckd...
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal env[57628]: Killing wazuh-agentd...
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal env[57628]: Killing wazuh-execd...
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal env[57628]: Wazuh v4.8.0 Stopped
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ The unit wazuh-agent.service has successfully entered the 'dead' state.
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Unit process 54443 (osqueryd) remains running after unit stopped.
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Unit process 57657 (wazuh-modulesd) remains running after unit stopped.
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Unit process 57658 (wazuh-modulesd) remains running after unit stopped.
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
░░ Subject: A stop job for unit wazuh-agent.service has finished
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A stop job for unit wazuh-agent.service has finished.
░░ 
░░ The job identifier is 22288 and the job result is done.
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Consumed 1min 56.752s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ The unit wazuh-agent.service completed and consumed the indicated resources.
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
░░ Subject: A start job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 22288.
Feb 07 12:11:58 ip-10-0-1-23.us-west-1.compute.internal env[57696]: Starting Wazuh v4.8.0...
Feb 07 12:11:59 ip-10-0-1-23.us-west-1.compute.internal env[57696]: Started wazuh-execd...
Feb 07 12:12:00 ip-10-0-1-23.us-west-1.compute.internal env[57696]: Started wazuh-agentd...
Feb 07 12:12:01 ip-10-0-1-23.us-west-1.compute.internal env[57696]: Started wazuh-syscheckd...
Feb 07 12:12:02 ip-10-0-1-23.us-west-1.compute.internal env[57696]: Started wazuh-logcollector...
Feb 07 12:12:02 ip-10-0-1-23.us-west-1.compute.internal osqueryd[57803]: osqueryd started [version=4.4.0]
Feb 07 12:12:03 ip-10-0-1-23.us-west-1.compute.internal env[57696]: Started wazuh-modulesd...
Feb 07 12:12:05 ip-10-0-1-23.us-west-1.compute.internal env[57696]: Completed.
Feb 07 12:12:05 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
░░ Subject: A start job for unit wazuh-agent.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-agent.service has finished successfully.
░░ 
░░ The job identifier is 22288.
Feb 07 12:17:44 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Stopping Wazuh agent...
░░ Subject: A stop job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A stop job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 25772.
Feb 07 12:17:44 ip-10-0-1-23.us-west-1.compute.internal env[60481]: Killing wazuh-modulesd...
Feb 07 12:17:44 ip-10-0-1-23.us-west-1.compute.internal env[60481]: Killing wazuh-logcollector...
Feb 07 12:17:44 ip-10-0-1-23.us-west-1.compute.internal env[60481]: Killing wazuh-syscheckd...
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal env[60481]: Killing wazuh-agentd...
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal env[60481]: Killing wazuh-execd...
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal env[60481]: Wazuh v4.8.0 Stopped
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ The unit wazuh-agent.service has successfully entered the 'dead' state.
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Unit process 57811 (osqueryd) remains running after unit stopped.
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Unit process 60516 (wazuh-modulesd) remains running after unit stopped.
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Unit process 60517 (wazuh-modulesd) remains running after unit stopped.
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Stopped Wazuh agent.
░░ Subject: A stop job for unit wazuh-agent.service has finished
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A stop job for unit wazuh-agent.service has finished.
░░ 
░░ The job identifier is 25772 and the job result is done.
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: wazuh-agent.service: Consumed 42.363s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ The unit wazuh-agent.service completed and consumed the indicated resources.
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Starting Wazuh agent...
░░ Subject: A start job for unit wazuh-agent.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-agent.service has begun execution.
░░ 
░░ The job identifier is 25772.
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Starting Wazuh v4.8.0...
Feb 07 12:17:45 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Started wazuh-execd...
Feb 07 12:17:46 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Started wazuh-agentd...
Feb 07 12:17:47 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Started wazuh-syscheckd...
Feb 07 12:17:47 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Started wazuh-logcollector...
Feb 07 12:17:47 ip-10-0-1-23.us-west-1.compute.internal osqueryd[60645]: osqueryd started [version=4.4.0]
Feb 07 12:17:48 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Started wazuh-modulesd...
Feb 07 12:17:50 ip-10-0-1-23.us-west-1.compute.internal env[60555]: Completed.
Feb 07 12:17:50 ip-10-0-1-23.us-west-1.compute.internal systemd[1]: Started Wazuh agent.
░░ Subject: A start job for unit wazuh-agent.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░ 
░░ A start job for unit wazuh-agent.service has finished successfully.
░░ 
░░ The job identifier is 25772.

Note
New issue: Abort in wazuh-syscheckd

Error Logs

[root@ip-10-0-1-23 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log |  wc -l
16

[root@ip-10-0-1-23 wazuh-user]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log
2024/02/07 11:46:43 wazuh-logcollector: WARNING: Target 'agent' message queue is full (1024). Log lines may be lost.
2024/02/07 11:52:40 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.
2024/02/07 11:52:55 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.
2024/02/07 11:52:56 wazuh-modulesd:osquery: WARNING: Results file '/var/log/osquery/osqueryd.results.log' not available: No such file or directory (2). Retrying in 1 sec.
2024/02/07 11:55:10 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:55:10 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.9]:1514/tcp': 'Connection refused'.
2024/02/07 11:55:10 wazuh-syscheckd: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 11:55:15 wazuh-logcollector: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 11:55:20 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.0.0.9]:1514/tcp': 'Connection refused'.
2024/02/07 11:55:20 wazuh-modulesd: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 11:56:03 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.
2024/02/07 12:12:01 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.
2024/02/07 12:12:37 wazuh-logcollector: WARNING: Target 'agent' message queue is full (1024). Log lines may be lost.
2024/02/07 12:12:39 wazuh-agentd: WARNING: Agent buffer at 90 %.
2024/02/07 12:12:39 wazuh-agentd: WARNING: Agent buffer is full: Events may be lost.
2024/02/07 12:17:47 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.

Note
The logs are expected because the manager was restarted at that time.

Windows 🟡

System information

C:\Users\Administrator>systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763

Agent Version

PS C:\Users\Administrator> (Get-Command "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe").FileVersionInfo
>>

ProductVersion   FileVersion      FileName
--------------   -----------      --------
v4.8.0           v4.8.0           C:\Program Files (x86)\ossec-agent\wazuh-agent.exe

Agent Status

PS C:\Users\Administrator> NET START wazuh
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

Error Logs

2024/02/07 11:48:36 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:52:29 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:53:15 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 1 sec.
2024/02/07 11:53:15 wazuh-modulesd:osquery: WARNING: The configuration file 'C:\Program Files\osquery\osquery.conf' is
not accessible: No such file or directory (2)
2024/02/07 11:53:16 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 2 sec.
2024/02/07 11:53:18 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 3 sec.
2024/02/07 11:53:21 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 4 sec.
2024/02/07 11:53:25 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 5 sec.
2024/02/07 11:53:30 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 6 sec.
2024/02/07 11:53:36 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 7 sec.
2024/02/07 11:53:43 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 8 sec.
2024/02/07 11:54:00 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 1 sec.
2024/02/07 11:54:00 wazuh-modulesd:osquery: WARNING: The configuration file 'C:\Program Files\osquery\osquery.conf' is
not accessible: No such file or directory (2)
2024/02/07 11:54:01 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 2 sec.
2024/02/07 11:54:03 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 3 sec.
2024/02/07 11:54:06 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 4 sec.
2024/02/07 11:54:10 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 5 sec.
2024/02/07 11:54:15 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 6 sec.
2024/02/07 11:54:21 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 7 sec.
2024/02/07 11:54:28 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 8 sec.
2024/02/07 11:54:36 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 9 sec.
2024/02/07 11:54:45 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 10 sec.
2024/02/07 11:54:55 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 11 sec.
2024/02/07 11:55:06 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 12 sec.
2024/02/07 11:55:10 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:55:10 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 11:55:11 wazuh-agent: ERROR: (1216): Unable to connect to '[10.0.0.9]:1514/tcp': 'No connection could be
made because the target machine actively refused it.'.
2024/02/07 11:55:18 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: Bad file descriptor (9). Retrying in 13 sec.
2024/02/07 11:55:39 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 11:55:39 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 1 sec.
2024/02/07 11:55:39 wazuh-modulesd:osquery: WARNING: The configuration file 'C:\Program Files\osquery\osquery.conf' is
not accessible: No such file or directory (2)
2024/02/07 11:55:40 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 2 sec.
2024/02/07 11:55:42 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 3 sec.
2024/02/07 11:55:45 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 4 sec.
2024/02/07 11:55:49 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 5 sec.
2024/02/07 11:55:54 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 6 sec.
2024/02/07 11:56:00 wazuh-modulesd:osquery: WARNING: Results file 'C:\Program Files\osquery\log\osqueryd.results.log'
not available: No error (0). Retrying in 7 sec.
2024/02/07 11:56:44 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 11:57:20 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:57:20 wazuh-agent: WARNING: (1218): Unable to send message to 'server': A request to send or receive
data was disallowed because the socket is not connected and (when sending on a datagram socket using a sendto call) no
address was supplied.
2024/02/07 11:57:49 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 11:58:30 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 11:58:30 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 11:58:53 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 11:59:58 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 12:01:02 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 12:01:29 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:02:08 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 12:03:12 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 12:03:40 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:03:40 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 12:04:17 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 12:05:21 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 12:06:26 wazuh-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240207.log'
due to [(3)-(The system cannot find the path specified.)].
2024/02/07 12:06:43 wazuh-modulesd:osquery: ERROR: Couldn't execute osquery (C:\Program
Files\osquery\osqueryd/osqueryd.exe). Check file and permissions. Sleeping for 10 minutes.
2024/02/07 12:09:40 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:09:40 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 12:09:59 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:09:59 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 12:10:19 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:10:19 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 12:10:49 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:11:01 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:12:10 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:12:10 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 12:12:15 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:12:42 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:12:49 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:13:10 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:14:09 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:14:09 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 12:21:29 wazuh-agent: ERROR: Connection socket: An established connection was aborted by the software in
your host machine. (10053)
2024/02/07 12:21:29 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:29:09 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.
2024/02/07 12:29:09 wazuh-agent: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/02/07 12:31:09 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.

Note
The error logs are expected; they're known issues: https://github.com/wazuh/wazuh-automation/issues/802, #13253, https://github.com/wazuh/wazuh-jenkins/issues/4867

Dashboard Logs

WazuhDashboard 🟢

System information

[root@ip-10-0-0-125 ~]# cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)

Dashboard Version

[root@ip-10-0-0-125 ~]# cat /usr/share/wazuh-dashboard/plugins/wazuh/package.json
{
  "name": "wazuh",
  "version": "4.8.0",
  "revision": "03",
  "pluginPlatform": {
    "version": "2.10.0"
  },
  "description": "Wazuh dashboard",
  "keywords": [
    "opensearch_dashboards",
    "wazuh",
    "ossec"
  ],
  "node_build": "10.23.1",
  "author": "Wazuh, Inc",
  "license": "GPL-2.0",
  "repository": {
    "type": "git",
    "url": "https://github.com/wazuh/wazuh-dashboard-plugins.git"
  },
  "bugs": {
    "url": "https://github.com/wazuh/wazuh-dashboard-plugins/issues"
  },
  "homepage": "https://www.wazuh.com/",
  "scripts": {
    "lint": "eslint {public,server,common}/**/*.{js,jsx,ts,tsx,json}",
    "lint:public": "eslint public/**/*.{js,jsx,ts,tsx,json}",
    "lint:server": "eslint server/**/*.{js,jsx,ts,tsx,json}",
    "lint:common": "eslint common/**/*.{js,jsx,ts,tsx,json}",
    "lint:fix": "eslint --fix '{public,server,common}/**/*.{js,jsx,ts,tsx,json}'",
    "format": "prettier --write '{public,server,common}/**/*.{js,jsx,ts,tsx,css,md,json}' --config ./.prettierrc",
    "kbn": "node ../../scripts/kbn",
    "es": "node ../../scripts/es",
    "start": "plugin-helpers start",
    "build": "yarn plugin-helpers build --opensearch-dashboards-version=$OPENSEARCH_DASHBOARDS_VERSION",
    "build:runner": "node scripts/runner build",
    "plugin-helpers": "node ../../scripts/plugin_helpers",
    "test:ui:runner": "node ../../scripts/functional_test_runner.js",
    "test:server": "plugin-helpers test:server",
    "test:browser": "plugin-helpers test:browser",
    "test:jest": "node scripts/jest --runInBand",
    "test:jest:runner": "node scripts/runner test",
    "generate:api-data": "node scripts/generate-api-data.js --spec https://raw.githubusercontent.com/wazuh/wazuh/$(node -e \"console.log(require('./package.json').version)\")/api/api/spec/spec.yaml --output file --output-directory common/api-info --display-configuration",
    "prebuild": "node scripts/generate-build-version"
  },
  "dependencies": {
    "angular-animate": "1.8.3",
    "angular-material": "1.2.5",
    "axios": "^1.6.1",
    "install": "^0.13.0",
    "js2xmlparser": "^5.0.0",
    "json2csv": "^4.1.2",
    "jwt-decode": "^3.1.2",
    "loglevel": "^1.7.1",
    "markdown-it-link-attributes": "^4.0.1",
    "md5": "^2.3.0",
    "needle": "^3.2.0",
    "node-cron": "^1.1.2",
    "pdfmake": "0.2.7",
    "querystring-browser": "1.0.4",
    "react-codemirror": "^1.0.0",
    "react-cookie": "^4.0.3",
    "read-last-lines": "^1.7.2",
    "timsort": "^0.3.0",
    "typescript": "^5.0.4",
    "winston": "3.9.0"
  },
  "devDependencies": {
    "@types/node-cron": "^2.0.3",
    "@typescript-eslint/eslint-plugin": "^6.2.1",
    "@typescript-eslint/parser": "^6.2.1",
    "eslint": "^8.46.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-import-resolver-typescript": "3.5.5",
    "eslint-plugin-async-await": "^0.0.0",
    "eslint-plugin-cypress": "^2.12.1",
    "eslint-plugin-filenames-simple": "^0.8.0",
    "eslint-plugin-import": "^2.28.0",
    "eslint-plugin-prettier": "^4.2.1",
    "eslint-plugin-react": "^7.31.8",
    "eslint-plugin-react-hooks": "^4.6.0",
    "prettier": "^2.7.1",
    "redux-mock-store": "^1.5.4",
    "swagger-client": "^3.19.11"
  },
  "opensearchDashboards": {
    "version": "2.10.0"
  }

Dashboard Status

[root@ip-10-0-0-125 ~]# systemctl status wazuh-dashboard -l
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-02-07 11:43:53 UTC; 20h ago
 Main PID: 19958 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─19958 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist

Feb 08 03:16:43 ip-10-0-0-125.us-west-1.compute.internal opensearch-dashboards[19958]: {"type":"response","@timestamp":"2024-02-08T03:16:43Z","tags":[],"pid":19958,"method":"get","statusCode":200,"req":{"url":"/app/login","method":"get","headers":{"host":"10.0.0.125:5601","connection":"close","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","accept":"*/*","referer":"https://54.241.135.30/","accept-encoding":"gzip"},"remoteAddress":"10.0.0.125","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","referer":"https://54.241.135.30/"},"res":{"statusCode":200,"responseTime":22,"contentLength":9},"message":"GET /app/login 200 22ms - 9.0B"}
Feb 08 03:18:01 ip-10-0-0-125.us-west-1.compute.internal opensearch-dashboards[19958]: {"type":"response","@timestamp":"2024-02-08T03:18:01Z","tags":[],"pid":19958,"method":"get","statusCode":401,"req":{"url":"/vpn/index.html","method":"get","headers":{"host":"10.0.0.125:5601","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.50","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"10.0.0.125","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.50"},"res":{"statusCode":401,"responseTime":3,"contentLength":9},"message":"GET /vpn/index.html 401 3ms - 9.0B"}
Feb 08 03:18:46 ip-10-0-0-125.us-west-1.compute.internal opensearch-dashboards[19958]: {"type":"response","@timestamp":"2024-02-08T03:18:46Z","tags":[],"pid":19958,"method":"get","statusCode":401,"req":{"url":"/geoserver/web/","method":"get","headers":{"host":"10.0.0.125:5601","connection":"close","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"10.0.0.125","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /geoserver/web/ 401 2ms - 9.0B"}
Feb 08 03:19:48 ip-10-0-0-125.us-west-1.compute.internal opensearch-dashboards[19958]: {"type":"response","@timestamp":"2024-02-08T03:19:48Z","tags":[],"pid":19958,"method":"get","statusCode":401,"req":{"url":"/.git/config","method":"get","headers":{"host":"10.0.0.125:5601","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"10.0.0.125","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /.git/config 401 2ms - 9.0B"}
Feb 08 03:41:59 ip-10-0-0-125.us-west-1.compute.internal opensearch-dashboards[19958]: {"type":"response","@timestamp":"2024-02-08T03:41:59Z","tags":[],"pid":19958,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"10.0.0.125:5601","connection":"close","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5","accept-charset":"utf-8","accept-encoding":"gzip"},"remoteAddress":"10.0.0.125","userAgent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5"},"res":{"statusCode":302,"responseTime":4,"contentLength":9},"message":"GET / 302 4ms - 9.0B"}
Feb 08 03:48:16 ip-10-0-0-125.us-west-1.compute.internal opensearch-dashboards[19958]: {"type":"response","@timestamp":"2024-02-08T03:48:16Z","tags":[],"pid":19958,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"10.0.0.125:5601","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.136 Safari/537.36","accept-charset":"utf-8","accept-encoding":"gzip"},"remoteAddress":"10.0.0.125","userAgent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.136 Safari/537.36"},"res":{"statusCode":302,"responseTime":1,"contentLength":9},"message":"GET / 302 1ms - 9.0B"}
Feb 08 04:30:25 ip-10-0-0-125.us-west-1.compute.internal opensearch-dashboards[19958]: {"type":"response","@timestamp":"2024-02-08T04:30:25Z","tags":[],"pid":19958,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"10.0.0.125:5601","connection":"close","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36","accept-charset":"utf-8","accept-encoding":"gzip"},"remoteAddress":"10.0.0.125","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET / 302 3ms - 9.0B"}
Feb 08 06:14:24 ip-10-0-0-125.us-west-1.compute.internal opensearch-dashboards[19958]: {"type":"response","@timestamp":"2024-02-08T06:14:24Z","tags":[],"pid":19958,"method":"get","statusCode":401,"req":{"url":"/autodiscover/autodiscover.json?%40zdi%2FPowershell=","method":"get","headers":{"host":"10.0.0.125:5601","connection":"close","user-agent":"Mozilla/5.0 zgrab/0.x","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"10.0.0.125","userAgent":"Mozilla/5.0 zgrab/0.x"},"res":{"statusCode":401,"responseTime":5,"contentLength":9},"message":"GET /autodiscover/autodiscover.json?%40zdi%2FPowershell= 401 5ms - 9.0B"}
Feb 08 08:14:16 ip-10-0-0-125.us-west-1.compute.internal opensearch-dashboards[19958]: {"type":"response","@timestamp":"2024-02-08T08:14:16Z","tags":[],"pid":19958,"method":"get","statusCode":401,"req":{"url":"/zabbix/favicon.ico","method":"get","headers":{"host":"10.0.0.125:5601","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"10.0.0.125","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"},"res":{"statusCode":401,"responseTime":13,"contentLength":9},"message":"GET /zabbix/favicon.ico 401 13ms - 9.0B"}
Feb 08 08:14:20 ip-10-0-0-125.us-west-1.compute.internal opensearch-dashboards[19958]: {"type":"response","@timestamp":"2024-02-08T08:14:20Z","tags":[],"pid":19958,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"10.0.0.125:5601","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36","accept":"*/*","accept-encoding":"gzip"},"remoteAddress":"10.0.0.125","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"},"res":{"statusCode":401,"responseTime":3,"contentLength":9},"message":"GET /favicon.ico 401 3ms - 9.0B"}

Dashboard Service Status

[root@ip-10-0-0-125 ~]# journalctl -xe -u wazuh-dashboard.service --no-pager | egrep "statusCode\"\:5[0-9][0-9]" | wc -l
0

Error Logs

[root@ip-10-0-0-125 ~]# egrep -i "err|warn" /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log |wc -l
0

Indexer Logs

IndexerBootstrap 🔴

System information

[root@ip-10-0-2-26 ~]# cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)

Agent Status

[root@ip-10-0-2-26 ~]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-02-07 11:19:45 UTC; 21h ago
     Docs: https://documentation.wazuh.com
 Main PID: 12238 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─12238 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-513617984995903942 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.MasterService.runTasks(MasterService.java:295)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.MasterService$Batcher.run(MasterService.java:206)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:204)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:242)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:849)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:282)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:245)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.lang.Thread.run(Thread.java:833)

Service Status

[root@ip-10-0-2-26 ~]# journalctl -xe -u wazuh-indexer.service --no-pager
-- Logs begin at Wed 2024-02-07 11:05:19 UTC, end at Thu 2024-02-08 08:35:50 UTC. --
Feb 07 11:18:01 ip-10-0-2-26.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Feb 07 11:18:03 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[10456]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:18:03 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[10456]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:18:03 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[10456]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 07 11:18:03 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[10456]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:18:05 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[10456]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:18:05 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[10456]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:18:05 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[10456]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 07 11:18:05 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[10456]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:18:24 ip-10-0-2-26.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
Feb 07 11:19:21 ip-10-0-2-26.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
Feb 07 11:19:21 ip-10-0-2-26.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished shutting down.
Feb 07 11:19:21 ip-10-0-2-26.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Feb 07 11:19:24 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:19:24 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:19:24 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 07 11:19:24 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:19:26 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:19:26 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:19:26 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 07 11:19:26 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:19:45 ip-10-0-2-26.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2168)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2122)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2105)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:2003)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1870)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1412)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.metadata.MetadataUpdateSettingsService$1.execute(MetadataUpdateSettingsService.java:256)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:65)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.MasterService.executeTasks(MasterService.java:874)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.MasterService.calculateTaskOutputs(MasterService.java:424)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.MasterService.runTasks(MasterService.java:295)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.MasterService$Batcher.run(MasterService.java:206)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:204)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:242)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:849)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:282)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:245)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.lang.Thread.run(Thread.java:833)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2168)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2122)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2105)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:2003)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1870)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1412)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.metadata.MetadataUpdateSettingsService$1.execute(MetadataUpdateSettingsService.java:256)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:65)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.MasterService.executeTasks(MasterService.java:874)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.MasterService.calculateTaskOutputs(MasterService.java:424)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.MasterService.runTasks(MasterService.java:295)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.MasterService$Batcher.run(MasterService.java:206)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:204)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:242)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:849)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:282)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:245)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:00:01 ip-10-0-2-26.us-west-1.compute.internal systemd-entrypoint[12238]: at java.base/java.lang.Thread.run(Thread.java:833)

Note
The "ERROR StatusConsoleListener Could not define attribute view on path" message is still present.
Reported previously: wazuh/wazuh-packages#2685

Error Logs

[root@ip-10-0-2-26 ~]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log | wc -l
2

[root@ip-10-0-2-26 ~]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log
[2024-02-09T11:20:15,519][ERROR][o.o.a.a.AlertIndices     ] [node-3] info deleteOldIndices
[2024-02-09T11:20:15,519][ERROR][o.o.a.a.AlertIndices     ] [node-3] info deleteOldIndices

[root@ip-10-0-2-26 wazuh-indexer]# zgrep -i "ERROR\|WARNING" wazuh-2024-02-07-1.log.gz | wc -l
29

[root@ip-10-0-2-26 wazuh-indexer]# zgrep -i "ERROR\|WARNING" wazuh-2024-02-08-1.log.gz | wc -l
5

Notes
I can't show all the log output because of the space limit of the comment, but I will comment on all of them below:
In relation to: [2024-02-09T11:20:15,519][ERROR][o.o.a.a.AlertIndices ] [node-3] info deleteOldIndices
Known issue: wazuh/wazuh-packages#2094

In relation to:
2024-02-07T11:18:05,408][INFO ][o.o.n.Node ] [node-3] JVM arguments
[2024-02-07T11:18:16,783][ERROR][o.o.s.a.s.SinkProvider ] [node-3] Default endpoint could not be created, auditlog will not work properly.
[2024-02-07T11:18:25,322][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-3] Failure no such index
[2024-02-07T11:18:48,320][ERROR][o.o.s.a.BackendRegistry ] [node-3] Not yet initialized (you may need to run securityadmin)
2024-02-07T11:19:04,633][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-3] Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed
[2024-02-07T11:19:38,293][ERROR][o.o.s.a.s.SinkProvider ] [node-3] Default endpoint could not be created, auditlog will not work properly.
New issue: #21861

IndexerMasterB 🔴

System information

[root@ip-10-0-2-119 ~]# cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)

Agent Status

[root@ip-10-0-2-119 ~]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-02-07 11:20:40 UTC; 21h ago
     Docs: https://documentation.wazuh.com
 Main PID: 12396 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─12396 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-18329875161433841309 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:298)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:239)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.lang.Thread.run(Thread.java:833)

Service Status

[root@ip-10-0-2-119 ~]# journalctl -xe -u wazuh-indexer.service --no-pager
-- Logs begin at Wed 2024-02-07 11:05:19 UTC, end at Thu 2024-02-08 08:40:27 UTC. --
Feb 07 11:18:05 ip-10-0-2-119.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Feb 07 11:18:07 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[10613]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:18:07 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[10613]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:18:07 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[10613]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 07 11:18:07 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[10613]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:18:09 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[10613]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:18:09 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[10613]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:18:09 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[10613]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 07 11:18:09 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[10613]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:18:29 ip-10-0-2-119.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
Feb 07 11:20:15 ip-10-0-2-119.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
Feb 07 11:20:15 ip-10-0-2-119.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished shutting down.
Feb 07 11:20:15 ip-10-0-2-119.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Feb 07 11:20:18 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:20:18 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:20:18 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 07 11:20:18 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:20:20 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:20:20 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:20:20 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 07 11:20:20 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:20:40 ip-10-0-2-119.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2168)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2122)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2105)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:1980)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1946)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1283)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:298)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:239)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.lang.Thread.run(Thread.java:833)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2168)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2122)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2105)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:1980)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1946)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1283)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:298)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:239)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:00:39 ip-10-0-2-119.us-west-1.compute.internal systemd-entrypoint[12396]: at java.base/java.lang.Thread.run(Thread.java:833)

Note
The "ERROR StatusConsoleListener Could not define attribute view on path" message is still present.
Reported previously: wazuh/wazuh-packages#2685

Error Logs

[root@ip-10-0-2-119 ~]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log | wc -l
0

[root@ip-10-0-2-119 wazuh-indexer]# grep -i "ERROR\|WARNING" wazuh-2024-02-07-1.log | wc -l
24

[root@ip-10-0-2-119 wazuh-indexer]# zgrep -i "ERROR\|WARNING" wazuh-2024-02-08-1.log.gz | wc -l
11

Notes
I can't show all the log output because of the space limit of the comment, but I will comment on all of them below:
In relation to:
ERROR][o.o.a.u.AlertingException] [node-1] Alerting error: [.opendistro-alerting-config] IndexNotFoundException[no such index [.opendistro-alerting-config]]
ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
Known issue: wazuh/wazuh-packages#1489

In relation to:
[2024-02-07T11:18:09,835][INFO ][o.o.n.Node ] [node-1] JVM arguments
[2024-02-07T11:18:22,371][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
2024-02-07T11:18:29,164][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index
New issue: #21861

IndexerMasterC 🔴

System information

[root@ip-10-0-2-91 ~]# cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)

Agent Status

[root@ip-10-0-2-91 ~]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-02-07 11:20:11 UTC; 21h ago
     Docs: https://documentation.wazuh.com
 Main PID: 12290 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─12290 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-18236833073149930256 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:298)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:239)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.lang.Thread.run(Thread.java:833)

Service Status

[root@ip-10-0-2-91 ~]# journalctl -xe -u wazuh-indexer.service --no-pager
-- Logs begin at Wed 2024-02-07 11:05:18 UTC, end at Thu 2024-02-08 08:58:14 UTC. --
Feb 07 11:18:02 ip-10-0-2-91.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Feb 07 11:18:04 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[10506]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:18:04 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[10506]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:18:04 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[10506]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 07 11:18:04 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[10506]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:18:06 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[10506]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:18:06 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[10506]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:18:06 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[10506]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 07 11:18:06 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[10506]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:18:24 ip-10-0-2-91.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
Feb 07 11:19:47 ip-10-0-2-91.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
Feb 07 11:19:48 ip-10-0-2-91.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished shutting down.
Feb 07 11:19:48 ip-10-0-2-91.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Feb 07 11:19:50 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:19:50 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:19:50 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 07 11:19:50 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:19:52 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:19:52 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:19:52 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 07 11:19:52 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:20:11 ip-10-0-2-91.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2168)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2122)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2105)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:1980)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1946)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1283)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:298)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:239)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.lang.Thread.run(Thread.java:833)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2168)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2122)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2105)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:1980)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1946)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1283)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:298)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:239)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:00:09 ip-10-0-2-91.us-west-1.compute.internal systemd-entrypoint[12290]: at java.base/java.lang.Thread.run(Thread.java:833)

Note
The "ERROR StatusConsoleListener Could not define attribute view on path" message is still present.
Reported previously: wazuh/wazuh-packages#2685

Error Logs

[root@ip-10-0-2-91 ~]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log | wc -l
0

[root@ip-10-0-2-91 wazuh-indexer]# zgrep -i "ERROR\|WARNING" wazuh-2024-02-07-1.log.gz | wc -l
31

[root@ip-10-0-2-91 wazuh-indexer]# zgrep -i "ERROR\|WARNING" wazuh-2024-02-08-1.log.gz | wc -l
1

Notes
I can't show all the log output because of the space limit of the comment, but I will comment on all of them below:
In relation to:
ERROR][o.o.a.u.AlertingException] [node-1] Alerting error: [.opendistro-alerting-config] IndexNotFoundException[no such index [.opendistro-alerting-config]]
ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
Known issue: wazuh/wazuh-packages#1489

In relation to:
[2024-02-07T11:19:47,913][ERROR][i.n.u.c.D.rejectedExecution] [node-2] Failed to submit a listener notification task. Event loop shut down?
Known issue: elastic/elasticsearch#27226

In relation to:
[2024-02-07T11:18:06,716][INFO ][o.o.n.Node ] [node-2] JVM arguments
[2024-02-07T11:18:17,887][ERROR][o.o.s.a.s.SinkProvider ] [node-2] Default endpoint could not be created, auditlog will not work properly.
[2024-02-07T11:18:25,176][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-2] Failure no such index
[2024-02-07T11:18:48,466][ERROR][o.o.s.a.BackendRegistry ] [node-2] Not yet initialized (you may need to run securityadmin)
New issue: #21861

WazuhDashboard 🔴

Indexer Status

[root@ip-10-0-0-125 ~]# systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-02-07 11:27:08 UTC; 21h ago
     Docs: https://documentation.wazuh.com
 Main PID: 14645 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─14645 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-6516938638533931987 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:298)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:239)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.lang.Thread.run(Thread.java:833)

Service Status

[root@ip-10-0-0-125 ~]# journalctl -xe -u wazuh-indexer.service --no-pager
-- Logs begin at Wed 2024-02-07 11:05:18 UTC, end at Thu 2024-02-08 09:14:13 UTC. --
Feb 07 11:23:24 ip-10-0-0-125.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Feb 07 11:23:27 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[10421]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:23:27 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[10421]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:23:27 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[10421]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 07 11:23:27 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[10421]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:23:29 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[10421]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:23:29 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[10421]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:23:29 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[10421]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 07 11:23:29 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[10421]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:23:47 ip-10-0-0-125.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
Feb 07 11:26:42 ip-10-0-0-125.us-west-1.compute.internal systemd[1]: Stopping Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun shutting down.
Feb 07 11:26:43 ip-10-0-0-125.us-west-1.compute.internal systemd[1]: Stopped Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished shutting down.
Feb 07 11:26:43 ip-10-0-0-125.us-west-1.compute.internal systemd[1]: Starting Wazuh-indexer...
-- Subject: Unit wazuh-indexer.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has begun starting up.
Feb 07 11:26:47 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:26:47 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:26:47 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 07 11:26:47 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:26:49 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 07 11:26:49 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 07 11:26:49 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 07 11:26:49 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: WARNING: System::setSecurityManager will be removed in a future release
Feb 07 11:27:08 ip-10-0-0-125.us-west-1.compute.internal systemd[1]: Started Wazuh-indexer.
-- Subject: Unit wazuh-indexer.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-indexer.service has finished starting up.
--
-- The start-up result is done.
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2168)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2122)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2105)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:1980)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1946)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1283)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:298)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:239)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.lang.Thread.run(Thread.java:833)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2168)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2122)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2105)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:1980)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1946)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1283)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:298)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:239)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 08 00:02:07 ip-10-0-0-125.us-west-1.compute.internal systemd-entrypoint[14645]: at java.base/java.lang.Thread.run(Thread.java:833)

Note
The "ERROR StatusConsoleListener Could not define attribute view on path" message is still present.
Reported previously: wazuh/wazuh-packages#2685

Error Logs

[root@ip-10-0-0-125 ~]# egrep -i "ERROR|WARNING" /var/log/wazuh-indexer/wazuh.log | wc -l
0

[root@ip-10-0-0-125 wazuh-indexer]# zgrep -i "ERROR\|WARNING" wazuh-2024-02-07-1.log.gz | wc -l
4

[root@ip-10-0-0-125 wazuh-indexer]# zgrep -i "ERROR\|WARNING" wazuh-2024-02-08-1.log.gz | wc -l
0

Notes
I can't show all the log output because of the comment's space limit, but I will comment on all of them below:
In relation to:
[2024-02-07T11:23:29,230][INFO ][o.o.n.Node ] [node-7] JVM arguments
[2024-02-07T11:23:40,902][ERROR][o.o.s.a.s.SinkProvider ] [node-7] Default endpoint could not be created, auditlog will not work properly.
New issue: #21861

Manager Logs

WazuhMasterEnv1 🔴

System Information

[root@wazuh-manager-master-0 ~]# cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)

Manager Version

[root@wazuh-manager-master-0 ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="server"

Manager Status

[root@wazuh-manager-master-0 ~]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (exited) since Wed 2024-02-07 11:31:44 UTC; 21h ago
  Process: 15453 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 15602 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)

Feb 07 11:31:37 wazuh-manager-master-0 env[15602]: Started wazuh-syscheckd...
Feb 07 11:31:38 wazuh-manager-master-0 env[15602]: Started wazuh-remoted...
Feb 07 11:31:39 wazuh-manager-master-0 env[15602]: Started wazuh-logcollector...
Feb 07 11:31:40 wazuh-manager-master-0 env[15602]: Started wazuh-monitord...
Feb 07 11:31:40 wazuh-manager-master-0 env[15602]: 2024/02/07 11:31:40 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:31:40 wazuh-manager-master-0 env[15602]: 2024/02/07 11:31:40 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:31:41 wazuh-manager-master-0 env[15602]: Started wazuh-modulesd...
Feb 07 11:31:42 wazuh-manager-master-0 env[15602]: Started wazuh-clusterd...
Feb 07 11:31:44 wazuh-manager-master-0 env[15602]: Completed.
Feb 07 11:31:44 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.

Module Status

[root@wazuh-manager-master-0 ~]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Service Status

[root@wazuh-manager-master-0 ~]# journalctl -xe -u wazuh-manager.service --no-pager
-- Logs begin at Wed 2024-02-07 11:05:24 UTC, end at Thu 2024-02-08 09:18:15 UTC. --
Feb 07 11:29:56 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Feb 07 11:29:58 wazuh-manager-master-0 env[11342]: 2024/02/07 11:29:58 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:29:58 wazuh-manager-master-0 env[11342]: 2024/02/07 11:29:58 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:29:58 wazuh-manager-master-0 env[11342]: Starting Wazuh v4.8.0...
Feb 07 11:30:01 wazuh-manager-master-0 env[11342]: Started wazuh-apid...
Feb 07 11:30:01 wazuh-manager-master-0 env[11342]: Started wazuh-csyslogd...
Feb 07 11:30:01 wazuh-manager-master-0 env[11342]: Started wazuh-dbd...
Feb 07 11:30:01 wazuh-manager-master-0 env[11342]: 2024/02/07 11:30:01 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Feb 07 11:30:01 wazuh-manager-master-0 env[11342]: Started wazuh-integratord...
Feb 07 11:30:01 wazuh-manager-master-0 env[11342]: Started wazuh-agentlessd...
Feb 07 11:30:02 wazuh-manager-master-0 env[11342]: Started wazuh-authd...
Feb 07 11:30:03 wazuh-manager-master-0 env[11342]: Started wazuh-db...
Feb 07 11:30:04 wazuh-manager-master-0 env[11342]: Started wazuh-execd...
Feb 07 11:30:05 wazuh-manager-master-0 env[11342]: Started wazuh-analysisd...
Feb 07 11:30:06 wazuh-manager-master-0 env[11342]: Started wazuh-syscheckd...
Feb 07 11:30:08 wazuh-manager-master-0 env[11342]: Started wazuh-remoted...
Feb 07 11:30:09 wazuh-manager-master-0 env[11342]: Started wazuh-logcollector...
Feb 07 11:30:10 wazuh-manager-master-0 env[11342]: Started wazuh-monitord...
Feb 07 11:30:10 wazuh-manager-master-0 env[11342]: 2024/02/07 11:30:10 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:30:10 wazuh-manager-master-0 env[11342]: 2024/02/07 11:30:10 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:30:11 wazuh-manager-master-0 env[11342]: Started wazuh-modulesd...
Feb 07 11:30:12 wazuh-manager-master-0 env[11342]: Started wazuh-clusterd...
Feb 07 11:30:14 wazuh-manager-master-0 env[11342]: Completed.
Feb 07 11:30:14 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
Feb 07 11:31:24 wazuh-manager-master-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun shutting down.
Feb 07 11:31:24 wazuh-manager-master-0 env[15453]: Killing wazuh-clusterd...
Feb 07 11:31:24 wazuh-manager-master-0 env[15453]: Killing wazuh-modulesd...
Feb 07 11:31:24 wazuh-manager-master-0 env[15453]: Killing wazuh-monitord...
Feb 07 11:31:24 wazuh-manager-master-0 env[15453]: Killing wazuh-logcollector...
Feb 07 11:31:25 wazuh-manager-master-0 env[15453]: Killing wazuh-remoted...
Feb 07 11:31:25 wazuh-manager-master-0 env[15453]: Killing wazuh-syscheckd...
Feb 07 11:31:25 wazuh-manager-master-0 env[15453]: Killing wazuh-analysisd...
Feb 07 11:31:25 wazuh-manager-master-0 env[15453]: wazuh-maild not running...
Feb 07 11:31:25 wazuh-manager-master-0 env[15453]: Killing wazuh-execd...
Feb 07 11:31:25 wazuh-manager-master-0 env[15453]: Killing wazuh-db...
Feb 07 11:31:26 wazuh-manager-master-0 env[15453]: Killing wazuh-authd...
Feb 07 11:31:27 wazuh-manager-master-0 env[15453]: wazuh-agentlessd not running...
Feb 07 11:31:27 wazuh-manager-master-0 env[15453]: wazuh-integratord not running...
Feb 07 11:31:27 wazuh-manager-master-0 env[15453]: wazuh-dbd not running...
Feb 07 11:31:27 wazuh-manager-master-0 env[15453]: wazuh-csyslogd not running...
Feb 07 11:31:27 wazuh-manager-master-0 env[15453]: Killing wazuh-apid...
Feb 07 11:31:27 wazuh-manager-master-0 env[15453]: Wazuh v4.8.0 Stopped
Feb 07 11:31:27 wazuh-manager-master-0 systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished shutting down.
Feb 07 11:31:27 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Feb 07 11:31:29 wazuh-manager-master-0 env[15602]: 2024/02/07 11:31:29 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:31:29 wazuh-manager-master-0 env[15602]: 2024/02/07 11:31:29 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:31:29 wazuh-manager-master-0 env[15602]: Starting Wazuh v4.8.0...
Feb 07 11:31:31 wazuh-manager-master-0 env[15602]: Started wazuh-apid...
Feb 07 11:31:31 wazuh-manager-master-0 env[15602]: Started wazuh-csyslogd...
Feb 07 11:31:32 wazuh-manager-master-0 env[15602]: Started wazuh-dbd...
Feb 07 11:31:32 wazuh-manager-master-0 env[15602]: 2024/02/07 11:31:32 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Feb 07 11:31:32 wazuh-manager-master-0 env[15602]: Started wazuh-integratord...
Feb 07 11:31:32 wazuh-manager-master-0 env[15602]: Started wazuh-agentlessd...
Feb 07 11:31:33 wazuh-manager-master-0 env[15602]: Started wazuh-authd...
Feb 07 11:31:34 wazuh-manager-master-0 env[15602]: Started wazuh-db...
Feb 07 11:31:35 wazuh-manager-master-0 env[15602]: Started wazuh-execd...
Feb 07 11:31:36 wazuh-manager-master-0 env[15602]: Started wazuh-analysisd...
Feb 07 11:31:37 wazuh-manager-master-0 env[15602]: Started wazuh-syscheckd...
Feb 07 11:31:38 wazuh-manager-master-0 env[15602]: Started wazuh-remoted...
Feb 07 11:31:39 wazuh-manager-master-0 env[15602]: Started wazuh-logcollector...
Feb 07 11:31:40 wazuh-manager-master-0 env[15602]: Started wazuh-monitord...
Feb 07 11:31:40 wazuh-manager-master-0 env[15602]: 2024/02/07 11:31:40 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:31:40 wazuh-manager-master-0 env[15602]: 2024/02/07 11:31:40 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:31:41 wazuh-manager-master-0 env[15602]: Started wazuh-modulesd...
Feb 07 11:31:42 wazuh-manager-master-0 env[15602]: Started wazuh-clusterd...
Feb 07 11:31:44 wazuh-manager-master-0 env[15602]: Completed.
Feb 07 11:31:44 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.

Error logs

[root@wazuh-manager-master-0 Feb]# egrep -i "ERROR|WARNING" ossec-07.log | wc -l
287

[root@wazuh-manager-master-0 Feb]# zgrep -i "ERROR\|WARNING" ossec-08.log.gz | wc -l
10

[root@wazuh-manager-master-0 ~]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log |  wc -l
10

[root@wazuh-manager-master-0 ~]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log  | wc -l
0

Notes
I can't show all the log output because of the space of the commentary, but I will comment on all of them below:
In relation to: indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after X seconds.
New issue: #21829

In relation to: wazuh-modulesd:vulnerability-scanner: WARNING: Failed to scan package''
Known issue: https://github.com/wazuh/intelligence-platform/issues/1334

In relation to: wazuh-remoted: WARNING: Agent key already in use: agent ID '004'
Known issue: https://github.com/wazuh/wazuh-jenkins/issues/4867

In relation to: wazuh-remoted: WARNING: Unexpected message (hex)' wazuh-remoted: WARNING: Too big message size from socket
Known issue: #17596

In relation to: wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '004' at 'any'. wazuh-remoted: WARNING: Decrypt the message fail, socket 38
Known issue: #21297

In relation to: wazuh-modulesd:aws-s3: WARNING: Interval overtaken.
Known issue: #21467

Filebeat Output

[root@wazuh-manager-master-0 ~]# filebeat test output
elasticsearch: https://10.0.2.119:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.119
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.91:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.91
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.26:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.26
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
WazuhMasterEnv2 🔴

System information

[root@wazuh-manager-master-0 ~]# cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)

Manager Version

[root@wazuh-manager-master-0 ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="server"

Agent Status

[root@wazuh-manager-master-0 ~]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (exited) since Wed 2024-02-07 11:32:13 UTC; 22h ago
  Process: 15420 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 15581 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)

Feb 07 11:32:06 wazuh-manager-master-0 env[15581]: Started wazuh-syscheckd...
Feb 07 11:32:07 wazuh-manager-master-0 env[15581]: Started wazuh-remoted...
Feb 07 11:32:08 wazuh-manager-master-0 env[15581]: Started wazuh-logcollector...
Feb 07 11:32:09 wazuh-manager-master-0 env[15581]: Started wazuh-monitord...
Feb 07 11:32:09 wazuh-manager-master-0 env[15581]: 2024/02/07 11:32:09 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:32:09 wazuh-manager-master-0 env[15581]: 2024/02/07 11:32:09 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:32:10 wazuh-manager-master-0 env[15581]: Started wazuh-modulesd...
Feb 07 11:32:11 wazuh-manager-master-0 env[15581]: Started wazuh-clusterd...
Feb 07 11:32:13 wazuh-manager-master-0 env[15581]: Completed.
Feb 07 11:32:13 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.

Module Status

[root@wazuh-manager-master-0 ~]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Service Status

[root@wazuh-manager-master-0 ~]# journalctl -xe -u wazuh-manager.service --no-pager
-- Logs begin at Wed 2024-02-07 11:05:18 UTC, end at Thu 2024-02-08 10:12:46 UTC. --
Feb 07 11:30:05 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Feb 07 11:30:07 wazuh-manager-master-0 env[11360]: 2024/02/07 11:30:07 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:30:07 wazuh-manager-master-0 env[11360]: 2024/02/07 11:30:07 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:30:08 wazuh-manager-master-0 env[11360]: Starting Wazuh v4.8.0...
Feb 07 11:30:11 wazuh-manager-master-0 env[11360]: Started wazuh-apid...
Feb 07 11:30:11 wazuh-manager-master-0 env[11360]: Started wazuh-csyslogd...
Feb 07 11:30:11 wazuh-manager-master-0 env[11360]: Started wazuh-dbd...
Feb 07 11:30:11 wazuh-manager-master-0 env[11360]: 2024/02/07 11:30:11 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Feb 07 11:30:11 wazuh-manager-master-0 env[11360]: Started wazuh-integratord...
Feb 07 11:30:11 wazuh-manager-master-0 env[11360]: Started wazuh-agentlessd...
Feb 07 11:30:12 wazuh-manager-master-0 env[11360]: Started wazuh-authd...
Feb 07 11:30:13 wazuh-manager-master-0 env[11360]: Started wazuh-db...
Feb 07 11:30:14 wazuh-manager-master-0 env[11360]: Started wazuh-execd...
Feb 07 11:30:16 wazuh-manager-master-0 env[11360]: Started wazuh-analysisd...
Feb 07 11:30:17 wazuh-manager-master-0 env[11360]: Started wazuh-syscheckd...
Feb 07 11:30:18 wazuh-manager-master-0 env[11360]: Started wazuh-remoted...
Feb 07 11:30:19 wazuh-manager-master-0 env[11360]: Started wazuh-logcollector...
Feb 07 11:30:20 wazuh-manager-master-0 env[11360]: Started wazuh-monitord...
Feb 07 11:30:20 wazuh-manager-master-0 env[11360]: 2024/02/07 11:30:20 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:30:20 wazuh-manager-master-0 env[11360]: 2024/02/07 11:30:20 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:30:21 wazuh-manager-master-0 env[11360]: Started wazuh-modulesd...
Feb 07 11:30:22 wazuh-manager-master-0 env[11360]: Started wazuh-clusterd...
Feb 07 11:30:24 wazuh-manager-master-0 env[11360]: Completed.
Feb 07 11:30:24 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
Feb 07 11:31:51 wazuh-manager-master-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun shutting down.
Feb 07 11:31:51 wazuh-manager-master-0 env[15420]: Killing wazuh-clusterd...
Feb 07 11:31:51 wazuh-manager-master-0 env[15420]: Killing wazuh-modulesd...
Feb 07 11:31:51 wazuh-manager-master-0 env[15420]: Killing wazuh-monitord...
Feb 07 11:31:52 wazuh-manager-master-0 env[15420]: Killing wazuh-logcollector...
Feb 07 11:31:52 wazuh-manager-master-0 env[15420]: Killing wazuh-remoted...
Feb 07 11:31:52 wazuh-manager-master-0 env[15420]: Killing wazuh-syscheckd...
Feb 07 11:31:52 wazuh-manager-master-0 env[15420]: Killing wazuh-analysisd...
Feb 07 11:31:52 wazuh-manager-master-0 env[15420]: wazuh-maild not running...
Feb 07 11:31:52 wazuh-manager-master-0 env[15420]: Killing wazuh-execd...
Feb 07 11:31:52 wazuh-manager-master-0 env[15420]: Killing wazuh-db...
Feb 07 11:31:53 wazuh-manager-master-0 env[15420]: Killing wazuh-authd...
Feb 07 11:31:55 wazuh-manager-master-0 env[15420]: wazuh-agentlessd not running...
Feb 07 11:31:55 wazuh-manager-master-0 env[15420]: wazuh-integratord not running...
Feb 07 11:31:55 wazuh-manager-master-0 env[15420]: wazuh-dbd not running...
Feb 07 11:31:55 wazuh-manager-master-0 env[15420]: wazuh-csyslogd not running...
Feb 07 11:31:55 wazuh-manager-master-0 env[15420]: Killing wazuh-apid...
Feb 07 11:31:55 wazuh-manager-master-0 env[15420]: Wazuh v4.8.0 Stopped
Feb 07 11:31:55 wazuh-manager-master-0 systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished shutting down.
Feb 07 11:31:55 wazuh-manager-master-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Feb 07 11:31:57 wazuh-manager-master-0 env[15581]: 2024/02/07 11:31:57 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:31:57 wazuh-manager-master-0 env[15581]: 2024/02/07 11:31:57 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:31:57 wazuh-manager-master-0 env[15581]: Starting Wazuh v4.8.0...
Feb 07 11:32:00 wazuh-manager-master-0 env[15581]: Started wazuh-apid...
Feb 07 11:32:00 wazuh-manager-master-0 env[15581]: Started wazuh-csyslogd...
Feb 07 11:32:00 wazuh-manager-master-0 env[15581]: Started wazuh-dbd...
Feb 07 11:32:00 wazuh-manager-master-0 env[15581]: 2024/02/07 11:32:00 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Feb 07 11:32:00 wazuh-manager-master-0 env[15581]: Started wazuh-integratord...
Feb 07 11:32:00 wazuh-manager-master-0 env[15581]: Started wazuh-agentlessd...
Feb 07 11:32:01 wazuh-manager-master-0 env[15581]: Started wazuh-authd...
Feb 07 11:32:02 wazuh-manager-master-0 env[15581]: Started wazuh-db...
Feb 07 11:32:03 wazuh-manager-master-0 env[15581]: Started wazuh-execd...
Feb 07 11:32:04 wazuh-manager-master-0 env[15581]: Started wazuh-analysisd...
Feb 07 11:32:06 wazuh-manager-master-0 env[15581]: Started wazuh-syscheckd...
Feb 07 11:32:07 wazuh-manager-master-0 env[15581]: Started wazuh-remoted...
Feb 07 11:32:08 wazuh-manager-master-0 env[15581]: Started wazuh-logcollector...
Feb 07 11:32:09 wazuh-manager-master-0 env[15581]: Started wazuh-monitord...
Feb 07 11:32:09 wazuh-manager-master-0 env[15581]: 2024/02/07 11:32:09 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:32:09 wazuh-manager-master-0 env[15581]: 2024/02/07 11:32:09 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:32:10 wazuh-manager-master-0 env[15581]: Started wazuh-modulesd...
Feb 07 11:32:11 wazuh-manager-master-0 env[15581]: Started wazuh-clusterd...
Feb 07 11:32:13 wazuh-manager-master-0 env[15581]: Completed.
Feb 07 11:32:13 wazuh-manager-master-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.

Error Logs

[root@wazuh-manager-master-0 Feb]# zgrep -i "ERROR\|WARNING" ossec-07.log.gz | wc -l
214

[root@wazuh-manager-master-0 Feb]# zgrep -i "ERROR\|WARNING" ossec-08.log.gz | wc -l
0

[root@wazuh-manager-master-0 ~]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log |  wc -l
0

[root@wazuh-manager-master-0 ~]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log  | wc -l
0

Notes
I can't show all the log output because of the space of the commentary, but I will comment on all of them below:
In relation to: indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after X seconds.
New issue: #21829

In relation to: wazuh-modulesd:vulnerability-scanner: WARNING: Failed to scan package''
Known issue: https://github.com/wazuh/intelligence-platform/issues/1334

In relation to: wazuh-remoted: WARNING: Unexpected message (hex)' wazuh-remoted: WARNING: Too big message size from socket
Known issue: #17596

In relation to: wazuh-modulesd:aws-s3: WARNING: Interval overtaken.
Known issue: #21467

Filebeat Output

[root@wazuh-manager-master-0 ~]# filebeat test output
elasticsearch: https://10.0.2.119:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.119
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.91:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.91
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.26:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.26
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
WazuhWorker 🔴

System information

[root@wazuh-manager-worker-0 ~]# cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)

Manager Version

[root@wazuh-manager-worker-0 ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40803"
WAZUH_TYPE="server"

Agent Status

[root@wazuh-manager-worker-0 ~]# systemctl status wazuh-manager -l
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (exited) since Wed 2024-02-07 11:36:41 UTC; 22h ago
  Process: 15125 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 15258 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)

Feb 07 11:36:34 wazuh-manager-worker-0 env[15258]: Started wazuh-syscheckd...
Feb 07 11:36:35 wazuh-manager-worker-0 env[15258]: Started wazuh-remoted...
Feb 07 11:36:36 wazuh-manager-worker-0 env[15258]: Started wazuh-logcollector...
Feb 07 11:36:37 wazuh-manager-worker-0 env[15258]: Started wazuh-monitord...
Feb 07 11:36:37 wazuh-manager-worker-0 env[15258]: 2024/02/07 11:36:37 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:36:37 wazuh-manager-worker-0 env[15258]: 2024/02/07 11:36:37 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:36:38 wazuh-manager-worker-0 env[15258]: Started wazuh-modulesd...
Feb 07 11:36:39 wazuh-manager-worker-0 env[15258]: Started wazuh-clusterd...
Feb 07 11:36:41 wazuh-manager-worker-0 env[15258]: Completed.
Feb 07 11:36:41 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.

Module Status

[root@wazuh-manager-worker-0 ~]# /var/ossec/bin/wazuh-control status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd not running...
wazuh-agentlessd not running...
wazuh-integratord is running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Service Status

[root@wazuh-manager-worker-0 ~]# journalctl -xe -u wazuh-manager.service --no-pager
-- Logs begin at Wed 2024-02-07 11:05:19 UTC, end at Thu 2024-02-08 10:22:25 UTC. --
Feb 07 11:34:53 wazuh-manager-worker-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Feb 07 11:34:55 wazuh-manager-worker-0 env[11105]: 2024/02/07 11:34:55 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:34:55 wazuh-manager-worker-0 env[11105]: 2024/02/07 11:34:55 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:34:56 wazuh-manager-worker-0 env[11105]: Starting Wazuh v4.8.0...
Feb 07 11:34:59 wazuh-manager-worker-0 env[11105]: Started wazuh-apid...
Feb 07 11:34:59 wazuh-manager-worker-0 env[11105]: Started wazuh-csyslogd...
Feb 07 11:34:59 wazuh-manager-worker-0 env[11105]: Started wazuh-dbd...
Feb 07 11:34:59 wazuh-manager-worker-0 env[11105]: 2024/02/07 11:34:59 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Feb 07 11:34:59 wazuh-manager-worker-0 env[11105]: Started wazuh-integratord...
Feb 07 11:34:59 wazuh-manager-worker-0 env[11105]: Started wazuh-agentlessd...
Feb 07 11:35:00 wazuh-manager-worker-0 env[11105]: Started wazuh-db...
Feb 07 11:35:01 wazuh-manager-worker-0 env[11105]: Started wazuh-execd...
Feb 07 11:35:02 wazuh-manager-worker-0 env[11105]: Started wazuh-analysisd...
Feb 07 11:35:03 wazuh-manager-worker-0 env[11105]: Started wazuh-syscheckd...
Feb 07 11:35:04 wazuh-manager-worker-0 env[11105]: Started wazuh-remoted...
Feb 07 11:35:05 wazuh-manager-worker-0 env[11105]: Started wazuh-logcollector...
Feb 07 11:35:06 wazuh-manager-worker-0 env[11105]: Started wazuh-monitord...
Feb 07 11:35:06 wazuh-manager-worker-0 env[11105]: 2024/02/07 11:35:06 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:35:06 wazuh-manager-worker-0 env[11105]: 2024/02/07 11:35:06 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:35:07 wazuh-manager-worker-0 env[11105]: Started wazuh-modulesd...
Feb 07 11:35:09 wazuh-manager-worker-0 env[11105]: Started wazuh-clusterd...
Feb 07 11:35:11 wazuh-manager-worker-0 env[11105]: Completed.
Feb 07 11:35:11 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.
Feb 07 11:36:22 wazuh-manager-worker-0 systemd[1]: Stopping Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun shutting down.
Feb 07 11:36:22 wazuh-manager-worker-0 env[15125]: Killing wazuh-clusterd...
Feb 07 11:36:22 wazuh-manager-worker-0 env[15125]: Killing wazuh-modulesd...
Feb 07 11:36:22 wazuh-manager-worker-0 env[15125]: Killing wazuh-monitord...
Feb 07 11:36:22 wazuh-manager-worker-0 env[15125]: Killing wazuh-logcollector...
Feb 07 11:36:22 wazuh-manager-worker-0 env[15125]: Killing wazuh-remoted...
Feb 07 11:36:23 wazuh-manager-worker-0 env[15125]: Killing wazuh-syscheckd...
Feb 07 11:36:23 wazuh-manager-worker-0 env[15125]: Killing wazuh-analysisd...
Feb 07 11:36:23 wazuh-manager-worker-0 env[15125]: wazuh-maild not running...
Feb 07 11:36:23 wazuh-manager-worker-0 env[15125]: Killing wazuh-execd...
Feb 07 11:36:23 wazuh-manager-worker-0 env[15125]: Killing wazuh-db...
Feb 07 11:36:24 wazuh-manager-worker-0 env[15125]: wazuh-authd not running...
Feb 07 11:36:24 wazuh-manager-worker-0 env[15125]: wazuh-agentlessd not running...
Feb 07 11:36:24 wazuh-manager-worker-0 env[15125]: wazuh-integratord not running...
Feb 07 11:36:24 wazuh-manager-worker-0 env[15125]: wazuh-dbd not running...
Feb 07 11:36:24 wazuh-manager-worker-0 env[15125]: wazuh-csyslogd not running...
Feb 07 11:36:24 wazuh-manager-worker-0 env[15125]: Killing wazuh-apid...
Feb 07 11:36:24 wazuh-manager-worker-0 env[15125]: Wazuh v4.8.0 Stopped
Feb 07 11:36:24 wazuh-manager-worker-0 systemd[1]: Stopped Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished shutting down.
Feb 07 11:36:24 wazuh-manager-worker-0 systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has begun starting up.
Feb 07 11:36:26 wazuh-manager-worker-0 env[15258]: 2024/02/07 11:36:26 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:36:26 wazuh-manager-worker-0 env[15258]: 2024/02/07 11:36:26 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:36:27 wazuh-manager-worker-0 env[15258]: Starting Wazuh v4.8.0...
Feb 07 11:36:29 wazuh-manager-worker-0 env[15258]: Started wazuh-apid...
Feb 07 11:36:29 wazuh-manager-worker-0 env[15258]: Started wazuh-csyslogd...
Feb 07 11:36:29 wazuh-manager-worker-0 env[15258]: Started wazuh-dbd...
Feb 07 11:36:29 wazuh-manager-worker-0 env[15258]: 2024/02/07 11:36:29 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Feb 07 11:36:29 wazuh-manager-worker-0 env[15258]: Started wazuh-integratord...
Feb 07 11:36:29 wazuh-manager-worker-0 env[15258]: Started wazuh-agentlessd...
Feb 07 11:36:31 wazuh-manager-worker-0 env[15258]: Started wazuh-db...
Feb 07 11:36:32 wazuh-manager-worker-0 env[15258]: Started wazuh-execd...
Feb 07 11:36:33 wazuh-manager-worker-0 env[15258]: Started wazuh-analysisd...
Feb 07 11:36:34 wazuh-manager-worker-0 env[15258]: Started wazuh-syscheckd...
Feb 07 11:36:35 wazuh-manager-worker-0 env[15258]: Started wazuh-remoted...
Feb 07 11:36:36 wazuh-manager-worker-0 env[15258]: Started wazuh-logcollector...
Feb 07 11:36:37 wazuh-manager-worker-0 env[15258]: Started wazuh-monitord...
Feb 07 11:36:37 wazuh-manager-worker-0 env[15258]: 2024/02/07 11:36:37 wazuh-modulesd:router: INFO: Loaded router module.
Feb 07 11:36:37 wazuh-manager-worker-0 env[15258]: 2024/02/07 11:36:37 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 07 11:36:38 wazuh-manager-worker-0 env[15258]: Started wazuh-modulesd...
Feb 07 11:36:39 wazuh-manager-worker-0 env[15258]: Started wazuh-clusterd...
Feb 07 11:36:41 wazuh-manager-worker-0 env[15258]: Completed.
Feb 07 11:36:41 wazuh-manager-worker-0 systemd[1]: Started Wazuh manager.
-- Subject: Unit wazuh-manager.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-manager.service has finished starting up.
--
-- The start-up result is done.

Error Logs

[root@wazuh-manager-worker-0 Feb]# zgrep -i "ERROR\|WARNING" ossec-07.log.gz | wc -l
68

[root@wazuh-manager-worker-0 Feb]# zgrep -i "ERROR\|WARNING" ossec-08.log.gz | wc -l
0

[root@wazuh-manager-worker-0 ~]# egrep -i "ERROR|WARNING" /var/ossec/logs/ossec.log |  wc -l
0

[root@wazuh-manager-worker-0 ~]# egrep -i "ERROR|WARNING" /var/ossec/logs/cluster.log  | wc -l
0

Notes
I can't show all the log output because of the space of the commentary, but I will comment on all of them below:
In relation to: indexer-connector: WARNING: Error initializing IndexerConnector: Problem with the local SSL certificate, we will try again after X seconds.
New issue: #21829

In relation to: wazuh-modulesd:vulnerability-scanner: WARNING: Failed to scan package''
Known issue: https://github.com/wazuh/intelligence-platform/issues/1334

Filebeat Output

[root@wazuh-manager-worker-0 ~]# filebeat test output
elasticsearch: https://10.0.2.119:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.119
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.91:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.91
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.2.26:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.2.26
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

New

Known issues

New issues

@santipadilla
Member

santipadilla commented Feb 8, 2024

2. The daemons are running with the correct user🟢

Agent

Amazon 🟢
[root@ip-10-0-1-9 wazuh-user]# ps -aux | grep wazuh
root     11522  0.0  0.3  40220  3800 ?        Sl   feb07   0:03 /var/ossec/bin/wazuh-execd
wazuh    11534  0.0  0.8 262140  8512 ?        Sl   feb07   0:15 /var/ossec/bin/wazuh-agentd
root     11549  0.0  1.4 232572 13384 ?        SNl  feb07   0:29 /var/ossec/bin/wazuh-syscheckd
root     11565  0.0  0.5 482668  5536 ?        Sl   feb07   0:11 /var/ossec/bin/wazuh-logcollector
root     11583  0.0  2.2 751204 21420 ?        Sl   feb07   0:06 /var/ossec/bin/wazuh-modulesd
root     17810  0.0  0.9 148580  8716 ?        Ss   10:37   0:00 sshd: wazuh-user [priv]
wazuh-u+ 17828  0.0  0.3 148580  3528 ?        R    10:37   0:00 sshd: wazuh-user@pts/0
wazuh-u+ 17829  0.0  0.4 124740  3992 pts/0    Ss   10:37   0:00 -bash
root     17867  0.0  0.0 119444   916 pts/0    S+   10:37   0:00 grep --color=auto wazuh
CentOS 🟢
[root@ip-10-0-1-185 wazuh-user]# ps -aux | grep wazuh
root        9553  0.0  0.3  45280  2816 ?        Sl   feb07   0:02 /var/ossec/bin/wazuh-execd
wazuh       9565  0.0  0.6 276212  5172 ?        Sl   feb07   0:14 /var/ossec/bin/wazuh-agentd
root        9580  0.0  1.1 244052  9004 ?        SNl  feb07   0:34 /var/ossec/bin/wazuh-syscheckd
root        9596  0.0  0.5 487820  4312 ?        Sl   feb07   0:08 /var/ossec/bin/wazuh-logcollector
root        9614  0.0  3.1 761292 25580 ?        Sl   feb07   0:07 /var/ossec/bin/wazuh-modulesd
root       16398  0.0  1.3 163756 10532 ?        Ss   11:21   0:00 sshd: wazuh-user [priv]
wazuh-u+   16407  0.1  1.1 100700  9604 ?        Ss   11:21   0:00 /usr/lib/systemd/systemd --user
wazuh-u+   16411  0.0  0.9 266520  7240 ?        S    11:21   0:00 (sd-pam)
wazuh-u+   16417  0.0  0.6 163756  5428 ?        S    11:21   0:00 sshd: wazuh-user@pts/0
wazuh-u+   16418  0.0  0.5 233908  4084 pts/0    Ss   11:21   0:00 -bash
root       16461  0.0  0.1 221928  1000 pts/0    S+   11:22   0:00 grep --color=auto wazuh
Debian 🟢
root@ip-10-0-1-5:/home/wazuh-user# ps -aux | grep wazuh
root        9593  0.0  0.2  26044  2884 ?        Sl   Feb07   0:03 /var/ossec/bin/wazuh-execd
wazuh       9604  0.0  1.1 247940 10916 ?        Sl   Feb07   0:19 /var/ossec/bin/wazuh-agentd
root        9618  0.0  0.9 213724  8996 ?        SNl  Feb07   0:28 /var/ossec/bin/wazuh-syscheckd
root        9633  0.0  0.3 468592  3680 ?        Sl   Feb07   0:12 /var/ossec/bin/wazuh-logcollector
root        9653  0.0  1.5 730988 14804 ?        Sl   Feb07   0:07 /var/ossec/bin/wazuh-modulesd
root       31333  0.2  0.8  14276  8480 ?        Ss   11:23   0:00 sshd: wazuh-user [priv]
wazuh-u+   31336  0.5  0.8  15180  8436 ?        Ss   11:23   0:00 /lib/systemd/systemd --user
wazuh-u+   31337  0.0  0.2  20252  2796 ?        S    11:23   0:00 (sd-pam)
wazuh-u+   31355  0.0  0.4  14276  4752 ?        S    11:23   0:00 sshd: wazuh-user@pts/0
wazuh-u+   31356  0.0  0.4   6820  4524 pts/0    Ss   11:23   0:00 -bash
root       31367  0.0  0.0   5264   716 pts/0    S+   11:23   0:00 grep wazuh
RHEL9 🟢
[root@ip-10-0-1-23 wazuh-user]# ps -aux | grep wazuh
root       60582  0.0  0.1  25836  6608 ?        Sl   Feb07   0:02 /var/ossec/bin/wazuh-execd
wazuh      60591  0.0  0.2 247620 10052 ?        Sl   Feb07   0:33 /var/ossec/bin/wazuh-agentd
root       60606  0.0  0.4 557900 16672 ?        SNl  Feb07   1:14 /var/ossec/bin/wazuh-syscheckd
root       60620  0.0  0.2 468348  7648 ?        Sl   Feb07   0:16 /var/ossec/bin/wazuh-logcollector
root       60629  0.0  1.1 1024532 42312 ?       Sl   Feb07   0:25 /var/ossec/bin/wazuh-modulesd
root      158657  0.1  0.3  19012 11768 ?        Ss   11:25   0:00 sshd: wazuh-user [priv]
wazuh-u+  158670  0.8  0.3  22300 13520 ?        Ss   11:25   0:00 /usr/lib/systemd/systemd --user
wazuh-u+  158672  0.0  0.2 185168  9300 ?        S    11:25   0:00 (sd-pam)
wazuh-u+  158679  0.0  0.1  19184  7252 ?        S    11:25   0:00 sshd: wazuh-user@pts/0
wazuh-u+  158680  0.0  0.1   7384  4224 pts/0    Ss   11:25   0:00 -bash
root      158744  0.0  0.0   6408  2208 pts/0    S+   11:25   0:00 grep --color=auto wazuh
Ubuntu 🟢
root@ip-10-0-1-229:/home/wazuh-user# ps -aux | grep wazuh
root        9568  0.0  0.2  25884  2532 ?        Sl   Feb07   0:04 /var/ossec/bin/wazuh-execd
wazuh       9579  0.0  0.4 247792  4452 ?        Sl   Feb07   0:20 /var/ossec/bin/wazuh-agentd
root        9593  0.0  0.6 213860  6080 ?        SNl  Feb07   0:32 /var/ossec/bin/wazuh-syscheckd
root        9607  0.0  0.3 468352  2988 ?        Sl   Feb07   0:12 /var/ossec/bin/wazuh-logcollector
root        9627  0.0  1.3 730780 12628 ?        Sl   Feb07   0:08 /var/ossec/bin/wazuh-modulesd
root       46120  0.1  1.1  17176 10932 ?        Ss   11:25   0:00 sshd: wazuh-user [priv]
wazuh-u+   46137  0.5  0.9  17064  9620 ?        Ss   11:26   0:00 /lib/systemd/systemd --user
wazuh-u+   46138  0.0  0.5  22928  4924 ?        S    11:26   0:00 (sd-pam)
wazuh-u+   46221  0.0  0.8  17308  8020 ?        S    11:26   0:00 sshd: wazuh-user@pts/0
wazuh-u+   46224  0.4  0.5   9152  5256 pts/0    Ss   11:26   0:00 -bash
root       46251  0.0  0.2   7008  2260 pts/1    S+   11:26   0:00 grep --color=auto wazuh
Windows 🟢
PS C:\Users\Administrator> tasklist /svc | Select-String "wazuh"

wazuh-agent.exe               2552 WazuhSvc

Dashboard

WazuhDashboard 🟢
[root@ip-10-0-0-125 ~]# ps -aux | grep wazuh-dashboard
wazuh-d+ 19958  0.2  2.2 1039712 181880 ?      Ssl  Feb07   3:29 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
root     24148  0.0  0.0 121272   968 pts/0    S+   12:10   0:00 grep --color=auto wazuh-dashboard

Indexer

IndexerBootstrap 🟢
[root@ip-10-0-2-26 ~]#  ps -aux | grep wazuh-indexer
wazuh-i+ 12238  1.8 57.1 7219736 4596748 ?     Ssl  Feb07  28:15 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-513617984995903942 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
root     17046  0.0  0.0 121272   956 pts/0    S+   12:11   0:00 grep --color=auto wazuh-indexer
IndexerMasterB 🟢
[root@ip-10-0-2-119 ~]# ps -aux | grep wazuh-indexer
wazuh-i+ 12396  1.8 57.2 7210196 4607504 ?     Ssl  Feb07  27:50 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-18329875161433841309 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
root     18707  0.0  0.0 121272   976 pts/0    S+   12:12   0:00 grep --color=auto wazuh-indexer
IndexerMasterC 🟢
[root@ip-10-0-2-91 ~]# ps -aux | grep wazuh-indexer
wazuh-i+ 12290  1.3 56.8 7133536 4570656 ?     Ssl  Feb07  20:14 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3928m -Xmx3928m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-18236833073149930256 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=2059403264 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
root     16601  0.0  0.0 121272   960 pts/0    S+   12:13   0:00 grep --color=auto wazuh-indexer
WazuhDashboard 🟢
[root@ip-10-0-0-125 ~]# ps -aux | grep wazuh-indexer
wazuh-i+ 14645  0.9 38.3 5599948 3084864 ?     Ssl  Feb07  14:25 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms2560m -Xmx2560m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-6516938638533931987 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy -XX:MaxDirectMemorySize=1342177280 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
root     24191  0.0  0.0 121272   936 pts/0    S+   12:14   0:00 grep --color=auto wazuh-indexer

Manager

WazuhMasterEnv1 🟢
[root@wazuh-manager-master-0 ~]# ps -aux | grep wazuh
root     11444  0.0  0.0 121272   960 pts/0    S+   12:15   0:00 grep --color=auto wazuh
wazuh    25819  0.1  2.9 1078268 115720 ?      Sl   Feb07   2:05 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    25820  0.0  2.0 297556 79332 ?        S    Feb07   0:07 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    25823  0.1  2.1 383124 83192 ?        S    Feb07   1:45 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    25826  0.0  1.4 510456 58292 ?        S    Feb07   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    25852  0.0  0.1  40828  4700 ?        Sl   Feb07   0:17 /var/ossec/bin/wazuh-integratord
root     25873  0.2  0.2 262264  7996 ?        Sl   Feb07   3:41 /var/ossec/bin/wazuh-authd
wazuh    25890  0.1  0.7 945104 29900 ?        Sl   Feb07   2:12 /var/ossec/bin/wazuh-db
root     25915  0.0  0.1  40888  4196 ?        Sl   Feb07   0:02 /var/ossec/bin/wazuh-execd
wazuh    25931  2.2  3.8 1296588 153748 ?      Sl   Feb07  33:10 /var/ossec/bin/wazuh-analysisd
root     25944  0.0  0.3 294476 14196 ?        SNl  Feb07   0:40 /var/ossec/bin/wazuh-syscheckd
wazuh    25964  0.2  0.4 1233448 17072 ?       Sl   Feb07   4:10 /var/ossec/bin/wazuh-remoted
root     26001  0.0  0.1 483288  5904 ?        Sl   Feb07   0:09 /var/ossec/bin/wazuh-logcollector
wazuh    26020  0.1  0.1  40864  7372 ?        Sl   Feb07   1:37 /var/ossec/bin/wazuh-monitord
root     26073  0.0  2.2 575720 87548 ?        Sl   Feb07   0:24 /var/ossec/bin/wazuh-modulesd
wazuh    26591  0.1  1.7 434100 68684 ?        Sl   Feb07   2:14 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh    26595  0.0  1.3 276592 54616 ?        S    Feb07   0:21 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh    26596  0.0  1.3 275000 52160 ?        S    Feb07   0:21 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
WazuhMasterEnv2 🟢
[root@wazuh-manager-master-0 ~]# ps -aux | grep wazuh
root      8776  0.0  0.0 121272   976 pts/0    S+   12:15   0:00 grep --color=auto wazuh
wazuh    25362  0.1  2.9 1078504 114916 ?      Sl   Feb07   1:28 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    25363  0.0  1.9 295604 77988 ?        S    Feb07   0:04 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    25366  0.0  2.0 382332 83036 ?        S    Feb07   1:16 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    25369  0.0  1.4 510448 58152 ?        S    Feb07   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    25395  0.0  0.1  40824  4848 ?        Sl   Feb07   0:18 /var/ossec/bin/wazuh-integratord
root     25416  0.2  0.2 196732  7928 ?        Sl   Feb07   3:29 /var/ossec/bin/wazuh-authd
wazuh    25433  0.1  0.6 945104 24320 ?        Sl   Feb07   2:00 /var/ossec/bin/wazuh-db
root     25460  0.0  0.1  40884  4204 ?        Sl   Feb07   0:03 /var/ossec/bin/wazuh-execd
wazuh    25476  2.0  3.4 1296476 136664 ?      Sl   Feb07  29:33 /var/ossec/bin/wazuh-analysisd
root     25489  0.0  0.3 294424 14392 ?        SNl  Feb07   0:43 /var/ossec/bin/wazuh-syscheckd
wazuh    25512  0.1  0.3 1232920 15604 ?       Sl   Feb07   2:34 /var/ossec/bin/wazuh-remoted
root     25547  0.0  0.1 483288  5832 ?        Sl   Feb07   0:12 /var/ossec/bin/wazuh-logcollector
wazuh    25567  0.1  0.1  40860  7444 ?        Sl   Feb07   1:37 /var/ossec/bin/wazuh-monitord
root     25618  0.0  2.1 575724 83208 ?        Sl   Feb07   0:27 /var/ossec/bin/wazuh-modulesd
wazuh    26137  0.0  1.4 422924 58208 ?        Sl   Feb07   0:32 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh    26140  0.0  1.3 275024 52292 ?        S    Feb07   0:20 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh    26141  0.0  1.3 275024 52588 ?        S    Feb07   0:20 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
WazuhWorker 🟢
[root@wazuh-manager-worker-0 ~]# ps -aux | grep wazuh
wazuh    19007  0.0  2.5 859256 100708 ?       Sl   Feb07   0:08 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    19008  0.0  1.4 281064 58084 ?        S    Feb07   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    19011  0.0  1.4 362992 58452 ?        S    Feb07   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    19014  0.0  1.4 444920 58296 ?        S    Feb07   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    19040  0.0  0.1  40776  4232 ?        Sl   Feb07   0:04 /var/ossec/bin/wazuh-integratord
wazuh    19059  0.1  0.4 944980 18144 ?        Sl   Feb07   1:51 /var/ossec/bin/wazuh-db
root     19084  0.0  0.1  40820  4140 ?        Sl   Feb07   0:03 /var/ossec/bin/wazuh-execd
wazuh    19100  0.0  0.8 1296416 32812 ?       Sl   Feb07   0:13 /var/ossec/bin/wazuh-analysisd
root     19113  0.0  0.3 228820 13628 ?        SNl  Feb07   0:39 /var/ossec/bin/wazuh-syscheckd
wazuh    19134  0.1  0.2 774132 10820 ?        Sl   Feb07   2:35 /var/ossec/bin/wazuh-remoted
root     19169  0.0  0.1 483216  5656 ?        Sl   Feb07   0:11 /var/ossec/bin/wazuh-logcollector
wazuh    19190  0.0  0.1  40796  7356 ?        Sl   Feb07   0:05 /var/ossec/bin/wazuh-monitord
root     19237  0.0  1.9 521948 76248 ?        Sl   Feb07   0:16 /var/ossec/bin/wazuh-modulesd
wazuh    19739  0.1  1.6 576552 64912 ?        Sl   Feb07   2:34 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh    20170  0.0  1.3 275740 54364 ?        S    Feb07   0:56 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
wazuh    20767  0.0  1.3 427928 53176 ?        S    Feb07   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
root     28252  0.0  0.0 121272   924 pts/0    S+   12:16   0:00 grep --color=auto wazuh

New

No abnormalities were found

@santipadilla

santipadilla commented Feb 8, 2024

3. Check the Status of the Indexer Cluster 🟢

  • Check nodes
[root@wazuh-manager-worker-0 ~]# curl -k -u admin_user:pass https://10.0.2.26:9200/_cat/nodes?v
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
10.0.0.125           19          88   0    0.03    0.03     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-7
10.0.2.91            48          86   0    0.13    0.03     0.01 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-2
10.0.2.26            28          88   0    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-3
10.0.2.119           40          88   0    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-1
  • Check cluster status
[root@wazuh-manager-worker-0 ~]# curl -k -u admin_user:pass https://10.0.2.26:9200/_cat/health?v
epoch      timestamp cluster status node.total node.data discovered_cluster_manager shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1707396333 12:45:33  wazuh   green           4         4                       true     33  17    0    0        0             0                  -                100.0%
  • Cluster health status check
[root@wazuh-manager-worker-0 ~]# curl -k -u admin_user:pass https://10.0.2.26:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 4,
  "number_of_data_nodes" : 4,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 21,
  "active_shards" : 43,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

New

No abnormalities were found
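The three checks in this comment can be turned into a repeatable gate. The following is an added example, not part of the original comment or of the Wazuh project: it parses the `_cat/nodes?v` table and the `_cluster/health` JSON and lists every deviation. The sample text is constructed from the output shown above; `EXPECTED_NODES` and the function names are assumptions.

```python
import json

# Constructed sample, copied from the responses shown in the comment above.
CAT_NODES = """\
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
10.0.0.125           19          88   0    0.03    0.03     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-7
10.0.2.91            48          86   0    0.13    0.03     0.01 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-2
10.0.2.26            28          88   0    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-3
10.0.2.119           40          88   0    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client -               node-1
"""

CLUSTER_HEALTH = """{
  "cluster_name": "wazuh", "status": "green", "timed_out": false,
  "number_of_nodes": 4, "number_of_data_nodes": 4,
  "active_primary_shards": 21, "active_shards": 43,
  "relocating_shards": 0, "initializing_shards": 0,
  "unassigned_shards": 0, "delayed_unassigned_shards": 0,
  "active_shards_percent_as_number": 100.0
}"""

# Assumption: the node names this environment is supposed to contain.
EXPECTED_NODES = {"node-1", "node-2", "node-3", "node-7"}


def parse_cat_nodes(text):
    """Turn the whitespace-aligned _cat/nodes?v table into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected _cat/nodes row: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def evaluate(nodes, health, expected_nodes):
    """Return a list of human-readable problems; an empty list means healthy."""
    problems = []
    missing = set(expected_nodes) - {n["name"] for n in nodes}
    if missing:
        problems.append(f"missing nodes: {sorted(missing)}")
    # Exactly one node must carry the '*' marker in the cluster_manager column.
    managers = [n["name"] for n in nodes if n["cluster_manager"] == "*"]
    if len(managers) != 1:
        problems.append(f"expected one elected cluster manager, found {managers}")
    if health["status"] != "green" or health.get("timed_out"):
        problems.append(f"cluster status is {health['status']}")
    # The two endpoints must agree on how many nodes joined the cluster.
    if health["number_of_nodes"] != len(nodes):
        problems.append("node count differs between _cat/nodes and _cluster/health")
    unsettled = {k: health[k] for k in ("unassigned_shards", "initializing_shards",
                                        "relocating_shards", "delayed_unassigned_shards")
                 if health[k] != 0}
    if unsettled:
        problems.append(f"shards not settled: {unsettled}")
    return problems


if __name__ == "__main__":
    result = evaluate(parse_cat_nodes(CAT_NODES), json.loads(CLUSTER_HEALTH), EXPECTED_NODES)
    print("OK" if not result else "\n".join(result))
```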

@santipadilla

santipadilla commented Feb 8, 2024

4. Check Browser's Developer Console for Errors While Browsing the App 🟡

[image]

Login/Logout Screen 🟡
Some cookies are misusing the recommended “SameSite“ attribute 8
A single error about an inline script not firing due to content security policy is expected!
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
window.controllers/Controllers is deprecated. Do not use it for UA detection.
Detected an unhandled Promise rejection.
Error: Unauthorized
Error: Unauthorized
    HttpFetchError https://demo.wazuh.info/48003/bundles/core/core.entry.js:15
    fetchResponse https://demo.wazuh.info/48003/bundles/core/core.entry.js:15
[securityDashboards.plugin.js:15:331315](https://demo.wazuh.info/48003/bundles/plugin/securityDashboards/securityDashboards.plugin.js)
    hasApiPermission https://demo.wazuh.info/48003/bundles/plugin/securityDashboards/securityDashboards.plugin.js:15
Uncaught (in promise) Error: Unauthorized
    HttpFetchError https://demo.wazuh.info/48003/bundles/core/core.entry.js:15
    fetchResponse https://demo.wazuh.info/48003/bundles/core/core.entry.js:15
Overview 🟡

POST https://demo.wazuh.info/api/request [HTTP/1.1 401 Unauthorized 949ms]
Endpoints summary 🟡
downloadable font: Glyph bbox was incorrect (glyph ids 48 70 77 96 97 98 99 102 103 104 105 127 134 135 138 154 174 177 179 181 193 199 200 232 233 287 288 289 290 294 296 299 305 306 307 324 325 334 336 338 341 344 345 346 347 348 349 354 362 364 366 367 368 369 372 373 376 381 382 385 386 429 446 451 459 460 473 475 479 480 498 520 523 526 529 531 532 533 535 536 553 554 561 583 589 594 595 600 601 609 611 614 617 618 631 633 637 642 644 645 648 649 653 658 660) (font-family: "FontAwesome" style:normal weight:400 stretch:100 src index:1) source: https://demo.wazuh.info/48003/bundles/plugin/wazuh/0317d582b93c20f68e059e389aecab33.woff2
Configuration Assessment 🟢
  • Dashboard 🟢
  • Inventory 🟢
  • Events 🟢
Malware Detection 🟢
  • Dashboard 🟢
  • Events 🟢
File Integrity Monitoring 🟢
  • Dashboard 🟢
  • Inventory 🟢
  • Events 🟢
Threat Hunting 🟢
  • Dashboard 🟢
  • Events 🟢
Vulnerability Detection 🟢
- Dashboard 🟢

No abnormalities were found

- Inventory 🟢

No abnormalities were found

- Events 🟢

No abnormalities were found

MITRE ATT&CK 🟢
  • Dashboard 🟢
  • Intelligence 🟢
  • Framework 🟢
  • Events 🟢
VirusTotal 🟢
  • Dashboard 🟢
  • Events 🟢
Security Operations (HIPAA, PCI DSS, GDPR, etc.) 🟡
PCI DSS 🟡
- Dashboard 🟢 No abnormalities were found
- Controls 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/6320 - Known issue
EuiButtonIcon requires aria-label or aria-labelledby to be specified because icon-only
buttons are screen-reader-inaccessible without them.
- Events 🟢 No abnormalities were found
GDPR 🟢
- Dashboard 🟢 No abnormalities were found
- Controls 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/6320 - known issue
EuiButtonIcon requires aria-label or aria-labelledby to be specified because icon-only
buttons are screen-reader-inaccessible without them.
- Events 🟢 No abnormalities were found
HIPAA 🟢
- Dashboard 🟢 No abnormalities were found
- Controls 🟡 - Reported in https://github.com/wazuh/wazuh-dashboard-plugins/issues/6320 - Known issue
EuiButtonIcon requires aria-label or aria-labelledby to be specified because icon-only
buttons are screen-reader-inaccessible without them.
- Events 🟢 No abnormalities were found
NIST 800-53 🟢
  • Dashboard 🟢
  • Controls 🟢
  • Events 🟢
TSC 🟢
  • Dashboard 🟢
  • Controls 🟢
  • Events 🟢
Cloud Security 🟡
Amazon Web Services 🟡
The "manifestServiceUrl" parameter is deprecated in v7.6.0.
        Consider using "tileApiUrl" and "fileApiUrl" instead.
- Events 🟢 No abnormalities were found
Google Cloud 🟢
- Dashboard 🟢

No abnormalities were found

- Events 🟢

No abnormalities were found

Github 🟢
  • Dashboard 🟢
  • Panel 🟢
  • Events 🟢
Office 365 🟢
  • Dashboard 🟢
  • Panel 🟢
  • Events 🟢
Docker 🟢
  • Dashboard 🟢
  • Events 🟢
Side Navbar 🟡
Recently viewed 🟡 Recently viewed button always shows empty options

[image]

Alerting 🟡
- Alerts and monitors 🟡
error getting monitors: Object { ok: false, resp: "[alerting_exception] Configured indices are not found: [.opendistro-alerting-config]" }
- Designations 🟡
Unable to get email accounts [index_not_found_exception] no such index [.opendistro-alerting-config], with { index=".opendistro-alerting-config" & resource.id=".opendistro-alerting-config" & resource.type="index_or_alias" & index_uuid="_na_" }
Configuration Assessment 🟢
  • Dashboard 🟢
  • Inventory 🟢
  • Events 🟢

New

Known issues

@santipadilla

santipadilla commented Feb 8, 2024

5. Check that there are Alerts for each of the Modules Configured 🟡

Modules in ENV-1

Check Activated Modules 🟢

AWS

[image]

VirusTotal

[image]

Azure

[image]

Check Alerts from the Activated Modules 🟢
  • AWS Module

[image]

  • Docker Listener

[image]

  • VirusTotal

[image]

Modules in ENV-2

Check Activated Modules 🟢

AWS

[image]

VirusTotal

[image]

Azure

[image]

Check Alerts from the Activated Modules 🟡
  • AWS Module

[image]

  • VirusTotal

[image]


New

Known issue

@santipadilla

santipadilla commented Feb 8, 2024

7. Check the search engine works without specifying a field using * 🟡

Case 1: Without specifying a field 🟡

[image]

Case 2: Using * 🟡

[image]

Case 3: Using aw* 🟡

[image]

Case 4: Using *ws* 🟡

[image]

Case 5: Using *ogin 🟡

[image]


New

Known issue

@teddytpc1

@santipadilla, the Wazuh manager ossec.log has rotated since the environment creation, so, you'll have to look for errors/warnings in the initial logs that are located in the following path in the Wazuh manager nodes:

  • /var/ossec/logs/wazuh/2024/Feb

In the WazuhMasterEnv1 the egrep -i "ERROR|WARNING" ossec-07.log | wc -l returns 287.

The same for the Indexer nodes. The initial logs are zipped here in the Wazuh indexer nodes:

  • /var/log/wazuh-indexer/wazuh-2024-02-07-1.log.gz

In this comment the Vulnerability Detection section is marked with 🟡 but the sub-items are 🟢. Please, fix it.

@santipadilla

@teddytpc1 Fixed! I have added the logs that have appeared from the managers and indexers. I have added them in a note at the end of the "Error logs" section, in the summary at the end of the section and in the conclusion at the beginning of the issue. Thanks!

@rauldpm

rauldpm commented Feb 9, 2024

6. Generate an Alert and Check if it appears in the Wazuh Dashboard 🟢

Attempt an invalid SSH login into Debian Agent 🟢
santipa@santipa-Lenovo-Legion-5-15IMH05:~$ ssh [email protected]
The authenticity of host 'xx.xx.xx.xx (xx.xx.xx.xx)' can't be established.
ED25519 key fingerprint is SHA256:lMQ+QHSGF1R8vxPExSnrJOojwTIjcliPxMSck7k/e4U.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'xx.xx.xx.xx' (ED25519) to the list of known hosts.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
[email protected]: Permission denied (publickey,password).
Check the alert in Wazuh Dashboard 🟢

[image]

[image]


New

No abnormalities were found

  • Comment removed and added to hide sensitive data

@wazuh wazuh deleted a comment from santipadilla Feb 9, 2024
@rauldpm

rauldpm commented Feb 9, 2024

Final review notes

Check Agent, Dashboard, Indexer, and Manager Logs

  • Indexer, the following is mentioned
In relation to:
2024-02-07T11:18:05,408][INFO ][o.o.n.Node               ] [node-3] JVM arguments
[2024-02-07T11:18:16,783][ERROR][o.o.s.a.s.SinkProvider   ] [node-3] Default endpoint could not be created, auditlog will not work properly.
[2024-02-07T11:18:25,322][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-3] Failure no such index
[2024-02-07T11:18:48,320][ERROR][o.o.s.a.BackendRegistry  ] [node-3] Not yet initialized (you may need to run securityadmin)
2024-02-07T11:19:04,633][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-3] Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed
[2024-02-07T11:19:38,293][ERROR][o.o.s.a.s.SinkProvider   ] [node-3] Default endpoint could not be created, auditlog will not work properly.
Normal errors of uninitialized indexes.

In relation to:
[2024-02-07T11:18:06,716][INFO ][o.o.n.Node               ] [node-2] JVM arguments
[2024-02-07T11:18:17,887][ERROR][o.o.s.a.s.SinkProvider   ] [node-2] Default endpoint could not be created, auditlog will not work properly.
[2024-02-07T11:18:25,176][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-2] Failure no such index
[2024-02-07T11:18:48,466][ERROR][o.o.s.a.BackendRegistry  ] [node-2] Not yet initialized (you may need to run securityadmin)
Normal errors of uninitialized indexes.

In relation to:
[2024-02-07T11:18:09,835][INFO ][o.o.n.Node               ] [node-1] JVM arguments
[2024-02-07T11:18:22,371][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
2024-02-07T11:18:29,164][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index
Normal errors of uninitialized indexes.

In relation to:
[2024-02-07T11:23:29,230][INFO ][o.o.n.Node               ] [node-7] JVM arguments
[2024-02-07T11:23:40,902][ERROR][o.o.s.a.s.SinkProvider   ] [node-7] Default endpoint could not be created, auditlog will not work properly.
Normal errors of uninitialized indexes.

Why does the environment have uninitialized indexes? And how are those messages expected?

Check the Status of the Indexer Cluster

  • Missing cluster health status check
https://127.0.0.1:9200/_cluster/health?pretty
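One way to put evidence behind the question of whether such indexer errors belong to startup is to measure how long after each node's "JVM arguments" line every ERROR was logged. This is an added example, not code from the thread or the Wazuh project; the sample lines are taken from the comment above plus one constructed late error, and the 120-second grace window and the `triage` name are assumptions.

```python
import re
from datetime import datetime

# Matches the indexer log layout quoted above; the leading '[' is optional
# because some pasted lines lost it.
LINE_RE = re.compile(
    r"^\[?(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})\]"
    r"\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+?)\s*\]\s+"
    r"\[(?P<node>[^\]]+)\]\s+(?P<msg>.*)$"
)

# Sample input: lines from the comment above. The last line is constructed
# to show an error that falls outside the startup window.
SAMPLE_LOG = """\
2024-02-07T11:18:05,408][INFO ][o.o.n.Node               ] [node-3] JVM arguments
[2024-02-07T11:18:16,783][ERROR][o.o.s.a.s.SinkProvider   ] [node-3] Default endpoint could not be created, auditlog will not work properly.
[2024-02-07T11:18:25,322][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-3] Failure no such index
[2024-02-07T11:18:48,320][ERROR][o.o.s.a.BackendRegistry  ] [node-3] Not yet initialized (you may need to run securityadmin)
2024-02-07T11:19:04,633][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-3] Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed
[2024-02-07T11:19:38,293][ERROR][o.o.s.a.s.SinkProvider   ] [node-3] Default endpoint could not be created, auditlog will not work properly.
[2024-02-07T11:23:29,230][INFO ][o.o.n.Node               ] [node-7] JVM arguments
[2024-02-07T11:23:40,902][ERROR][o.o.s.a.s.SinkProvider   ] [node-7] Default endpoint could not be created, auditlog will not work properly.
[2024-02-07T13:02:11,050][ERROR][o.o.s.a.BackendRegistry  ] [node-3] Not yet initialized (you may need to run securityadmin)
"""


def triage(log_text, grace_seconds=120):
    """Classify each ERROR line as 'startup' or 'review'.

    'startup' means the error was logged within grace_seconds of the most
    recent "JVM arguments" line of the same node. Everything else, including
    errors on a node whose start line was never seen, is marked 'review'.
    """
    started = {}   # node name -> time of its latest process start
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # stack traces and wrapped lines are skipped
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S,%f")
        node = m["node"]
        if (m["level"] == "INFO" and m["logger"] == "o.o.n.Node"
                and m["msg"].startswith("JVM arguments")):
            started[node] = ts  # a restart resets the window for this node
            continue
        if m["level"] != "ERROR":
            continue
        offset = (ts - started[node]).total_seconds() if node in started else None
        in_window = offset is not None and 0 <= offset <= grace_seconds
        findings.append({
            "node": node,
            "logger": m["logger"],
            "offset_s": offset,
            "verdict": "startup" if in_window else "review",
            "msg": m["msg"],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:8} {f['node']:7} +{f['offset_s']}s {f['logger']}")
```

A 'startup' verdict only says when the error occurred, not that it is harmless; the same logger appearing under 'review' is the case that needs an explanation.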

@santipadilla

@rauldpm

  • Open issue with commented indexer logs.
  • Added cluster health status check.
    Thanks!

@rauldpm

rauldpm commented Feb 12, 2024

LGTM

@rauldpm rauldpm closed this as completed Feb 12, 2024