wazuh/wazuh-puppet

Invalid parameters in params_manager.pp

MiguelazoDS opened this issue · 1 comments

Description

As part of the testing in https://github.com/wazuh/wazuh/issues/26404 we found errors related to the Wazuh API.

Error: Systemd start for wazuh-manager failed!
journalctl log for wazuh-manager:
Oct 22 14:31:50 al2023-2 systemd[1]: Starting wazuh-manager.service - Wazuh manager...
Oct 22 14:31:50 al2023-2 env[7159]: The `cache` API configuration option was deprecated in 4.8.0 and will be removed in the next minor release.
Oct 22 14:31:50 al2023-2 env[7159]: Traceback (most recent call last):
Oct 22 14:31:50 al2023-2 env[7159]:   File "/var/ossec/api/scripts/wazuh_apid.py", line 320, in <module>
Oct 22 14:31:50 al2023-2 env[7159]:     from api.configuration import read_yaml_config
Oct 22 14:31:50 al2023-2 env[7159]:   File "/var/ossec/framework/python/lib/python3.10/site-packages/api/configuration.py", line 343, in <module>
Oct 22 14:31:50 al2023-2 env[7159]:     api_conf = read_yaml_config()
Oct 22 14:31:50 al2023-2 env[7159]:   File "/var/ossec/framework/python/lib/python3.10/site-packages/api/configuration.py", line 326, in read_yaml_config
Oct 22 14:31:50 al2023-2 env[7159]:     configuration = fill_dict(default_conf, configuration, schema)
Oct 22 14:31:50 al2023-2 env[7159]:   File "/var/ossec/framework/python/lib/python3.10/site-packages/api/configuration.py", line 183, in fill_dict
Oct 22 14:31:50 al2023-2 env[7159]:     raise APIError(2000, details=validation_exc.message) from None
Oct 22 14:31:50 al2023-2 env[7159]: api.api_exception.APIError: 2000 - Some parameters are not expected in the configuration file (WAZUH_PATH/api/configuration/api.yaml). Please check the documentation for further details: https://documentation.wazuh.com/4.10/user-manual/api/configuration.html#api-configuration-options: '0.0.0.0' is not of type 'array'

The errors are related to these settings:

https://github.com/wazuh/wazuh-puppet/blob/4.10.0/manifests/params_manager.pp#L317
https://github.com/wazuh/wazuh-puppet/blob/4.10.0/manifests/params_manager.pp#L345-L346

The value of the host parameter in the params_manager.pp file was modified and cache-related parameters were removed and deprecated.

A test installation was performed with these changes, using the Wazuh 4.10.0-alpha2 packages:

[root@ip-172-31-37-9 ~]# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from ip-172-31-47-239:8140 (172.31.47.239)
Notice: Catalog compiled by ip-172-31-47-239.ec2.internal
Info: Caching catalog for ip-172-31-37-9.ec2.internal
Info: Applying configuration version '1729700717'
Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]/ensure: created (corrective)
Info: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /etc/wazuh-indexer]
Info: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /usr/share/wazuh-indexer]
Info: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /var/lib/wazuh-indexer]
Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]/content: 
--- /etc/wazuh-indexer/opensearch.yml	2024-10-18 12:20:36.000000000 +0000
+++ /tmp/puppet-file20241023-30452-x1uaem	2024-10-23 16:26:00.564853675 +0000
@@ -2,41 +2,28 @@
 node.name: "node-1"
 cluster.initial_master_nodes:
 - "node-1"
-#- "node-2"
-#- "node-3"
 cluster.name: "wazuh-cluster"
-#discovery.seed_hosts:
-#  - "node-1-ip"
-#  - "node-2-ip"
-#  - "node-3-ip"
-node.max_local_storage_nodes: "3"
-path.data: /var/lib/wazuh-indexer
-path.logs: /var/log/wazuh-indexer
-
-plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
-plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
+node.max_local_storage_nodes: "1"
+path.data: "/var/lib/wazuh-indexer"
+path.logs: "/var/log/wazuh-indexer"
+plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer-node-1.pem
+plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-node-1-key.pem
 plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
-plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
+plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer-node-1.pem
+plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-node-1-key.pem
 plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
 plugins.security.ssl.http.enabled: true
 plugins.security.ssl.transport.enforce_hostname_verification: false
 plugins.security.ssl.transport.resolve_hostname: false
-
 plugins.security.authcz.admin_dn:
 - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
 plugins.security.check_snapshot_restore_write_privileges: true
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.nodes_dn:
-- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
-#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
-#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
+- "CN=indexer-node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
 plugins.security.restapi.roles_enabled:
 - "all_access"
 - "security_rest_api_access"
-
-plugins.security.system_indices.enabled: true
-plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
-
-### Option to allow Filebeat-oss 7.10.2 to work ###
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false
 compatibility.override_main_response_version: true
\ No newline at end of file
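Review bot: near the end of this hunk the managed opensearch.yml no longer sets `plugins.security.system_indices.enabled: true` or the `plugins.security.system_indices.indices` list that the packaged file carried, so the system-index protection is dropped on every Puppet run. Unless that is deliberate, carry both settings over into the template. The added `plugins.security.allow_default_init_securityindex: true` and `cluster.routing.allocation.disk.threshold_enabled: false` deserve a comment in the template saying why a managed node needs them, and the `\ No newline at end of file` marker shows the template should end with a newline.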

Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]/content: 

Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]/content: content changed '{sha256}d95d40b8ee093f122d8015d4a267eddbd92ba3e323c70f2ac7ab7d8ff9e584fe' to '{sha256}7a968bc98cfb330d90f1681ead16418cda35a525b8cf5ad1ec2f4dd01d16eab2' (corrective)
Info: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Triggered 'refresh' from 1 event
Info: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Triggered 'refresh' from 1 event
Info: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Triggered 'refresh' from 1 event
Info: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Service[wazuh-indexer]/ensure: ensure changed 'stopped' to 'running' (corrective)
Info: /Stage[indexerdeploy]/Wazuh::Indexer/Service[wazuh-indexer]: Unscheduling refresh on Service[wazuh-indexer]
Notice: /Stage[manager]/Wazuh::Manager/Package[wazuh-manager]/ensure: created (corrective)
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/content: 
--- /var/ossec/etc/shared/default/agent.conf	2024-10-18 12:16:13.000000000 +0000
+++ /tmp/puppet-file20241023-30452-dq2ms3	2024-10-23 16:27:48.246884454 +0000
@@ -2,4 +2,4 @@
 
   <!-- Shared agent configuration here -->
 
-</agent_config>
+</agent_config>
\ No newline at end of file

Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/content: 

Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/content: content changed '{sha256}d76908d51018ec72afc1a7e17fbc3971c6a812446fd930fdba5ed66f1af47ed0' to '{sha256}ea2cf84c0fdc6dd290d7cba0ad0eac63850d56203aeb882568f69f22d98dccf9' (corrective)
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/owner: owner changed 'wazuh' to 'root' (corrective)
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/mode: mode changed '0660' to '0640' (corrective)
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/content: 
--- /var/ossec/etc/rules/local_rules.xml	2024-10-18 12:15:56.000000000 +0000
+++ /tmp/puppet-file20241023-30452-1jgvksq	2024-10-23 16:27:48.296885457 +0000
@@ -1,14 +1,12 @@
-<!-- Local rules -->
-
 <!-- Modify it at your will. -->
-<!-- Copyright (C) 2015, Wazuh Inc. -->
 
-<!-- Example -->
 <group name="local,syslog,sshd,">
 
-  <!--
-  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
-  -->
+  <!-- Note that rule id 5711 is defined at the ssh_rules file
+    -  as a ssh failed login. This is just an example
+    -  since ip 1.1.1.1 shouldn't be used anywhere.
+    -  Level 0 means ignore.
+    -->
   <rule id="100001" level="5">
     <if_sid>5716</if_sid>
     <srcip>1.1.1.1</srcip>
@@ -16,4 +14,28 @@
     <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
   </rule>
 
-</group>
+
+  <!-- This example will ignore ssh failed logins for the user name XYZABC.
+    -->
+  <!--
+  <rule id="100020" level="0">
+    <if_sid>5711</if_sid>
+    <user>XYZABC</user>
+    <description>Example of rule that will ignore sshd </description>
+    <description>failed logins for user XYZABC.</description>
+  </rule>
+  -->
+
+
+  <!-- Specify here a list of rules to ignore. -->
+  <!--
+  <rule id="100030" level="0">
+    <if_sid>12345, 23456, xyz, abc</if_sid>
+    <description>List of rules to be ignored.</description>
+  </rule>
+  -->
+
+</group> <!-- SYSLOG,LOCAL -->
+
+
+<!-- EOF -->

Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/content: 

Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/content: content changed '{sha256}991dc926bd2e3aec88bd79be1c8b458777f64f489b3e6524e682ac33620425f4' to '{sha256}4b0ffe3d22c782a75fa5559839751959cc9cb33256ca06efcca298cb0109a342' (corrective)
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/owner: owner changed 'wazuh' to 'root' (corrective)
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/mode: mode changed '0660' to '0640' (corrective)
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/content: 
--- /var/ossec/etc/decoders/local_decoder.xml	2024-10-18 12:15:56.000000000 +0000
+++ /tmp/puppet-file20241023-30452-1ymos8k	2024-10-23 16:27:48.326886061 +0000
@@ -1,8 +1,6 @@
 <!-- Local Decoders -->
 
 <!-- Modify it at your will. -->
-<!-- Copyright (C) 2015, Wazuh Inc. -->
-
 <!--
   - Allowed static fields:
   - location   - where the log came from (only on FTS)

Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/content: 

Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/content: content changed '{sha256}21f5e1ff2ea096f2b1b6acdc1fc25bcac46734614b253f6ad1352d9c2a1c5c13' to '{sha256}7e45d35ee7a35a68fe13cd5e3f7f69ec2776322cd2d3fa42bb474ba06279aecc' (corrective)
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/owner: owner changed 'wazuh' to 'root' (corrective)
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/mode: mode changed '0660' to '0640' (corrective)
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/bin/.process_list]/ensure: defined content as '{sha256}5309904b42512c478b2da5e23cf756e3733d61834a9749e549af895f5d5b478c' (corrective)
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/bin/.process_list]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/Exec[Generate the wazuh-keystore (username)]/returns: executed successfully (corrective)
Notice: /Stage[manager]/Wazuh::Manager/Exec[Generate the wazuh-keystore (password)]/returns: executed successfully (corrective)
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]/content: 
--- /var/ossec/api/configuration/api.yaml	2024-10-18 12:16:12.000000000 +0000
+++ /tmp/puppet-file20241023-30452-1b352jp	2024-10-23 16:27:48.476889076 +0000
@@ -1,76 +1,47 @@
-# USE THIS FILE AS A TEMPLATE. UNCOMMENT LINES TO APPLY CUSTOM CONFIGURATION
-
-# host: ['0.0.0.0', '::']
-# port: 55000
-
-# Advanced configuration
-
-# https:
-#  enabled: yes
-#  key: "server.key"
-#  cert: "server.crt"
-#  use_ca: False
-#  ca: "ca.crt"
-#  ssl_protocol: "auto"
-#  ssl_ciphers: ""
-
-# Modify API's intervals (time in seconds)
-# intervals:
-#   request_timeout: 10
-
-# Logging configuration
-# Values for API log level: disabled, info, warning, error, debug, debug2 (each level includes the previous level).
-# Values for API log max_size: <value><unit>. Valid units: K (kilobytes), M (megabytes)
-# Enabling the API log max_size will disable the time based rotation (on midnight)
-# logs:
-#  level: "info"
-#  format: "plain"
-#  max_size:
-#    enabled: False
-#    size: "1M"
-
-# Cross-origin resource sharing: https://www.starlette.io/middleware/#corsmiddleware
-# cors:
-#  enabled: no
-#  source_route: "*"
-#  expose_headers: "*"
-#  allow_headers: "*"
-#  allow_credentials: no
-
-# Access parameters
-# access:
-#  max_login_attempts: 50
-#  block_time: 300
-#  max_request_per_minute: 300
-
-# Drop privileges (Run as wazuh user)
-# drop_privileges: yes
-
-# Enable features under development
-# experimental_features: no
-
-# Maximum body size that the API can accept, in bytes (0 -> limitless)
-# max_upload_size: 10485760
-
-# Uploadable Wazuh configuration sections
-# upload_configuration:
-#   remote_commands:
-#     localfile:
-#       allow: yes
-#       exceptions: []
-#     wodle_command:
-#       allow: yes
-#       exceptions: []
-#   limits:
-#     eps:
-#       allow: yes
-#   agents:
-#     allow_higher_versions:
-#       allow: yes
-#   indexer:
-#     allow: yes
-#   integrations:
-#     virustotal:
-#       public_key:
-#         allow: yes
-#         minimum_quota: 240
+#
+# Wazuh API configuration file
+# Copyright (C) 2015, Wazuh Inc.
+#
+host: ["0.0.0.0"]
+port: 55000
+# Advanced configuration
+https:
+  enabled: yes
+  key: server.key
+  cert: server.crt
+  use_ca: False
+  ca: ca.crt
+  ssl_protocol: TLSv1.2
+  ssl_ciphers: ""
+# Logging configuration
+# Values for API log level: disabled, info, warning, error, debug, debug2 (each level includes the previous level).
+logs:
+  level: info
+# Cross-origin resource sharing: https://github.com/aio-libs/aiohttp-cors#usage
+cors:
+  enabled: no
+  source_route: "*"
+  expose_headers: "*"
+  allow_headers: "*"
+  allow_credentials: no
+# Access parameters
+access:
+  max_login_attempts: 5
+  block_time: 300
+  max_request_per_minute: 300
+# Drop privileges (Run as ossec user)
+drop_privileges: yes
+# Enable features under development
+experimental_features: no
+# Enable remote commands
+upload_configuration:
+  remote_commands:
+    localfile:
+      allow: yes
+      exceptions: []
+    wodle_command:
+      allow: yes
+      exceptions: []
+  limits:
+    eps:
+      allow: yes
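Review bot: apart from `host: ["0.0.0.0"]` now having the array type the API schema asks for, the rendered api.yaml still lags the packaged file it replaces. The packaged default in the removed lines is `host: ['0.0.0.0', '::']`, so this template listens on IPv4 only; `ssl_protocol: TLSv1.2` replaces the packaged `"auto"`; `max_login_attempts: 5` differs from the packaged `50`; and `max_upload_size` plus the `agents`, `indexer` and `integrations` blocks under `upload_configuration` are not rendered at all. The comments are stale too: the CORS link points to aiohttp-cors where the packaged file points to Starlette, and "Run as ossec user" should read "wazuh user". Suggest rebuilding the template from the packaged file and documenting each deliberate deviation next to the parameter that sets it.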

Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]/content: 

Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]/content: content changed '{sha256}9366088d8dc24331cc02fb8084d8888d0f2aa838f46c239cecf3d18567c8604d' to '{sha256}32fe9b5046a45dc1540691c85588ca2c738a842fdd833227be1f5d96517de036' (corrective)
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]/mode: mode changed '0660' to '0640' (corrective)
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Filebeat_oss/Package[filebeat]/ensure: created (corrective)
Notice: /Stage[manager]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]/content: 
--- /etc/filebeat/filebeat.yml	2021-01-12 22:10:03.000000000 +0000
+++ /tmp/puppet-file20241023-30452-1fv4igo	2024-10-23 16:27:52.236962688 +0000
@@ -1,270 +1,34 @@
-###################### Filebeat Configuration Example #########################
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
 
-# This file is an example configuration file highlighting only the most common
-# options. The filebeat.reference.yml file from the same directory contains all the
-# supported options with more comments. You can use it as a reference.
-#
-# You can find the full configuration reference here:
-# https://www.elastic.co/guide/en/beats/filebeat/index.html
-
-# For more available modules and options, please see the filebeat.reference.yml sample
-# configuration file.
-
-# ============================== Filebeat inputs ===============================
-
-filebeat.inputs:
-
-# Each - is an input. Most options can be set at the input level, so
-# you can use different inputs for various configurations.
-# Below are the input specific configurations.
-
-- type: log
-
-  # Change to true to enable this input configuration.
-  enabled: false
-
-  # Paths that should be crawled and fetched. Glob based paths.
-  paths:
-    - /var/log/*.log
-    #- c:\programdata\elasticsearch\logs\*
-
-  # Exclude lines. A list of regular expressions to match. It drops the lines that are
-  # matching any regular expression from the list.
-  #exclude_lines: ['^DBG']
-
-  # Include lines. A list of regular expressions to match. It exports the lines that are
-  # matching any regular expression from the list.
-  #include_lines: ['^ERR', '^WARN']
-
-  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
-  # are matching any regular expression from the list. By default, no files are dropped.
-  #exclude_files: ['.gz$']
-
-  # Optional additional fields. These fields can be freely picked
-  # to add additional information to the crawled log files for filtering
-  #fields:
-  #  level: debug
-  #  review: 1
-
-  ### Multiline options
-
-  # Multiline can be used for log messages spanning multiple lines. This is common
-  # for Java Stack Traces or C-Line Continuation
-
-  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
-  #multiline.pattern: ^\[
-
-  # Defines if the pattern set under pattern should be negated or not. Default is false.
-  #multiline.negate: false
-
-  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
-  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
-  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
-  #multiline.match: after
-
-# filestream is an experimental input. It is going to replace log input in the future.
-- type: filestream
-
-  # Change to true to enable this input configuration.
-  enabled: false
-
-  # Paths that should be crawled and fetched. Glob based paths.
-  paths:
-    - /var/log/*.log
-    #- c:\programdata\elasticsearch\logs\*
-
-  # Exclude lines. A list of regular expressions to match. It drops the lines that are
-  # matching any regular expression from the list.
-  #exclude_lines: ['^DBG']
-
-  # Include lines. A list of regular expressions to match. It exports the lines that are
-  # matching any regular expression from the list.
-  #include_lines: ['^ERR', '^WARN']
-
-  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
-  # are matching any regular expression from the list. By default, no files are dropped.
-  #prospector.scanner.exclude_files: ['.gz$']
-
-  # Optional additional fields. These fields can be freely picked
-  # to add additional information to the crawled log files for filtering
-  #fields:
-  #  level: debug
-  #  review: 1
-
-# ============================== Filebeat modules ==============================
-
-filebeat.config.modules:
-  # Glob pattern for configuration loading
-  path: ${path.config}/modules.d/*.yml
-
-  # Set to true to enable config reloading
-  reload.enabled: false
-
-  # Period on which files under path should be checked for changes
-  #reload.period: 10s
-
-# ======================= Elasticsearch template setting =======================
-
-setup.template.settings:
-  index.number_of_shards: 1
-  #index.codec: best_compression
-  #_source.enabled: false
-
-
-# ================================== General ===================================
-
-# The name of the shipper that publishes the network data. It can be used to group
-# all the transactions sent by a single shipper in the web interface.
-#name:
-
-# The tags of the shipper are included in their own field with each
-# transaction published.
-#tags: ["service-X", "web-tier"]
-
-# Optional fields that you can specify to add additional information to the
-# output.
-#fields:
-#  env: staging
-
-# ================================= Dashboards =================================
-# These settings control loading the sample dashboards to the Kibana index. Loading
-# the dashboards is disabled by default and can be enabled either by setting the
-# options here or by using the `setup` command.
-#setup.dashboards.enabled: false
-
-# The URL from where to download the dashboards archive. By default this URL
-# has a value which is computed based on the Beat name and version. For released
-# versions, this URL points to the dashboard archive on the artifacts.elastic.co
-# website.
-#setup.dashboards.url:
-
-# =================================== Kibana ===================================
-
-# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
-# This requires a Kibana endpoint configuration.
-setup.kibana:
-
-  # Kibana Host
-  # Scheme and port can be left out and will be set to the default (http and 5601)
-  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
-  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
-  #host: "localhost:5601"
-
-  # Kibana Space ID
-  # ID of the Kibana Space into which the dashboards should be loaded. By default,
-  # the Default Space will be used.
-  #space.id:
-
-# =============================== Elastic Cloud ================================
-
-# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).
-
-# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
-# `setup.kibana.host` options.
-# You can find the `cloud.id` in the Elastic Cloud web UI.
-#cloud.id:
-
-# The cloud.auth setting overwrites the `output.elasticsearch.username` and
-# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
-#cloud.auth:
-
-# ================================== Outputs ===================================
-
-# Configure what output to use when sending the data collected by the beat.
-
-# ---------------------------- Elasticsearch Output ----------------------------
+# Send events directly to Indexer
 output.elasticsearch:
-  # Array of hosts to connect to.
-  hosts: ["localhost:9200"]
-
-  # Protocol - either `http` (default) or `https`.
-  #protocol: "https"
-
-  # Authentication credentials - either API key or username/password.
-  #api_key: "id:api_key"
-  #username: "elastic"
-  #password: "changeme"
-
-# ------------------------------ Logstash Output -------------------------------
-#output.logstash:
-  # The Logstash hosts
-  #hosts: ["localhost:5044"]
-
-  # Optional SSL. By default is off.
-  # List of root certificates for HTTPS server verifications
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-
-  # Certificate for SSL client authentication
-  #ssl.certificate: "/etc/pki/client/cert.pem"
-
-  # Client Certificate Key
-  #ssl.key: "/etc/pki/client/cert.key"
-
-# ================================= Processors =================================
-processors:
-  - add_host_metadata:
-      when.not.contains.tags: forwarded
-  - add_cloud_metadata: ~
-  - add_docker_metadata: ~
-  - add_kubernetes_metadata: ~
-
-# ================================== Logging ===================================
-
-# Sets log level. The default log level is info.
-# Available log levels are: error, warning, info, debug
-#logging.level: debug
-
-# At debug level, you can selectively enable logging only for some components.
-# To enable all selectors use ["*"]. Examples of other selectors are "beat",
-# "publish", "service".
-#logging.selectors: ["*"]
-
-# ============================= X-Pack Monitoring ==============================
-# Filebeat can export internal metrics to a central Elasticsearch monitoring
-# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
-# reporting is disabled by default.
-
-# Set to true to enable the monitoring reporter.
-#monitoring.enabled: false
-
-# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
-# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
-# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
-#monitoring.cluster_uuid:
-
-# Uncomment to send the metrics to Elasticsearch. Most settings from the
-# Elasticsearch output are accepted here as well.
-# Note that the settings should point to your Elasticsearch *monitoring* cluster.
-# Any setting that is not set is automatically inherited from the Elasticsearch
-# output configuration, so if you have the Elasticsearch output configured such
-# that it is pointing to your Elasticsearch monitoring cluster, you can simply
-# uncomment the following line.
-#monitoring.elasticsearch:
-
-# ============================== Instrumentation ===============================
-
-# Instrumentation support for the filebeat.
-#instrumentation:
-    # Set to true to enable instrumentation of filebeat.
-    #enabled: false
-
-    # Environment in which filebeat is running on (eg: staging, production, etc.)
-    #environment: ""
-
-    # APM Server hosts to report instrumentation results to.
-    #hosts:
-    #  - http://localhost:8200
-
-    # API Key for the APM Server(s).
-    # If api_key is set then secret_token will be ignored.
-    #api_key:
-
-    # Secret token for the APM Server(s).
-    #secret_token:
-
-
-# ================================= Migration ==================================
-
-# This allows to enable 6.7 migration aliases
-#migration.6_to_7.enabled: true
-
+  hosts: ["https://127.0.0.1:9200"]
+  username: admin
+  password: admin
+  protocol: https
+  ssl.certificate_authorities:
+    - /etc/filebeat/certs/root-ca.pem
+  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
+  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
+
+setup.ilm.enabled: false
+
+logging.metrics.enabled: false
+
+seccomp:
+  default_action: allow
+  syscalls:
+  - action: allow
+    names:
+    - rseq
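Review bot: `username: admin` and `password: admin` under `output.elasticsearch` write the indexer's default credentials in plain text to /etc/filebeat/filebeat.yml, and the run output just below reports the file mode going from '0600' to '0640', which widens who can read them. Suggest taking the credentials from class parameters with no usable default (or from the Filebeat keystore) and keeping the file at 0600. The `seccomp` block sets `default_action: allow`, so every syscall is permitted and the `rseq` allow entry adds nothing on top; a comment in the template explaining why the block is needed would help the next reader.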

Notice: /Stage[manager]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]/content: 

Notice: /Stage[manager]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]/content: content changed '{sha256}d4d7b4d818401d90b4425814dcf01ad4e1d7b6ec51acb9b926b4ff1c0673a02e' to '{sha256}dbb85d6fd9d8401b09f9c0aeb514b0f0adf970b6af1dbc7997e5b00aa872a4c2' (corrective)
Notice: /Stage[manager]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]/mode: mode changed '0600' to '0640' (corrective)
Info: /Stage[manager]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]: Scheduling refresh of Service[filebeat]
Info: /Stage[manager]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]: Scheduling refresh of Service[filebeat]
Notice: /Stage[manager]/Wazuh::Filebeat_oss/Service[filebeat]: Triggered 'refresh' from 2 events
Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: 
--- /var/ossec/etc/ossec.conf	2024-10-23 16:27:16.206266497 +0000
+++ /tmp/puppet-file20241023-30452-p6xe7m	2024-10-23 16:27:53.016977508 +0000
@@ -1,24 +1,15 @@
-<!--
-  Wazuh - Manager - Default configuration for amzn 2023
-  More info at: https://documentation.wazuh.com
-  Mailing list: https://groups.google.com/forum/#!forum/wazuh
--->
-
 <ossec_config>
   <global>
     <jsonout_output>yes</jsonout_output>
     <alerts_log>yes</alerts_log>
     <logall>no</logall>
     <logall_json>no</logall_json>
-    <email_notification>no</email_notification>
-    <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>wazuh@example.wazuh.com</email_from>
-    <email_to>recipient@example.wazuh.com</email_to>
-    <email_maxperhour>12</email_maxperhour>
-    <email_log_source>alerts.log</email_log_source>
     <agents_disconnection_time>10m</agents_disconnection_time>
     <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
-    <update_check>yes</update_check>
+    <email_notification>no</email_notification>
+    <white_list>127.0.0.1</white_list>
+    <white_list>^localhost.localdomain$</white_list>
+    <white_list>10.0.0.2</white_list>
   </global>
 
   <alerts>
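Review bot: the three `<white_list>` entries added to `<global>`, in particular `<white_list>10.0.0.2</white_list>`, are rendered as fixed values, and white-listed addresses are never blocked by active response. Suggest defaulting the list to loopback only and leaving any other address to site data. The same hunk removes `<update_check>yes</update_check>`, `<email_maxperhour>` and `<email_log_source>` without replacement; if that is intended, say so in the changelog, otherwise add them back to the template.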
@@ -26,7 +17,6 @@
     <email_alert_level>12</email_alert_level>
   </alerts>
 
-  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
   <logging>
     <log_format>plain</log_format>
   </logging>
@@ -38,8 +28,9 @@
     <queue_size>131072</queue_size>
   </remote>
 
-  <!-- Policy monitoring -->
-  <rootcheck>
+
+
+<rootcheck>
     <disabled>no</disabled>
     <check_files>yes</check_files>
     <check_trojans>yes</check_trojans>
@@ -48,147 +39,118 @@
     <check_pids>yes</check_pids>
     <check_ports>yes</check_ports>
     <check_if>yes</check_if>
-
-    <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
-
-    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
-
+    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
     <skip_nfs>yes</skip_nfs>
+</rootcheck>
 
-    <ignore>/var/lib/containerd</ignore>
-    <ignore>/var/lib/docker/overlay2</ignore>
-  </rootcheck>
-
-  <wodle name="cis-cat">
+<wodle name="open-scap">
     <disabled>yes</disabled>
     <timeout>1800</timeout>
     <interval>1d</interval>
     <scan-on-start>yes</scan-on-start>
 
+</wodle>
+<wodle name="cis-cat">    
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
     <java_path>wodles/java</java_path>
     <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
+</wodle>
+
 
-  <!-- Osquery integration -->
-  <wodle name="osquery">
+<wodle name="osquery">
     <disabled>yes</disabled>
     <run_daemon>yes</run_daemon>
-    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+      <log_path>/var/log/osquery/osqueryd.results.log</log_path>
     <config_path>/etc/osquery/osquery.conf</config_path>
     <add_labels>yes</add_labels>
-  </wodle>
+</wodle>
 
-  <!-- System inventory -->
-  <wodle name="syscollector">
-    <disabled>no</disabled>
-    <interval>1h</interval>
-    <scan_on_start>yes</scan_on_start>
-    <hardware>yes</hardware>
-    <os>yes</os>
-    <network>yes</network>
-    <packages>yes</packages>
-    <ports all="no">yes</ports>
-    <processes>yes</processes>
-
-    <!-- Database synchronization settings -->
-    <synchronization>
-      <max_eps>10</max_eps>
-    </synchronization>
-  </wodle>
+  
+<wodle name="syscollector">
+  <disabled>no</disabled>
+  <interval>1h</interval>
+  <scan_on_start>yes</scan_on_start>
+  <hardware>yes</hardware>
+  <os>yes</os>
+  <network>yes</network>
+  <packages>yes</packages>
+  <ports all="no">yes</ports>
+  <processes>yes</processes>
+</wodle>
 
-  <sca>
+ 
+<sca>
     <enabled>yes</enabled>
     <scan_on_start>yes</scan_on_start>
     <interval>12h</interval>
     <skip_nfs>yes</skip_nfs>
+  
   </sca>
-
-  <vulnerability-detection>
+    
+  # Configuration for Vulnerability detection
+<vulnerability-detection>
+  <enabled>yes</enabled>
+  <index-status>yes</index-status>
+  <feed-update-interval>60m</feed-update-interval>
+</vulnerability-detection>
+# indexer configuration for vulnerability detection
+<indexer>
+  <enabled>yes</enabled>
+  <hosts>
+    <host>https://127.0.0.1:9200</host>
+  </hosts>
+  <ssl>
+    <certificate_authorities>
+      <ca>/etc/filebeat/certs/root-ca.pem</ca>
+    </certificate_authorities>
+    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
+    <key>/etc/filebeat/certs/filebeat-key.pem</key>
+  </ssl>
+</indexer>
+
+<syscheck>
+  <disabled>no</disabled>
+  <frequency>43200</frequency>
+  <scan_on_start>yes</scan_on_start>
+  <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+  <process_priority>10</process_priority>
+  <synchronization>
     <enabled>yes</enabled>
-    <index-status>yes</index-status>
-    <feed-update-interval>60m</feed-update-interval>
-  </vulnerability-detection>
+    <interval>5m</interval>
+    <max_interval>1h</max_interval>
+    <max_eps>10</max_eps>
+  </synchronization>
+
+  <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
+  <directories check_all="yes" >/bin,/sbin,/boot</directories>
+  <ignore>/etc/mtab</ignore>
+  <ignore>/etc/hosts.deny</ignore>
+  <ignore>/etc/mail/statistics</ignore>
+  <ignore>/etc/random-seed</ignore>
+  <ignore>/etc/random.seed</ignore>
+  <ignore>/etc/adjtime</ignore>
+  <ignore>/etc/httpd/logs</ignore>
+  <ignore>/etc/utmpx</ignore>
+  <ignore>/etc/wtmpx</ignore>
+  <ignore>/etc/cups/certs</ignore>
+  <ignore>/etc/dumpdates</ignore>
+  <ignore>/etc/svc/volatile</ignore>
+  <ignore>/sys/kernel/security</ignore>
+  <ignore>/sys/kernel/debug</ignore>
+  <ignore>/dev/core</ignore>
+  <ignore type="sregex">^/proc</ignore>
+  <ignore type="sregex">.log$|.swp$</ignore>
+  <nodiff>/etc/ssl/private.key</nodiff>
+  <skip_nfs>yes</skip_nfs>
+</syscheck>
 
-  <indexer>
-    <enabled>yes</enabled>
-    <hosts>
-      <host>https://0.0.0.0:9200</host>
-    </hosts>
-    <ssl>
-      <certificate_authorities>
-        <ca>/etc/filebeat/certs/root-ca.pem</ca>
-      </certificate_authorities>
-      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
-      <key>/etc/filebeat/certs/filebeat-key.pem</key>
-    </ssl>
-  </indexer>
 
-  <!-- File integrity monitoring -->
-  <syscheck>
-    <disabled>no</disabled>
 
-    <!-- Frequency that syscheck is executed default every 12 hours -->
-    <frequency>43200</frequency>
-
-    <scan_on_start>yes</scan_on_start>
-
-    <!-- Generate alert when new file detected -->
-    <alert_new_files>yes</alert_new_files>
-
-    <!-- Don't ignore files that change more than 'frequency' times -->
-    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
-
-    <!-- Directories to check  (perform all possible verifications) -->
-    <directories>/etc,/usr/bin,/usr/sbin</directories>
-    <directories>/bin,/sbin,/boot</directories>
-
-    <!-- Files/directories to ignore -->
-    <ignore>/etc/mtab</ignore>
-    <ignore>/etc/hosts.deny</ignore>
-    <ignore>/etc/mail/statistics</ignore>
-    <ignore>/etc/random-seed</ignore>
-    <ignore>/etc/random.seed</ignore>
-    <ignore>/etc/adjtime</ignore>
-    <ignore>/etc/httpd/logs</ignore>
-    <ignore>/etc/utmpx</ignore>
-    <ignore>/etc/wtmpx</ignore>
-    <ignore>/etc/cups/certs</ignore>
-    <ignore>/etc/dumpdates</ignore>
-    <ignore>/etc/svc/volatile</ignore>
-
-    <!-- File types to ignore -->
-    <ignore type="sregex">.log$|.swp$</ignore>
-
-    <!-- Check the file, but never compute the diff -->
-    <nodiff>/etc/ssl/private.key</nodiff>
-
-    <skip_nfs>yes</skip_nfs>
-    <skip_dev>yes</skip_dev>
-    <skip_proc>yes</skip_proc>
-    <skip_sys>yes</skip_sys>
-
-    <!-- Nice value for Syscheck process -->
-    <process_priority>10</process_priority>
-
-    <!-- Maximum output throughput -->
-    <max_eps>50</max_eps>
-
-    <!-- Database synchronization settings -->
-    <synchronization>
-      <enabled>yes</enabled>
-      <interval>5m</interval>
-      <max_eps>10</max_eps>
-    </synchronization>
-  </syscheck>
-
-  <!-- Active response -->
-  <global>
-    <white_list>127.0.0.1</white_list>
-    <white_list>^localhost.localdomain$</white_list>
-    <white_list>172.31.0.2</white_list>
-  </global>
 
   <command>
     <name>disable-account</name>
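Review bot: the added lines `# Configuration for Vulnerability detection` and `# indexer configuration for vulnerability detection` are not XML comments, so they end up in ossec.conf as literal text between elements; the template should wrap them in `<!-- ... -->`. The rendered `<syscheck>` block also loses `<alert_new_files>`, `<skip_dev>`, `<skip_proc>` and `<skip_sys>`, and `<rootcheck>` loses both container `<ignore>` paths, with only the `/sys/kernel/...`, `/dev/core` and `^/proc` ignores added in their place, so it is worth confirming that the template is meant to diverge from the packaged defaults here. Indentation is inconsistent as well: `<sca>` now opens at column 0 but still closes with the original indented `</sca>`.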
@@ -197,8 +159,8 @@
   </command>
 
   <command>
-    <name>restart-wazuh</name>
-    <executable>restart-wazuh</executable>
+    <name>restart-ossec</name>
+    <executable>restart-ossec</executable>
   </command>
 
   <command>
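Review bot: `<name>` and `<executable>` change from `restart-wazuh` to `restart-ossec`, which moves away from the name in the packaged file this run is overwriting. Unless a `restart-ossec` executable still ships with this release, any active response bound to this command will have nothing to run; the template should keep `restart-wazuh` for current versions.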
@@ -221,108 +183,124 @@
 
   <command>
     <name>win_route-null</name>
-    <executable>route-null.exe</executable>
+    <executable>route-null</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>win_route-null-2012</name>
+    <executable>route-null-2012</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>netsh</name>
-    <executable>netsh.exe</executable>
+    <executable>netsh</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>netsh-win-2016</name>
+    <executable>netsh-win-2016</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
-  <!--
-  <active-response>
-    active-response options here
-  </active-response>
-  -->
+  
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/messages</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/secure</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/maillog</location>
+  </localfile>
 
-  <!-- Log analysis -->
   <localfile>
     <log_format>command</log_format>
     <command>df -P</command>
     <frequency>360</frequency>
   </localfile>
-
   <localfile>
     <log_format>full_command</log_format>
     <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
     <alias>netstat listening ports</alias>
     <frequency>360</frequency>
   </localfile>
-
   <localfile>
     <log_format>full_command</log_format>
     <command>last -n 20</command>
     <frequency>360</frequency>
   </localfile>
 
-  <ruleset>
-    <!-- Default ruleset -->
+
+
+
+<ruleset>
+  <!-- Default ruleset -->
     <decoder_dir>ruleset/decoders</decoder_dir>
     <rule_dir>ruleset/rules</rule_dir>
     <rule_exclude>0215-policy_rules.xml</rule_exclude>
-    <list>etc/lists/audit-keys</list>
-    <list>etc/lists/amazon/aws-eventnames</list>
-    <list>etc/lists/security-eventchannel</list>
-
-    <!-- User-defined ruleset -->
+  <list>etc/lists/audit-keys</list>
+  <list>etc/lists/amazon/aws-eventnames</list>
+  <list>etc/lists/security-eventchannel</list>
+  
+  <!-- User-defined ruleset -->
     <decoder_dir>etc/decoders</decoder_dir>
     <rule_dir>etc/rules</rule_dir>
-  </ruleset>
+</ruleset>
 
-  <rule_test>
-    <enabled>yes</enabled>
-    <threads>1</threads>
-    <max_sessions>64</max_sessions>
-    <session_timeout>15m</session_timeout>
-  </rule_test>
 
-  <!-- Configuration for wazuh-authd -->
-  <auth>
-    <disabled>no</disabled>
-    <port>1515</port>
-    <use_source_ip>no</use_source_ip>
-    <purge>yes</purge>
-    <use_password>no</use_password>
-    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
-    <!-- <ssl_agent_ca></ssl_agent_ca> -->
-    <ssl_verify_host>no</ssl_verify_host>
-    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
-    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
-    <ssl_auto_negotiate>no</ssl_auto_negotiate>
-  </auth>
-
-  <cluster>
-    <name>wazuh</name>
-    <node_name>node01</node_name>
-    <node_type>master</node_type>
-    <key></key>
-    <port>1516</port>
-    <bind_addr>0.0.0.0</bind_addr>
-    <nodes>
-        <node>NODE_IP</node>
-    </nodes>
-    <hidden>no</hidden>
-    <disabled>yes</disabled>
-  </cluster>
 
-</ossec_config>
 
-<ossec_config>
-  <localfile>
-    <log_format>journald</log_format>
-    <location>journald</location>
-  </localfile>
+<!-- Client Authentication Settings -->
+<auth>
+  <disabled>no</disabled>
+  <port>1515</port>
+  <use_source_ip>yes</use_source_ip>
+  <force>
+    <enabled>yes</enabled>
+    <key_mismatch>yes</key_mismatch>  
+    <disconnected_time enabled="yes">1h</disconnected_time>
+    <after_registration_time>1h</after_registration_time>
+  </force>
+  <purge>yes</purge>
+  <use_password>no</use_password>
+  <limit_maxagents>yes</limit_maxagents>
+  <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+  <ssl_verify_host>no</ssl_verify_host>
+  <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
+  <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+  <ssl_auto_negotiate>no</ssl_auto_negotiate>
+</auth>
 
-  <localfile>
-    <log_format>audit</log_format>
-    <location>/var/log/audit/audit.log</location>
-  </localfile>
 
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/ossec/logs/active-responses.log</location>
-  </localfile>
+
+  
+<cluster>
+ <name>wazuh</name>
+ <node_name>node01</node_name>
+ <node_type>master</node_type>
+ <key>KEY</key>
+ <port>1516</port>
+ <bind_addr>0.0.0.0</bind_addr>
+ <nodes>
+    <node>NODE_IP</node>
+   </nodes>
+ <hidden>no</hidden>
+ <disabled>yes</disabled>
+</cluster>
+
 
 </ossec_config>
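Review bot: `<key>KEY</key>` in `<cluster>` writes a literal placeholder where the packaged file had an empty `<key></key>`; the cluster is disabled here, but the manifest should require a real key or leave the element empty so the cluster can never be enabled with a known value. In `<auth>`, `use_source_ip` flips from `no` to `yes` and a `<force>` block is added, which changes enrollment behaviour and should be a deliberate, documented default. The hunk also removes the `journald` `<localfile>` and the `<rule_test>` block and strips `.exe` from the `route-null` and `netsh` executables; each of these departs from the packaged file and should be checked against the current reference configuration.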

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum 13d04407e83e7137a4dc15b2d2a0cc3d0d488d472de5c76dbc61394fddaef236
Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: 

Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{sha256}13d04407e83e7137a4dc15b2d2a0cc3d0d488d472de5c76dbc61394fddaef236' to '{sha256}ba7553028999e0c4ce2ec7d735f529919da5a1bccb5b5d222701abe638bf282e' (corrective)
Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/mode: mode changed '0660' to '0640' (corrective)
Info: Concat[manager_ossec.conf]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/Service[wazuh-manager]/ensure: ensure changed 'stopped' to 'running' (corrective)
Info: /Stage[manager]/Wazuh::Manager/Service[wazuh-manager]: Unscheduling refresh on Service[wazuh-manager]
Notice: /Stage[dashboard]/Wazuh::Dashboard/Package[wazuh-dashboard]/ensure: created (corrective)
Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]/content: 
--- /etc/wazuh-dashboard/opensearch_dashboards.yml	2024-10-18 12:29:02.000000000 +0000
+++ /tmp/puppet-file20241023-30452-13besz3	2024-10-23 16:30:43.290116452 +0000
@@ -2,9 +2,9 @@
 server.port: 443
 opensearch.hosts: https://localhost:9200
 opensearch.ssl.verificationMode: certificate
-#opensearch.username:
-#opensearch.password:
-opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
+opensearch.username: kibanaserver
+opensearch.password: kibanaserver
+opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
 opensearch_security.multitenancy.enabled: false
 opensearch_security.readonly_mode.roles: ["kibana_read_only"]
 server.ssl.enabled: true
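Review bot: `opensearch.username: kibanaserver` and `opensearch.password: kibanaserver` write a password equal to the username, in plaintext, into opensearch_dashboards.yml; the module should take the password as a required parameter (ideally of Puppet's `Sensitive` type) instead of shipping this value, and should set a file mode that keeps it unreadable to other users. The same hunk replaces `opensearch.requestHeadersAllowlist` with `opensearch.requestHeadersWhitelist`, undoing the key name the packaged file uses, so the template should be updated to the Allowlist spelling.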

Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]/content: 

Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]/content: content changed '{sha256}e254125c44e86d4b9d40dc0d22a8b132a5655faa5f8dff238eba47fc6a59bf40' to '{sha256}74ff59a251cbd87e132b8e88826b954f1b0f331dc53550e92a6bb73dc01b8918' (corrective)
Info: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]: Scheduling refresh of Service[wazuh-dashboard]
Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/]/ensure: created (corrective)
Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config]/ensure: created (corrective)
Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml]/ensure: defined content as '{sha256}3a9783f9c7ecfdee95b0c829af68499e2f6c43a5fb04d031493819ae4dcd6fc7' (corrective)
Info: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml]: Scheduling refresh of Service[wazuh-dashboard]
Notice: /Stage[dashboard]/Wazuh::Dashboard/Service[wazuh-dashboard]/ensure: ensure changed 'stopped' to 'running' (corrective)
Info: /Stage[dashboard]/Wazuh::Dashboard/Service[wazuh-dashboard]: Unscheduling refresh on Service[wazuh-dashboard]
Notice: Applied catalog in 324.25 seconds