
Release 4.7.0 - Alpha 1 - E2E UX tests - Deployment with Puppet #19651

Closed
2 tasks done
davidjiglesias opened this issue Oct 16, 2023 · 9 comments


davidjiglesias commented Oct 16, 2023

End-to-End (E2E) Testing Guideline

  • Documentation: Always consult the development documentation for the current stage tag at this link. Be careful, because some of the description steps might refer to the version currently in production; always navigate using the current development documentation for the stage under test.
  • Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
  • Deployment Options: While deployments can be local (using VMs, Vagrant, etc.) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the CICD team through this link.
  • External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the CICD team here.
  • Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
  • Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
  • Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
  • Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
  • Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
  • Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing/publication objective and Very high priority. Communicate these to the team and QA via the c-release Slack channel.
  • Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
  • Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
  • Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994.
  • Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/cicd team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
  • For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

  • 🟢 All checks passed
  • 🟡 Found a known issue
  • 🔴 Found a new error

Issue delivery and completion

  • Initial delivery: The issue's assignee must complete the testing and deliver the results by Oct 18, 2023 and notify the @wazuh/cicd team via Slack using the c-release channel
  • Review: The @wazuh/cicd team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Oct 19, 2023 date (issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
  • Auditor: The QA team must audit, validate the results, and close the issue by Oct 20, 2023.

Deployment requirements

| Component | Installation | Type | OS |
|-----------|--------------|------|----|
| Indexer | Deployment with Puppet | Single node | Ubuntu 18.04 x86_64 |
| Server | Deployment with Puppet | Single node | Ubuntu 18.04 x86_64 |
| Dashboard | Deployment with Puppet | - | Ubuntu 18.04 x86_64 |
| Agent | Deployment with Puppet | - | Ubuntu 18.04 x86_64 |

Test description

Test all in one deployment of Wazuh stack via Puppet.
Test deployment of agents via Puppet.

Known issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below:

| Status | Test | Failure type | Notes |
|--------|------|--------------|-------|
| 🟢 | Installation of Puppet Master | | |
| 🟢 | Installing Puppet agent | | |
| 🟢 | Setting up Puppet certificates | | |
| 🟢 | Wazuh Puppet module | | |
| 🟢 | Single Node Deployment of Wazuh Central Components | | |
| 🟢 | Deployment of agent | | |
| 🟡 | Dashboard | #19607 | The changes made in Issue #19607 are not yet available for version 4.7.0 |

Feedback

We value your feedback. Please provide insights on your testing experience.

  • Was the testing guideline clear? Were there any ambiguities?
    • Yes it is clear.
  • Did you face any challenges not covered by the guideline?
    • No.
  • Suggestions for improvement:
    • We should add specific instructions on which manifests we should change, and which changes are needed, for downloading/configuring the correct version. The documentation provided wasn't enough and I had to use the comments of this Issue Release 4.5.1 - RC 1 - E2E UX tests - Deployment With Puppet #18427 as a guide. We should add the steps described in that Issue for the next E2E.

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.


RamosFe commented Oct 17, 2023

Setup Puppet

🟢 1. Installing Puppet Master

Host configuration

```
root@vagrant:~# cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	vagrant

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.10 puppet puppet-master
192.168.56.4 server-1
192.168.56.6 agent-1
```
Dependencies installation
root@vagrant:~# apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]             
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]           
Get:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [83.3 kB]           
Get:5 http://archive.ubuntu.com/ubuntu bionic-updates/main i386 Packages [1,665 kB]             
Get:6 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages [2,717 kB]
Get:7 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [3,045 kB]
Get:8 http://archive.ubuntu.com/ubuntu bionic-updates/main Translation-en [553 kB]        
Get:9 http://archive.ubuntu.com/ubuntu bionic-updates/restricted amd64 Packages [1,347 kB]      
Get:10 http://archive.ubuntu.com/ubuntu bionic-updates/restricted i386 Packages [39.7 kB]
Get:11 http://archive.ubuntu.com/ubuntu bionic-updates/restricted Translation-en [187 kB] 
Get:12 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [1,914 kB]      
Get:13 http://archive.ubuntu.com/ubuntu bionic-updates/universe i386 Packages [1,663 kB]   
Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/universe Translation-en [421 kB]    
Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 Packages [25.6 kB]
Get:16 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse i386 Packages [11.2 kB]
Get:17 http://archive.ubuntu.com/ubuntu bionic-backports/main amd64 Packages [53.3 kB]
Get:18 http://archive.ubuntu.com/ubuntu bionic-backports/main i386 Packages [53.2 kB]
Get:19 http://archive.ubuntu.com/ubuntu bionic-backports/universe i386 Packages [18.1 kB]
Get:20 http://archive.ubuntu.com/ubuntu bionic-backports/universe amd64 Packages [18.2 kB]
Get:21 http://security.ubuntu.com/ubuntu bionic-security/main i386 Packages [1,379 kB]
Get:22 http://security.ubuntu.com/ubuntu bionic-security/main Translation-en [467 kB]
Get:23 http://security.ubuntu.com/ubuntu bionic-security/restricted i386 Packages [33.0 kB]
Get:24 http://security.ubuntu.com/ubuntu bionic-security/restricted amd64 Packages [1,317 kB]
Get:25 http://security.ubuntu.com/ubuntu bionic-security/restricted Translation-en [182 kB]
Get:26 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [1,303 kB]
Get:27 http://security.ubuntu.com/ubuntu bionic-security/universe i386 Packages [1,078 kB]
Get:28 http://security.ubuntu.com/ubuntu bionic-security/universe Translation-en [308 kB]
Get:29 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 Packages [19.8 kB]
Get:30 http://security.ubuntu.com/ubuntu bionic-security/multiverse i386 Packages [6,008 B]
Fetched 20.1 MB in 5s (4,246 kB/s)                     
Reading package lists... Done
root@vagrant:~# apt-get install curl apt-transport-https lsb-release wget
Reading package lists... Done
Building dependency tree       
Reading state information... Done
lsb-release is already the newest version (9.20170808ubuntu1).
lsb-release set to manually installed.
wget is already the newest version (1.19.4-1ubuntu2.2).
The following additional packages will be installed:
  libcurl4 libnghttp2-14 librtmp1
The following NEW packages will be installed:
  apt-transport-https curl libcurl4 libnghttp2-14 librtmp1
0 upgraded, 5 newly installed, 0 to remove and 60 not upgraded.
Need to get 513 kB of archives.
After this operation, 1,553 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.17 [1,692 B]
Get:2 http://archive.ubuntu.com/ubuntu bionic/main amd64 libnghttp2-14 amd64 1.30.0-1ubuntu1 [77.8 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic/main amd64 librtmp1 amd64 2.4+20151223.gitfa8646d.1-1 [54.2 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libcurl4 amd64 7.58.0-2ubuntu3.24 [221 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 curl amd64 7.58.0-2ubuntu3.24 [159 kB]
Fetched 513 kB in 1s (405 kB/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 33405 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.6.17_all.deb ...
Unpacking apt-transport-https (1.6.17) ...
Selecting previously unselected package libnghttp2-14:amd64.
Preparing to unpack .../libnghttp2-14_1.30.0-1ubuntu1_amd64.deb ...
Unpacking libnghttp2-14:amd64 (1.30.0-1ubuntu1) ...
Selecting previously unselected package librtmp1:amd64.
Preparing to unpack .../librtmp1_2.4+20151223.gitfa8646d.1-1_amd64.deb ...
Unpacking librtmp1:amd64 (2.4+20151223.gitfa8646d.1-1) ...
Selecting previously unselected package libcurl4:amd64.
Preparing to unpack .../libcurl4_7.58.0-2ubuntu3.24_amd64.deb ...
Unpacking libcurl4:amd64 (7.58.0-2ubuntu3.24) ...
Selecting previously unselected package curl.
Preparing to unpack .../curl_7.58.0-2ubuntu3.24_amd64.deb ...
Unpacking curl (7.58.0-2ubuntu3.24) ...
Setting up apt-transport-https (1.6.17) ...
Setting up libnghttp2-14:amd64 (1.30.0-1ubuntu1) ...
Setting up librtmp1:amd64 (2.4+20151223.gitfa8646d.1-1) ...
Setting up libcurl4:amd64 (7.58.0-2ubuntu3.24) ...
Setting up curl (7.58.0-2ubuntu3.24) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1.6) ...
Puppet installation
root@vagrant:~# wget https://apt.puppet.com/puppet6-release-bionic.deb
--2023-10-17 17:21:03--  https://apt.puppet.com/puppet6-release-bionic.deb
Resolving apt.puppet.com (apt.puppet.com)... 18.65.48.58, 18.65.48.121, 18.65.48.34, ...
Connecting to apt.puppet.com (apt.puppet.com)|18.65.48.58|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11704 (11K) [application/x-debian-package]
Saving to: ‘puppet6-release-bionic.deb’

puppet6-release-bionic.deb                      100%[=====================================================================================================>]  11.43K  --.-KB/s    in 0.001s  

2023-10-17 17:21:03 (12.8 MB/s) - ‘puppet6-release-bionic.deb’ saved [11704/11704]

root@vagrant:~# dpkg -i puppet6-release-bionic.deb
Selecting previously unselected package puppet6-release.
(Reading database ... 33433 files and directories currently installed.)
Preparing to unpack puppet6-release-bionic.deb ...
Unpacking puppet6-release (6.0.0-23bionic) ...
Setting up puppet6-release (6.0.0-23bionic) ...

root@vagrant:~# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease                        
Hit:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease                     
Get:5 http://apt.puppetlabs.com bionic InRelease [157 kB]       
Get:6 http://apt.puppetlabs.com bionic/puppet6 amd64 Packages [77.3 kB]
Get:7 http://apt.puppetlabs.com bionic/puppet6 all Packages [29.5 kB]
Get:8 http://apt.puppetlabs.com bionic/puppet6 i386 Packages [29.5 kB]
Fetched 293 kB in 3s (104 kB/s)     
Reading package lists... Done


root@vagrant:~# apt-get install -y puppetserver
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  ca-certificates-java fontconfig-config fonts-dejavu-core java-common libfontconfig1 libjpeg-turbo8 libjpeg8 liblcms2-2 libnspr4 libnss3 libpcsclite1 libx11-6 libx11-data libxcb1 libxext6
  libxi6 libxrender1 libxtst6 net-tools openjdk-8-jre-headless puppet-agent x11-common
Suggested packages:
  default-jre liblcms2-utils pcscd libnss-mdns fonts-dejavu-extra fonts-ipafont-gothic fonts-ipafont-mincho fonts-wqy-microhei fonts-wqy-zenhei fonts-indic
The following NEW packages will be installed:
  ca-certificates-java fontconfig-config fonts-dejavu-core java-common libfontconfig1 libjpeg-turbo8 libjpeg8 liblcms2-2 libnspr4 libnss3 libpcsclite1 libx11-6 libx11-data libxcb1 libxext6
  libxi6 libxrender1 libxtst6 net-tools openjdk-8-jre-headless puppet-agent puppetserver x11-common
0 upgraded, 23 newly installed, 0 to remove and 60 not upgraded.
Need to get 148 MB of archives.
After this operation, 366 MB of additional disk space will be used.
Get:1 http://apt.puppetlabs.com bionic/puppet6 amd64 puppet-agent amd64 6.28.0-1bionic [37.7 MB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libxcb1 amd64 1.13-2~ubuntu18.04 [45.5 kB]
Get:3 http://apt.puppetlabs.com bionic/puppet6 amd64 puppetserver all 6.20.0-1bionic [78.4 MB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libx11-data all 2:1.6.4-3ubuntu0.4 [114 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libx11-6 amd64 2:1.6.4-3ubuntu0.4 [572 kB]
Get:6 http://archive.ubuntu.com/ubuntu bionic/main amd64 libxext6 amd64 2:1.3.3-1 [29.4 kB]
Get:7 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libjpeg-turbo8 amd64 1.5.2-0ubuntu5.18.04.6 [111 kB]
Get:8 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 java-common all 0.68ubuntu1~18.04.1 [14.5 kB]
Get:9 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 liblcms2-2 amd64 2.9-1ubuntu0.1 [139 kB]
Get:10 http://archive.ubuntu.com/ubuntu bionic/main amd64 libjpeg8 amd64 8c-2ubuntu8 [2,194 B]
Get:11 http://archive.ubuntu.com/ubuntu bionic/main amd64 fonts-dejavu-core all 2.37-1 [1,041 kB]
Get:12 http://archive.ubuntu.com/ubuntu bionic/main amd64 fontconfig-config all 2.12.6-0ubuntu2 [55.8 kB]
Get:13 http://archive.ubuntu.com/ubuntu bionic/main amd64 libfontconfig1 amd64 2.12.6-0ubuntu2 [137 kB]
Get:14 http://archive.ubuntu.com/ubuntu bionic/main amd64 libnspr4 amd64 2:4.18-1ubuntu1 [112 kB]
Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libnss3 amd64 2:3.35-2ubuntu2.16 [1,220 kB]
Get:16 http://archive.ubuntu.com/ubuntu bionic/main amd64 libpcsclite1 amd64 1.8.23-1 [21.3 kB]
Get:17 http://archive.ubuntu.com/ubuntu bionic/main amd64 libxi6 amd64 2:1.7.9-1 [29.2 kB]
Get:18 http://archive.ubuntu.com/ubuntu bionic/main amd64 libxrender1 amd64 1:0.9.10-1 [18.7 kB]
Get:19 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 x11-common all 1:7.7+19ubuntu7.1 [22.5 kB]
Get:20 http://archive.ubuntu.com/ubuntu bionic/main amd64 libxtst6 amd64 2:1.2.3-1 [12.8 kB]
Get:21 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 openjdk-8-jre-headless amd64 8u372-ga~us1-0ubuntu1~18.04 [28.3 MB]
Get:22 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 ca-certificates-java all 20180516ubuntu1~18.04.2 [12.5 kB]                                                                 
Get:23 http://archive.ubuntu.com/ubuntu bionic/main amd64 net-tools amd64 1.60+git20161116.90da8a0-1ubuntu1 [194 kB]                                                                         
Fetched 148 MB in 7s (21.3 MB/s)                                                                                                                                                             
Selecting previously unselected package libxcb1:amd64.
(Reading database ... 33438 files and directories currently installed.)
Preparing to unpack .../00-libxcb1_1.13-2~ubuntu18.04_amd64.deb ...
Unpacking libxcb1:amd64 (1.13-2~ubuntu18.04) ...
Selecting previously unselected package libx11-data.
Preparing to unpack .../01-libx11-data_2%3a1.6.4-3ubuntu0.4_all.deb ...
Unpacking libx11-data (2:1.6.4-3ubuntu0.4) ...
Selecting previously unselected package libx11-6:amd64.
Preparing to unpack .../02-libx11-6_2%3a1.6.4-3ubuntu0.4_amd64.deb ...
Unpacking libx11-6:amd64 (2:1.6.4-3ubuntu0.4) ...
Selecting previously unselected package libxext6:amd64.
Preparing to unpack .../03-libxext6_2%3a1.3.3-1_amd64.deb ...
Unpacking libxext6:amd64 (2:1.3.3-1) ...
Selecting previously unselected package libjpeg-turbo8:amd64.
Preparing to unpack .../04-libjpeg-turbo8_1.5.2-0ubuntu5.18.04.6_amd64.deb ...
Unpacking libjpeg-turbo8:amd64 (1.5.2-0ubuntu5.18.04.6) ...
Selecting previously unselected package java-common.
Preparing to unpack .../05-java-common_0.68ubuntu1~18.04.1_all.deb ...
Unpacking java-common (0.68ubuntu1~18.04.1) ...
Selecting previously unselected package liblcms2-2:amd64.
Preparing to unpack .../06-liblcms2-2_2.9-1ubuntu0.1_amd64.deb ...
Unpacking liblcms2-2:amd64 (2.9-1ubuntu0.1) ...
Selecting previously unselected package libjpeg8:amd64.
Preparing to unpack .../07-libjpeg8_8c-2ubuntu8_amd64.deb ...
Unpacking libjpeg8:amd64 (8c-2ubuntu8) ...
Selecting previously unselected package fonts-dejavu-core.
Preparing to unpack .../08-fonts-dejavu-core_2.37-1_all.deb ...
Unpacking fonts-dejavu-core (2.37-1) ...
Selecting previously unselected package fontconfig-config.
Preparing to unpack .../09-fontconfig-config_2.12.6-0ubuntu2_all.deb ...
Unpacking fontconfig-config (2.12.6-0ubuntu2) ...
Selecting previously unselected package libfontconfig1:amd64.
Preparing to unpack .../10-libfontconfig1_2.12.6-0ubuntu2_amd64.deb ...
Unpacking libfontconfig1:amd64 (2.12.6-0ubuntu2) ...
Selecting previously unselected package libnspr4:amd64.
Preparing to unpack .../11-libnspr4_2%3a4.18-1ubuntu1_amd64.deb ...
Unpacking libnspr4:amd64 (2:4.18-1ubuntu1) ...
Selecting previously unselected package libnss3:amd64.
Preparing to unpack .../12-libnss3_2%3a3.35-2ubuntu2.16_amd64.deb ...
Unpacking libnss3:amd64 (2:3.35-2ubuntu2.16) ...
Selecting previously unselected package libpcsclite1:amd64.
Preparing to unpack .../13-libpcsclite1_1.8.23-1_amd64.deb ...
Unpacking libpcsclite1:amd64 (1.8.23-1) ...
Selecting previously unselected package libxi6:amd64.
Preparing to unpack .../14-libxi6_2%3a1.7.9-1_amd64.deb ...
Unpacking libxi6:amd64 (2:1.7.9-1) ...
Selecting previously unselected package libxrender1:amd64.
Preparing to unpack .../15-libxrender1_1%3a0.9.10-1_amd64.deb ...
Unpacking libxrender1:amd64 (1:0.9.10-1) ...
Selecting previously unselected package x11-common.
Preparing to unpack .../16-x11-common_1%3a7.7+19ubuntu7.1_all.deb ...
dpkg-query: no packages found matching nux-tools
Unpacking x11-common (1:7.7+19ubuntu7.1) ...
Selecting previously unselected package libxtst6:amd64.
Preparing to unpack .../17-libxtst6_2%3a1.2.3-1_amd64.deb ...
Unpacking libxtst6:amd64 (2:1.2.3-1) ...
Selecting previously unselected package openjdk-8-jre-headless:amd64.
Preparing to unpack .../18-openjdk-8-jre-headless_8u372-ga~us1-0ubuntu1~18.04_amd64.deb ...
Unpacking openjdk-8-jre-headless:amd64 (8u372-ga~us1-0ubuntu1~18.04) ...
Selecting previously unselected package ca-certificates-java.
Preparing to unpack .../19-ca-certificates-java_20180516ubuntu1~18.04.2_all.deb ...
Unpacking ca-certificates-java (20180516ubuntu1~18.04.2) ...
Selecting previously unselected package net-tools.
Preparing to unpack .../20-net-tools_1.60+git20161116.90da8a0-1ubuntu1_amd64.deb ...
Unpacking net-tools (1.60+git20161116.90da8a0-1ubuntu1) ...
Selecting previously unselected package puppet-agent.
Preparing to unpack .../21-puppet-agent_6.28.0-1bionic_amd64.deb ...
Unpacking puppet-agent (6.28.0-1bionic) ...
Selecting previously unselected package puppetserver.
Preparing to unpack .../22-puppetserver_6.20.0-1bionic_all.deb ...
Unpacking puppetserver (6.20.0-1bionic) ...
Setting up puppet-agent (6.28.0-1bionic) ...
Created symlink /etc/systemd/system/multi-user.target.wants/puppet.service → /lib/systemd/system/puppet.service.
Created symlink /etc/systemd/system/multi-user.target.wants/pxp-agent.service → /lib/systemd/system/pxp-agent.service.
Removed /etc/systemd/system/multi-user.target.wants/pxp-agent.service.
Setting up liblcms2-2:amd64 (2.9-1ubuntu0.1) ...
Setting up libpcsclite1:amd64 (1.8.23-1) ...
Setting up fonts-dejavu-core (2.37-1) ...
Setting up java-common (0.68ubuntu1~18.04.1) ...
Setting up libjpeg-turbo8:amd64 (1.5.2-0ubuntu5.18.04.6) ...
Setting up libnspr4:amd64 (2:4.18-1ubuntu1) ...
Setting up net-tools (1.60+git20161116.90da8a0-1ubuntu1) ...
Setting up x11-common (1:7.7+19ubuntu7.1) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Setting up libxcb1:amd64 (1.13-2~ubuntu18.04) ...
Setting up libx11-data (2:1.6.4-3ubuntu0.4) ...
Setting up libjpeg8:amd64 (8c-2ubuntu8) ...
Setting up fontconfig-config (2.12.6-0ubuntu2) ...
Setting up libx11-6:amd64 (2:1.6.4-3ubuntu0.4) ...
Setting up libnss3:amd64 (2:3.35-2ubuntu2.16) ...
Setting up libxrender1:amd64 (1:0.9.10-1) ...
Setting up libfontconfig1:amd64 (2.12.6-0ubuntu2) ...
Setting up libxext6:amd64 (2:1.3.3-1) ...
Setting up libxtst6:amd64 (2:1.2.3-1) ...
Setting up libxi6:amd64 (2:1.7.9-1) ...
Setting up openjdk-8-jre-headless:amd64 (8u372-ga~us1-0ubuntu1~18.04) ...
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/rmid to provide /usr/bin/rmid (rmid) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java to provide /usr/bin/java (java) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/keytool to provide /usr/bin/keytool (keytool) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/jjs to provide /usr/bin/jjs (jjs) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/pack200 to provide /usr/bin/pack200 (pack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/rmiregistry to provide /usr/bin/rmiregistry (rmiregistry) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/unpack200 to provide /usr/bin/unpack200 (unpack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/orbd to provide /usr/bin/orbd (orbd) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/servertool to provide /usr/bin/servertool (servertool) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/tnameserv to provide /usr/bin/tnameserv (tnameserv) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jexec to provide /usr/bin/jexec (jexec) in auto mode
Setting up ca-certificates-java (20180516ubuntu1~18.04.2) ...
head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory
Adding debian:Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
Adding debian:Comodo_AAA_Services_root.pem
Adding debian:Trustwave_Global_Certification_Authority.pem
Adding debian:Entrust_Root_Certification_Authority_-_EC1.pem
Adding debian:T-TeleSec_GlobalRoot_Class_3.pem
Adding debian:GlobalSign_Root_E46.pem
Adding debian:Certum_Trusted_Network_CA.pem
Adding debian:Atos_TrustedRoot_2011.pem
Adding debian:GlobalSign_Root_CA_-_R3.pem
Adding debian:GDCA_TrustAUTH_R5_ROOT.pem
Adding debian:IdenTrust_Commercial_Root_CA_1.pem
Adding debian:D-TRUST_Root_Class_3_CA_2_2009.pem
Adding debian:Go_Daddy_Root_Certificate_Authority_-_G2.pem
Adding debian:ISRG_Root_X1.pem
Adding debian:IdenTrust_Public_Sector_Root_CA_1.pem
Adding debian:COMODO_RSA_Certification_Authority.pem
Adding debian:E-Tugra_Certification_Authority.pem
Adding debian:AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
Adding debian:Certigna_Root_CA.pem
Adding debian:Certum_Trusted_Network_CA_2.pem
Adding debian:COMODO_Certification_Authority.pem
Adding debian:Security_Communication_RootCA2.pem
Adding debian:XRamp_Global_CA_Root.pem
Adding debian:certSIGN_ROOT_CA.pem
Adding debian:SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
Adding debian:OISTE_WISeKey_Global_Root_GB_CA.pem
Adding debian:Microsoft_RSA_Root_Certificate_Authority_2017.pem
Adding debian:GlobalSign_Root_CA_-_R2.pem
Adding debian:GlobalSign_ECC_Root_CA_-_R4.pem
Adding debian:Buypass_Class_2_Root_CA.pem
Adding debian:Hongkong_Post_Root_CA_3.pem
Adding debian:GTS_Root_R2.pem
Adding debian:emSign_Root_CA_-_C1.pem
Adding debian:TWCA_Global_Root_CA.pem
Adding debian:SecureTrust_CA.pem
Adding debian:SwissSign_Silver_CA_-_G2.pem
Adding debian:Baltimore_CyberTrust_Root.pem
Adding debian:QuoVadis_Root_CA_2.pem
Adding debian:emSign_Root_CA_-_G1.pem
Adding debian:Trustwave_Global_ECC_P384_Certification_Authority.pem
Adding debian:TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem
Adding debian:e-Szigno_Root_CA_2017.pem
Adding debian:DigiCert_Global_Root_G2.pem
Adding debian:GLOBALTRUST_2020.pem
Adding debian:AC_RAIZ_FNMT-RCM.pem
Adding debian:ACCVRAIZ1.pem
Adding debian:Entrust_Root_Certification_Authority_-_G4.pem
Adding debian:Amazon_Root_CA_2.pem
Adding debian:UCA_Extended_Validation_Root.pem
Adding debian:DigiCert_Global_Root_G3.pem
Adding debian:D-TRUST_Root_Class_3_CA_2_EV_2009.pem
Adding debian:DigiCert_Trusted_Root_G4.pem
Adding debian:TWCA_Root_Certification_Authority.pem
Adding debian:Entrust.net_Premium_2048_Secure_Server_CA.pem
Adding debian:NAVER_Global_Root_Certification_Authority.pem
Adding debian:Certigna.pem
Adding debian:ANF_Secure_Server_Root_CA.pem
Adding debian:DigiCert_Assured_ID_Root_G3.pem
Adding debian:Cybertrust_Global_Root.pem
Adding debian:Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
Adding debian:Starfield_Services_Root_Certificate_Authority_-_G2.pem
Adding debian:COMODO_ECC_Certification_Authority.pem
Adding debian:AffirmTrust_Premium_ECC.pem
Adding debian:NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem
Adding debian:Actalis_Authentication_Root_CA.pem
Adding debian:UCA_Global_G2_Root.pem
Adding debian:GlobalSign_Root_CA.pem
Adding debian:Buypass_Class_3_Root_CA.pem
Adding debian:SZAFIR_ROOT_CA2.pem
Adding debian:QuoVadis_Root_CA_3_G3.pem
Adding debian:EC-ACC.pem
Adding debian:GTS_Root_R4.pem
Adding debian:DigiCert_Global_Root_CA.pem
Adding debian:SwissSign_Gold_CA_-_G2.pem
Adding debian:Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
Adding debian:SSL.com_EV_Root_Certification_Authority_ECC.pem
Adding debian:Certum_Trusted_Root_CA.pem
Adding debian:Entrust_Root_Certification_Authority.pem
Adding debian:DigiCert_Assured_ID_Root_G2.pem
Adding debian:AffirmTrust_Commercial.pem
Adding debian:GlobalSign_Root_CA_-_R6.pem
Adding debian:Security_Communication_Root_CA.pem
Adding debian:Starfield_Class_2_CA.pem
Adding debian:USERTrust_RSA_Certification_Authority.pem
Adding debian:Trustwave_Global_ECC_P256_Certification_Authority.pem
Adding debian:QuoVadis_Root_CA_3.pem
Adding debian:TeliaSonera_Root_CA_v1.pem
Adding debian:Amazon_Root_CA_3.pem
Adding debian:Microsec_e-Szigno_Root_CA_2009.pem
Adding debian:SSL.com_Root_Certification_Authority_RSA.pem
Adding debian:Go_Daddy_Class_2_CA.pem
Adding debian:Starfield_Root_Certificate_Authority_-_G2.pem
Adding debian:CFCA_EV_ROOT.pem
Adding debian:Staat_der_Nederlanden_EV_Root_CA.pem
Adding debian:Secure_Global_CA.pem
Adding debian:GlobalSign_ECC_Root_CA_-_R5.pem
Adding debian:GTS_Root_R3.pem
Adding debian:ePKI_Root_Certification_Authority.pem
Adding debian:Hongkong_Post_Root_CA_1.pem
Adding debian:Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
Adding debian:AffirmTrust_Premium.pem
Adding debian:emSign_ECC_Root_CA_-_C3.pem
Adding debian:SSL.com_Root_Certification_Authority_ECC.pem
Adding debian:DigiCert_Assured_ID_Root_CA.pem
Adding debian:Izenpe.com.pem
Adding debian:Entrust_Root_Certification_Authority_-_G2.pem
Adding debian:Amazon_Root_CA_1.pem
Adding debian:QuoVadis_Root_CA_2_G3.pem
Adding debian:emSign_ECC_Root_CA_-_G3.pem
Adding debian:AffirmTrust_Networking.pem
Adding debian:Certum_EC-384_CA.pem
Adding debian:OISTE_WISeKey_Global_Root_GC_CA.pem
Adding debian:DigiCert_High_Assurance_EV_Root_CA.pem
Adding debian:GlobalSign_Root_R46.pem
Adding debian:Microsoft_ECC_Root_Certificate_Authority_2017.pem
Adding debian:Amazon_Root_CA_4.pem
Adding debian:Network_Solutions_Certificate_Authority.pem
Adding debian:CA_Disig_Root_R2.pem
Adding debian:QuoVadis_Root_CA_1_G3.pem
Adding debian:USERTrust_ECC_Certification_Authority.pem
Adding debian:GTS_Root_R1.pem
Adding debian:certSIGN_Root_CA_G2.pem
Adding debian:SecureSign_RootCA11.pem
Adding debian:T-TeleSec_GlobalRoot_Class_2.pem
done.
Setting up puppetserver (6.20.0-1bionic) ...
usermod: no changes
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for ca-certificates (20211016ubuntu0.18.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for libc-bin (2.27-3ubuntu1.6) ...
Processing triggers for systemd (237-3ubuntu10.57) ...
Symlink

```
root@vagrant:~# ln -s /opt/puppetlabs/bin/puppet /bin
root@vagrant:~# ln -s /opt/puppetlabs/server/bin/puppetserver /bin
```

Configuration

```
root@vagrant:~# cat /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code

[main]
dns_alt_names = puppet,puppet-master
server = puppet-master
```

Service Status

```
root@vagrant:~# systemctl start puppetserver
root@vagrant:~# systemctl enable puppetserver
Synchronizing state of puppetserver.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable puppetserver
root@vagrant:~# systemctl status puppetserver
● puppetserver.service - puppetserver Service
   Loaded: loaded (/lib/systemd/system/puppetserver.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-10-17 17:24:50 UTC; 12s ago
 Main PID: 13774 (java)
    Tasks: 47 (limit: 4915)
   CGroup: /system.slice/puppetserver.service
           └─13774 /usr/bin/java -Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger -XX:OnOutOfMemoryError=kill -9 %p -XX:ErrorFile=/var/log/puppetlabs/puppetser

Oct 17 17:24:31 vagrant systemd[1]: Starting puppetserver Service...
Oct 17 17:24:50 vagrant systemd[1]: Started puppetserver Service.
```

RamosFe (Member) commented Oct 17, 2023

🟢 2. Installing Puppet Agent - Server

Host configuration
root@vagrant:~# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       vagrant
192.168.56.4 server-1
192.168.56.10 puppet puppet-master


# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Dependencies installation
root@vagrant:~# apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]                    
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [83.3 kB]          
Get:5 http://security.ubuntu.com/ubuntu bionic-security/main i386 Packages [1,379 kB]
Get:6 http://archive.ubuntu.com/ubuntu bionic-updates/main i386 Packages [1,665 kB] 
Get:7 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [3,045 kB]
Get:8 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages [2,717 kB]
Get:9 http://archive.ubuntu.com/ubuntu bionic-updates/main Translation-en [553 kB]           
Get:10 http://archive.ubuntu.com/ubuntu bionic-updates/restricted i386 Packages [39.7 kB]    
Get:11 http://archive.ubuntu.com/ubuntu bionic-updates/restricted amd64 Packages [1,347 kB]  
Get:12 http://archive.ubuntu.com/ubuntu bionic-updates/restricted Translation-en [187 kB]  
Get:13 http://archive.ubuntu.com/ubuntu bionic-updates/universe i386 Packages [1,663 kB]     
Get:14 http://security.ubuntu.com/ubuntu bionic-security/main Translation-en [467 kB]      
Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [1,914 kB]    
Get:16 http://security.ubuntu.com/ubuntu bionic-security/restricted i386 Packages [33.0 kB]  
Get:17 http://security.ubuntu.com/ubuntu bionic-security/restricted amd64 Packages [1,317 kB]
Get:18 http://security.ubuntu.com/ubuntu bionic-security/restricted Translation-en [182 kB]  
Get:19 http://security.ubuntu.com/ubuntu bionic-security/universe i386 Packages [1,078 kB]   
Get:20 http://archive.ubuntu.com/ubuntu bionic-updates/universe Translation-en [421 kB]      
Get:21 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse i386 Packages [11.2 kB]    
Get:22 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 Packages [25.6 kB]
Get:23 http://archive.ubuntu.com/ubuntu bionic-backports/main amd64 Packages [53.3 kB]   
Get:24 http://archive.ubuntu.com/ubuntu bionic-backports/main i386 Packages [53.2 kB]    
Get:25 http://archive.ubuntu.com/ubuntu bionic-backports/universe amd64 Packages [18.2 kB]
Get:26 http://archive.ubuntu.com/ubuntu bionic-backports/universe i386 Packages [18.1 kB]
Get:27 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [1,303 kB]
Get:28 http://security.ubuntu.com/ubuntu bionic-security/universe Translation-en [308 kB]
Get:29 http://security.ubuntu.com/ubuntu bionic-security/multiverse i386 Packages [6,008 B]
Get:30 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 Packages [19.8 kB]
Fetched 20.1 MB in 5s (4,212 kB/s)                     
Reading package lists... Done
root@vagrant:~# apt-get install curl apt-transport-https lsb-release wget
Reading package lists... Done
Building dependency tree       
Reading state information... Done
lsb-release is already the newest version (9.20170808ubuntu1).
lsb-release set to manually installed.
wget is already the newest version (1.19.4-1ubuntu2.2).
The following additional packages will be installed:
  libcurl4 libnghttp2-14 librtmp1
The following NEW packages will be installed:
  apt-transport-https curl libcurl4 libnghttp2-14 librtmp1
0 upgraded, 5 newly installed, 0 to remove and 60 not upgraded.
Need to get 513 kB of archives.
After this operation, 1,553 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.17 [1,692 B]
Get:2 http://archive.ubuntu.com/ubuntu bionic/main amd64 libnghttp2-14 amd64 1.30.0-1ubuntu1 [77.8 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic/main amd64 librtmp1 amd64 2.4+20151223.gitfa8646d.1-1 [54.2 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libcurl4 amd64 7.58.0-2ubuntu3.24 [221 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 curl amd64 7.58.0-2ubuntu3.24 [159 kB]
Fetched 513 kB in 1s (397 kB/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 33405 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.6.17_all.deb ...
Unpacking apt-transport-https (1.6.17) ...
Selecting previously unselected package libnghttp2-14:amd64.
Preparing to unpack .../libnghttp2-14_1.30.0-1ubuntu1_amd64.deb ...
Unpacking libnghttp2-14:amd64 (1.30.0-1ubuntu1) ...
Selecting previously unselected package librtmp1:amd64.
Preparing to unpack .../librtmp1_2.4+20151223.gitfa8646d.1-1_amd64.deb ...
Unpacking librtmp1:amd64 (2.4+20151223.gitfa8646d.1-1) ...
Selecting previously unselected package libcurl4:amd64.
Preparing to unpack .../libcurl4_7.58.0-2ubuntu3.24_amd64.deb ...
Unpacking libcurl4:amd64 (7.58.0-2ubuntu3.24) ...
Selecting previously unselected package curl.
Preparing to unpack .../curl_7.58.0-2ubuntu3.24_amd64.deb ...
Unpacking curl (7.58.0-2ubuntu3.24) ...
Setting up apt-transport-https (1.6.17) ...
Setting up libnghttp2-14:amd64 (1.30.0-1ubuntu1) ...
Setting up librtmp1:amd64 (2.4+20151223.gitfa8646d.1-1) ...
Setting up libcurl4:amd64 (7.58.0-2ubuntu3.24) ...
Setting up curl (7.58.0-2ubuntu3.24) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1.6) ...
Puppet installation
root@vagrant:~# wget https://apt.puppet.com/puppet6-release-bionic.deb
--2023-10-17 16:44:38--  https://apt.puppet.com/puppet6-release-bionic.deb
Resolving apt.puppet.com (apt.puppet.com)... 18.65.48.3, 18.65.48.58, 18.65.48.121, ...
Connecting to apt.puppet.com (apt.puppet.com)|18.65.48.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11704 (11K) [application/x-debian-package]
Saving to: ‘puppet6-release-bionic.deb’

puppet6-release-bionic. 100%[=============================>]  11.43K  --.-KB/s    in 0.001s  

2023-10-17 16:44:38 (16.7 MB/s) - ‘puppet6-release-bionic.deb’ saved [11704/11704]

root@vagrant:~# dpkg -i puppet6-release-bionic.deb
Selecting previously unselected package puppet6-release.
(Reading database ... 33433 files and directories currently installed.)
Preparing to unpack puppet6-release-bionic.deb ...
Unpacking puppet6-release (6.0.0-23bionic) ...
Setting up puppet6-release (6.0.0-23bionic) ...

root@vagrant:~# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease                     
Get:5 http://apt.puppetlabs.com bionic InRelease [157 kB]       
Get:6 http://apt.puppetlabs.com bionic/puppet6 i386 Packages [29.5 kB]
Get:7 http://apt.puppetlabs.com bionic/puppet6 amd64 Packages [77.3 kB]
Get:8 http://apt.puppetlabs.com bionic/puppet6 all Packages [29.5 kB]
Fetched 293 kB in 4s (70.7 kB/s)
Reading package lists... Done


root@vagrant:~# apt-get install -y puppet-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  puppet-agent
0 upgraded, 1 newly installed, 0 to remove and 60 not upgraded.
Need to get 37.7 MB of archives.
After this operation, 141 MB of additional disk space will be used.
Get:1 http://apt.puppetlabs.com bionic/puppet6 amd64 puppet-agent amd64 6.28.0-1bionic [37.7 MB]
Fetched 37.7 MB in 1s (55.9 MB/s)       
Selecting previously unselected package puppet-agent.
(Reading database ... 33438 files and directories currently installed.)
Preparing to unpack .../puppet-agent_6.28.0-1bionic_amd64.deb ...
Unpacking puppet-agent (6.28.0-1bionic) ...
Setting up puppet-agent (6.28.0-1bionic) ...
Created symlink /etc/systemd/system/multi-user.target.wants/puppet.service → /lib/systemd/system/puppet.service.
Created symlink /etc/systemd/system/multi-user.target.wants/pxp-agent.service → /lib/systemd/system/pxp-agent.service.
Removed /etc/systemd/system/multi-user.target.wants/pxp-agent.service.
Processing triggers for libc-bin (2.27-3ubuntu1.6) ...
Symlink
ln -s /opt/puppetlabs/bin/puppet /bin
Configuration
root@vagrant:~# cat /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[main]
server = puppet-master
Service Status
root@vagrant:~# puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure   => 'running',
  enable   => 'true',
  provider => 'systemd',
}

root@vagrant:~# systemctl status puppet
● puppet.service - Puppet agent
   Loaded: loaded (/lib/systemd/system/puppet.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-10-17 16:47:10 UTC; 58s ago
 Main PID: 11674 (puppet)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/puppet.service
           └─11674 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --n

Oct 17 16:47:10 vagrant systemd[1]: Started Puppet agent.
Oct 17 16:47:11 vagrant puppet-agent[11674]: Starting Puppet client version 6.28.0

RamosFe (Member) commented Oct 17, 2023

🟢 3. Installing Puppet Agent - Agent

Host configuration
root@vagrant:~# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       vagrant
192.168.56.6 agent-1
192.168.56.10 puppet puppet-master

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Dependencies installation
root@vagrant:~# apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]           
Get:4 http://security.ubuntu.com/ubuntu bionic-security/main i386 Packages [1,379 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [83.3 kB]
Get:6 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [3,045 kB]
Get:7 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages [2,717 kB]
Get:8 http://security.ubuntu.com/ubuntu bionic-security/main Translation-en [467 kB]
Get:9 http://security.ubuntu.com/ubuntu bionic-security/restricted i386 Packages [33.0 kB]   
Get:10 http://security.ubuntu.com/ubuntu bionic-security/restricted amd64 Packages [1,317 kB]
Get:11 http://archive.ubuntu.com/ubuntu bionic-updates/main i386 Packages [1,665 kB]         
Get:12 http://security.ubuntu.com/ubuntu bionic-security/restricted Translation-en [182 kB]  
Get:13 http://security.ubuntu.com/ubuntu bionic-security/universe i386 Packages [1,078 kB]   
Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/main Translation-en [553 kB]       
Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/restricted i386 Packages [39.7 kB]    
Get:16 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [1,303 kB]
Get:17 http://archive.ubuntu.com/ubuntu bionic-updates/restricted amd64 Packages [1,347 kB]
Get:18 http://security.ubuntu.com/ubuntu bionic-security/universe Translation-en [308 kB] 
Get:19 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 Packages [19.8 kB] 
Get:20 http://archive.ubuntu.com/ubuntu bionic-updates/restricted Translation-en [187 kB]  
Get:21 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [1,914 kB]    
Get:22 http://archive.ubuntu.com/ubuntu bionic-updates/universe i386 Packages [1,663 kB]     
Get:23 http://security.ubuntu.com/ubuntu bionic-security/multiverse i386 Packages [6,008 B]  
Get:24 http://archive.ubuntu.com/ubuntu bionic-updates/universe Translation-en [421 kB]      
Get:25 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 Packages [25.6 kB]
Get:26 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse i386 Packages [11.2 kB]
Get:27 http://archive.ubuntu.com/ubuntu bionic-backports/main amd64 Packages [53.3 kB]
Get:28 http://archive.ubuntu.com/ubuntu bionic-backports/main i386 Packages [53.2 kB]
Get:29 http://archive.ubuntu.com/ubuntu bionic-backports/universe amd64 Packages [18.2 kB]
Get:30 http://archive.ubuntu.com/ubuntu bionic-backports/universe i386 Packages [18.1 kB]
Fetched 20.1 MB in 6s (3,461 kB/s)                      
Reading package lists... Done

root@vagrant:~# apt-get install curl apt-transport-https lsb-release wget
Reading package lists... Done
Building dependency tree       
Reading state information... Done
lsb-release is already the newest version (9.20170808ubuntu1).
lsb-release set to manually installed.
wget is already the newest version (1.19.4-1ubuntu2.2).
The following additional packages will be installed:
  libcurl4 libnghttp2-14 librtmp1
The following NEW packages will be installed:
  apt-transport-https curl libcurl4 libnghttp2-14 librtmp1
0 upgraded, 5 newly installed, 0 to remove and 60 not upgraded.
Need to get 513 kB of archives.
After this operation, 1,553 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.17 [1,692 B]
Get:2 http://archive.ubuntu.com/ubuntu bionic/main amd64 libnghttp2-14 amd64 1.30.0-1ubuntu1 [77.8 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic/main amd64 librtmp1 amd64 2.4+20151223.gitfa8646d.1-1 [54.2 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libcurl4 amd64 7.58.0-2ubuntu3.24 [221 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 curl amd64 7.58.0-2ubuntu3.24 [159 kB]
Fetched 513 kB in 1s (385 kB/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 33405 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.6.17_all.deb ...
Unpacking apt-transport-https (1.6.17) ...
Selecting previously unselected package libnghttp2-14:amd64.
Preparing to unpack .../libnghttp2-14_1.30.0-1ubuntu1_amd64.deb ...
Unpacking libnghttp2-14:amd64 (1.30.0-1ubuntu1) ...
Selecting previously unselected package librtmp1:amd64.
Preparing to unpack .../librtmp1_2.4+20151223.gitfa8646d.1-1_amd64.deb ...
Unpacking librtmp1:amd64 (2.4+20151223.gitfa8646d.1-1) ...
Selecting previously unselected package libcurl4:amd64.
Preparing to unpack .../libcurl4_7.58.0-2ubuntu3.24_amd64.deb ...
Unpacking libcurl4:amd64 (7.58.0-2ubuntu3.24) ...
Selecting previously unselected package curl.
Preparing to unpack .../curl_7.58.0-2ubuntu3.24_amd64.deb ...
Unpacking curl (7.58.0-2ubuntu3.24) ...
Setting up apt-transport-https (1.6.17) ...
Setting up libnghttp2-14:amd64 (1.30.0-1ubuntu1) ...
Setting up librtmp1:amd64 (2.4+20151223.gitfa8646d.1-1) ...
Setting up libcurl4:amd64 (7.58.0-2ubuntu3.24) ...
Setting up curl (7.58.0-2ubuntu3.24) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1.6) ...
Puppet installation
root@vagrant:~# wget https://apt.puppet.com/puppet6-release-bionic.deb
--2023-10-17 17:04:15--  https://apt.puppet.com/puppet6-release-bionic.deb
Resolving apt.puppet.com (apt.puppet.com)... 18.65.48.3, 18.65.48.58, 18.65.48.121, ...
Connecting to apt.puppet.com (apt.puppet.com)|18.65.48.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11704 (11K) [application/x-debian-package]
Saving to: ‘puppet6-release-bionic.deb’

puppet6-release-bionic. 100%[=============================>]  11.43K  --.-KB/s    in 0.004s  

2023-10-17 17:04:15 (2.93 MB/s) - ‘puppet6-release-bionic.deb’ saved [11704/11704]

root@vagrant:~# dpkg -i puppet6-release-bionic.deb
Selecting previously unselected package puppet6-release.
(Reading database ... 33433 files and directories currently installed.)
Preparing to unpack puppet6-release-bionic.deb ...
Unpacking puppet6-release (6.0.0-23bionic) ...
Setting up puppet6-release (6.0.0-23bionic) ...

root@vagrant:~# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease                               
Hit:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease                       
Hit:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease                    
Get:5 http://apt.puppetlabs.com bionic InRelease [157 kB]
Get:6 http://apt.puppetlabs.com bionic/puppet6 amd64 Packages [77.3 kB]
Get:7 http://apt.puppetlabs.com bionic/puppet6 all Packages [29.5 kB]
Get:8 http://apt.puppetlabs.com bionic/puppet6 i386 Packages [29.5 kB]
Fetched 293 kB in 3s (115 kB/s)
Reading package lists... Done

root@vagrant:~# apt-get install -y puppet-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  puppet-agent
0 upgraded, 1 newly installed, 0 to remove and 60 not upgraded.
Need to get 37.7 MB of archives.
After this operation, 141 MB of additional disk space will be used.
Get:1 http://apt.puppetlabs.com bionic/puppet6 amd64 puppet-agent amd64 6.28.0-1bionic [37.7 MB]
Fetched 37.7 MB in 1s (63.9 MB/s)       
Selecting previously unselected package puppet-agent.
(Reading database ... 33438 files and directories currently installed.)
Preparing to unpack .../puppet-agent_6.28.0-1bionic_amd64.deb ...
Unpacking puppet-agent (6.28.0-1bionic) ...
Setting up puppet-agent (6.28.0-1bionic) ...
Created symlink /etc/systemd/system/multi-user.target.wants/puppet.service → /lib/systemd/system/puppet.service.
Created symlink /etc/systemd/system/multi-user.target.wants/pxp-agent.service → /lib/systemd/system/pxp-agent.service.
Removed /etc/systemd/system/multi-user.target.wants/pxp-agent.service.
Processing triggers for libc-bin (2.27-3ubuntu1.6) ...
Symlink
ln -s /opt/puppetlabs/bin/puppet /bin
Configuration
root@vagrant:~# cat /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[main]
server = puppet-master
Service Status
root@vagrant:~# puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure   => 'running',
  enable   => 'true',
  provider => 'systemd',
}

root@vagrant:~# systemctl status puppet
● puppet.service - Puppet agent
   Loaded: loaded (/lib/systemd/system/puppet.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-10-17 17:07:00 UTC; 23s ago
 Main PID: 11708 (puppet)
    Tasks: 2 (limit: 2314)
   CGroup: /system.slice/puppet.service
           └─11708 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --n

Oct 17 17:07:00 vagrant systemd[1]: Started Puppet agent.
Oct 17 17:07:01 vagrant puppet-agent[11708]: Starting Puppet client version 6.28.0

RamosFe (Member) commented Oct 17, 2023

🟢 4. Puppet Certification

Generate Empty Certificate - Server
root@vagrant:~# puppet agent --test --verbose --certname server-1
Info: Creating a new RSA SSL key for server-1
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for server-1
Info: Certificate Request fingerprint (SHA256): B6:C3:06:7A:7A:AA:78:44:C0:FF:0F:33:D4:4D:7B:89:95:2E:5C:3E:F0:35:4F:F6:1F:A6:38:82:CC:F1:1F:77
Info: Certificate for server-1 has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (server-1).
Exiting now because the waitforcert setting is set to 0.
root@vagrant:~# puppet agent --test --verbose --certname server-1
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for server-1
Info: Certificate Request fingerprint (SHA256): B6:C3:06:7A:7A:AA:78:44:C0:FF:0F:33:D4:4D:7B:89:95:2E:5C:3E:F0:35:4F:F6:1F:A6:38:82:CC:F1:1F:77
Info: Downloaded certificate for server-1 from https://puppet-master:8140/puppet-ca/v1
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for server-1
Info: Applying configuration version '1697567532'
Notice: Applied catalog in 0.01 seconds
Generate Empty Certificate - Agent
root@vagrant:~# puppet agent --test --verbose --certname agent-1
Info: Creating a new RSA SSL key for agent-1
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent-1
Info: Certificate Request fingerprint (SHA256): E7:7C:77:95:55:A8:33:5D:7C:D5:12:9D:A8:F4:F8:47:6F:C4:D2:88:E3:AE:03:44:CE:DA:30:92:50:01:6C:F9
Info: Certificate for agent-1 has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (agent-1).
Exiting now because the waitforcert setting is set to 0.
root@vagrant:~# puppet agent --test --verbose --certname agent-1
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent-1
Info: Certificate Request fingerprint (SHA256): E7:7C:77:95:55:A8:33:5D:7C:D5:12:9D:A8:F4:F8:47:6F:C4:D2:88:E3:AE:03:44:CE:DA:30:92:50:01:6C:F9
Info: Downloaded certificate for agent-1 from https://puppet-master:8140/puppet-ca/v1
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for agent-1
Info: Applying configuration version '1697567527'
Notice: Applied catalog in 0.01 seconds
Sign Certificates - Puppet Master
root@vagrant:~# puppetserver ca list
Requested Certificates:
    agent-1        (SHA256)  E7:7C:77:95:55:A8:33:5D:7C:D5:12:9D:A8:F4:F8:47:6F:C4:D2:88:E3:AE:03:44:CE:DA:30:92:50:01:6C:F9
    server-1       (SHA256)  B6:C3:06:7A:7A:AA:78:44:C0:FF:0F:33:D4:4D:7B:89:95:2E:5C:3E:F0:35:4F:F6:1F:A6:38:82:CC:F1:1F:77
root@vagrant:~# puppetserver ca sign --all
Successfully signed certificate request for agent-1
Successfully signed certificate request for server-1
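The signing step above uses `puppetserver ca sign --all`, which signs every pending request regardless of who submitted it. The check a practitioner would want at this point is to compare the fingerprint the CA lists against the one each agent printed in its own `puppet agent --test` output (read out-of-band from the agent console) and sign only on a match. The script below is an added example, not part of RamosFe's comment or of the wazuh Puppet module: `PUPPET_CA_SIGN` is an assumed variable name that defaults to a dry run, the two fingerprints are copied from the step 4 output, and the sample `puppetserver ca list` text is constructed to mirror that output.

```sh
#!/bin/sh
# Added example, not part of the issue or the wazuh Puppet module.
# Instead of "puppetserver ca sign --all" (which signs every pending CSR,
# whoever submitted it), sign a CSR only if the SHA256 fingerprint the CA
# holds matches the one the agent printed in its own "puppet agent --test"
# output, which the operator reads out-of-band.

# PUPPET_CA_SIGN is an assumed name for this example. It defaults to a dry run;
# on the real CA host export PUPPET_CA_SIGN='puppetserver ca sign --certname'.
: "${PUPPET_CA_SIGN:=echo DRY-RUN:}"

# pending_fingerprint <ca-list-output> <certname>
# Prints the SHA256 fingerprint of the pending CSR for <certname>, or nothing
# if that certname has no pending request.
pending_fingerprint() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name && $2 == "(SHA256)" { print $3; exit }'
}

# sign_if_match <ca-list-output> <certname> <expected-fingerprint>
# Signs <certname> only when the pending fingerprint equals <expected-fingerprint>
# (hex case is ignored). Returns 1, without signing, on mismatch or missing CSR.
sign_if_match() {
    sim_list=$1; sim_name=$2; sim_expected=$3
    sim_actual=$(pending_fingerprint "$sim_list" "$sim_name")
    if [ -z "$sim_actual" ]; then
        echo "no pending CSR for $sim_name" >&2
        return 1
    fi
    # normalise hex case on both sides before comparing
    sim_actual=$(printf '%s' "$sim_actual" | tr 'a-f' 'A-F')
    sim_expected=$(printf '%s' "$sim_expected" | tr 'a-f' 'A-F')
    if [ "$sim_actual" != "$sim_expected" ]; then
        echo "fingerprint mismatch for $sim_name: agent printed $sim_expected, CA holds $sim_actual" >&2
        return 1
    fi
    # deliberate word splitting: PUPPET_CA_SIGN holds a command plus its flags
    $PUPPET_CA_SIGN "$sim_name"
}

# Constructed sample of "puppetserver ca list" output, carrying the two
# fingerprints shown in step 4 of the issue.
SAMPLE_LIST='Requested Certificates:
    agent-1        (SHA256)  E7:7C:77:95:55:A8:33:5D:7C:D5:12:9D:A8:F4:F8:47:6F:C4:D2:88:E3:AE:03:44:CE:DA:30:92:50:01:6C:F9
    server-1       (SHA256)  B6:C3:06:7A:7A:AA:78:44:C0:FF:0F:33:D4:4D:7B:89:95:2E:5C:3E:F0:35:4F:F6:1F:A6:38:82:CC:F1:1F:77'

# Demo: on the real CA replace $SAMPLE_LIST with "$(puppetserver ca list)" and
# paste the fingerprint from the agent's console as the third argument.
sign_if_match "$SAMPLE_LIST" server-1 \
    'B6:C3:06:7A:7A:AA:78:44:C0:FF:0F:33:D4:4D:7B:89:95:2E:5C:3E:F0:35:4F:F6:1F:A6:38:82:CC:F1:1F:77'
```

Run it once per agent with the fingerprint copied from that agent's `Certificate Request fingerprint (SHA256):` line; a CSR submitted under a known certname by a machine that is not the one you provisioned will have a different fingerprint and is left unsigned for manual inspection.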

RamosFe (Member) commented Oct 17, 2023

🟢 5. Wazuh Stack Installation

Module Installation
root@vagrant:~# puppet module install wazuh-wazuh-4.7.0.tar.gz
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ wazuh-wazuh (v4.7.0)
  ├── puppet-archive (v6.1.2)
  ├── puppet-nodejs (v7.0.1)
  ├── puppet-selinux (v3.4.1)
  ├── puppet-zypprepo (v4.0.1)
  ├── puppetlabs-apt (v7.7.1)
  ├── puppetlabs-concat (v6.4.0)
  ├── puppetlabs-firewall (v2.8.1)
  ├── puppetlabs-powershell (v4.1.0)
  └── puppetlabs-stdlib (v6.6.0)
Changes to module after installation
root@vagrant:~# cat /etc/puppetlabs/code/environments/production/modules/wazuh/manifests/repo.pp
# Copyright (C) 2015, Wazuh Inc.
# Wazuh repository installation
class wazuh::repo (
) {

  case $::osfamily {
    'Debian' : {
      if $::lsbdistcodename =~ /(jessie|wheezy|stretch|precise|trusty|vivid|wily|xenial|yakketi|groovy)/
      and ! defined(Package['apt-transport-https']) {
        ensure_packages(['apt-transport-https'], {'ensure' => 'present'})
      }
      # apt-key added by issue #34
      apt::key { 'wazuh':
        id     => '0DCFCA5547B19D2A6099506096B3EE5F29111145',
        source => 'https://packages.wazuh.com/key/GPG-KEY-WAZUH',
        server => 'pgp.mit.edu'
      }
      case $::lsbdistcodename {
        /(jessie|wheezy|stretch|buster|bullseye|bookworm|sid|precise|trusty|vivid|wily|xenial|yakketi|bionic|focal|groovy|jammy)/: {

          apt::source { 'wazuh':
            ensure   => present,
            comment  => 'This is the WAZUH Ubuntu repository',
            location => 'https://packages-dev.wazuh.com/pre-release/apt',
            release  => 'unstable',
            repos    => 'main',
            include  => {
              'src' => false,
              'deb' => true,
            },
          }
        }
        default: { fail('This ossec module has not been tested on your distribution (or lsb package not installed)') }
      }
    }
    'Linux', 'RedHat', 'Suse' : {
        case $::os[name] {
          /^(CentOS|RedHat|OracleLinux|Fedora|Amazon|AlmaLinux|Rocky|SLES)$/: {

            if ( $::operatingsystemrelease =~ /^5.*/ ) {
              $baseurl  = 'https://packages-dev.wazuh.com/pre-release/yum/5/'
              $gpgkey   = 'http://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
            } else {
              $baseurl  = 'https://packages-dev.wazuh.com/pre-release/yum'
              $gpgkey   = 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
            }
          }
          default: { fail('This ossec module has not been tested on your distribution.') }
        }
        # Set up OSSEC repo
        case $::os[name] {
          /^(CentOS|RedHat|OracleLinux|Fedora|Amazon|AlmaLinux)$/: {
            yumrepo { 'wazuh':
              descr    => 'WAZUH OSSEC Repository - www.wazuh.com',
              enabled  => true,
              gpgcheck => 1,
              gpgkey   => $gpgkey,
              baseurl  => $baseurl
            }
          }
          /^(SLES)$/: {
            zypprepo { 'wazuh':
              ensure        => present,
              name          => 'WAZUH OSSEC Repository - www.wazuh.com',
              enabled       => 1,
              gpgcheck      => 0,
              repo_gpgcheck => 0,
              pkg_gpgcheck  => 0,
              gpgkey        => $gpgkey,
              baseurl       => $baseurl
            }
          }
        }
    }
  }
}


root@vagrant:~# cat /etc/puppetlabs/code/environments/production/modules/wazuh/manifests/certificates.pp
# Copyright (C) 2015, Wazuh Inc.
# Wazuh repository installation
class wazuh::certificates (
  $wazuh_repository = 'packages-dev.wazuh.com',
  $wazuh_version = '4.7',
) {
  file { 'Configure Wazuh Certificates config.yml':
    owner   => 'root',
    path    => '/tmp/config.yml',
    group   => 'root',
    mode    => '0640',
    content => template('wazuh/wazuh_config_yml.erb'),
  }

  file { '/tmp/wazuh-certs-tool.sh':
    ensure => file,
    source => "https://${wazuh_repository}/${wazuh_version}/wazuh-certs-tool.sh",
    owner  => 'root',
    group  => 'root',
    mode   => '0740',
  }

  exec { 'Create Wazuh Certificates':
    path    => '/usr/bin:/bin',
    command => 'bash /tmp/wazuh-certs-tool.sh --all',
    creates => '/tmp/wazuh-certificates',
    require => [
      File['/tmp/wazuh-certs-tool.sh'],
      File['/tmp/config.yml'],
    ],
  }
}
Manifest
root@vagrant:~# cat /etc/puppetlabs/code/environments/production/manifests/stack.pp
node "server-1" {
 class { 'wazuh::manager':
 }
 class { 'wazuh::indexer':
 }
 class { 'wazuh::filebeat_oss':
 }
 class { 'wazuh::dashboard':
 }
}
Installation in Puppet Agent - Server
root@vagrant:~# puppet agent --test --verbose --certname server-1
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for server-1
Info: Applying configuration version '1697570029'
Notice: /Stage[main]/Wazuh::Certificates/File[/tmp/wazuh-certs-tool.sh]/ensure: defined content as '{mtime}2023-10-16 09:27:54 UTC'
Notice: /Stage[main]/Wazuh::Certificates/Exec[Create Wazuh Certificates]/returns: executed successfully
Notice: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]/ensure: created
Info: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /etc/wazuh-indexer]
Info: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /usr/share/wazuh-indexer]
Info: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /var/lib/wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Exec[ensure full path of /etc/wazuh-indexer/certs]/returns: executed successfully
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/owner: owner changed 'root' to 'wazuh-indexer'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/group: group changed 'root' to 'wazuh-indexer'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/mode: mode changed '0755' to '0500'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer.pem]/ensure: defined content as '{md5}dee0f8f223c0eda0ccdc1182f66c5c3a'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer-key.pem]/ensure: defined content as '{md5}b71a0224e8add59085bb130697a60dcf'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/root-ca.pem]/ensure: defined content as '{md5}bc966cc9ea1c233e3b88d52ff5e62320'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin.pem]/ensure: defined content as '{md5}f3ebf59d86803d743c7e6c575a10d4ab'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin-key.pem]/ensure: defined content as '{md5}3e960ad801c44ea38d5fe1d6a9546361'
Notice: /Stage[main]/Wazuh::Indexer/File[configuration file]/content: 
--- /etc/wazuh-indexer/opensearch.yml	2023-10-16 07:52:51.000000000 +0000
+++ /tmp/puppet-file20231017-26665-1inc3tm	2023-10-17 19:15:19.954221094 +0000
@@ -2,16 +2,10 @@
 node.name: "node-1"
 cluster.initial_master_nodes:
 - "node-1"
-#- "node-2"
-#- "node-3"
 cluster.name: "wazuh-cluster"
-#discovery.seed_hosts:
-#  - "node-1-ip"
-#  - "node-2-ip"
-#  - "node-3-ip"
-node.max_local_storage_nodes: "3"
-path.data: /var/lib/wazuh-indexer
-path.logs: /var/log/wazuh-indexer
+node.max_local_storage_nodes: "1"
+path.data: "/var/lib/wazuh-indexer"
+path.logs: "/var/log/wazuh-indexer"
 
 plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
 plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
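Review bot: dropping `discovery.seed_hosts` while keeping `cluster.initial_master_nodes` with only `node-1` ties the rendered opensearch.yml to a one-node cluster; if `wazuh::indexer` is meant to cover the node-2/node-3 layout the packaged file sketches in its comments, the template should render `discovery.seed_hosts` and the extra `cluster.initial_master_nodes` entries from class parameters instead of removing them. The quoting changes on `path.data`/`path.logs` and `node.max_local_storage_nodes: "1"` are harmless YAML but worth a comment in the template so the next diff against the package is easier to read.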
@@ -29,14 +23,12 @@
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.nodes_dn:
 - "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
-#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
-#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
 plugins.security.restapi.roles_enabled:
 - "all_access"
 - "security_rest_api_access"
 
 plugins.security.system_indices.enabled: true
-plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
 
 ### Option to allow Filebeat-oss 7.10.2 to work ###
-compatibility.override_main_response_version: true
\ No newline at end of file
+compatibility.override_main_response_version: true
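Review bot: the `plugins.security.system_indices.indices` list rendered by the template is older than the packaged one: it drops `.plugins-ml-model`, `.plugins-ml-task`, `.opensearch-notifications-*` and `.opensearch-notebooks`, and brings back the legacy `.opendistro-notifications-*` and `.opendistro-notebooks` names. This list is what the security plugin uses to keep ordinary users out of system indices, so the template should carry the list the 4.7.0 package ships (or the union of both) rather than narrowing protection on every Puppet run; the trailing-newline fix at the end of the hunk is fine.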

Info: Computing checksum on file /etc/wazuh-indexer/opensearch.yml
Info: /Stage[main]/Wazuh::Indexer/File[configuration file]: Filebucketed /etc/wazuh-indexer/opensearch.yml to puppet with sum 9ee953958f2ca5d4b7753673aec33d42
Notice: /Stage[main]/Wazuh::Indexer/File[configuration file]/content: content changed '{md5}9ee953958f2ca5d4b7753673aec33d42' to '{md5}e7ccb3255cc6687a06c277be3fc7c239'
Info: /Stage[main]/Wazuh::Indexer/File[configuration file]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits nofile for wazuh-indexer]/ensure: created
Info: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits nofile for wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits memlock for wazuh-indexer]/ensure: created
Info: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits memlock for wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Triggered 'refresh' from 1 event
Info: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Triggered 'refresh' from 1 event
Info: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Triggered 'refresh' from 1 event
Info: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Service[wazuh-indexer]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Wazuh::Indexer/Service[wazuh-indexer]: Unscheduling refresh on Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Exec[Initialize the Opensearch security index in Wazuh indexer]/returns: executed successfully
Error: /Stage[main]/Wazuh::Filebeat_oss/Exec[cleanup /etc/filebeat/wazuh-template.json]: Could not evaluate: Could not find command '/bin/curl'
Notice: /Stage[main]/Wazuh::Dashboard/Package[wazuh-dashboard]/ensure: created
Notice: /Stage[main]/Wazuh::Dashboard/Exec[ensure full path of /etc/wazuh-dashboard/certs]/returns: executed successfully
Notice: /Stage[main]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs]/owner: owner changed 'root' to 'wazuh-dashboard'
Notice: /Stage[main]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs]/group: group changed 'root' to 'wazuh-dashboard'
Notice: /Stage[main]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs]/mode: mode changed '0755' to '0500'
Notice: /Stage[main]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/dashboard.pem]/ensure: defined content as '{md5}104dc5b0393608d67f37c0071f8e52e5'
Notice: /Stage[main]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/dashboard-key.pem]/ensure: defined content as '{md5}665c9710fcbe41bc34e1571c7081af92'
Notice: /Stage[main]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/root-ca.pem]/ensure: defined content as '{md5}bc966cc9ea1c233e3b88d52ff5e62320'
Notice: /Stage[main]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]/content: 
--- /etc/wazuh-dashboard/opensearch_dashboards.yml	2023-10-16 10:20:24.000000000 +0000
+++ /tmp/puppet-file20231017-26665-p2g055	2023-10-17 19:17:24.114221094 +0000
@@ -2,9 +2,9 @@
 server.port: 443
 opensearch.hosts: https://localhost:9200
 opensearch.ssl.verificationMode: certificate
-#opensearch.username:
-#opensearch.password:
-opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
+opensearch.username: kibanaserver
+opensearch.password: kibanaserver
+opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
 opensearch_security.multitenancy.enabled: false
 opensearch_security.readonly_mode.roles: ["kibana_read_only"]
 server.ssl.enabled: true
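Review bot: `opensearch.username: kibanaserver` / `opensearch.password: kibanaserver` writes the default dashboard service account in clear text into opensearch_dashboards.yml, so every dashboard this module deploys authenticates to the indexer with a well-known password unless the test rotates it afterwards; `wazuh::dashboard` should take both values from class parameters and the E2E run should confirm they were changed with the passwords tool. The same hunk also replaces the packaged `opensearch.requestHeadersAllowlist` key with the older `opensearch.requestHeadersWhitelist` spelling; keep the key name the package ships so the template and the package stay aligned.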
@@ -12,4 +12,3 @@
 server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
 opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
 uiSettings.overrides.defaultRoute: /app/wazuh
-

Info: Computing checksum on file /etc/wazuh-dashboard/opensearch_dashboards.yml
Info: /Stage[main]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]: Filebucketed /etc/wazuh-dashboard/opensearch_dashboards.yml to puppet with sum 7f4b966bc7374b2bc87dd8fb58a42b73
Notice: /Stage[main]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]/content: content changed '{md5}7f4b966bc7374b2bc87dd8fb58a42b73' to '{md5}c6e0540351c991aee8ab0fea0f609e0a'
Info: /Stage[main]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]: Scheduling refresh of Service[wazuh-dashboard]
Notice: /Stage[main]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/]/ensure: created
Notice: /Stage[main]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config]/ensure: created
Notice: /Stage[main]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml]/ensure: defined content as '{md5}f43e7625cbfa0535f5625de74ec2a2ea'
Info: /Stage[main]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml]: Scheduling refresh of Service[wazuh-dashboard]
Notice: /Stage[main]/Wazuh::Dashboard/Service[wazuh-dashboard]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Wazuh::Dashboard/Service[wazuh-dashboard]: Unscheduling refresh on Service[wazuh-dashboard]
Notice: /Stage[main]/Wazuh::Filebeat_oss/Package[filebeat]/ensure: created
Notice: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]/content: 
--- /etc/filebeat/filebeat.yml	2021-01-12 22:10:03.000000000 +0000
+++ /tmp/puppet-file20231017-26665-1sh6ggq	2023-10-17 19:17:33.734221094 +0000
@@ -1,270 +1,34 @@
-###################### Filebeat Configuration Example #########################
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
 
-# This file is an example configuration file highlighting only the most common
-# options. The filebeat.reference.yml file from the same directory contains all the
-# supported options with more comments. You can use it as a reference.
-#
-# You can find the full configuration reference here:
-# https://www.elastic.co/guide/en/beats/filebeat/index.html
-
-# For more available modules and options, please see the filebeat.reference.yml sample
-# configuration file.
-
-# ============================== Filebeat inputs ===============================
-
-filebeat.inputs:
-
-# Each - is an input. Most options can be set at the input level, so
-# you can use different inputs for various configurations.
-# Below are the input specific configurations.
-
-- type: log
-
-  # Change to true to enable this input configuration.
-  enabled: false
-
-  # Paths that should be crawled and fetched. Glob based paths.
-  paths:
-    - /var/log/*.log
-    #- c:\programdata\elasticsearch\logs\*
-
-  # Exclude lines. A list of regular expressions to match. It drops the lines that are
-  # matching any regular expression from the list.
-  #exclude_lines: ['^DBG']
-
-  # Include lines. A list of regular expressions to match. It exports the lines that are
-  # matching any regular expression from the list.
-  #include_lines: ['^ERR', '^WARN']
-
-  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
-  # are matching any regular expression from the list. By default, no files are dropped.
-  #exclude_files: ['.gz$']
-
-  # Optional additional fields. These fields can be freely picked
-  # to add additional information to the crawled log files for filtering
-  #fields:
-  #  level: debug
-  #  review: 1
-
-  ### Multiline options
-
-  # Multiline can be used for log messages spanning multiple lines. This is common
-  # for Java Stack Traces or C-Line Continuation
-
-  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
-  #multiline.pattern: ^\[
-
-  # Defines if the pattern set under pattern should be negated or not. Default is false.
-  #multiline.negate: false
-
-  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
-  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
-  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
-  #multiline.match: after
-
-# filestream is an experimental input. It is going to replace log input in the future.
-- type: filestream
-
-  # Change to true to enable this input configuration.
-  enabled: false
-
-  # Paths that should be crawled and fetched. Glob based paths.
-  paths:
-    - /var/log/*.log
-    #- c:\programdata\elasticsearch\logs\*
-
-  # Exclude lines. A list of regular expressions to match. It drops the lines that are
-  # matching any regular expression from the list.
-  #exclude_lines: ['^DBG']
-
-  # Include lines. A list of regular expressions to match. It exports the lines that are
-  # matching any regular expression from the list.
-  #include_lines: ['^ERR', '^WARN']
-
-  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
-  # are matching any regular expression from the list. By default, no files are dropped.
-  #prospector.scanner.exclude_files: ['.gz$']
-
-  # Optional additional fields. These fields can be freely picked
-  # to add additional information to the crawled log files for filtering
-  #fields:
-  #  level: debug
-  #  review: 1
-
-# ============================== Filebeat modules ==============================
-
-filebeat.config.modules:
-  # Glob pattern for configuration loading
-  path: ${path.config}/modules.d/*.yml
-
-  # Set to true to enable config reloading
-  reload.enabled: false
-
-  # Period on which files under path should be checked for changes
-  #reload.period: 10s
-
-# ======================= Elasticsearch template setting =======================
-
-setup.template.settings:
-  index.number_of_shards: 1
-  #index.codec: best_compression
-  #_source.enabled: false
-
-
-# ================================== General ===================================
-
-# The name of the shipper that publishes the network data. It can be used to group
-# all the transactions sent by a single shipper in the web interface.
-#name:
-
-# The tags of the shipper are included in their own field with each
-# transaction published.
-#tags: ["service-X", "web-tier"]
-
-# Optional fields that you can specify to add additional information to the
-# output.
-#fields:
-#  env: staging
-
-# ================================= Dashboards =================================
-# These settings control loading the sample dashboards to the Kibana index. Loading
-# the dashboards is disabled by default and can be enabled either by setting the
-# options here or by using the `setup` command.
-#setup.dashboards.enabled: false
-
-# The URL from where to download the dashboards archive. By default this URL
-# has a value which is computed based on the Beat name and version. For released
-# versions, this URL points to the dashboard archive on the artifacts.elastic.co
-# website.
-#setup.dashboards.url:
-
-# =================================== Kibana ===================================
-
-# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
-# This requires a Kibana endpoint configuration.
-setup.kibana:
-
-  # Kibana Host
-  # Scheme and port can be left out and will be set to the default (http and 5601)
-  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
-  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
-  #host: "localhost:5601"
-
-  # Kibana Space ID
-  # ID of the Kibana Space into which the dashboards should be loaded. By default,
-  # the Default Space will be used.
-  #space.id:
-
-# =============================== Elastic Cloud ================================
-
-# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).
-
-# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
-# `setup.kibana.host` options.
-# You can find the `cloud.id` in the Elastic Cloud web UI.
-#cloud.id:
-
-# The cloud.auth setting overwrites the `output.elasticsearch.username` and
-# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
-#cloud.auth:
-
-# ================================== Outputs ===================================
-
-# Configure what output to use when sending the data collected by the beat.
-
-# ---------------------------- Elasticsearch Output ----------------------------
+# Send events directly to Indexer
 output.elasticsearch:
-  # Array of hosts to connect to.
-  hosts: ["localhost:9200"]
-
-  # Protocol - either `http` (default) or `https`.
-  #protocol: "https"
-
-  # Authentication credentials - either API key or username/password.
-  #api_key: "id:api_key"
-  #username: "elastic"
-  #password: "changeme"
-
-# ------------------------------ Logstash Output -------------------------------
-#output.logstash:
-  # The Logstash hosts
-  #hosts: ["localhost:5044"]
-
-  # Optional SSL. By default is off.
-  # List of root certificates for HTTPS server verifications
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-
-  # Certificate for SSL client authentication
-  #ssl.certificate: "/etc/pki/client/cert.pem"
-
-  # Client Certificate Key
-  #ssl.key: "/etc/pki/client/cert.key"
-
-# ================================= Processors =================================
-processors:
-  - add_host_metadata:
-      when.not.contains.tags: forwarded
-  - add_cloud_metadata: ~
-  - add_docker_metadata: ~
-  - add_kubernetes_metadata: ~
-
-# ================================== Logging ===================================
-
-# Sets log level. The default log level is info.
-# Available log levels are: error, warning, info, debug
-#logging.level: debug
-
-# At debug level, you can selectively enable logging only for some components.
-# To enable all selectors use ["*"]. Examples of other selectors are "beat",
-# "publish", "service".
-#logging.selectors: ["*"]
-
-# ============================= X-Pack Monitoring ==============================
-# Filebeat can export internal metrics to a central Elasticsearch monitoring
-# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
-# reporting is disabled by default.
-
-# Set to true to enable the monitoring reporter.
-#monitoring.enabled: false
-
-# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
-# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
-# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
-#monitoring.cluster_uuid:
-
-# Uncomment to send the metrics to Elasticsearch. Most settings from the
-# Elasticsearch output are accepted here as well.
-# Note that the settings should point to your Elasticsearch *monitoring* cluster.
-# Any setting that is not set is automatically inherited from the Elasticsearch
-# output configuration, so if you have the Elasticsearch output configured such
-# that it is pointing to your Elasticsearch monitoring cluster, you can simply
-# uncomment the following line.
-#monitoring.elasticsearch:
-
-# ============================== Instrumentation ===============================
-
-# Instrumentation support for the filebeat.
-#instrumentation:
-    # Set to true to enable instrumentation of filebeat.
-    #enabled: false
-
-    # Environment in which filebeat is running on (eg: staging, production, etc.)
-    #environment: ""
-
-    # APM Server hosts to report instrumentation results to.
-    #hosts:
-    #  - http://localhost:8200
-
-    # API Key for the APM Server(s).
-    # If api_key is set then secret_token will be ignored.
-    #api_key:
-
-    # Secret token for the APM Server(s).
-    #secret_token:
-
-
-# ================================= Migration ==================================
-
-# This allows to enable 6.7 migration aliases
-#migration.6_to_7.enabled: true
-
+  hosts: ["https://127.0.0.1:9200"]
+  username: admin
+  password: admin
+  protocol: https
+  ssl.certificate_authorities:
+    - /etc/filebeat/certs/root-ca.pem
+  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
+  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
+
+setup.ilm.enabled: false
+
+logging.metrics.enabled: false
+
+seccomp:
+  default_action: allow
+  syscalls:
+  - action: allow
+    names:
+    - rseq
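Review bot: `username: admin` / `password: admin` under `output.elasticsearch` renders the indexer's default administrative account into /etc/filebeat/filebeat.yml, and the mode notice right after this diff shows the same run relaxing the file from 0600 to 0640. Filebeat only needs to write the wazuh-alerts indices, so `wazuh::filebeat_oss` should expose the user and password as class parameters (or read them from the Filebeat keystore) instead of rendering `admin`/`admin`, and should leave the file at 0600. Minor: `protocol: https` is redundant with the `https://` scheme already given in `hosts`, and the `seccomp` stanza that allows `rseq` deserves a comment in the template saying why it is needed.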

Info: Computing checksum on file /etc/filebeat/filebeat.yml
Info: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]: Filebucketed /etc/filebeat/filebeat.yml to puppet with sum ac228ab765a77b7a76c26d47bbc25dd4
Notice: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]/content: content changed '{md5}ac228ab765a77b7a76c26d47bbc25dd4' to '{md5}4106c03a28e1626a91a995455bd4aaeb'
Notice: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]/mode: mode changed '0600' to '0640'
Info: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]: Scheduling refresh of Service[filebeat]
Info: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/filebeat.yml]: Scheduling refresh of Service[filebeat]
Notice: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/wazuh-template.json]: Dependency Exec[cleanup /etc/filebeat/wazuh-template.json] has failures: true
Warning: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/wazuh-template.json]: Skipping because of failed dependencies
Notice: /Stage[main]/Wazuh::Filebeat_oss/Archive[/tmp/wazuh-filebeat-0.2.tar.gz]/ensure: download archive from https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz to /tmp/wazuh-filebeat-0.2.tar.gz and extracted in /usr/share/filebeat/module with cleanup
Info: /Stage[main]/Wazuh::Filebeat_oss/Archive[/tmp/wazuh-filebeat-0.2.tar.gz]: Scheduling refresh of Service[filebeat]
Notice: /Stage[main]/Wazuh::Filebeat_oss/Exec[ensure full path of /etc/filebeat/certs]/returns: executed successfully
Notice: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/certs]/mode: mode changed '0755' to '0500'
Notice: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/certs/filebeat.pem]/ensure: defined content as '{md5}0740f2a87a643a8e1fb3ae729d4a323e'
Notice: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/certs/filebeat-key.pem]/ensure: defined content as '{md5}8dd5dbfa48f43b7f4869a154e65b850f'
Notice: /Stage[main]/Wazuh::Filebeat_oss/File[/etc/filebeat/certs/root-ca.pem]/ensure: defined content as '{md5}bc966cc9ea1c233e3b88d52ff5e62320'
Warning: /Stage[main]/Wazuh::Filebeat_oss/Service[filebeat]: Skipping because of failed dependencies
Info: /Stage[main]/Wazuh::Filebeat_oss/Service[filebeat]: Unscheduling all events on Service[filebeat]
Info: Class[Wazuh::Filebeat_oss]: Unscheduling all events on Class[Wazuh::Filebeat_oss]
Info: Stage[main]: Unscheduling all events on Stage[main]
Notice: Applied catalog in 222.36 seconds
Wazuh Dashboard Status
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-10-17 19:17:24 UTC; 3min 55s ago
 Main PID: 27781 (node)
    Tasks: 11 (limit: 4915)
   CGroup: /system.slice/wazuh-dashboard.service
           └─27781 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

Oct 17 19:17:28 vagrant opensearch-dashboards[27781]: {"type":"log","@timestamp":"2023-10-17T19:17:28Z","tags":["info","savedobjects-service"],"pid":27781,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
Oct 17 19:17:29 vagrant opensearch-dashboards[27781]: {"type":"log","@timestamp":"2023-10-17T19:17:29Z","tags":["info","savedobjects-service"],"pid":27781,"message":"Starting saved objects migrations"}
Oct 17 19:17:29 vagrant opensearch-dashboards[27781]: {"type":"log","@timestamp":"2023-10-17T19:17:29Z","tags":["info","savedobjects-service"],"pid":27781,"message":"Creating index .kibana_1."}
Oct 17 19:17:29 vagrant opensearch-dashboards[27781]: {"type":"log","@timestamp":"2023-10-17T19:17:29Z","tags":["info","savedobjects-service"],"pid":27781,"message":"Pointing alias .kibana to .kibana_1."}
Oct 17 19:17:29 vagrant opensearch-dashboards[27781]: {"type":"log","@timestamp":"2023-10-17T19:17:29Z","tags":["info","savedobjects-service"],"pid":27781,"message":"Finished in 422ms."}
Oct 17 19:17:29 vagrant opensearch-dashboards[27781]: {"type":"log","@timestamp":"2023-10-17T19:17:29Z","tags":["info","plugins-system"],"pid":27781,"message":"Starting [44] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,notificationsDashboards,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuh,bfetch]"}
Oct 17 19:17:30 vagrant opensearch-dashboards[27781]: {"type":"log","@timestamp":"2023-10-17T19:17:30Z","tags":["listening","info"],"pid":27781,"message":"Server running at https://0.0.0.0:443"}
Oct 17 19:17:30 vagrant opensearch-dashboards[27781]: {"type":"log","@timestamp":"2023-10-17T19:17:30Z","tags":["info","http","server","OpenSearchDashboards"],"pid":27781,"message":"http server running at https://0.0.0.0:443"}
Oct 17 19:17:30 vagrant opensearch-dashboards[27781]: {"type":"log","@timestamp":"2023-10-17T19:17:30Z","tags":["error","opensearch","data"],"pid":27781,"message":"[ResponseError]: Response Error"}
Oct 17 19:17:30 vagrant opensearch-dashboards[27781]: {"type":"log","@timestamp":"2023-10-17T19:17:30Z","tags":["error","opensearch","data"],"pid":27781,"message":"[ResponseError]: Response Error"}
Wazuh Index Status
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-10-17 19:15:33 UTC; 6min ago
     Docs: https://documentation.wazuh.com
 Main PID: 27258 (java)
    Tasks: 59 (limit: 4915)
   CGroup: /system.slice/wazuh-indexer.service
           └─27258 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms1g -Xmx1g -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-4512946847237428655 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opendistro-performance-analyzer/pa_config/es_security.policy -XX:MaxDirectMemorySize=536870912 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

Oct 17 19:15:20 vagrant systemd[1]: Starting Wazuh-indexer...
Oct 17 19:15:22 vagrant systemd-entrypoint[27258]: WARNING: A terminally deprecated method in java.lang.System has been called
Oct 17 19:15:22 vagrant systemd-entrypoint[27258]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
Oct 17 19:15:22 vagrant systemd-entrypoint[27258]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Oct 17 19:15:22 vagrant systemd-entrypoint[27258]: WARNING: System::setSecurityManager will be removed in a future release
Oct 17 19:15:23 vagrant systemd-entrypoint[27258]: WARNING: A terminally deprecated method in java.lang.System has been called
Oct 17 19:15:23 vagrant systemd-entrypoint[27258]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
Oct 17 19:15:23 vagrant systemd-entrypoint[27258]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Oct 17 19:15:23 vagrant systemd-entrypoint[27258]: WARNING: System::setSecurityManager will be removed in a future release
Oct 17 19:15:33 vagrant systemd[1]: Started Wazuh-indexer.
Wazuh Manager Status
root@vagrant:~# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-10-17 19:06:49 UTC; 12min ago
    Tasks: 121 (limit: 4915)
   CGroup: /system.slice/wazuh-manager.service
           ├─25104 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─25144 /var/ossec/bin/wazuh-authd
           ├─25159 /var/ossec/bin/wazuh-db
           ├─25183 /var/ossec/bin/wazuh-execd
           ├─25194 /var/ossec/bin/wazuh-analysisd
           ├─25203 /var/ossec/bin/wazuh-syscheckd
           ├─25217 /var/ossec/bin/wazuh-remoted
           ├─25281 /var/ossec/bin/wazuh-logcollector
           ├─25299 /var/ossec/bin/wazuh-monitord
           ├─25308 /var/ossec/bin/wazuh-modulesd
           ├─25397 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─25400 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           └─25403 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py

Oct 17 19:06:45 vagrant env[25048]: Started wazuh-db...
Oct 17 19:06:45 vagrant env[25048]: Started wazuh-execd...
Oct 17 19:06:45 vagrant env[25048]: Started wazuh-analysisd...
Oct 17 19:06:45 vagrant env[25048]: Started wazuh-syscheckd...
Oct 17 19:06:46 vagrant env[25048]: Started wazuh-remoted...
Oct 17 19:06:47 vagrant env[25048]: Started wazuh-logcollector...
Oct 17 19:06:47 vagrant env[25048]: Started wazuh-monitord...
Oct 17 19:06:47 vagrant env[25048]: Started wazuh-modulesd...
Oct 17 19:06:49 vagrant env[25048]: Completed.
Oct 17 19:06:49 vagrant systemd[1]: Started Wazuh manager.
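A post-apply check that a tester would want after a run like the one above, added here as an example (it is not code from this issue or from the wazuh-puppet module). It audits the rendered config files for the two default accounts the Puppet diffs write (`admin`/`admin` in filebeat.yml, `kibanaserver`/`kibanaserver` in opensearch_dashboards.yml) and for any "other" permission bits on a file holding credentials. The sample files built by `make_samples` are constructed for the demo; the user name `filebeat-writer` in the hardened sample is hypothetical.

```shell
#!/bin/sh
# Post-apply audit of the config files Puppet rendered in the run above.
# Example code for this issue, not part of the wazuh-puppet module.

# Print one line per finding for FILE, then the number of findings on the last line.
audit_config() {
    file=$1
    findings=0
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        echo 1
        return 0
    fi
    # Default accounts rendered verbatim by the templates in the run above.
    for pair in 'username: admin' 'password: admin' \
                'opensearch.username: kibanaserver' 'opensearch.password: kibanaserver'; do
        if grep -Eq "^[[:space:]]*${pair}[[:space:]]*$" "$file"; then
            echo "DEFAULT-CRED $file: $pair"
            findings=$((findings + 1))
        fi
    done
    # Octal mode such as 640; the last digit is the "other" class.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        *0) ;;
        *) echo "WORLD-ACCESSIBLE $file: mode $mode"; findings=$((findings + 1)) ;;
    esac
    echo "$findings"
}

# Only the findings count, for use in other scripts.
count_findings() {
    audit_config "$1" | tail -n 1
}

# Constructed sample files under DIR so the audit can be exercised offline.
make_samples() {
    dir=$1
    # As rendered by the run above: default indexer admin account, world-readable.
    printf '%s\n' 'output.elasticsearch:' '  hosts: ["https://127.0.0.1:9200"]' \
        '  username: admin' '  password: admin' > "$dir/filebeat-weak.yml"
    chmod 644 "$dir/filebeat-weak.yml"
    # Hardened shape: dedicated user (hypothetical name), password kept in the
    # Filebeat keystore and referenced by key name, file private to its owner.
    printf '%s\n' 'output.elasticsearch:' '  hosts: ["https://127.0.0.1:9200"]' \
        '  username: filebeat-writer' '  password: "${FILEBEAT_PASSWORD}"' > "$dir/filebeat-hardened.yml"
    chmod 600 "$dir/filebeat-hardened.yml"
    # Dashboard file with the default service account from the run above.
    printf '%s\n' 'opensearch.hosts: https://localhost:9200' \
        'opensearch.username: kibanaserver' 'opensearch.password: kibanaserver' > "$dir/dashboards-weak.yml"
    chmod 640 "$dir/dashboards-weak.yml"
}

# Usage on the manager host:
#   sh audit_stack_config.sh /etc/filebeat/filebeat.yml /etc/wazuh-dashboard/opensearch_dashboards.yml
for f in "$@"; do
    audit_config "$f"
done
```

Run it against the three files Puppet manages (filebeat.yml, opensearch_dashboards.yml and opensearch.yml) before checking the dashboard; a non-zero count on any of them means the defaults were never rotated or the file is readable beyond its service account.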

@RamosFe

RamosFe commented Oct 17, 2023

🟢 6. Wazuh Agent Installation

Manifest
root@vagrant:~# cat /etc/puppetlabs/code/environments/production/manifests/stack.pp
node "server-1" {
  # Full single-node stack on the server: manager, indexer, Filebeat and dashboard.
  class { 'wazuh::manager':
  }
  class { 'wazuh::indexer':
  }
  class { 'wazuh::filebeat_oss':
  }
  class { 'wazuh::dashboard':
  }
}

node "agent-1" {
  # The agent enrolls with and reports to the manager at 192.168.56.4.
  class { "wazuh::agent":
    wazuh_register_endpoint  => "192.168.56.4",
    wazuh_reporting_endpoint => "192.168.56.4"
  }
}
Agent status
root@agent-1:~# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enable
   Active: active (running) since Tue 2023-10-17 19:48:49 UTC; 5min ago
    Tasks: 33 (limit: 2314)
   CGroup: /system.slice/wazuh-agent.service
           ├─1665 /var/ossec/bin/wazuh-execd
           ├─1675 /var/ossec/bin/wazuh-agentd
           ├─1690 /var/ossec/bin/wazuh-syscheckd
           ├─1700 /var/ossec/bin/wazuh-logcollector
           └─1717 /var/ossec/bin/wazuh-modulesd

Oct 17 19:48:45 agent-1 systemd[1]: Starting Wazuh agent...
Oct 17 19:48:45 agent-1 env[1021]: Starting Wazuh v4.7.0...
Oct 17 19:48:45 agent-1 env[1021]: Started wazuh-execd...
Oct 17 19:48:46 agent-1 env[1021]: Started wazuh-agentd...
Oct 17 19:48:46 agent-1 env[1021]: Started wazuh-syscheckd...
Oct 17 19:48:46 agent-1 env[1021]: Started wazuh-logcollector...
Oct 17 19:48:47 agent-1 env[1021]: Started wazuh-modulesd...
Oct 17 19:48:49 agent-1 env[1021]: Completed.
Oct 17 19:48:49 agent-1 systemd[1]: Started Wazuh agent.

Due to errors when trying to add the new agent, the hostname of the VM was changed to agent-1.

@RamosFe

RamosFe commented Oct 18, 2023

🟡 7. Dashboard

Dashboard

The screenshots below show the version of Wazuh that was deployed and a Wazuh agent appearing on the dashboard. At the point of login, it displayed that no template was available for the alerts index pattern. Also, alerts are not showing on the dashboard even though there are alerts in alerts.log and alerts.json.

[screenshot: DashboardIndex]
[screenshot: Dashboard]
[screenshot: DashboardAgentNoData]

alerts.json
root@vagrant:/var/ossec/logs# cat /var/ossec/logs/alerts/alerts.json | grep "agent"
{"timestamp":"2023-10-18T12:28:17.191+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632097.0","full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2023-10-18T12:28:25.306+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632105.243","full_log":"ossec: Agent started: 'agent-1->192.168.56.6'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"agent-1->192.168.56.6"},"location":"wazuh-agent"}
{"timestamp":"2023-10-18T12:28:28.428+0000","rule":{"level":5,"description":"Puppet Agent started","id":"80050","firedtimes":1,"mail":false,"groups":["puppet"],"gpg13":["4.14"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.582","full_log":"Oct 18 12:28:26 agent-1 puppet-agent[632]: Starting Puppet client version 6.28.0","predecoder":{"program_name":"puppet-agent","timestamp":"Oct 18 12:28:26","hostname":"agent-1"},"decoder":{"parent":"puppet-agent","name":"puppet-agent"},"data":{"extra_data":"6.28.0"},"location":"/var/log/syslog"}
{"timestamp":"2023-10-18T12:28:28.432+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.819","full_log":"Oct 18 12:28:26 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:26","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.432+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.1328","full_log":"Oct 18 12:28:26 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:26","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.432+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":1,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.1749","full_log":"Oct 18 12:28:26 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:26","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.432+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":2,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.2129","full_log":"Oct 18 12:28:27 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.432+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":2,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.2639","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.432+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":2,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.3060","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.433+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":3,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.3440","full_log":"Oct 18 12:28:27 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.434+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.3950","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.434+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":3,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.4371","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.434+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":4,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.4751","full_log":"Oct 18 12:28:27 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.434+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":4,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.5261","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.435+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":4,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.5682","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.435+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":5,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.6062","full_log":"Oct 18 12:28:27 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.436+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":5,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.6572","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.436+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":5,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.6993","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.433+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":6,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.7373","full_log":"Oct 18 12:28:28 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:28","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":6,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.7883","full_log":"Oct 18 12:28:28 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:28","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":6,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.8304","full_log":"Oct 18 12:28:28 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:28","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":7,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.8684","full_log":"Oct 18 12:28:29 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":7,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.9194","full_log":"Oct 18 12:28:29 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":7,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.9615","full_log":"Oct 18 12:28:29 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":8,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.9995","full_log":"Oct 18 12:28:29 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":8,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.10505","full_log":"Oct 18 12:28:29 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":8,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.10927","full_log":"Oct 18 12:28:29 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":9,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.11308","full_log":"Oct 18 12:28:29 agent-1 sshd[680]: pam_unix(sshd:session): session closed for user vagrant","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"vagrant"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":4,"description":"sshd: connection reset","id":"5762","firedtimes":1,"mail":false,"groups":["syslog","sshd"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.11700","full_log":"Oct 18 12:28:29 agent-1 sshd[1159]: Connection reset by 10.0.2.2 port 52036 [preauth]","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"10.0.2.2","srcport":"52036","dstuser":"by"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:31.209+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":10,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632111.11983","full_log":"Oct 18 12:28:30 vagrant sshd[911]: pam_unix(sshd:session): session closed for user vagrant","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:28:30","hostname":"vagrant"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"vagrant"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:31.209+0000","rule":{"level":4,"description":"sshd: connection reset","id":"5762","firedtimes":2,"mail":false,"groups":["syslog","sshd"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632111.12360","full_log":"Oct 18 12:28:30 vagrant sshd[788]: Connection reset by 10.0.2.2 port 48024 [preauth]","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:28:30","hostname":"vagrant"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"10.0.2.2","srcport":"48024","dstuser":"by"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:29:43.305+0000","rule":{"level":3,"description":"sshd: authentication success.","id":"5715","mitre":{"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"],"technique":["Valid Accounts","Remote Services"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632183.12627","full_log":"Oct 18 12:29:42 vagrant sshd[2905]: Accepted publickey for vagrant from 10.0.2.2 port 37818 ssh2: RSA SHA256:JQfJr8I19KUwiW6vFaguG98RD3nfw5BllcanbSMFUvg","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:29:42","hostname":"vagrant"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"10.0.2.2","srcport":"37818","dstuser":"vagrant"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:29:43.305+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":9,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632183.13126","full_log":"Oct 18 12:29:42 vagrant sshd[2905]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:29:42","hostname":"vagrant"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"vagrant","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:29:43.305+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":10,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632183.13545","full_log":"Oct 18 12:29:42 vagrant systemd: pam_unix(systemd-user:session): session opened for user vagrant by (uid=0)","predecoder":{"program_name":"systemd","timestamp":"Oct 18 12:29:42","hostname":"vagrant"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"vagrant","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:30:15.337+0000","rule":{"level":4,"description":"First time user executed sudo.","id":"5403","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632215.13969","full_log":"Oct 18 12:30:13 vagrant sudo:  vagrant : TTY=pts/0 ; PWD=/var ; USER=root ; COMMAND=/bin/su -","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:30:13","hostname":"vagrant"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"pts/0","pwd":"/var","command":"/bin/su -"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:30:15.337+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":11,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632215.14262","full_log":"Oct 18 12:30:13 vagrant sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:30:13","hostname":"vagrant"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"vagrant","dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:30:15.338+0000","rule":{"level":4,"description":"First time (su) is executed by user.","id":"5305","firedtimes":1,"mail":false,"groups":["syslog","su"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632215.14676","full_log":"Oct 18 12:30:13 vagrant su[2951]: + /dev/pts/0 root:root","predecoder":{"program_name":"su","timestamp":"Oct 18 12:30:13","hostname":"vagrant"},"decoder":{"parent":"su","name":"su"},"data":{"srcuser":"root","dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:30:15.338+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":12,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632215.14896","full_log":"Oct 18 12:30:13 vagrant su[2951]: pam_unix(su:session): session opened for user root by vagrant(uid=0)","predecoder":{"program_name":"su","timestamp":"Oct 18 12:30:13","hostname":"vagrant"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"vagrant","dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.432+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":1,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.1749","full_log":"Oct 18 12:28:26 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:26","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.432+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":2,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.2129","full_log":"Oct 18 12:28:27 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.432+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":2,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.2639","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.432+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":2,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.3060","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.433+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":3,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.3440","full_log":"Oct 18 12:28:27 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.434+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.3950","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.434+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":3,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.4371","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.434+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":4,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.4751","full_log":"Oct 18 12:28:27 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.434+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":4,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.5261","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.435+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":4,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.5682","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.435+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":5,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.6062","full_log":"Oct 18 12:28:27 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.436+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":5,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.6572","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:28.436+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":5,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632108.6993","full_log":"Oct 18 12:28:27 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:27","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.433+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":6,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.7373","full_log":"Oct 18 12:28:28 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:28","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":6,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.7883","full_log":"Oct 18 12:28:28 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:28","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":6,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.8304","full_log":"Oct 18 12:28:28 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:28","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":7,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.8684","full_log":"Oct 18 12:28:29 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":7,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.9194","full_log":"Oct 18 12:28:29 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":7,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.9615","full_log":"Oct 18 12:28:29 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":8,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.9995","full_log":"Oct 18 12:28:29 agent-1 sudo:  vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"unknown","pwd":"/home/vagrant","command":"/bin/bash -l"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":8,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.10505","full_log":"Oct 18 12:28:29 agent-1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":8,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.10927","full_log":"Oct 18 12:28:29 agent-1 sudo: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":9,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.11308","full_log":"Oct 18 12:28:29 agent-1 sshd[680]: pam_unix(sshd:session): session closed for user vagrant","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"vagrant"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":4,"description":"sshd: connection reset","id":"5762","firedtimes":1,"mail":false,"groups":["syslog","sshd"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"id":"1697632110.11700","full_log":"Oct 18 12:28:29 agent-1 sshd[1159]: Connection reset by 10.0.2.2 port 52036 [preauth]","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:28:29","hostname":"agent-1"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"10.0.2.2","srcport":"52036","dstuser":"by"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:31.209+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":10,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632111.11983","full_log":"Oct 18 12:28:30 vagrant sshd[911]: pam_unix(sshd:session): session closed for user vagrant","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:28:30","hostname":"vagrant"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"vagrant"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:28:31.209+0000","rule":{"level":4,"description":"sshd: connection reset","id":"5762","firedtimes":2,"mail":false,"groups":["syslog","sshd"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632111.12360","full_log":"Oct 18 12:28:30 vagrant sshd[788]: Connection reset by 10.0.2.2 port 48024 [preauth]","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:28:30","hostname":"vagrant"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"10.0.2.2","srcport":"48024","dstuser":"by"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:29:43.305+0000","rule":{"level":3,"description":"sshd: authentication success.","id":"5715","mitre":{"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"],"technique":["Valid Accounts","Remote Services"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632183.12627","full_log":"Oct 18 12:29:42 vagrant sshd[2905]: Accepted publickey for vagrant from 10.0.2.2 port 37818 ssh2: RSA SHA256:JQfJr8I19KUwiW6vFaguG98RD3nfw5BllcanbSMFUvg","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:29:42","hostname":"vagrant"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"10.0.2.2","srcport":"37818","dstuser":"vagrant"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:29:43.305+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":9,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632183.13126","full_log":"Oct 18 12:29:42 vagrant sshd[2905]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)","predecoder":{"program_name":"sshd","timestamp":"Oct 18 12:29:42","hostname":"vagrant"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"vagrant","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:29:43.305+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":10,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632183.13545","full_log":"Oct 18 12:29:42 vagrant systemd: pam_unix(systemd-user:session): session opened for user vagrant by (uid=0)","predecoder":{"program_name":"systemd","timestamp":"Oct 18 12:29:42","hostname":"vagrant"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"vagrant","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:30:15.337+0000","rule":{"level":4,"description":"First time user executed sudo.","id":"5403","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632215.13969","full_log":"Oct 18 12:30:13 vagrant sudo:  vagrant : TTY=pts/0 ; PWD=/var ; USER=root ; COMMAND=/bin/su -","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:30:13","hostname":"vagrant"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"pts/0","pwd":"/var","command":"/bin/su -"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:30:15.337+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":11,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632215.14262","full_log":"Oct 18 12:30:13 vagrant sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)","predecoder":{"program_name":"sudo","timestamp":"Oct 18 12:30:13","hostname":"vagrant"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"vagrant","dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:30:15.338+0000","rule":{"level":4,"description":"First time (su) is executed by user.","id":"5305","firedtimes":1,"mail":false,"groups":["syslog","su"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632215.14676","full_log":"Oct 18 12:30:13 vagrant su[2951]: + /dev/pts/0 root:root","predecoder":{"program_name":"su","timestamp":"Oct 18 12:30:13","hostname":"vagrant"},"decoder":{"parent":"su","name":"su"},"data":{"srcuser":"root","dstuser":"root"},"location":"/var/log/auth.log"}
{"timestamp":"2023-10-18T12:30:15.338+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":12,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"id":"1697632215.14896","full_log":"Oct 18 12:30:13 vagrant su[2951]: pam_unix(su:session): session opened for user root by vagrant(uid=0)","predecoder":{"program_name":"su","timestamp":"Oct 18 12:30:13","hostname":"vagrant"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"vagrant","dstuser":"root","uid":"0"},"location":"/var/log/auth.log"}
Issue

The error that appears is already known and was worked on in Issue #19607, but the changes have not yet been implemented for version 4.7.0.

[two screenshots of the error attached to the original issue]
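The alerts.json listing above was filtered with grep "agent", but every alert record carries an agent object (the manager's own events appear under agent id 000, the deployed agent under id 001), so that filter passes every line and does not by itself prove the agent-to-manager path the E2E guideline asks for. The script below is an added example and is not part of Wazuh, wazuh-puppet or this test report: it parses alerts.json as newline-delimited JSON, drops the manager's own alerts, and reports whether at least one alert from a real agent (optionally a specific agent id and rule id) is present. The sample records embedded in it are constructed for the example and trimmed to the fields the check uses; the MANAGER_AGENT_ID constant and the function names are the example's own.

```python
"""Verify that alerts.json holds at least one end-to-end alert from a real
agent, i.e. one whose agent.id is not the manager's own id "000".

Added example for this test report; not part of Wazuh or wazuh-puppet.
The sample records below are constructed for the example and trimmed to the
fields the check needs (real Wazuh alerts carry many more).
"""
import json
from collections import Counter

MANAGER_AGENT_ID = "000"  # the manager reports its own events under id 000

# Constructed sample of alerts.json (one JSON object per line), modelled on
# the records a Puppet-deployed manager and agent produce at start-up.
SAMPLE_ALERTS = "\n".join([
    '{"timestamp":"2023-10-18T12:28:17.191+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","groups":["ossec"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"location":"wazuh-monitord"}',
    '{"timestamp":"2023-10-18T12:28:25.306+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","groups":["ossec"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"location":"wazuh-agent"}',
    '{"timestamp":"2023-10-18T12:28:28.428+0000","rule":{"level":5,"description":"Puppet Agent started","id":"80050","groups":["puppet"]},"agent":{"id":"001","name":"agent-1","ip":"192.168.56.6"},"manager":{"name":"vagrant"},"location":"/var/log/syslog"}',
    '{"timestamp":"2023-10-18T12:28:30.434+0000","rule":{"level":4,"description":"sshd: connection reset","id":"5762","groups":["syslog","sshd"]},"agent":{"id":"000","name":"vagrant"},"manager":{"name":"vagrant"},"location":"/var/log/auth.log"}',
    'this line is not JSON and must be skipped rather than crash the check',
])


def parse_alerts(text):
    """Yield one dict per well-formed JSON line; skip blank and broken lines.

    alerts.json is newline-delimited JSON and a partially written last line
    is normal while the manager is running, so a bad line is not fatal.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def alerts_from_agents(text, exclude=(MANAGER_AGENT_ID,)):
    """Return alerts that carry an agent.id not listed in `exclude`."""
    result = []
    for alert in parse_alerts(text):
        agent_id = alert.get("agent", {}).get("id")
        if agent_id and agent_id not in exclude:
            result.append(alert)
    return result


def e2e_summary(text):
    """Count agent-originated alerts per agent id and per rule id."""
    agent_alerts = alerts_from_agents(text)
    per_agent = Counter(a["agent"]["id"] for a in agent_alerts)
    per_rule = Counter(a.get("rule", {}).get("id") for a in agent_alerts)
    return {"agents": dict(per_agent), "rules": dict(per_rule)}


def has_e2e_alert(text, agent_id=None, rule_id=None):
    """True if at least one alert came from a real agent.

    Optionally require a specific agent id and/or rule id, e.g. "503"
    (Wazuh agent started) or a product rule such as "80050" (Puppet).
    """
    for alert in alerts_from_agents(text):
        if agent_id is not None and alert["agent"]["id"] != agent_id:
            continue
        if rule_id is not None and alert.get("rule", {}).get("id") != rule_id:
            continue
        return True
    return False


if __name__ == "__main__":
    import sys
    # Usage: python3 check_e2e.py [/var/ossec/logs/alerts/alerts.json]
    # Without an argument the constructed sample is checked instead.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print(e2e_summary(data))
    sys.exit(0 if has_e2e_alert(data) else 1)
```

Run it against the manager's /var/ossec/logs/alerts/alerts.json; the exit status is 1 when no alert from a non-manager agent is found, so the check can gate a deployment test directly. Requiring a rule id such as "503" or "80050" together with the agent id pins the check to the specific event the test is meant to produce rather than to any alert the agent happened to send.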

@vcerenu (Member) commented Oct 18, 2023

The error presented in the test is due to a misconfiguration of the binary paths to be executed when downloading the wazuh-template.json file.

This bug was fixed in PR wazuh/wazuh-puppet#797, but it has not been brought to the 4.7.0 branch in a branch maintenance, because the last one made is prior to the merge of those changes.

We will proceed to bring these changes to branch 4.7.0 so that the failed test can be performed again.

@davidjiglesias (Member, Author) commented
LGTM!
