Release 4.9.1 - RC 3 - E2E UX tests - Central components upgrade #26187

Closed
2 tasks done
juliamagan opened this issue Oct 7, 2024 · 9 comments

Comments

@juliamagan
Member

juliamagan commented Oct 7, 2024

End-to-End (E2E) Testing Guideline

  • Documentation: Always consult the development documentation for the current stage tag at this link. Be careful, because some of the description steps might refer to the version currently in production; always navigate using the current development documentation for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and URLs for the correct testing of the development packages.
  • Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
  • Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the DevOps team through this link.
  • External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the DevOps team here.
  • Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
  • Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
  • Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
  • Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
  • Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
  • Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing objective and Urgent priority. Communicate these to the team and QA via the c-release Slack channel.
  • Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
  • Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
  • Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994.
  • Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/devel-qa team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
  • For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is OK; otherwise, perform an issue update with the requested changes, move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

  • 🟢 All checks passed
  • 🟡 Found a known issue
  • 🔴 Found a new error

Issue delivery and completion

  • Initial delivery: The issue's assignee must complete the testing and deliver the results by Oct 07, 2024 and notify the @wazuh/devel-qa team via Slack using the c-release channel
  • Review: The @wazuh/devel-qa team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Oct 08, 2024 date (issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
  • Auditor: The QA team must audit, validate the results, and close the issue by Oct 9, 2024.

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Step by step | Single node | Ubuntu 24.04 x86_64 |
| Server | Step by step | Multi node | Ubuntu 24.04 amd64 |
| Dashboard | Step by step | - | - |
| Agent | Installing Wazuh agents | - | Windows 11 x86_64, Debian 11 x86_64 |

Test description

1. Initial Deployment:

  • Deploy the latest production release of the defined architecture as per the standard deployment requirements instructions from the section above.
  • Connect one agent to the master node and another agent to the worker node.

2. Validation of Initial Deployment:

  • Navigate through the UI to ensure that it is accessible and functional.
  • Verify that both agents are connected to their respective nodes (master and worker) and are listed as active.
  • Trigger or simulate a condition that would generate at least one alert from each agent, and confirm that these alerts are captured and displayed in the UI.
  • Modify configuration files with the following command:
# Append a marker comment to every configuration file that the post-upgrade
# check looks at (the list is kept identical to the one used in step 4).
for file in \
    /etc/wazuh-indexer/opensearch-security/config.yml \
    /etc/wazuh-indexer/jvm.options \
    /etc/wazuh-indexer/opensearch.yml \
    /etc/wazuh-indexer/opensearch-security/internal_users.yml \
    /etc/wazuh-indexer/opensearch-security/roles_mapping.yml \
    /etc/wazuh-indexer/opensearch-security/roles.yml \
    /etc/wazuh-dashboard/opensearch_dashboards.yml \
    /etc/default/wazuh-dashboard \
    /etc/wazuh-dashboard/opensearch_dashboards.keystore; do
    if [ -f "$file" ]; then
        echo -e "\n# This file should not be modified during the upgrade." | sudo tee -a "$file"
    else
        echo "File $file does not exist, skipping."
    fi
done

3. Upgrade of Central Components:

  • Follow the upgrade guide provided in the documentation to upgrade the central components, including the master, worker, indexer, and dashboard.
  • Monitor the upgrade process for any errors or warnings and document any that are encountered.
  • ⚠️ Check that the installation does not hang and that there is no need to press enter to continue.

4. Post-Upgrade Validation:

  • After the upgrade, navigate through the UI to ensure that all components are functioning correctly.
  • Verify again that both agents are connected to their respective nodes and are active post-upgrade.
  • Generate or simulate at least one alert from each agent to confirm that the alerting functionality is intact.
  • Verify that the configuration files weren't modified with the following command:
# Report, per file, whether the marker appended in step 2 is still present.
# A missing marker means the upgrade replaced or rewrote the file.
for file in \
    /etc/wazuh-indexer/opensearch-security/config.yml \
    /etc/wazuh-indexer/jvm.options \
    /etc/wazuh-indexer/opensearch.yml \
    /etc/wazuh-indexer/opensearch-security/internal_users.yml \
    /etc/wazuh-indexer/opensearch-security/roles_mapping.yml \
    /etc/wazuh-indexer/opensearch-security/roles.yml \
    /etc/wazuh-dashboard/opensearch_dashboards.yml \
    /etc/default/wazuh-dashboard \
    /etc/wazuh-dashboard/opensearch_dashboards.keystore; do
    if [ ! -f "$file" ]; then
        echo "File $file does not exist, skipping."
    elif grep -qF "# This file should not be modified during the upgrade." "$file"; then
        echo "PASSED: The phrase keeps appearing in: $file. The file has not been modified"
    else
        echo "FAILED: Missing phrase in $file. The file could have been modified"
    fi
done

5. Reporting:

  • Document the results of the deployment, the upgrade process, and the post-upgrade validation.
  • Include any deviations from expected outcomes, such as errors or warnings encountered during the upgrade.

Expected Results

  • The deployment of the architecture is successful, with agents properly connected and active.
  • The UI is navigable and functional both before and after the upgrade.
  • Alerts are generated by both agents before and after the upgrade.
  • No errors or warnings are encountered during the upgrade process, or any that occur are documented for further analysis.
  • No configuration files were modified in the upgrade.

Known issues

There are no known issues.

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below. REMOVE CURRENT EXAMPLES:

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🟢 | The deployment of the architecture is successful, with agents properly connected and active | - | - |
| 🟢 | The UI is navigable and functional both before and after the upgrade. | - | - |
| 🟢 | Alerts are generated by both agents before and after the upgrade. | - | - |
| 🟢 | No errors or warnings are encountered during the upgrade process | - | - |
| 🔴 | No configuration files were modified in the upgrade. | - | New issue: wazuh/wazuh-indexer#450 |

Feedback

We value your feedback. Please provide insights on your testing experience.

  • Was the testing guideline clear? Were there any ambiguities?
    • Yes the testing guideline was clear
  • Did you face any challenges not covered by the guideline?
    • No challenge faced
  • Suggestions for improvement:
    • Nothing for now

Reviewers validation

The criteria for completing this task are based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.
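Steps 2 and 4 of the test description detect an overwritten configuration file by grepping for an appended marker comment. The script below is an added example, not part of the release test plan or of the Wazuh project: it performs the same before/after check with SHA-256 digests plus file mode and ownership, which also covers the binary dashboard keystore (a text marker appended to it corrupts it) and catches edits that leave the marker in place. It assumes GNU coreutils (sha256sum, stat -c) as found on the Ubuntu hosts of this test; the manifest paths under /root are an arbitrary choice.

```shell
#!/usr/bin/env bash
# Added example (not from the Wazuh test plan): snapshot the central component
# configuration files before the upgrade, then verify after it that content,
# mode and ownership are unchanged. Requires GNU coreutils (sha256sum, stat -c).

# Where the before/after manifests are written (arbitrary choice, override via env).
MANIFEST_BEFORE="${MANIFEST_BEFORE:-/root/wazuh-config-before.sha256}"
MANIFEST_AFTER="${MANIFEST_AFTER:-/root/wazuh-config-after.sha256}"

# Same file list as step 4 of the test description. None of the paths contain
# spaces, so the output can be word-split safely.
wazuh_config_files() {
    cat <<'EOF'
/etc/wazuh-indexer/opensearch-security/config.yml
/etc/wazuh-indexer/jvm.options
/etc/wazuh-indexer/opensearch.yml
/etc/wazuh-indexer/opensearch-security/internal_users.yml
/etc/wazuh-indexer/opensearch-security/roles_mapping.yml
/etc/wazuh-indexer/opensearch-security/roles.yml
/etc/wazuh-dashboard/opensearch_dashboards.yml
/etc/default/wazuh-dashboard
/etc/wazuh-dashboard/opensearch_dashboards.keystore
EOF
}

# snapshot_files MANIFEST FILE...: one line per file, "sha256 mode owner:group path".
# A file that does not exist is recorded as MISSING instead of being skipped, so
# that a file appearing or disappearing during the upgrade is reported as well.
snapshot_files() {
    manifest="$1"; shift
    : > "$manifest"
    for f in "$@"; do
        if [ -f "$f" ]; then
            printf '%s %s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
                "$(stat -c '%a' "$f")" "$(stat -c '%U:%G' "$f")" "$f" >> "$manifest"
        else
            printf 'MISSING - - %s\n' "$f" >> "$manifest"
        fi
    done
}

# compare_manifests BEFORE AFTER: print one PASSED/FAILED/SKIPPED line per file.
# Returns 0 when every file is unchanged, 1 if any file differs.
compare_manifests() {
    before="$1"; after="$2"; rc=0
    while read -r b_hash b_mode b_own path; do
        # Look up the same path in the post-upgrade manifest (field 4).
        a_line=$(awk -v p="$path" '$4 == p { print; exit }' "$after")
        if [ -z "$a_line" ]; then
            echo "FAILED: $path not present in $after"; rc=1; continue
        fi
        set -- $a_line   # $1=hash $2=mode $3=owner:group $4=path
        if [ "$b_hash" = "MISSING" ] && [ "$1" = "MISSING" ]; then
            echo "SKIPPED: $path does not exist on this node"
        elif [ "$b_hash" != "$1" ]; then
            echo "FAILED: content of $path changed (sha256 $b_hash -> $1)"; rc=1
        elif [ "$b_mode" != "$2" ] || [ "$b_own" != "$3" ]; then
            echo "FAILED: permissions of $path changed ($b_mode $b_own -> $2 $3)"; rc=1
        else
            echo "PASSED: $path unchanged"
        fi
    done < "$before"
    return "$rc"
}

# Run "before" prior to the upgrade (step 2) and "after" once it finishes (step 4).
case "${1:-}" in
    before) snapshot_files "$MANIFEST_BEFORE" $(wazuh_config_files) ;;
    after)  snapshot_files "$MANIFEST_AFTER" $(wazuh_config_files)
            compare_manifests "$MANIFEST_BEFORE" "$MANIFEST_AFTER" ;;
    *)      echo "usage: $0 before|after" >&2 ;;
esac
```

A non-zero exit status from the "after" run is what the tester records as a 🔴 for the "No configuration files were modified" expectation; the per-file lines give the notes column.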

@thony4uu
Member

thony4uu commented Oct 7, 2024

System Information

Ubuntu 24.04 x86_64(Indexer, Wazuh server node 1, dashboard)
root@ip-172-31-44-8:/home/ubuntu# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0e:df:ef:ee:90:85 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet 172.31.44.8/20 metric 100 brd 172.31.47.255 scope global dynamic ens5
       valid_lft 3111sec preferred_lft 3111sec
    inet6 fe80::cdf:efff:feee:9085/64 scope link
       valid_lft forever preferred_lft forever
root@ip-172-31-44-8:/home/ubuntu# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
Ubuntu 24.04 x86_64 (Wazuh server node 2)
root@ip-172-31-36-102:/home/ubuntu# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0e:fc:77:f3:36:f9 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet 172.31.36.102/20 metric 100 brd 172.31.47.255 scope global dynamic ens5
       valid_lft 2838sec preferred_lft 2838sec
    inet6 fe80::cfc:77ff:fef3:36f9/64 scope link
       valid_lft forever preferred_lft forever
root@ip-172-31-36-102:/home/ubuntu# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
Windows 11 x86_64 (Wazuh agent 1)
C:\Users\Jenkins>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : ec2.internal
   Link-local IPv6 Address . . . . . : fe80::87bd:9138:f108:a2df%5
   IPv4 Address. . . . . . . . . . . : 172.31.46.185
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 172.31.32.1
C:\Users\Jenkins>systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"
OS Name:                   Microsoft Windows 11 Pro
OS Version:                10.0.22621 N/A Build 22621
Debian 11 x86_64 (Wazuh agent 2)
root@ip-172-31-35-100:/home/admin# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0e:89:f1:8a:78:09 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet 172.31.35.100/20 brd 172.31.47.255 scope global dynamic ens5
       valid_lft 3551sec preferred_lft 3551sec
    inet6 fe80::c89:f1ff:fe8a:7809/64 scope link
       valid_lft forever preferred_lft forever
root@ip-172-31-35-100:/home/admin#  cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

@thony4uu
Member

thony4uu commented Oct 8, 2024

🟢 1. Initial Deployment:

Wazuh indexer:
root@ip-172-31-44-8:/home/ubuntu# curl -sO https://packages.wazuh.com/4.9/wazuh-certs-tool.sh
root@ip-172-31-44-8:/home/ubuntu# curl -sO https://packages.wazuh.com/4.9/config.yml
root@ip-172-31-44-8:/home/ubuntu# nano ./config.yml
root@ip-172-31-44-8:/home/ubuntu# cat ./config.yml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "172.31.44.8"
    #- name: node-2
    #  ip: ""
    #- name: node-3
    #  ip: ""

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "172.31.44.8"
      node_type: master
    - name: wazuh-2
      ip: "172.31.36.102"
      node_type: worker
    #- name: wazuh-3
    #  ip: ""
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "172.31.44.8"
root@ip-172-31-44-8:/home/ubuntu# bash ./wazuh-certs-tool.sh -A
08/10/2024 02:01:13 INFO: Verbose logging redirected to /home/ubuntu/wazuh-certificates-tool.log
08/10/2024 02:01:13 INFO: Generating the root certificate.
08/10/2024 02:01:14 INFO: Generating Admin certificates.
08/10/2024 02:01:14 INFO: Admin certificates created.
08/10/2024 02:01:14 INFO: Generating Wazuh indexer certificates.
08/10/2024 02:01:14 INFO: Wazuh indexer certificates created.
08/10/2024 02:01:14 INFO: Generating Filebeat certificates.
08/10/2024 02:01:15 INFO: Wazuh Filebeat certificates created.
08/10/2024 02:01:15 INFO: Generating Wazuh dashboard certificates.
08/10/2024 02:01:16 INFO: Wazuh dashboard certificates created.
root@ip-172-31-44-8:/home/ubuntu# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
./
./root-ca.pem
./node-1-key.pem
./admin-key.pem
./wazuh-2-key.pem
./dashboard.pem
./wazuh-1.pem
./root-ca.key
./admin.pem
./node-1.pem
./dashboard-key.pem
./wazuh-1-key.pem
./wazuh-2.pem
root@ip-172-31-44-8:/home/ubuntu# rm -rf ./wazuh-certificates
root@ip-172-31-44-8:/home/ubuntu# apt-get install debconf adduser procps
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
debconf is already the newest version (1.5.86ubuntu1).
debconf set to manually installed.
adduser is already the newest version (3.137ubuntu1).
adduser set to manually installed.
The following additional packages will be installed:
libproc2-0
The following packages will be upgraded:
libproc2-0 procps
2 upgraded, 0 newly installed, 0 to remove and 194 not upgraded.
Need to get 767 kB of archives.
After this operation, 4096 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/main amd64 libproc2-0 amd64 2:4.0.4-4ubuntu3.1 [59.4 kB]
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/main amd64 procps amd64 2:4.0.4-4ubuntu3.1 [708 kB]
Fetched 767 kB in 0s (19.5 MB/s)
(Reading database ... 71848 files and directories currently installed.)
Preparing to unpack .../libproc2-0_2%3a4.0.4-4ubuntu3.1_amd64.deb ...
Unpacking libproc2-0:amd64 (2:4.0.4-4ubuntu3.1) over (2:4.0.4-4ubuntu3) ...
Preparing to unpack .../procps_2%3a4.0.4-4ubuntu3.1_amd64.deb ...
Unpacking procps (2:4.0.4-4ubuntu3.1) over (2:4.0.4-4ubuntu3) ...
Setting up libproc2-0:amd64 (2:4.0.4-4ubuntu3.1) ...
Setting up procps (2:4.0.4-4ubuntu3.1) ...
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for libc-bin (2.39-0ubuntu8) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-44-8:/home/ubuntu# apt-get install gnupg apt-transport-https
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
gnupg is already the newest version (2.4.4-2ubuntu17).
gnupg set to manually installed.
The following NEW packages will be installed:
apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 194 not upgraded.
Need to get 3974 B of archives.
After this operation, 35.8 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/universe amd64 apt-transport-https all 2.7.14build2 [3974 B]
Fetched 3974 B in 0s (217 kB/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 71849 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_2.7.14build2_all.deb ...
Unpacking apt-transport-https (2.7.14build2) ...
Setting up apt-transport-https (2.7.14build2) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-44-8:/home/ubuntu# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) [email protected]" imported
gpg: Total number processed: 1
gpg: imported: 1
root@ip-172-31-44-8:/home/ubuntu# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main
root@ip-172-31-44-8:/home/ubuntu# apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-backports InRelease
Get:4 https://packages.wazuh.com/4.x/apt stable InRelease [17.3 kB]
Hit:5 http://security.ubuntu.com/ubuntu noble-security InRelease
Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [385 kB]
Get:7 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/universe Translation-en [160 kB]
Get:8 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages [40.2 kB]
Fetched 728 kB in 1s (862 kB/s)
Reading package lists... Done
root@ip-172-31-44-8:/home/ubuntu# apt-get -y install wazuh-indexer
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
wazuh-indexer
0 upgraded, 1 newly installed, 0 to remove and 194 not upgraded.
Need to get 850 MB of archives.
After this operation, 1077 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 wazuh-indexer amd64 4.9.0-1 [850 MB]
Fetched 850 MB in 14s (60.6 MB/s)
Selecting previously unselected package wazuh-indexer.
(Reading database ... 71853 files and directories currently installed.)
Preparing to unpack .../wazuh-indexer_4.9.0-1_amd64.deb ...
Running Wazuh Indexer Pre-Installation Script
Unpacking wazuh-indexer (4.9.0-1) ...
Setting up wazuh-indexer (4.9.0-1) ...
Running Wazuh Indexer Post-Installation Script

NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd

sudo systemctl daemon-reload
sudo systemctl enable wazuh-indexer.service

You can start wazuh-indexer service by executing

sudo systemctl start wazuh-indexer.service
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-44-8:/home/ubuntu# nano /etc/wazuh-indexer/opensearch.yml
root@ip-172-31-44-8:/home/ubuntu# nano /etc/wazuh-indexer/opensearch.yml
root@ip-172-31-44-8:/home/ubuntu# NODE_NAME=node-1
root@ip-172-31-44-8:/home/ubuntu# mkdir /etc/wazuh-indexer/certs
root@ip-172-31-44-8:/home/ubuntu# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
root@ip-172-31-44-8:/home/ubuntu# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
root@ip-172-31-44-8:/home/ubuntu# ls /etc/wazuh-indexer/certs
admin-key.pem admin.pem indexer.pem node-1-key.pem root-ca.pem
root@ip-172-31-44-8:/home/ubuntu# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
root@ip-172-31-44-8:/home/ubuntu# chmod 500 /etc/wazuh-indexer/certs
root@ip-172-31-44-8:/home/ubuntu# chmod 400 /etc/wazuh-indexer/certs/*
root@ip-172-31-44-8:/home/ubuntu# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
root@ip-172-31-44-8:/home/ubuntu# systemctl daemon-reload
root@ip-172-31-44-8:/home/ubuntu# systemctl enable wazuh-indexer
Synchronizing state of wazuh-indexer.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable wazuh-indexer
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service.
root@ip-172-31-44-8:/home/ubuntu# systemctl start wazuh-indexer
root@ip-172-31-44-8:/home/ubuntu# /usr/share/wazuh-indexer/bin/indexer-security-init.sh


** This tool will be deprecated in the next major release of OpenSearch **
** opensearch-project/security#1755 **


Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.13.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
root@ip-172-31-44-8:/home/ubuntu# curl -k -u admin:admin https://172.31.44.8:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "SB3v3qO1RK6M5AQai0nxDw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "9fd1835bba77ae04d48550eb4dc9be4787070806",
    "build_date" : "2024-08-30T10:06:03.028357Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@ip-172-31-44-8:/home/ubuntu# curl -k -u admin:admin https://172.31.44.8:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
172.31.44.8 42 63 9 0.11 0.18 0.08 dimr cluster_manager,data,ingest,remote_cluster_client * node-1
root@ip-172-31-44-8:/home/ubuntu# systemctl status wazuh-indexer
● wazuh-indexer.service - wazuh-indexer
Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-10-08 02:27:14 UTC; 3min 6s ago
Docs: https://documentation.wazuh.com
Main PID: 7129 (java)
Tasks: 64 (limit: 9393)
Memory: 1.3G (peak: 1.3G)
CPU: 59.349s
CGroup: /system.slice/wazuh-indexer.service
└─7129 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.>

Oct 08 02:26:54 ip-172-31-44-8 systemd-entrypoint[7129]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/>
Oct 08 02:26:54 ip-172-31-44-8 systemd-entrypoint[7129]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Oct 08 02:26:54 ip-172-31-44-8 systemd-entrypoint[7129]: WARNING: System::setSecurityManager will be removed in a future release
Oct 08 02:26:55 ip-172-31-44-8 systemd-entrypoint[7129]: Oct 08, 2024 2:26:55 AM sun.util.locale.provider.LocaleProviderAdapter
Oct 08 02:26:55 ip-172-31-44-8 systemd-entrypoint[7129]: WARNING: COMPAT locale provider will be removed in a future release
Oct 08 02:26:56 ip-172-31-44-8 systemd-entrypoint[7129]: WARNING: A terminally deprecated method in java.lang.System has been called
Oct 08 02:26:56 ip-172-31-44-8 systemd-entrypoint[7129]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/us>
Oct 08 02:26:56 ip-172-31-44-8 systemd-entrypoint[7129]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Oct 08 02:26:56 ip-172-31-44-8 systemd-entrypoint[7129]: WARNING: System::setSecurityManager will be removed in a future release
Oct 08 02:27:14 ip-172-31-44-8 systemd[1]: Started wazuh-indexer.service - wazuh-indexer.

Wazuh server node 1:
root@ip-172-31-44-8:/home/ubuntu# apt-get -y install wazuh-manager
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  expect
The following NEW packages will be installed:
  wazuh-manager
0 upgraded, 1 newly installed, 0 to remove and 194 not upgraded.
Need to get 322 MB of archives.
After this operation, 891 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 wazuh-manager amd64 4.9.0-1 [322 MB]
Fetched 322 MB in 5s (62.5 MB/s)
Selecting previously unselected package wazuh-manager.
(Reading database ... 73038 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_4.9.0-1_amd64.deb ...
Unpacking wazuh-manager (4.9.0-1) ...
Setting up wazuh-manager (4.9.0-1) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-44-8:/home/ubuntu# apt-get -y install filebeat
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
filebeat
0 upgraded, 1 newly installed, 0 to remove and 194 not upgraded.
Need to get 22.1 MB of archives.
After this operation, 73.6 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 filebeat amd64 7.10.2 [22.1 MB]
Fetched 22.1 MB in 0s (65.0 MB/s)
Selecting previously unselected package filebeat.
(Reading database ... 97016 files and directories currently installed.)
Preparing to unpack .../filebeat_7.10.2_amd64.deb ...
Unpacking filebeat (7.10.2) ...
Setting up filebeat (7.10.2) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-44-8:/home/ubuntu# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.9/tpl/wazuh/filebeat/filebeat.yml
root@ip-172-31-44-8:/home/ubuntu# nano /etc/filebeat/filebeat.yml
root@ip-172-31-44-8:/home/ubuntu# filebeat keystore create
Created filebeat keystore
root@ip-172-31-44-8:/home/ubuntu# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
root@ip-172-31-44-8:/home/ubuntu# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
root@ip-172-31-44-8:/home/ubuntu# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
root@ip-172-31-44-8:/home/ubuntu# chmod go+r /etc/filebeat/wazuh-template.json
root@ip-172-31-44-8:/home/ubuntu# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
root@ip-172-31-44-8:/home/ubuntu# NODE_NAME=wazuh-1
root@ip-172-31-44-8:/home/ubuntu# mkdir /etc/filebeat/certs
root@ip-172-31-44-8:/home/ubuntu# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
root@ip-172-31-44-8:/home/ubuntu# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
root@ip-172-31-44-8:/home/ubuntu# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
root@ip-172-31-44-8:/home/ubuntu# chmod 500 /etc/filebeat/certs
root@ip-172-31-44-8:/home/ubuntu# chmod 400 /etc/filebeat/certs/*
root@ip-172-31-44-8:/home/ubuntu# chown -R root:root /etc/filebeat/certs
root@ip-172-31-44-8:/home/ubuntu# systemctl daemon-reload
root@ip-172-31-44-8:/home/ubuntu# systemctl enable wazuh-manager
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.
root@ip-172-31-44-8:/home/ubuntu# systemctl start wazuh-manager
root@ip-172-31-44-8:/home/ubuntu# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-10-08 02:55:57 UTC; 7s ago
Process: 56297 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
Tasks: 147 (limit: 9393)
Memory: 1.9G (peak: 1.9G)
CPU: 41.340s
CGroup: /system.slice/wazuh-manager.service
├─56359 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─56398 /var/ossec/bin/wazuh-authd
├─56411 /var/ossec/bin/wazuh-db
├─56437 /var/ossec/bin/wazuh-execd
├─56441 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─56447 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─56450 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─56460 /var/ossec/bin/wazuh-analysisd
├─56472 /var/ossec/bin/wazuh-syscheckd
├─56520 /var/ossec/bin/wazuh-remoted
├─56553 /var/ossec/bin/wazuh-logcollector
├─56572 /var/ossec/bin/wazuh-monitord
├─56595 /var/ossec/bin/wazuh-modulesd
├─56807 sh -c -- "/bin/ps -p 15 > /dev/null 2>&1"
└─56808 /bin/ps -p 15

Oct 08 02:55:49 ip-172-31-44-8 env[56297]: Started wazuh-analysisd...
Oct 08 02:55:50 ip-172-31-44-8 env[56297]: Started wazuh-syscheckd...
Oct 08 02:55:51 ip-172-31-44-8 env[56297]: Started wazuh-remoted...
Oct 08 02:55:52 ip-172-31-44-8 env[56297]: Started wazuh-logcollector...
Oct 08 02:55:54 ip-172-31-44-8 env[56297]: Started wazuh-monitord...
Oct 08 02:55:54 ip-172-31-44-8 env[56592]: 2024/10/08 02:55:54 wazuh-modulesd:router: INFO: Loaded router module.
Oct 08 02:55:54 ip-172-31-44-8 env[56592]: 2024/10/08 02:55:54 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Oct 08 02:55:55 ip-172-31-44-8 env[56297]: Started wazuh-modulesd...
Oct 08 02:55:57 ip-172-31-44-8 env[56297]: Completed.
Oct 08 02:55:57 ip-172-31-44-8 systemd[1]: Started wazuh-manager.service - Wazuh manager.
root@ip-172-31-44-8:/home/ubuntu# systemctl daemon-reload
root@ip-172-31-44-8:/home/ubuntu# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
root@ip-172-31-44-8:/home/ubuntu# systemctl start filebeat
root@ip-172-31-44-8:/home/ubuntu# filebeat test output
elasticsearch: https://172.31.44.8:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 172.31.44.8
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2

Wazuh server node 2:
root@ip-172-31-36-102:/home/ubuntu# ls
wazuh-certificates.tar
root@ip-172-31-36-102:/home/ubuntu# apt-get install gnupg apt-transport-https
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
gnupg is already the newest version (2.4.4-2ubuntu17).
gnupg set to manually installed.
The following NEW packages will be installed:
  apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 196 not upgraded.
Need to get 3974 B of archives.
After this operation, 35.8 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/universe amd64 apt-transport-https all 2.7.14build2 [3974 B]
Fetched 3974 B in 0s (180 kB/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 71848 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_2.7.14build2_all.deb ...
Unpacking apt-transport-https (2.7.14build2) ...
Setting up apt-transport-https (2.7.14build2) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-36-102:/home/ubuntu# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) [email protected]" imported
gpg: Total number processed: 1
gpg: imported: 1
root@ip-172-31-36-102:/home/ubuntu# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main
root@ip-172-31-36-102:/home/ubuntu# apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu noble-security InRelease
Get:5 https://packages.wazuh.com/4.x/apt stable InRelease [17.3 kB]
Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [385 kB]
Get:7 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/universe Translation-en [160 kB]
Get:8 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages [40.2 kB]
Fetched 728 kB in 1s (787 kB/s)
Reading package lists... Done
root@ip-172-31-36-102:/home/ubuntu# apt-get -y install wazuh-manager
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
expect
The following NEW packages will be installed:
wazuh-manager
0 upgraded, 1 newly installed, 0 to remove and 196 not upgraded.
Need to get 322 MB of archives.
After this operation, 891 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 wazuh-manager amd64 4.9.0-1 [322 MB]
Fetched 322 MB in 5s (58.8 MB/s)
Selecting previously unselected package wazuh-manager.
(Reading database ... 71852 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_4.9.0-1_amd64.deb ...
Unpacking wazuh-manager (4.9.0-1) ...
Setting up wazuh-manager (4.9.0-1) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-36-102:/home/ubuntu# apt-get -y install filebeat
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
filebeat
0 upgraded, 1 newly installed, 0 to remove and 196 not upgraded.
Need to get 22.1 MB of archives.
After this operation, 73.6 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 filebeat amd64 7.10.2 [22.1 MB]
Fetched 22.1 MB in 0s (58.9 MB/s)
Selecting previously unselected package filebeat.
(Reading database ... 95830 files and directories currently installed.)
Preparing to unpack .../filebeat_7.10.2_amd64.deb ...
Unpacking filebeat (7.10.2) ...
Setting up filebeat (7.10.2) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-36-102:/home/ubuntu# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.9/tpl/wazuh/filebeat/filebeat.yml
root@ip-172-31-36-102:/home/ubuntu# nano /etc/filebeat/filebeat.yml
root@ip-172-31-36-102:/home/ubuntu# filebeat keystore create
Created filebeat keystore
root@ip-172-31-36-102:/home/ubuntu# echo admin | filebeat keystore add username --stdin --force
Successfully updated the keystore
root@ip-172-31-36-102:/home/ubuntu# echo admin | filebeat keystore add password --stdin --force
Successfully updated the keystore
root@ip-172-31-36-102:/home/ubuntu# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
root@ip-172-31-36-102:/home/ubuntu# chmod go+r /etc/filebeat/wazuh-template.json
root@ip-172-31-36-102:/home/ubuntu# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
root@ip-172-31-36-102:/home/ubuntu# NODE_NAME=wazuh-2
root@ip-172-31-36-102:/home/ubuntu# mkdir /etc/filebeat/certs
root@ip-172-31-36-102:/home/ubuntu# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
root@ip-172-31-36-102:/home/ubuntu# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
root@ip-172-31-36-102:/home/ubuntu# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
root@ip-172-31-36-102:/home/ubuntu# chmod 500 /etc/filebeat/certs
root@ip-172-31-36-102:/home/ubuntu# chmod 400 /etc/filebeat/certs/*
root@ip-172-31-36-102:/home/ubuntu# chown -R root:root /etc/filebeat/certs
root@ip-172-31-36-102:/home/ubuntu# systemctl daemon-reload
root@ip-172-31-36-102:/home/ubuntu# systemctl enable wazuh-manager
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service.
root@ip-172-31-36-102:/home/ubuntu# systemctl start wazuh-manager
root@ip-172-31-36-102:/home/ubuntu# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-10-08 03:16:54 UTC; 4s ago
Process: 54964 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
Tasks: 136 (limit: 4600)
Memory: 1.3G (peak: 1.3G)
CPU: 36.095s
CGroup: /system.slice/wazuh-manager.service
├─55026 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─55065 /var/ossec/bin/wazuh-authd
├─55079 /var/ossec/bin/wazuh-db
├─55104 /var/ossec/bin/wazuh-execd
├─55117 /var/ossec/bin/wazuh-analysisd
├─55127 /var/ossec/bin/wazuh-syscheckd
├─55132 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─55135 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─55138 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─55151 /var/ossec/bin/wazuh-remoted
├─55218 /var/ossec/bin/wazuh-logcollector
├─55236 /var/ossec/bin/wazuh-monitord
└─55258 /var/ossec/bin/wazuh-modulesd

Oct 08 03:16:46 ip-172-31-36-102 env[54964]: Started wazuh-analysisd...
Oct 08 03:16:47 ip-172-31-36-102 env[54964]: Started wazuh-syscheckd...
Oct 08 03:16:48 ip-172-31-36-102 env[54964]: Started wazuh-remoted...
Oct 08 03:16:50 ip-172-31-36-102 env[54964]: Started wazuh-logcollector...
Oct 08 03:16:51 ip-172-31-36-102 env[54964]: Started wazuh-monitord...
Oct 08 03:16:51 ip-172-31-36-102 env[55256]: 2024/10/08 03:16:51 wazuh-modulesd:router: INFO: Loaded router module.
Oct 08 03:16:51 ip-172-31-36-102 env[55256]: 2024/10/08 03:16:51 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Oct 08 03:16:52 ip-172-31-36-102 env[54964]: Started wazuh-modulesd...
Oct 08 03:16:54 ip-172-31-36-102 env[54964]: Completed.
Oct 08 03:16:54 ip-172-31-36-102 systemd[1]: Started wazuh-manager.service - Wazuh manager.
root@ip-172-31-36-102:/home/ubuntu# systemctl daemon-reload
root@ip-172-31-36-102:/home/ubuntu# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
root@ip-172-31-36-102:/home/ubuntu# systemctl start filebeat
root@ip-172-31-36-102:/home/ubuntu# filebeat test output
elasticsearch: https://172.31.44.8:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 172.31.44.8
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2

Cluster configuration for Wazuh server nodes:
root@ip-172-31-44-8:/home/ubuntu# openssl rand -hex 16
2beb14ef64e128a16ce4fa14653a6f86
root@ip-172-31-44-8:/home/ubuntu# nano /var/ossec/etc/ossec.conf
root@ip-172-31-44-8:/home/ubuntu# grep -A13 "<cluster>" /var/ossec/etc/ossec.conf
  <cluster>
    <name>wazuh</name>
    <node_name>wazuh-1</node_name>
    <node_type>master</node_type>
    <key>2beb14ef64e128a16ce4fa14653a6f86</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>172.31.44.8</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>

root@ip-172-31-44-8:/home/ubuntu# systemctl restart wazuh-manager
root@ip-172-31-44-8:/home/ubuntu# /var/ossec/bin/cluster_control -l
NAME TYPE VERSION ADDRESS
wazuh-1 master 4.9.0 172.31.44.8
wazuh-2 worker 4.9.0 172.31.36.102
root@ip-172-31-36-102:/home/ubuntu# nano /var/ossec/etc/ossec.conf
root@ip-172-31-36-102:/home/ubuntu# grep -A13 "<cluster>" /var/ossec/etc/ossec.conf
  <cluster>
    <name>wazuh</name>
    <node_name>wazuh-2</node_name>
    <node_type>worker</node_type>
    <key>2beb14ef64e128a16ce4fa14653a6f86</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>172.31.44.8</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
root@ip-172-31-36-102:/home/ubuntu# systemctl restart wazuh-manager
root@ip-172-31-36-102:/home/ubuntu# /var/ossec/bin/cluster_control -l
NAME TYPE VERSION ADDRESS
wazuh-1 master 4.9.0 172.31.44.8
wazuh-2 worker 4.9.0 172.31.36.102

Wazuh dashboard:
root@ip-172-31-44-8:/home/ubuntu# apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
tar is already the newest version (1.35+dfsg-3build1).
tar set to manually installed.
libcap2-bin is already the newest version (1:2.66-5ubuntu2).
libcap2-bin set to manually installed.
The following additional packages will be installed:
  autoconf automake autopoint autotools-dev binutils binutils-common binutils-x86-64-linux-gnu build-essential bzip2 cpp cpp-13 cpp-13-x86-64-linux-gnu
  cpp-x86-64-linux-gnu debugedit dh-autoreconf dh-strip-nondeterminism dpkg dpkg-dev dwz fakeroot g++ g++-13 g++-13-x86-64-linux-gnu g++-x86-64-linux-gnu
  gcc gcc-13 gcc-13-base gcc-13-x86-64-linux-gnu gcc-x86-64-linux-gnu gettext intltool-debian libalgorithm-diff-perl libalgorithm-diff-xs-perl
  libalgorithm-merge-perl libarchive-cpio-perl libarchive-zip-perl libasan8 libatomic1 libbinutils libbz2-1.0 libcc1-0 libctf-nobfd0 libctf0
  libcurl3t64-gnutls libcurl4t64 libdebhelper-perl libdpkg-perl libfakeroot libfile-fcntllock-perl libfile-stripnondeterminism-perl libgcc-13-dev libgomp1
  libgprofng0 libhwasan0 libisl23 libitm1 liblsan0 libltdl-dev libltdl7 libmail-sendmail-perl libmpc3 libquadmath0 libsframe1 libstdc++-13-dev
  libsub-override-perl libsys-hostname-long-perl libtool libtsan2 libubsan1 lto-disabled-list m4 make po-debconf
Suggested packages:
  autoconf-archive gnu-standards autoconf-doc binutils-doc gprofng-gui bzip2-doc cpp-doc gcc-13-locales cpp-13-doc dh-make debsig-verify debian-keyring
  g++-multilib g++-13-multilib gcc-13-doc gcc-multilib flex bison gdb gcc-doc gcc-13-multilib gdb-x86-64-linux-gnu gettext-doc libasprintf-dev
  libgettextpo-dev bzr libtool-doc libstdc++-13-doc gfortran | fortran95-compiler gcj-jdk m4-doc make-doc libmail-box-perl
The following NEW packages will be installed:
  autoconf automake autopoint autotools-dev binutils binutils-common binutils-x86-64-linux-gnu build-essential bzip2 cpp cpp-13 cpp-13-x86-64-linux-gnu
  cpp-x86-64-linux-gnu debhelper debugedit dh-autoreconf dh-strip-nondeterminism dpkg-dev dwz fakeroot g++ g++-13 g++-13-x86-64-linux-gnu
  g++-x86-64-linux-gnu gcc gcc-13 gcc-13-base gcc-13-x86-64-linux-gnu gcc-x86-64-linux-gnu gettext intltool-debian libalgorithm-diff-perl
  libalgorithm-diff-xs-perl libalgorithm-merge-perl libarchive-cpio-perl libarchive-zip-perl libasan8 libatomic1 libbinutils libcc1-0 libctf-nobfd0
  libctf0 libdebhelper-perl libdpkg-perl libfakeroot libfile-fcntllock-perl libfile-stripnondeterminism-perl libgcc-13-dev libgomp1 libgprofng0 libhwasan0
  libisl23 libitm1 liblsan0 libltdl-dev libltdl7 libmail-sendmail-perl libmpc3 libquadmath0 libsframe1 libstdc++-13-dev libsub-override-perl
  libsys-hostname-long-perl libtool libtsan2 libubsan1 lto-disabled-list m4 make po-debconf
The following packages will be upgraded:
  curl dpkg libbz2-1.0 libcurl3t64-gnutls libcurl4t64
5 upgraded, 70 newly installed, 0 to remove and 189 not upgraded.
Need to get 72.8 MB/75.0 MB of archives.
After this operation, 261 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/main amd64 libbz2-1.0 amd64 1.0.8-5.1build0.1 [34.4 kB]
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 m4 amd64 1.4.19-4build1 [244 kB]
Get:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 autoconf all 2.71-3 [339 kB]
Get:4 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 autotools-dev all 20220109.1 [44.9 kB]
Get:5 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 automake all 1:1.16.5-1.3ubuntu1 [558 kB]
Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 autopoint all 0.21-14ubuntu2 [422 kB]
Get:7 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 binutils-common amd64 2.42-4ubuntu2 [239 kB]
Get:8 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libsframe1 amd64 2.42-4ubuntu2 [14.8 kB]
Get:9 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libbinutils amd64 2.42-4ubuntu2 [572 kB]
Get:10 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libctf-nobfd0 amd64 2.42-4ubuntu2 [97.1 kB]
Get:11 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libctf0 amd64 2.42-4ubuntu2 [94.5 kB]
Get:12 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libgprofng0 amd64 2.42-4ubuntu2 [851 kB]
Get:13 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 binutils-x86-64-linux-gnu amd64 2.42-4ubuntu2 [2469 kB]
Get:14 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 binutils amd64 2.42-4ubuntu2 [18.0 kB]
Get:15 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 gcc-13-base amd64 13.2.0-23ubuntu4 [49.0 kB]
Get:16 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libisl23 amd64 0.26-3build1 [680 kB]
Get:17 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libmpc3 amd64 1.3.1-1build1 [54.5 kB]
Get:18 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 cpp-13-x86-64-linux-gnu amd64 13.2.0-23ubuntu4 [11.2 MB]
Get:19 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 cpp-13 amd64 13.2.0-23ubuntu4 [1032 B]
Get:20 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 cpp-x86-64-linux-gnu amd64 4:13.2.0-7ubuntu1 [5326 B]
Get:21 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 cpp amd64 4:13.2.0-7ubuntu1 [22.4 kB]
Get:22 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libcc1-0 amd64 14-20240412-0ubuntu1 [47.7 kB]
Get:23 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libgomp1 amd64 14-20240412-0ubuntu1 [147 kB]
Get:24 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libitm1 amd64 14-20240412-0ubuntu1 [28.9 kB]
Get:25 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libatomic1 amd64 14-20240412-0ubuntu1 [10.4 kB]
Get:26 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libasan8 amd64 14-20240412-0ubuntu1 [3024 kB]
Get:27 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 liblsan0 amd64 14-20240412-0ubuntu1 [1313 kB]
Get:28 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libtsan2 amd64 14-20240412-0ubuntu1 [2736 kB]
Get:29 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libubsan1 amd64 14-20240412-0ubuntu1 [1175 kB]
Get:30 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libhwasan0 amd64 14-20240412-0ubuntu1 [1632 kB]
Get:31 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libquadmath0 amd64 14-20240412-0ubuntu1 [153 kB]
Get:32 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libgcc-13-dev amd64 13.2.0-23ubuntu4 [2688 kB]
Get:33 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 gcc-13-x86-64-linux-gnu amd64 13.2.0-23ubuntu4 [21.9 MB]
Get:34 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 gcc-13 amd64 13.2.0-23ubuntu4 [482 kB]
Get:35 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 gcc-x86-64-linux-gnu amd64 4:13.2.0-7ubuntu1 [1212 B]
Get:36 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 gcc amd64 4:13.2.0-7ubuntu1 [5018 B]
Get:37 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libstdc++-13-dev amd64 13.2.0-23ubuntu4 [2399 kB]
Get:38 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 g++-13-x86-64-linux-gnu amd64 13.2.0-23ubuntu4 [12.5 MB]
Get:39 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 g++-13 amd64 13.2.0-23ubuntu4 [14.5 kB]
Get:40 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 g++-x86-64-linux-gnu amd64 4:13.2.0-7ubuntu1 [964 B]
Get:41 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 g++ amd64 4:13.2.0-7ubuntu1 [1100 B]
Get:42 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 make amd64 4.3-4.1build2 [180 kB]
Get:43 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/main amd64 libdpkg-perl all 1.22.6ubuntu6.1 [269 kB]
Get:44 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/main amd64 bzip2 amd64 1.0.8-5.1build0.1 [34.5 kB]
Get:45 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 lto-disabled-list all 47 [12.4 kB]
Get:46 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/main amd64 dpkg-dev all 1.22.6ubuntu6.1 [1074 kB]
Get:47 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 build-essential amd64 12.10ubuntu1 [4928 B]
Get:48 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libdebhelper-perl all 13.14.1ubuntu5 [89.8 kB]
Get:49 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libtool all 2.4.7-7build1 [166 kB]
Get:50 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 dh-autoreconf all 20 [16.1 kB]
Get:51 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libarchive-zip-perl all 1.68-1 [90.2 kB]
Get:52 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libsub-override-perl all 0.10-1 [10.0 kB]
Get:53 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libfile-stripnondeterminism-perl all 1.13.1-1 [18.1 kB]
Get:54 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 dh-strip-nondeterminism all 1.13.1-1 [5362 B]
Get:55 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 debugedit amd64 1:5.0-5build2 [46.1 kB]
Get:56 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 dwz amd64 0.15-1build6 [115 kB]
Get:57 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 gettext amd64 0.21-14ubuntu2 [864 kB]
Get:58 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 intltool-debian all 0.35.0+20060710.6 [23.2 kB]
Get:59 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 po-debconf all 1.0.21+nmu1 [233 kB]
Get:60 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 debhelper all 13.14.1ubuntu5 [869 kB]
Get:61 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libfakeroot amd64 1.33-1 [32.4 kB]
Get:62 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 fakeroot amd64 1.33-1 [67.2 kB]
Get:63 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libalgorithm-diff-perl all 1.201-1 [41.8 kB]
Get:64 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libalgorithm-diff-xs-perl amd64 0.04-8build3 [11.2 kB]
Get:65 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libalgorithm-merge-perl all 0.08-5 [11.4 kB]
Get:66 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libarchive-cpio-perl all 0.10-3 [10.3 kB]
Get:67 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libfile-fcntllock-perl amd64 0.22-4ubuntu5 [30.7 kB]
Get:68 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libltdl7 amd64 2.4.7-7build1 [40.3 kB]
Get:69 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libltdl-dev amd64 2.4.7-7build1 [168 kB]
Get:70 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libsys-hostname-long-perl all 1.5-3 [10.6 kB]
Get:71 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble/main amd64 libmail-sendmail-perl all 0.80-3 [21.7 kB]
Fetched 72.8 MB in 1s (69.4 MB/s)
Extracting templates from packages: 100%
(Reading database ... 97335 files and directories currently installed.)
Preparing to unpack .../dpkg_1.22.6ubuntu6.1_amd64.deb ...
Unpacking dpkg (1.22.6ubuntu6.1) over (1.22.6ubuntu6) ...
Setting up dpkg (1.22.6ubuntu6.1) ...
(Reading database ... 97335 files and directories currently installed.)
Preparing to unpack .../libbz2-1.0_1.0.8-5.1build0.1_amd64.deb ...
Unpacking libbz2-1.0:amd64 (1.0.8-5.1build0.1) over (1.0.8-5.1) ...
Setting up libbz2-1.0:amd64 (1.0.8-5.1build0.1) ...
Selecting previously unselected package m4.
(Reading database ... 97335 files and directories currently installed.)
Preparing to unpack .../00-m4_1.4.19-4build1_amd64.deb ...
Unpacking m4 (1.4.19-4build1) ...
Selecting previously unselected package autoconf.
Preparing to unpack .../01-autoconf_2.71-3_all.deb ...
Unpacking autoconf (2.71-3) ...
Selecting previously unselected package autotools-dev.
Preparing to unpack .../02-autotools-dev_20220109.1_all.deb ...
Unpacking autotools-dev (20220109.1) ...
Selecting previously unselected package automake.
Preparing to unpack .../03-automake_1%3a1.16.5-1.3ubuntu1_all.deb ...
Unpacking automake (1:1.16.5-1.3ubuntu1) ...
Selecting previously unselected package autopoint.
Preparing to unpack .../04-autopoint_0.21-14ubuntu2_all.deb ...
Unpacking autopoint (0.21-14ubuntu2) ...
Selecting previously unselected package binutils-common:amd64.
Preparing to unpack .../05-binutils-common_2.42-4ubuntu2_amd64.deb ...
Unpacking binutils-common:amd64 (2.42-4ubuntu2) ...
Selecting previously unselected package libsframe1:amd64.
Preparing to unpack .../06-libsframe1_2.42-4ubuntu2_amd64.deb ...
Unpacking libsframe1:amd64 (2.42-4ubuntu2) ...
Selecting previously unselected package libbinutils:amd64.
Preparing to unpack .../07-libbinutils_2.42-4ubuntu2_amd64.deb ...
Unpacking libbinutils:amd64 (2.42-4ubuntu2) ...
Selecting previously unselected package libctf-nobfd0:amd64.
Preparing to unpack .../08-libctf-nobfd0_2.42-4ubuntu2_amd64.deb ...
Unpacking libctf-nobfd0:amd64 (2.42-4ubuntu2) ...
Selecting previously unselected package libctf0:amd64.
Preparing to unpack .../09-libctf0_2.42-4ubuntu2_amd64.deb ...
Unpacking libctf0:amd64 (2.42-4ubuntu2) ...
Selecting previously unselected package libgprofng0:amd64.
Preparing to unpack .../10-libgprofng0_2.42-4ubuntu2_amd64.deb ...
Unpacking libgprofng0:amd64 (2.42-4ubuntu2) ...
Selecting previously unselected package binutils-x86-64-linux-gnu.
Preparing to unpack .../11-binutils-x86-64-linux-gnu_2.42-4ubuntu2_amd64.deb ...
Unpacking binutils-x86-64-linux-gnu (2.42-4ubuntu2) ...
Selecting previously unselected package binutils.
Preparing to unpack .../12-binutils_2.42-4ubuntu2_amd64.deb ...
Unpacking binutils (2.42-4ubuntu2) ...
Selecting previously unselected package gcc-13-base:amd64.
Preparing to unpack .../13-gcc-13-base_13.2.0-23ubuntu4_amd64.deb ...
Unpacking gcc-13-base:amd64 (13.2.0-23ubuntu4) ...
Selecting previously unselected package libisl23:amd64.
Preparing to unpack .../14-libisl23_0.26-3build1_amd64.deb ...
Unpacking libisl23:amd64 (0.26-3build1) ...
Selecting previously unselected package libmpc3:amd64.
Preparing to unpack .../15-libmpc3_1.3.1-1build1_amd64.deb ...
Unpacking libmpc3:amd64 (1.3.1-1build1) ...
Selecting previously unselected package cpp-13-x86-64-linux-gnu.
Preparing to unpack .../16-cpp-13-x86-64-linux-gnu_13.2.0-23ubuntu4_amd64.deb ...
Unpacking cpp-13-x86-64-linux-gnu (13.2.0-23ubuntu4) ...
Selecting previously unselected package cpp-13.
Preparing to unpack .../17-cpp-13_13.2.0-23ubuntu4_amd64.deb ...
Unpacking cpp-13 (13.2.0-23ubuntu4) ...
Selecting previously unselected package cpp-x86-64-linux-gnu.
Preparing to unpack .../18-cpp-x86-64-linux-gnu_4%3a13.2.0-7ubuntu1_amd64.deb ...
Unpacking cpp-x86-64-linux-gnu (4:13.2.0-7ubuntu1) ...
Selecting previously unselected package cpp.
Preparing to unpack .../19-cpp_4%3a13.2.0-7ubuntu1_amd64.deb ...
Unpacking cpp (4:13.2.0-7ubuntu1) ...
Selecting previously unselected package libcc1-0:amd64.
Preparing to unpack .../20-libcc1-0_14-20240412-0ubuntu1_amd64.deb ...
Unpacking libcc1-0:amd64 (14-20240412-0ubuntu1) ...
Selecting previously unselected package libgomp1:amd64.
Preparing to unpack .../21-libgomp1_14-20240412-0ubuntu1_amd64.deb ...
Unpacking libgomp1:amd64 (14-20240412-0ubuntu1) ...
Selecting previously unselected package libitm1:amd64.
Preparing to unpack .../22-libitm1_14-20240412-0ubuntu1_amd64.deb ...
Unpacking libitm1:amd64 (14-20240412-0ubuntu1) ...
Selecting previously unselected package libatomic1:amd64.
Preparing to unpack .../23-libatomic1_14-20240412-0ubuntu1_amd64.deb ...
Unpacking libatomic1:amd64 (14-20240412-0ubuntu1) ...
Selecting previously unselected package libasan8:amd64.
Preparing to unpack .../24-libasan8_14-20240412-0ubuntu1_amd64.deb ...
Unpacking libasan8:amd64 (14-20240412-0ubuntu1) ...
Selecting previously unselected package liblsan0:amd64.
Preparing to unpack .../25-liblsan0_14-20240412-0ubuntu1_amd64.deb ...
Unpacking liblsan0:amd64 (14-20240412-0ubuntu1) ...
Selecting previously unselected package libtsan2:amd64.
Preparing to unpack .../26-libtsan2_14-20240412-0ubuntu1_amd64.deb ...
Unpacking libtsan2:amd64 (14-20240412-0ubuntu1) ...
Selecting previously unselected package libubsan1:amd64.
Preparing to unpack .../27-libubsan1_14-20240412-0ubuntu1_amd64.deb ...
Unpacking libubsan1:amd64 (14-20240412-0ubuntu1) ...
Selecting previously unselected package libhwasan0:amd64.
Preparing to unpack .../28-libhwasan0_14-20240412-0ubuntu1_amd64.deb ...
Unpacking libhwasan0:amd64 (14-20240412-0ubuntu1) ...
Selecting previously unselected package libquadmath0:amd64.
Preparing to unpack .../29-libquadmath0_14-20240412-0ubuntu1_amd64.deb ...
Unpacking libquadmath0:amd64 (14-20240412-0ubuntu1) ...
Selecting previously unselected package libgcc-13-dev:amd64.
Preparing to unpack .../30-libgcc-13-dev_13.2.0-23ubuntu4_amd64.deb ...
Unpacking libgcc-13-dev:amd64 (13.2.0-23ubuntu4) ...
Selecting previously unselected package gcc-13-x86-64-linux-gnu.
Preparing to unpack .../31-gcc-13-x86-64-linux-gnu_13.2.0-23ubuntu4_amd64.deb ...
Unpacking gcc-13-x86-64-linux-gnu (13.2.0-23ubuntu4) ...
Selecting previously unselected package gcc-13.
Preparing to unpack .../32-gcc-13_13.2.0-23ubuntu4_amd64.deb ...
Unpacking gcc-13 (13.2.0-23ubuntu4) ...
Selecting previously unselected package gcc-x86-64-linux-gnu.
Preparing to unpack .../33-gcc-x86-64-linux-gnu_4%3a13.2.0-7ubuntu1_amd64.deb ...
Unpacking gcc-x86-64-linux-gnu (4:13.2.0-7ubuntu1) ...
Selecting previously unselected package gcc.
Preparing to unpack .../34-gcc_4%3a13.2.0-7ubuntu1_amd64.deb ...
Unpacking gcc (4:13.2.0-7ubuntu1) ...
Selecting previously unselected package libstdc++-13-dev:amd64.
Preparing to unpack .../35-libstdc++-13-dev_13.2.0-23ubuntu4_amd64.deb ...
Unpacking libstdc++-13-dev:amd64 (13.2.0-23ubuntu4) ...
Selecting previously unselected package g++-13-x86-64-linux-gnu.
Preparing to unpack .../36-g++-13-x86-64-linux-gnu_13.2.0-23ubuntu4_amd64.deb ...
Unpacking g++-13-x86-64-linux-gnu (13.2.0-23ubuntu4) ...
Selecting previously unselected package g++-13.
Preparing to unpack .../37-g++-13_13.2.0-23ubuntu4_amd64.deb ...
Unpacking g++-13 (13.2.0-23ubuntu4) ...
Selecting previously unselected package g++-x86-64-linux-gnu.
Preparing to unpack .../38-g++-x86-64-linux-gnu_4%3a13.2.0-7ubuntu1_amd64.deb ...
Unpacking g++-x86-64-linux-gnu (4:13.2.0-7ubuntu1) ...
Selecting previously unselected package g++.
Preparing to unpack .../39-g++_4%3a13.2.0-7ubuntu1_amd64.deb ...
Unpacking g++ (4:13.2.0-7ubuntu1) ...
Selecting previously unselected package make.
Preparing to unpack .../40-make_4.3-4.1build2_amd64.deb ...
Unpacking make (4.3-4.1build2) ...
Selecting previously unselected package libdpkg-perl.
Preparing to unpack .../41-libdpkg-perl_1.22.6ubuntu6.1_all.deb ...
Unpacking libdpkg-perl (1.22.6ubuntu6.1) ...
Selecting previously unselected package bzip2.
Preparing to unpack .../42-bzip2_1.0.8-5.1build0.1_amd64.deb ...
Unpacking bzip2 (1.0.8-5.1build0.1) ...
Selecting previously unselected package lto-disabled-list.
Preparing to unpack .../43-lto-disabled-list_47_all.deb ...
Unpacking lto-disabled-list (47) ...
Selecting previously unselected package dpkg-dev.
Preparing to unpack .../44-dpkg-dev_1.22.6ubuntu6.1_all.deb ...
Unpacking dpkg-dev (1.22.6ubuntu6.1) ...
Selecting previously unselected package build-essential.
Preparing to unpack .../45-build-essential_12.10ubuntu1_amd64.deb ...
Unpacking build-essential (12.10ubuntu1) ...
Preparing to unpack .../46-curl_8.5.0-2ubuntu10.4_amd64.deb ...
Unpacking curl (8.5.0-2ubuntu10.4) over (8.5.0-2ubuntu10) ...
Preparing to unpack .../47-libcurl4t64_8.5.0-2ubuntu10.4_amd64.deb ...
Unpacking libcurl4t64:amd64 (8.5.0-2ubuntu10.4) over (8.5.0-2ubuntu10) ...
Selecting previously unselected package libdebhelper-perl.
Preparing to unpack .../48-libdebhelper-perl_13.14.1ubuntu5_all.deb ...
Unpacking libdebhelper-perl (13.14.1ubuntu5) ...
Selecting previously unselected package libtool.
Preparing to unpack .../49-libtool_2.4.7-7build1_all.deb ...
Unpacking libtool (2.4.7-7build1) ...
Selecting previously unselected package dh-autoreconf.
Preparing to unpack .../50-dh-autoreconf_20_all.deb ...
Unpacking dh-autoreconf (20) ...
Selecting previously unselected package libarchive-zip-perl.
Preparing to unpack .../51-libarchive-zip-perl_1.68-1_all.deb ...
Unpacking libarchive-zip-perl (1.68-1) ...
Selecting previously unselected package libsub-override-perl.
Preparing to unpack .../52-libsub-override-perl_0.10-1_all.deb ...
Unpacking libsub-override-perl (0.10-1) ...
Selecting previously unselected package libfile-stripnondeterminism-perl.
Preparing to unpack .../53-libfile-stripnondeterminism-perl_1.13.1-1_all.deb ...
Unpacking libfile-stripnondeterminism-perl (1.13.1-1) ...
Selecting previously unselected package dh-strip-nondeterminism.
Preparing to unpack .../54-dh-strip-nondeterminism_1.13.1-1_all.deb ...
Unpacking dh-strip-nondeterminism (1.13.1-1) ...
Selecting previously unselected package debugedit.
Preparing to unpack .../55-debugedit_1%3a5.0-5build2_amd64.deb ...
Unpacking debugedit (1:5.0-5build2) ...
Selecting previously unselected package dwz.
Preparing to unpack .../56-dwz_0.15-1build6_amd64.deb ...
Unpacking dwz (0.15-1build6) ...
Selecting previously unselected package gettext.
Preparing to unpack .../57-gettext_0.21-14ubuntu2_amd64.deb ...
Unpacking gettext (0.21-14ubuntu2) ...
Selecting previously unselected package intltool-debian.
Preparing to unpack .../58-intltool-debian_0.35.0+20060710.6_all.deb ...
Unpacking intltool-debian (0.35.0+20060710.6) ...
Selecting previously unselected package po-debconf.
Preparing to unpack .../59-po-debconf_1.0.21+nmu1_all.deb ...
Unpacking po-debconf (1.0.21+nmu1) ...
Selecting previously unselected package debhelper.
Preparing to unpack .../60-debhelper_13.14.1ubuntu5_all.deb ...
Unpacking debhelper (13.14.1ubuntu5) ...
Selecting previously unselected package libfakeroot:amd64.
Preparing to unpack .../61-libfakeroot_1.33-1_amd64.deb ...
Unpacking libfakeroot:amd64 (1.33-1) ...
Selecting previously unselected package fakeroot.
Preparing to unpack .../62-fakeroot_1.33-1_amd64.deb ...
Unpacking fakeroot (1.33-1) ...
Selecting previously unselected package libalgorithm-diff-perl.
Preparing to unpack .../63-libalgorithm-diff-perl_1.201-1_all.deb ...
Unpacking libalgorithm-diff-perl (1.201-1) ...
Selecting previously unselected package libalgorithm-diff-xs-perl:amd64.
Preparing to unpack .../64-libalgorithm-diff-xs-perl_0.04-8build3_amd64.deb ...
Unpacking libalgorithm-diff-xs-perl:amd64 (0.04-8build3) ...
Selecting previously unselected package libalgorithm-merge-perl.
Preparing to unpack .../65-libalgorithm-merge-perl_0.08-5_all.deb ...
Unpacking libalgorithm-merge-perl (0.08-5) ...
Selecting previously unselected package libarchive-cpio-perl.
Preparing to unpack .../66-libarchive-cpio-perl_0.10-3_all.deb ...
Unpacking libarchive-cpio-perl (0.10-3) ...
Preparing to unpack .../67-libcurl3t64-gnutls_8.5.0-2ubuntu10.4_amd64.deb ...
Unpacking libcurl3t64-gnutls:amd64 (8.5.0-2ubuntu10.4) over (8.5.0-2ubuntu10) ...
Selecting previously unselected package libfile-fcntllock-perl.
Preparing to unpack .../68-libfile-fcntllock-perl_0.22-4ubuntu5_amd64.deb ...
Unpacking libfile-fcntllock-perl (0.22-4ubuntu5) ...
Selecting previously unselected package libltdl7:amd64.
Preparing to unpack .../69-libltdl7_2.4.7-7build1_amd64.deb ...
Unpacking libltdl7:amd64 (2.4.7-7build1) ...
Selecting previously unselected package libltdl-dev:amd64.
Preparing to unpack .../70-libltdl-dev_2.4.7-7build1_amd64.deb ...
Unpacking libltdl-dev:amd64 (2.4.7-7build1) ...
Selecting previously unselected package libsys-hostname-long-perl.
Preparing to unpack .../71-libsys-hostname-long-perl_1.5-3_all.deb ...
Unpacking libsys-hostname-long-perl (1.5-3) ...
Selecting previously unselected package libmail-sendmail-perl.
Preparing to unpack .../72-libmail-sendmail-perl_0.80-3_all.deb ...
Unpacking libmail-sendmail-perl (0.80-3) ...
Setting up lto-disabled-list (47) ...
Setting up libcurl4t64:amd64 (8.5.0-2ubuntu10.4) ...
Setting up libfile-fcntllock-perl (0.22-4ubuntu5) ...
Setting up libalgorithm-diff-perl (1.201-1) ...
Setting up libarchive-zip-perl (1.68-1) ...
Setting up libdebhelper-perl (13.14.1ubuntu5) ...
Setting up binutils-common:amd64 (2.42-4ubuntu2) ...
Setting up libcurl3t64-gnutls:amd64 (8.5.0-2ubuntu10.4) ...
Setting up libctf-nobfd0:amd64 (2.42-4ubuntu2) ...
Setting up m4 (1.4.19-4build1) ...
Setting up libgomp1:amd64 (14-20240412-0ubuntu1) ...
Setting up bzip2 (1.0.8-5.1build0.1) ...
Setting up libsframe1:amd64 (2.42-4ubuntu2) ...
Setting up libfakeroot:amd64 (1.33-1) ...
Setting up fakeroot (1.33-1) ...
update-alternatives: using /usr/bin/fakeroot-sysv to provide /usr/bin/fakeroot (fakeroot) in auto mode
Setting up autotools-dev (20220109.1) ...
Setting up gcc-13-base:amd64 (13.2.0-23ubuntu4) ...
Setting up make (4.3-4.1build2) ...
Setting up libquadmath0:amd64 (14-20240412-0ubuntu1) ...
Setting up libmpc3:amd64 (1.3.1-1build1) ...
Setting up libatomic1:amd64 (14-20240412-0ubuntu1) ...
Setting up autopoint (0.21-14ubuntu2) ...
Setting up libltdl7:amd64 (2.4.7-7build1) ...
Setting up libdpkg-perl (1.22.6ubuntu6.1) ...
Setting up autoconf (2.71-3) ...
Setting up libubsan1:amd64 (14-20240412-0ubuntu1) ...
Setting up dwz (0.15-1build6) ...
Setting up libhwasan0:amd64 (14-20240412-0ubuntu1) ...
Setting up libarchive-cpio-perl (0.10-3) ...
Setting up libasan8:amd64 (14-20240412-0ubuntu1) ...
Setting up debugedit (1:5.0-5build2) ...
Setting up libsub-override-perl (0.10-1) ...
Setting up curl (8.5.0-2ubuntu10.4) ...
Setting up libtsan2:amd64 (14-20240412-0ubuntu1) ...
Setting up libbinutils:amd64 (2.42-4ubuntu2) ...
Setting up libisl23:amd64 (0.26-3build1) ...
Setting up libsys-hostname-long-perl (1.5-3) ...
Setting up libalgorithm-diff-xs-perl:amd64 (0.04-8build3) ...
Setting up libcc1-0:amd64 (14-20240412-0ubuntu1) ...
Setting up liblsan0:amd64 (14-20240412-0ubuntu1) ...
Setting up libitm1:amd64 (14-20240412-0ubuntu1) ...
Setting up libalgorithm-merge-perl (0.08-5) ...
Setting up libctf0:amd64 (2.42-4ubuntu2) ...
Setting up automake (1:1.16.5-1.3ubuntu1) ...
update-alternatives: using /usr/bin/automake-1.16 to provide /usr/bin/automake (automake) in auto mode
Setting up libfile-stripnondeterminism-perl (1.13.1-1) ...
Setting up gettext (0.21-14ubuntu2) ...
Setting up cpp-13-x86-64-linux-gnu (13.2.0-23ubuntu4) ...
Setting up intltool-debian (0.35.0+20060710.6) ...
Setting up libmail-sendmail-perl (0.80-3) ...
Setting up libltdl-dev:amd64 (2.4.7-7build1) ...
Setting up libgprofng0:amd64 (2.42-4ubuntu2) ...
Setting up dh-strip-nondeterminism (1.13.1-1) ...
Setting up libgcc-13-dev:amd64 (13.2.0-23ubuntu4) ...
Setting up libstdc++-13-dev:amd64 (13.2.0-23ubuntu4) ...
Setting up binutils-x86-64-linux-gnu (2.42-4ubuntu2) ...
Setting up cpp-x86-64-linux-gnu (4:13.2.0-7ubuntu1) ...
Setting up cpp-13 (13.2.0-23ubuntu4) ...
Setting up gcc-13-x86-64-linux-gnu (13.2.0-23ubuntu4) ...
Setting up po-debconf (1.0.21+nmu1) ...
Setting up binutils (2.42-4ubuntu2) ...
Setting up dpkg-dev (1.22.6ubuntu6.1) ...
Setting up gcc-13 (13.2.0-23ubuntu4) ...
Setting up cpp (4:13.2.0-7ubuntu1) ...
Setting up g++-13-x86-64-linux-gnu (13.2.0-23ubuntu4) ...
Setting up gcc-x86-64-linux-gnu (4:13.2.0-7ubuntu1) ...
Setting up libtool (2.4.7-7build1) ...
Setting up gcc (4:13.2.0-7ubuntu1) ...
Setting up dh-autoreconf (20) ...
Setting up g++-x86-64-linux-gnu (4:13.2.0-7ubuntu1) ...
Setting up g++-13 (13.2.0-23ubuntu4) ...
Setting up debhelper (13.14.1ubuntu5) ...
Setting up g++ (4:13.2.0-7ubuntu1) ...
update-alternatives: using /usr/bin/g++ to provide /usr/bin/c++ (c++) in auto mode
Setting up build-essential (12.10ubuntu1) ...
Processing triggers for libc-bin (2.39-0ubuntu8) ...
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for install-info (7.1-3build2) ...
Scanning processes...
Scanning candidates...
Scanning linux images...

Running kernel seems to be up-to-date.

Restarting services...
systemctl restart fwupd.service wazuh-manager.service

Service restarts being deferred:
systemctl restart networkd-dispatcher.service
systemctl restart unattended-upgrades.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-44-8:/home/ubuntu# apt-get -y install wazuh-dashboard
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
wazuh-dashboard
0 upgraded, 1 newly installed, 0 to remove and 189 not upgraded.
Need to get 166 MB of archives.
After this operation, 934 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 wazuh-dashboard amd64 4.9.0-2 [166 MB]
Fetched 166 MB in 3s (59.4 MB/s)
Selecting previously unselected package wazuh-dashboard.
(Reading database ... 100707 files and directories currently installed.)
Preparing to unpack .../wazuh-dashboard_4.9.0-2_amd64.deb ...
Creating wazuh-dashboard group... OK
Creating wazuh-dashboard user... OK
Unpacking wazuh-dashboard (4.9.0-2) ...
Setting up wazuh-dashboard (4.9.0-2) ...
Scanning processes...
Scanning candidates...
Scanning linux images...

Running kernel seems to be up-to-date.

Restarting services...

Service restarts being deferred:
systemctl restart networkd-dispatcher.service
systemctl restart unattended-upgrades.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-44-8:/home/ubuntu# nano /etc/wazuh-dashboard/opensearch_dashboards.yml
root@ip-172-31-44-8:/home/ubuntu# cat /etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://172.31.44.8:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
root@ip-172-31-44-8:/home/ubuntu# NODE_NAME=dashboard
root@ip-172-31-44-8:/home/ubuntu# mkdir /etc/wazuh-dashboard/certs
root@ip-172-31-44-8:/home/ubuntu# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
root@ip-172-31-44-8:/home/ubuntu# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv: not replacing '/etc/wazuh-dashboard/certs/dashboard.pem'
root@ip-172-31-44-8:/home/ubuntu# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
mv: not replacing '/etc/wazuh-dashboard/certs/dashboard-key.pem'
root@ip-172-31-44-8:/home/ubuntu# chmod 500 /etc/wazuh-dashboard/certs
root@ip-172-31-44-8:/home/ubuntu# chmod 400 /etc/wazuh-dashboard/certs/*
root@ip-172-31-44-8:/home/ubuntu# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
root@ip-172-31-44-8:/home/ubuntu# systemctl daemon-reload
root@ip-172-31-44-8:/home/ubuntu# systemctl enable wazuh-dashboard
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
root@ip-172-31-44-8:/home/ubuntu# systemctl start wazuh-dashboard
root@ip-172-31-44-8:/home/ubuntu# nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
root@ip-172-31-44-8:/home/ubuntu# systemctl restart wazuh-dashboard
root@ip-172-31-44-8:/home/ubuntu# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-10-08 03:45:03 UTC; 6s ago
Main PID: 62104 (node)
Tasks: 11 (limit: 9393)
Memory: 171.0M (peak: 171.4M)
CPU: 7.535s
CGroup: /system.slice/wazuh-dashboard.service
└─62104 /usr/share/wazuh-dashboard/node/bin/node /usr/share/wazuh-dashboard/src/cli/dist

Oct 08 03:45:03 ip-172-31-44-8 systemd[1]: Started wazuh-dashboard.service - wazuh-dashboard.

[image]

Wazuh agent 1:
PS C:\Users\Jenkins> Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='172-31-44-8' WAZUH_AGENT_NAME='Windows_11'
PS C:\Users\Jenkins> NET START WazuhSvc
The Wazuh service is starting.
The Wazuh service was started successfully.
Wazuh agent 2:
root@ip-172-31-35-100:/home/admin# wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.0-1_amd64.deb && sudo WAZUH_MANAGER='172-31-36-102' WAZUH_AGENT_NAME='Debian_11' dpkg -i ./wazuh-agent_4.9.0-1_amd64.deb
--2024-10-08 04:07:57--  https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.0-1_amd64.deb
Resolving packages.wazuh.com (packages.wazuh.com)... 18.154.227.113, 18.154.227.16, 18.154.227.69, ...
Connecting to packages.wazuh.com (packages.wazuh.com)|18.154.227.113|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10727480 (10M) [application/vnd.debian.binary-package]
Saving to: ‘wazuh-agent_4.9.0-1_amd64.deb’

wazuh-agent_4.9.0-1_amd64.deb 100%[============================================================================>] 10.23M --.-KB/s in 0.06s

2024-10-08 04:07:57 (176 MB/s) - ‘wazuh-agent_4.9.0-1_amd64.deb’ saved [10727480/10727480]

Selecting previously unselected package wazuh-agent.
(Reading database ... 28326 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.9.0-1_amd64.deb ...
Unpacking wazuh-agent (4.9.0-1) ...
Setting up wazuh-agent (4.9.0-1) ...
root@ip-172-31-35-100:/home/admin# sudo systemctl daemon-reload
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service.
root@ip-172-31-35-100:/home/admin# sudo systemctl enable wazuh-agent
root@ip-172-31-35-100:/home/admin# sudo systemctl start wazuh-agent
root@ip-172-31-35-100:/home/admin# sudo systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-10-08 04:08:29 UTC; 32s ago
Tasks: 28 (limit: 4638)
Memory: 53.1M
CPU: 5.627s
CGroup: /system.slice/wazuh-agent.service
├─12997 /var/ossec/bin/wazuh-execd
├─13008 /var/ossec/bin/wazuh-agentd
├─13021 /var/ossec/bin/wazuh-syscheckd
├─13034 /var/ossec/bin/wazuh-logcollector
└─13051 /var/ossec/bin/wazuh-modulesd

Oct 08 04:08:14 ip-172-31-35-100 systemd[1]: Starting Wazuh agent...
Oct 08 04:08:18 ip-172-31-35-100 env[12975]: Starting Wazuh v4.9.0...
Oct 08 04:08:19 ip-172-31-35-100 env[12975]: Started wazuh-execd...
Oct 08 04:08:24 ip-172-31-35-100 env[12975]: Started wazuh-agentd...
Oct 08 04:08:25 ip-172-31-35-100 env[12975]: Started wazuh-syscheckd...
Oct 08 04:08:26 ip-172-31-35-100 env[12975]: Started wazuh-logcollector...
Oct 08 04:08:27 ip-172-31-35-100 env[12975]: Started wazuh-modulesd...
Oct 08 04:08:29 ip-172-31-35-100 env[12975]: Completed.
Oct 08 04:08:29 ip-172-31-35-100 systemd[1]: Started Wazuh agent.
root@ip-172-31-35-100:/home/admin#
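As an added check (example code written for this page, not part of the test log or of Wazuh's own tooling): a small POSIX shell lint for the `opensearch_dashboards.yml` pasted above. It flags `opensearch.ssl.verificationMode: certificate` (the indexer's chain is validated but its hostname is not; `full` also matches the hostname), confirms the UI serves TLS and talks to the indexer over https, and checks that no indexer credentials sit in the file in plain text. The key names and the sample file come from the pasted config; the `full` variant is an assumption of what the stricter setting looks like, and the script writes its own constructed copies of the file so it runs offline.

```shell
#!/bin/sh
# Added example for this page (not from the Wazuh test log or Wazuh's own tooling).
# Lints the security-relevant keys of a dashboard opensearch_dashboards.yml.

# yaml_get FILE KEY -> value of an uncommented top-level "KEY: value" line, quotes stripped
yaml_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# lint_dashboard_config FILE -> prints one line per finding; return status = number of findings
lint_dashboard_config() {
    cfg=$1
    findings=0

    # "certificate" validates the chain only; "full" also matches the indexer hostname.
    mode=$(yaml_get "$cfg" 'opensearch.ssl.verificationMode')
    if [ "$mode" != "full" ]; then
        echo "WARN opensearch.ssl.verificationMode=${mode:-unset} (use full to verify the indexer hostname as well)"
        findings=$((findings + 1))
    fi

    # The UI itself must be served over TLS.
    if [ "$(yaml_get "$cfg" 'server.ssl.enabled')" != "true" ]; then
        echo "FAIL server.ssl.enabled is not true"
        findings=$((findings + 1))
    fi

    # The indexer endpoint must be https; plain http would send the basic-auth header in clear.
    case "$(yaml_get "$cfg" 'opensearch.hosts')" in
        https://*) ;;
        *) echo "FAIL opensearch.hosts is not an https URL"; findings=$((findings + 1)) ;;
    esac

    # Indexer credentials belong in opensearch_dashboards.keystore, not in this file.
    if grep -Eq '^opensearch\.(username|password):' "$cfg"; then
        echo "FAIL opensearch.username/password stored in plain text (move them to the keystore)"
        findings=$((findings + 1))
    fi

    # Informational: binding every interface is normal on a dedicated host but worth knowing.
    if [ "$(yaml_get "$cfg" 'server.host')" = "0.0.0.0" ]; then
        echo "INFO server.host=0.0.0.0 (listens on all interfaces; rely on a host firewall or bind one address)"
    fi

    return $findings
}

# write_sample_config FILE MODE -> constructed copy of the pasted config with the given verificationMode
write_sample_config() {
    cat > "$1" <<EOF
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://172.31.44.8:9200
opensearch.ssl.verificationMode: $2
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
EOF
}

# Usage on a live node: lint_dashboard_config /etc/wazuh-dashboard/opensearch_dashboards.yml
```

On the config as pasted the script reports one WARN (verificationMode) and one INFO (server.host); with `verificationMode: full` it returns 0. Switching to `full` requires the indexer certificate's SAN to contain the address used in `opensearch.hosts` (here the IP `172.31.44.8`), which the certificate tool's node configuration controls.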

thony4uu (Member) commented Oct 8, 2024

### 🟢 2. Validation of Initial Deployment:

Agent connection status:

[image: agent connection status]

Alerts triggered by agents:

  • Agent 1: [image: alerts from agent 1]

  • Agent 2: [image: alerts from agent 2]

Modify configuration files with the following command:

(Wazuh Indexer, Wazuh server node 1, Wazuh dashboard)
root@ip-172-31-44-8:/home/ubuntu# for file in \
    /etc/wazuh-indexer/opensearch-security/config.yml \
    /etc/wazuh-indexer/jvm.options \
    /etc/wazuh-indexer/opensearch.yml \
    /etc/wazuh-indexer/opensearch-security/internal_users.yml \
    /etc/wazuh-indexer/opensearch-security/roles_mapping.yml \
    /etc/wazuh-dashboard/opensearch_dashboards.yml \
    /etc/default/wazuh-dashboard \
    /etc/wazuh-dashboard/opensearch_dashboards.keystore; do
    if [ -f "$file" ]; then
        echo -e "\n# This file should not be modified during the upgrade." | sudo tee -a "$file"
    else
        echo "File $file does not exist, skipping."
    fi
done

# This file should not be modified during the upgrade.

# This file should not be modified during the upgrade.

# This file should not be modified during the upgrade.

# This file should not be modified during the upgrade.

# This file should not be modified during the upgrade.

# This file should not be modified during the upgrade.

# This file should not be modified during the upgrade.

# This file should not be modified during the upgrade.

(Wazuh server node 2)
root@ip-172-31-36-102:/home/ubuntu# for file in \
    /etc/wazuh-indexer/opensearch-security/config.yml \
    /etc/wazuh-indexer/jvm.options \
    /etc/wazuh-indexer/opensearch.yml \
    /etc/wazuh-indexer/opensearch-security/internal_users.yml \
    /etc/wazuh-indexer/opensearch-security/roles_mapping.yml \
    /etc/wazuh-dashboard/opensearch_dashboards.yml \
    /etc/default/wazuh-dashboard \
    /etc/wazuh-dashboard/opensearch_dashboards.keystore; do
    if [ -f "$file" ]; then
        echo -e "\n# This file should not be modified during the upgrade." | sudo tee -a "$file"
    else
        echo "File $file does not exist, skipping."
    fi
done
File /etc/wazuh-indexer/opensearch-security/config.yml does not exist, skipping.
File /etc/wazuh-indexer/jvm.options does not exist, skipping.
File /etc/wazuh-indexer/opensearch.yml does not exist, skipping.
File /etc/wazuh-indexer/opensearch-security/internal_users.yml does not exist, skipping.
File /etc/wazuh-indexer/opensearch-security/roles_mapping.yml does not exist, skipping.
File /etc/wazuh-dashboard/opensearch_dashboards.yml does not exist, skipping.
File /etc/default/wazuh-dashboard does not exist, skipping.
File /etc/wazuh-dashboard/opensearch_dashboards.keystore does not exist, skipping.
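After the upgrade, the same list of files can be re-checked to confirm that the marker line appended above survived, i.e. that the package did not rewrite or replace the file. The script below is an added example written for this page (not from the test log or from Wazuh's tooling): it takes the file list from the loop above and the marker text from the `echo`, reports per-file status, and returns the number of files that lost the marker. The `.dpkg-dist` check is standard dpkg behaviour for a locally modified conffile; whether these packages ship their configs as conffiles is an assumption, so treat that line as a hint only. The sample files in the usage comment are constructed.

```shell
#!/bin/sh
# Added example for this page (not from the Wazuh test log or Wazuh's own tooling).
# Verifies that the marker appended before the upgrade is still the last non-blank
# line of each configuration file after the upgrade.
MARKER='# This file should not be modified during the upgrade.'

# has_marker FILE -> 0 if the last non-blank line of FILE is the marker
has_marker() {
    last=$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)
    [ "$last" = "$MARKER" ]
}

# check_markers FILE... -> one status line per file; return status = files that lost the marker
check_markers() {
    lost=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            # Same as the loop above: node 2 only runs the manager, so these are expected.
            echo "SKIP    $f (does not exist on this node)"
        elif has_marker "$f"; then
            echo "OK      $f"
        else
            echo "CHANGED $f (marker gone: file was rewritten or replaced by the upgrade)"
            lost=$((lost + 1))
        fi
        # dpkg leaves the new packaged copy beside a locally modified conffile it did not overwrite.
        [ -e "$f.dpkg-dist" ] && echo "NOTE    $f.dpkg-dist present (new packaged version saved beside your file)"
    done
    return $lost
}

# Usage on a live node (same list as the pre-upgrade loop):
#   check_markers \
#     /etc/wazuh-indexer/opensearch-security/config.yml \
#     /etc/wazuh-indexer/jvm.options \
#     /etc/wazuh-indexer/opensearch.yml \
#     /etc/wazuh-indexer/opensearch-security/internal_users.yml \
#     /etc/wazuh-indexer/opensearch-security/roles_mapping.yml \
#     /etc/wazuh-dashboard/opensearch_dashboards.yml \
#     /etc/default/wazuh-dashboard \
#     /etc/wazuh-dashboard/opensearch_dashboards.keystore
#
# Constructed self-test inputs (not real node files):
#   printf 'server.host: 0.0.0.0\n\n%s\n' "$MARKER" > kept.yml       -> OK
#   printf 'server.host: 0.0.0.0\n' > rewritten.yml                  -> CHANGED
```

Run it on every node with the same list; a non-zero return means at least one file was touched by the upgrade and needs a diff against your backup. Note that `opensearch_dashboards.keystore` is a binary file, so appending a comment line to it (as the loop above does) corrupts a real keystore; on a node where the keystore holds credentials, leave it out of both the marker loop and this check and verify it with `opensearch-dashboards-keystore list` instead.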

thony4uu (Member) commented Oct 8, 2024

### 🟢 3. Upgrade of Central Components:

Wazuh indexer:
root@ip-172-31-44-8:/home/ubuntu# apt-get install gnupg apt-transport-https
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
gnupg is already the newest version (2.4.4-2ubuntu17).
apt-transport-https is already the newest version (2.7.14build2).
0 upgraded, 0 newly installed, 0 to remove and 126 not upgraded.
root@ip-172-31-44-8:/home/ubuntu# curl -s https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: key 96B3EE5F29111145: "Wazuh.com (Wazuh Signing Key) " not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
root@ip-172-31-44-8:/home/ubuntu# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
root@ip-172-31-44-8:/home/ubuntu# apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:4 https://packages.wazuh.com/4.x/apt stable InRelease
Hit:5 http://security.ubuntu.com/ubuntu noble-security InRelease
Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:7 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [538 kB]
Get:8 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [385 kB]
Get:9 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [41.0 kB]
Fetched 1107 kB in 1s (824 kB/s)
Reading package lists... Done
root@ip-172-31-44-8:/home/ubuntu# systemctl stop filebeat
root@ip-172-31-44-8:/home/ubuntu# systemctl stop wazuh-dashboard
root@ip-172-31-44-8:/home/ubuntu# curl -X PUT "https://172.31.44.8:9200/_cluster/settings"  -u admin:admin -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":{}}root@ip-172-31-44-8:/home/ubuntu#
root@ip-172-31-44-8:/home/ubuntu# curl -X POST "https://172.31.44.8:9200/_flush/synced" -u admin:admin -k
{"_shards":{"total":9,"successful":9,"failed":0}}root@ip-172-31-44-8:/home/ubuntu#
root@ip-172-31-44-8:/home/ubuntu# systemctl stop wazuh-indexer
root@ip-172-31-44-8:/home/ubuntu# apt-get install wazuh-indexer
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  wazuh-indexer
1 upgraded, 0 newly installed, 0 to remove and 128 not upgraded.
Need to get 850 MB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-indexer amd64 4.9.1-1 [850 MB]
Fetched 850 MB in 19s (43.9 MB/s)
(Reading database ... 226131 files and directories currently installed.)
Preparing to unpack .../wazuh-indexer_4.9.1-1_amd64.deb ...
Running Wazuh Indexer Pre-Removal Script
Running Wazuh Indexer Pre-Installation Script
Unpacking wazuh-indexer (4.9.1-1) over (4.9.0-1) ...
Setting up wazuh-indexer (4.9.1-1) ...
Running Wazuh Indexer Post-Installation Script
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
Scanning processes...
Scanning candidates...
Scanning linux images...

Pending kernel upgrade!
Running kernel version:
6.8.0-1008-aws
Diagnostics:
The currently running kernel version is not the expected kernel version 6.8.0-1016-aws.

Restarting the system to load the new kernel will not be handled automatically, so you should consider rebooting.

Restarting services...

Service restarts being deferred:
/etc/needrestart/restart.d/dbus.service
systemctl restart [email protected]
systemctl restart networkd-dispatcher.service
systemctl restart [email protected]
systemctl restart systemd-logind.service
systemctl restart unattended-upgrades.service

No containers need to be restarted.

User sessions running outdated binaries:
ubuntu @ session #109: gpg-agent[6360]
ubuntu @ session #133: sshd[62416,62513], su[62526]
ubuntu @ user manager service: systemd[4981]

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-44-8:/home/ubuntu# systemctl daemon-reload
root@ip-172-31-44-8:/home/ubuntu# systemctl enable wazuh-indexer
Synchronizing state of wazuh-indexer.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable wazuh-indexer
root@ip-172-31-44-8:/home/ubuntu# systemctl start wazuh-indexer
root@ip-172-31-44-8:/home/ubuntu# curl -k -u admin:admin https://172.31.44.8:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
172.31.44.8 35 98 18 0.58 0.33 0.13 dimr cluster_manager,data,ingest,remote_cluster_client * node-1
root@ip-172-31-44-8:/home/ubuntu# curl -k -u admin:admin https://172.31.44.8:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
172.31.44.8 36 98 1 0.25 0.28 0.12 dimr cluster_manager,data,ingest,remote_cluster_client * node-1
root@ip-172-31-44-8:/home/ubuntu# systemctl status wazuh-indexer
● wazuh-indexer.service - wazuh-indexer
Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-10-08 15:58:34 UTC; 1min 46s ago
Docs: https://documentation.wazuh.com
Main PID: 91622 (java)
Tasks: 67 (limit: 9393)
Memory: 1.3G (peak: 1.3G)
CPU: 1min 1.390s
CGroup: /system.slice/wazuh-indexer.service
└─91622 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative>

Oct 08 15:58:10 ip-172-31-44-8 systemd-entrypoint[91622]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:>
Oct 08 15:58:10 ip-172-31-44-8 systemd-entrypoint[91622]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Oct 08 15:58:10 ip-172-31-44-8 systemd-entrypoint[91622]: WARNING: System::setSecurityManager will be removed in a future release
Oct 08 15:58:12 ip-172-31-44-8 systemd-entrypoint[91622]: Oct 08, 2024 3:58:12 PM sun.util.locale.provider.LocaleProviderAdapter
Oct 08 15:58:12 ip-172-31-44-8 systemd-entrypoint[91622]: WARNING: COMPAT locale provider will be removed in a future release
Oct 08 15:58:13 ip-172-31-44-8 systemd-entrypoint[91622]: WARNING: A terminally deprecated method in java.lang.System has been called
Oct 08 15:58:13 ip-172-31-44-8 systemd-entrypoint[91622]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/u>
Oct 08 15:58:13 ip-172-31-44-8 systemd-entrypoint[91622]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Oct 08 15:58:13 ip-172-31-44-8 systemd-entrypoint[91622]: WARNING: System::setSecurityManager will be removed in a future release
Oct 08 15:58:34 ip-172-31-44-8 systemd[1]: Started wazuh-indexer.service - wazuh-indexer.

Wazuh server node 1:
root@ip-172-31-44-8:/home/ubuntu# apt-get install wazuh-manager
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  expect
The following packages will be upgraded:
  wazuh-manager
1 upgraded, 0 newly installed, 0 to remove and 127 not upgraded.
Need to get 330 MB of archives.
After this operation, 7502 kB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-manager amd64 4.9.1-1 [330 MB]
Fetched 330 MB in 10s (34.3 MB/s)
(Reading database ... 226131 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_4.9.1-1_amd64.deb ...
Unpacking wazuh-manager (4.9.1-1) over (4.9.0-1) ...
Setting up wazuh-manager (4.9.1-1) ...
Scanning processes...
Scanning candidates...
Scanning linux images...

Pending kernel upgrade!
Running kernel version:
6.8.0-1008-aws
Diagnostics:
The currently running kernel version is not the expected kernel version 6.8.0-1016-aws.

Restarting the system to load the new kernel will not be handled automatically, so you should consider rebooting.

Restarting services...

Service restarts being deferred:
/etc/needrestart/restart.d/dbus.service
systemctl restart [email protected]
systemctl restart networkd-dispatcher.service
systemctl restart [email protected]
systemctl restart systemd-logind.service
systemctl restart unattended-upgrades.service

No containers need to be restarted.

User sessions running outdated binaries:
ubuntu @ session #109: gpg-agent[6360]
ubuntu @ session #133: sshd[62416,62513], su[62526]
ubuntu @ user manager service: systemd[4981]

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-44-8:/home/ubuntu# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
root@ip-172-31-44-8:/home/ubuntu# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.1-rc3/extensions/elasticsearch/7.x/wazuh-template.json
root@ip-172-31-44-8:/home/ubuntu# chmod go+r /etc/filebeat/wazuh-template.json
root@ip-172-31-44-8:/home/ubuntu# systemctl daemon-reload
root@ip-172-31-44-8:/home/ubuntu# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
root@ip-172-31-44-8:/home/ubuntu# systemctl start filebeat
root@ip-172-31-44-8:/home/ubuntu# filebeat setup --pipelines
Loaded Ingest pipelines
root@ip-172-31-44-8:/home/ubuntu# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.

Index setup finished.
root@ip-172-31-44-8:/home/ubuntu# filebeat test output
elasticsearch: https://172.31.44.8:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 172.31.44.8
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
root@ip-172-31-44-8:/home/ubuntu# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-10-08 16:17:00 UTC; 39min ago
Tasks: 158 (limit: 9393)
Memory: 4.0G (peak: 4.2G)
CPU: 35min 1.388s
CGroup: /system.slice/wazuh-manager.service
├─139956 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─139957 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─139960 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─139963 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─140005 /var/ossec/bin/wazuh-authd
├─140020 /var/ossec/bin/wazuh-db
├─140031 /var/ossec/bin/wazuh-execd
├─140056 /var/ossec/bin/wazuh-analysisd
├─140066 /var/ossec/bin/wazuh-syscheckd
├─140081 /var/ossec/bin/wazuh-remoted
├─140147 /var/ossec/bin/wazuh-logcollector
├─140163 /var/ossec/bin/wazuh-monitord
├─140175 /var/ossec/bin/wazuh-modulesd
├─140385 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
├─140475 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
└─140476 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py

Oct 08 16:16:52 ip-172-31-44-8 env[139894]: Started wazuh-syscheckd...
Oct 08 16:16:53 ip-172-31-44-8 env[139894]: Started wazuh-remoted...
Oct 08 16:16:54 ip-172-31-44-8 env[139894]: Started wazuh-logcollector...
Oct 08 16:16:55 ip-172-31-44-8 env[139894]: Started wazuh-monitord...
Oct 08 16:16:55 ip-172-31-44-8 env[140173]: 2024/10/08 16:16:55 wazuh-modulesd:router: INFO: Loaded router module.
Oct 08 16:16:55 ip-172-31-44-8 env[140173]: 2024/10/08 16:16:55 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Oct 08 16:16:55 ip-172-31-44-8 env[139894]: Started wazuh-modulesd...
Oct 08 16:16:58 ip-172-31-44-8 env[139894]: Started wazuh-clusterd...
Oct 08 16:17:00 ip-172-31-44-8 env[139894]: Completed.
Oct 08 16:17:00 ip-172-31-44-8 systemd[1]: Started wazuh-manager.service - Wazuh manager.
root@ip-172-31-44-8:/home/ubuntu#

Wazuh server node 2:
root@ip-172-31-36-102:/home/ubuntu# apt-get install gnupg apt-transport-https
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
gnupg is already the newest version (2.4.4-2ubuntu17).
apt-transport-https is already the newest version (2.7.14build2).
0 upgraded, 0 newly installed, 0 to remove and 129 not upgraded.
root@ip-172-31-36-102:/home/ubuntu# curl -s https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: key 96B3EE5F29111145: "Wazuh.com (Wazuh Signing Key) " not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
root@ip-172-31-36-102:/home/ubuntu# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
root@ip-172-31-36-102:/home/ubuntu# apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:4 https://packages.wazuh.com/4.x/apt stable InRelease
Hit:5 http://security.ubuntu.com/ubuntu noble-security InRelease
Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [538 kB]
Get:7 http://us-east-1.ec2.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [385 kB]
Get:8 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:9 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [41.0 kB]
Fetched 1107 kB in 1s (872 kB/s)
Reading package lists... Done
root@ip-172-31-36-102:/home/ubuntu# systemctl stop filebeat
root@ip-172-31-36-102:/home/ubuntu# apt-get install wazuh-manager
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  expect
The following packages will be upgraded:
  wazuh-manager
1 upgraded, 0 newly installed, 0 to remove and 129 not upgraded.
Need to get 330 MB of archives.
After this operation, 7502 kB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-manager amd64 4.9.1-1 [330 MB]
Fetched 330 MB in 5s (62.7 MB/s)
(Reading database ... 126758 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_4.9.1-1_amd64.deb ...
Unpacking wazuh-manager (4.9.1-1) over (4.9.0-1) ...
Setting up wazuh-manager (4.9.1-1) ...
Scanning processes...
Scanning candidates...
Scanning linux images...

Pending kernel upgrade!
Running kernel version:
6.8.0-1008-aws
Diagnostics:
The currently running kernel version is not the expected kernel version 6.8.0-1016-aws.

Restarting the system to load the new kernel will not be handled automatically, so you should consider rebooting.

Restarting services...

Service restarts being deferred:
/etc/needrestart/restart.d/dbus.service
systemctl restart [email protected]
systemctl restart networkd-dispatcher.service
systemctl restart [email protected]
systemctl restart systemd-logind.service
systemctl restart unattended-upgrades.service

No containers need to be restarted.

User sessions running outdated binaries:
ubuntu @ session #110: gpg-agent[5806]
ubuntu @ session #134: sshd[57873,57969], su[57981]
ubuntu @ user manager service: systemd[4840]

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-36-102:/home/ubuntu# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/fields.yml
wazuh/_meta/config.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/manifest.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/manifest.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
root@ip-172-31-36-102:/home/ubuntu# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.1-rc3/extensions/elasticsearch/7.x/wazuh-template.json
root@ip-172-31-36-102:/home/ubuntu# chmod go+r /etc/filebeat/wazuh-template.json
root@ip-172-31-36-102:/home/ubuntu# systemctl daemon-reload
root@ip-172-31-36-102:/home/ubuntu# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat
root@ip-172-31-36-102:/home/ubuntu# systemctl start filebeat
root@ip-172-31-36-102:/home/ubuntu# filebeat setup --pipelines
Loaded Ingest pipelines
root@ip-172-31-36-102:/home/ubuntu# filebeat setup --index-management -E output.logstash.enabled=false
ILM policy and write alias loading not enabled.

Index setup finished.
root@ip-172-31-36-102:/home/ubuntu# filebeat test output
elasticsearch: https://172.31.44.8:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 172.31.44.8
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
root@ip-172-31-36-102:/home/ubuntu# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-10-08 17:05:17 UTC; 5min ago
Tasks: 154 (limit: 4600)
Memory: 1.5G (peak: 1.5G)
CPU: 3min 26.673s
CGroup: /system.slice/wazuh-manager.service
├─135195 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─135196 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─135199 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─135202 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
├─135245 /var/ossec/bin/wazuh-authd
├─135259 /var/ossec/bin/wazuh-db
├─135284 /var/ossec/bin/wazuh-execd
├─135299 /var/ossec/bin/wazuh-analysisd
├─135310 /var/ossec/bin/wazuh-syscheckd
├─135357 /var/ossec/bin/wazuh-remoted
├─135392 /var/ossec/bin/wazuh-logcollector
├─135412 /var/ossec/bin/wazuh-monitord
├─135434 /var/ossec/bin/wazuh-modulesd
├─135640 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py
└─135652 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh_clusterd.py

Oct 08 17:05:08 ip-172-31-36-102 env[135128]: Started wazuh-syscheckd...
Oct 08 17:05:09 ip-172-31-36-102 env[135128]: Started wazuh-remoted...
Oct 08 17:05:10 ip-172-31-36-102 env[135128]: Started wazuh-logcollector...
Oct 08 17:05:11 ip-172-31-36-102 env[135128]: Started wazuh-monitord...
Oct 08 17:05:11 ip-172-31-36-102 env[135431]: 2024/10/08 17:05:11 wazuh-modulesd:router: INFO: Loaded router module.
Oct 08 17:05:11 ip-172-31-36-102 env[135431]: 2024/10/08 17:05:11 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Oct 08 17:05:12 ip-172-31-36-102 env[135128]: Started wazuh-modulesd...
Oct 08 17:05:15 ip-172-31-36-102 env[135128]: Started wazuh-clusterd...
Oct 08 17:05:17 ip-172-31-36-102 env[135128]: Completed.
Oct 08 17:05:17 ip-172-31-36-102 systemd[1]: Started wazuh-manager.service - Wazuh manager.

Wazuh dashboard:
root@ip-172-31-44-8:/home/ubuntu# apt-get install wazuh-dashboard
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  wazuh-dashboard
1 upgraded, 0 newly installed, 0 to remove and 126 not upgraded.
Need to get 166 MB of archives.
After this operation, 967 kB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-dashboard amd64 4.9.1-1 [166 MB]
Fetched 166 MB in 3s (61.7 MB/s)
(Reading database ... 226131 files and directories currently installed.)
Preparing to unpack .../wazuh-dashboard_4.9.1-1_amd64.deb ...
Unpacking wazuh-dashboard (4.9.1-1) over (4.9.0-2) ...
Setting up wazuh-dashboard (4.9.1-1) ...
Scanning processes...
Scanning candidates...
Scanning linux images...

Pending kernel upgrade!
Running kernel version:
6.8.0-1008-aws
Diagnostics:
The currently running kernel version is not the expected kernel version 6.8.0-1016-aws.

Restarting the system to load the new kernel will not be handled automatically, so you should consider rebooting.

Restarting services...

Service restarts being deferred:
/etc/needrestart/restart.d/dbus.service

No containers need to be restarted.

User sessions running outdated binaries:
ubuntu @ session #109: gpg-agent[6360]
ubuntu @ session #133: sshd[62416,62513], su[62526]
ubuntu @ user manager service: systemd[4981]

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-44-8:/home/ubuntu# nano /etc/wazuh-dashboard/opensearch_dashboards.yml
root@ip-172-31-44-8:/home/ubuntu# systemctl daemon-reload
root@ip-172-31-44-8:/home/ubuntu# systemctl enable wazuh-dashboard
root@ip-172-31-44-8:/home/ubuntu# systemctl start wazuh-dashboard
root@ip-172-31-44-8:/home/ubuntu# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-10-08 17:19:30 UTC; 6s ago
Main PID: 142552 (node)
Tasks: 11 (limit: 9393)
Memory: 154.4M (peak: 154.4M)
CPU: 7.378s
CGroup: /system.slice/wazuh-dashboard.service
└─142552 /usr/share/wazuh-dashboard/node/bin/node /usr/share/wazuh-dashboard/src/cli/dist

Oct 08 17:19:30 ip-172-31-44-8 systemd[1]: Started wazuh-dashboard.service - wazuh-dashboard.
root@ip-172-31-44-8:/home/ubuntu#

@thony4uu
Member

thony4uu commented Oct 8, 2024

🟢 4. Post-Upgrade Validation:

Agent connection status:

image
image
image
image
image

Alerts triggered by agents:

  • Agent 1

image

  • Agent 2

image

Verify that the configuration files weren't modified with the following command:

(Wazuh Indexer, Wazuh server node 1, Wazuh dashboard)
root@ip-172-31-44-8:/home/ubuntu# for file in \
    /etc/wazuh-indexer/opensearch-security/config.yml \
    /etc/wazuh-indexer/jvm.options \
    /etc/wazuh-indexer/opensearch.yml \
    /etc/wazuh-indexer/opensearch-security/internal_users.yml \
    /etc/wazuh-indexer/opensearch-security/roles_mapping.yml \
    /etc/wazuh-indexer/opensearch-security/roles.yml \
    /etc/wazuh-dashboard/opensearch_dashboards.yml \
    /etc/default/wazuh-dashboard \
    /etc/wazuh-dashboard/opensearch_dashboards.keystore; do
    grep -q "# This file should not be modified during the upgrade." "$file" && echo "PASSED: The phrase keeps appearing in: $file. The file has not been modified" || echo "FAILED: Missing phrase in $file. The file could have been modified"
done
PASSED: The phrase keeps appearing in: /etc/wazuh-indexer/opensearch-security/config.yml. The file has not been modified
PASSED: The phrase keeps appearing in: /etc/wazuh-indexer/jvm.options. The file has not been modified
PASSED: The phrase keeps appearing in: /etc/wazuh-indexer/opensearch.yml. The file has not been modified
PASSED: The phrase keeps appearing in: /etc/wazuh-indexer/opensearch-security/internal_users.yml. The file has not been modified
PASSED: The phrase keeps appearing in: /etc/wazuh-indexer/opensearch-security/roles_mapping.yml. The file has not been modified
FAILED: Missing phrase in /etc/wazuh-indexer/opensearch-security/roles.yml. The file could have been modified
PASSED: The phrase keeps appearing in: /etc/wazuh-dashboard/opensearch_dashboards.yml. The file has not been modified
PASSED: The phrase keeps appearing in: /etc/default/wazuh-dashboard. The file has not been modified
PASSED: The phrase keeps appearing in: /etc/wazuh-dashboard/opensearch_dashboards.keystore. The file has not been modified
(Wazuh server node 2)
root@ip-172-31-36-102:/home/ubuntu# for file in \
    /etc/wazuh-indexer/opensearch-security/config.yml \
    /etc/wazuh-indexer/jvm.options \
    /etc/wazuh-indexer/opensearch.yml \
    /etc/wazuh-indexer/opensearch-security/internal_users.yml \
    /etc/wazuh-indexer/opensearch-security/roles_mapping.yml \
    /etc/wazuh-indexer/opensearch-security/roles.yml \
    /etc/wazuh-dashboard/opensearch_dashboards.yml \
    /etc/default/wazuh-dashboard \
    /etc/wazuh-dashboard/opensearch_dashboards.keystore; do
    grep -q "# This file should not be modified during the upgrade." "$file" && echo "PASSED: The phrase keeps appearing in: $file. The file has not been modified" || echo "FAILED: Missing phrase in $file. The file could have been modified"
done
grep: /etc/wazuh-indexer/opensearch-security/config.yml: No such file or directory
FAILED: Missing phrase in /etc/wazuh-indexer/opensearch-security/config.yml. The file could have been modified
grep: /etc/wazuh-indexer/jvm.options: No such file or directory
FAILED: Missing phrase in /etc/wazuh-indexer/jvm.options. The file could have been modified
grep: /etc/wazuh-indexer/opensearch.yml: No such file or directory
FAILED: Missing phrase in /etc/wazuh-indexer/opensearch.yml. The file could have been modified
grep: /etc/wazuh-indexer/opensearch-security/internal_users.yml: No such file or directory
FAILED: Missing phrase in /etc/wazuh-indexer/opensearch-security/internal_users.yml. The file could have been modified
grep: /etc/wazuh-indexer/opensearch-security/roles_mapping.yml: No such file or directory
FAILED: Missing phrase in /etc/wazuh-indexer/opensearch-security/roles_mapping.yml. The file could have been modified
grep: /etc/wazuh-indexer/opensearch-security/roles.yml: No such file or directory
FAILED: Missing phrase in /etc/wazuh-indexer/opensearch-security/roles.yml. The file could have been modified
grep: /etc/wazuh-dashboard/opensearch_dashboards.yml: No such file or directory
FAILED: Missing phrase in /etc/wazuh-dashboard/opensearch_dashboards.yml. The file could have been modified
grep: /etc/default/wazuh-dashboard: No such file or directory
FAILED: Missing phrase in /etc/default/wazuh-dashboard. The file could have been modified
grep: /etc/wazuh-dashboard/opensearch_dashboards.keystore: No such file or directory
FAILED: Missing phrase in /etc/wazuh-dashboard/opensearch_dashboards.keystore. The file could have been modified

Results

  • The deployment of the architecture is successful, with agents properly connected and active.

  • The UI is navigable and functional both before and after the upgrade.

  • Alerts are generated by both agents before and after the upgrade.

  • No errors or warnings are encountered during the upgrade process, or any that occur are documented for further analysis.

  • No configuration files were modified in the upgrade.

@wazuhci wazuhci moved this from In progress to Pending review in Release 4.9.1 Oct 8, 2024
@wazuhci wazuhci moved this from Pending review to In review in Release 4.9.1 Oct 9, 2024
@pro-akim
Member

pro-akim commented Oct 9, 2024

LGTM

@wazuhci wazuhci moved this from In review to Pending final review in Release 4.9.1 Oct 9, 2024
@wazuhci wazuhci moved this from Pending final review to In final review in Release 4.9.1 Oct 9, 2024
@rauldpm
Member

rauldpm commented Oct 9, 2024

After the upgrade, there is a failed test

FAILED: Missing phrase in /etc/wazuh-indexer/opensearch-security/roles.yml. The file could have been modified


Test deployment: Connect one agent to the master node and another agent to the worker node.

Agents have been connected to the same Wazuh manager node IP although the WUI

PS C:\Users\Jenkins> Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='172-31-44-8' WAZUH_AGENT_NAME='Windows_11'

root@ip-172-31-35-100:/home/admin# wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.0-1_amd64.deb && sudo WAZUH_MANAGER='172-31-44-8' WAZUH_AGENT_NAME='Debian_11' dpkg -i ./wazuh-agent_4.9.0-1_amd64.deb

Which is inconsistent with the following screenshot (an agent connected to the same IP will register the same cluster node):

image

@wazuhci wazuhci moved this from In final review to On hold in Release 4.9.1 Oct 9, 2024
@thony4uu
Member

thony4uu commented Oct 9, 2024

Hello @rauldpm, I have corrected the inconsistency in the IP address each agent is connecting to. I made the mistake initially and forgot to correct it when reporting it.

What do you advise we do as regards the failed test?

@rauldpm
Member

rauldpm commented Oct 9, 2024

All done @thony4uu, thanks

@rauldpm rauldpm closed this as completed Oct 9, 2024
@wazuhci wazuhci moved this from On hold to Done in Release 4.9.1 Oct 9, 2024