Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid API calls and broken link in the Management < Configuration < Alerts section #5565

Closed
2 of 3 tasks
AlexRuiz7 opened this issue Jun 15, 2023 · 4 comments · Fixed by #5687, #5731 or #5730
Closed
2 of 3 tasks

Invalid API calls and broken link in the Management < Configuration < Alerts section #5565

AlexRuiz7 opened this issue Jun 15, 2023 · 4 comments · Fixed by #5687, #5731 or #5730
Assignees
@Desvelao
Labels
level/task Task issue type/bug Bug issue

Comments

@AlexRuiz7
Copy link
Member

AlexRuiz7 commented Jun 15, 2023
edited by Desvelao
Loading

Wazuh Rev
4.4.4 01

Description

This section has several problems:

  • Invalid API requests returning a 500 response.
  • A broken link to the documentation.

Steps to reproduce

  1. Navigate to Management < Configuration < Alerts

  2. Check the Network tab: there are several requests with 500 response code

  3. Click on 'Labels'

  4. Click on the info icon

  5. Click onAgent labels

  6. Redirects to a 404 in the documentation page

Additional info

Request:

{
  "method": "GET",
  "path": "/cluster/node01/configuration/analysis/labels",
  "body": {},
  "id": "default"
}

Response

{
  "statusCode": 500,
  "error": "Internal Server Error",
  "message": "3013 - Invalid configuration for the given component: Valid configuration values for 'analysis': {'global', 'active_response', 'alerts', 'internal', 'command', 'rule_test', 'rules', 'decoders'}"
}

Request:

{
  "method": "GET",
  "path": "/cluster/node01/configuration/monitor/reports",
  "body": {},
  "id": "default"
}

Response

{
  "statusCode": 500,
  "error": "Internal Server Error",
  "message": "3013 - Invalid configuration for the given component: Valid configuration values for 'monitor': {'internal', 'global'}"
}

Broken link: https://documentation.wazuh.com/4.4/user-manual/capabilities/labels.html
should be: https://documentation.wazuh.com/current/user-manual/agents/labels.html

Tasks

  • Fix broken link
  • Fix broken API requests

Screenshots

image

image

Related issues
@AlexRuiz7 AlexRuiz7 added type/bug Bug issue level/task Task issue labels Jun 15, 2023
@Desvelao Desvelao self-assigned this Jun 20, 2023
@Desvelao
Copy link
Member

Desvelao commented Jun 20, 2023
edited
Loading

Research

According to the Wazuh API reference, the current requests are not using the expected paths.

Labels - Manager

Manager node

API endpoint: GET /manager/configuration/{component}/{configuration}
Reference: https://documentation.wazuh.com/4.4/user-manual/api/reference.html#operation/api.controllers.manager_controller.get_manager_config_ondemand

Component Configuration Tag
agent labels <labels>
monitor internal <reports>

I added a configuration for the <labels> tag to the manager configuration:

<ossec_config>
  <labels>
    <label key="custom">customLabel</label>
  </labels>
</ossec_config>

The expected response of GET /manager/configuration/agent/labels is failing.

The current request is GET /manager/configuration/analysis/labels

Response 
{
  "data": {
      "affected_items": [],
      "total_affected_items": 0,
      "total_failed_items": 1,
      "failed_items": [
          {
              "error": {
                  "code": 1121,
                  "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured",
                  "remediation": "Please ensure the selected module is running and properly configured"
              },
              "id": [
                  "manager"
              ]
          }
      ]
  },
  "message": "Could not read active configuration",
  "error": 1
}

But using the GET /manager/configuration the labels are visible

Response 
{
"data": {
  "affected_items": [
    {
      "global": {
        "jsonout_output": "yes",
        "alerts_log": "yes",
        "logall": "no",
        "logall_json": "no",
        "email_notification": "no",
        "smtp_server": "smtp.example.wazuh.com",
        "email_from": "[email protected]",
        "email_to": "[email protected]",
        "email_maxperhour": "12",
        "email_log_source": "alerts.log",
        "agents_disconnection_time": "10m",
        "agents_disconnection_alert_time": "0",
        "white_list": [
          "127.0.0.1",
          "^localhost.localdomain$",
          "10.0.0.106"
        ]
      },
      "alerts": {
        "log_alert_level": "3",
        "email_alert_level": "12"
      },
      "remote": [
        {
          "connection": "secure",
          "port": "1514",
          "protocol": [
            "tcp"
          ],
          "queue_size": "131072"
        }
      ],
      "rootcheck": {
        "disabled": "no",
        "check_files": "yes",
        "check_trojans": "yes",
        "check_dev": "yes",
        "check_sys": "yes",
        "check_pids": "yes",
        "check_ports": "yes",
        "check_if": "yes",
        "frequency": "43200",
        "rootkit_files": [
          "etc/rootcheck/rootkit_files.txt"
        ],
        "rootkit_trojans": [
          "etc/rootcheck/rootkit_trojans.txt"
        ],
        "skip_nfs": "yes"
      },
      "cis-cat": {
        "disabled": "yes",
        "timeout": "1800",
        "interval": "1d",
        "scan-on-start": "yes",
        "java_path": "wodles/java",
        "ciscat_path": "wodles/ciscat"
      },
      "osquery": {
        "disabled": "yes",
        "run_daemon": "yes",
        "log_path": "/var/log/osquery/osqueryd.results.log",
        "config_path": "/etc/osquery/osquery.conf",
        "add_labels": "yes"
      },
      "syscollector": {
        "disabled": "no",
        "interval": "1h",
        "scan_on_start": "yes",
        "hardware": "yes",
        "os": "yes",
        "network": "yes",
        "packages": "yes",
        "ports": {
          "all": "no",
          "item": "yes"
        },
        "processes": "yes",
        "synchronization": {
          "max_eps": "10"
        }
      },
      "sca": {
        "enabled": "yes",
        "scan_on_start": "yes",
        "interval": "12h",
        "skip_nfs": "yes"
      },
      "vulnerability-detector": {
        "enabled": "no",
        "interval": "5m",
        "min_full_scan_interval": "6h",
        "run_on_start": "yes",
        "provider": {
          "name": "nvd",
          "enabled": "yes",
          "update_from_year": "2010",
          "update_interval": "1h"
        }
      },
      "syscheck": {
        "disabled": "no",
        "frequency": "43200",
        "scan_on_start": "yes",
        "alert_new_files": "yes",
        "auto_ignore": {
          "frequency": "10",
          "timeframe": "3600",
          "item": "no"
        },
        "directories": [
          {
            "path": "/etc"
          },
          {
            "path": "/usr/bin"
          },
          {
            "path": "/usr/sbin"
          },
          {
            "path": "/bin"
          },
          {
            "path": "/sbin"
          },
          {
            "path": "/boot"
          }
        ],
        "ignore": [
          "/etc/mtab",
          "/etc/hosts.deny",
          "/etc/mail/statistics",
          "/etc/random-seed",
          "/etc/random.seed",
          "/etc/adjtime",
          "/etc/httpd/logs",
          "/etc/utmpx",
          "/etc/wtmpx",
          "/etc/cups/certs",
          "/etc/dumpdates",
          "/etc/svc/volatile",
          {
            "type": "sregex",
            "item": ".log$|.swp$"
          }
        ],
        "nodiff": [
          "/etc/ssl/private.key"
        ],
        "skip_nfs": "yes",
        "skip_dev": "yes",
        "skip_proc": "yes",
        "skip_sys": "yes",
        "process_priority": "10",
        "max_eps": "100",
        "synchronization": {
          "enabled": "yes",
          "interval": "5m",
          "max_interval": "1h",
          "max_eps": "10"
        }
      },
      "command": [
        {
          "name": "disable-account",
          "executable": "disable-account",
          "timeout_allowed": "yes"
        },
        {
          "name": "restart-wazuh",
          "executable": "restart-wazuh"
        },
        {
          "name": "firewall-drop",
          "executable": "firewall-drop",
          "timeout_allowed": "yes"
        },
        {
          "name": "host-deny",
          "executable": "host-deny",
          "timeout_allowed": "yes"
        },
        {
          "name": "route-null",
          "executable": "route-null",
          "timeout_allowed": "yes"
        },
        {
          "name": "win_route-null",
          "executable": "route-null.exe",
          "timeout_allowed": "yes"
        },
        {
          "name": "netsh",
          "executable": "netsh.exe",
          "timeout_allowed": "yes"
        }
      ],
      "localfile": [
        {
          "log_format": "command",
          "command": "df -P",
          "frequency": "360"
        },
        {
          "log_format": "full_command",
          "command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d",
          "alias": "netstat listening ports",
          "frequency": "360"
        },
        {
          "log_format": "full_command",
          "command": "last -n 20",
          "frequency": "360"
        },
        {
          "log_format": "syslog",
          "location": "/var/ossec/logs/active-responses.log"
        }
      ],
      "ruleset": {
        "decoder_dir": [
          "ruleset/decoders",
          "etc/decoders"
        ],
        "rule_dir": [
          "ruleset/rules",
          "etc/rules"
        ],
        "rule_exclude": [
          "0215-policy_rules.xml"
        ],
        "list": [
          "etc/lists/audit-keys",
          "etc/lists/amazon/aws-eventnames",
          "etc/lists/security-eventchannel"
        ]
      },
      "auth": {
        "disabled": "no",
        "port": "1515",
        "use_source_ip": "no",
        "purge": "yes",
        "use_password": "no",
        "ciphers": "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH",
        "ssl_verify_host": "no",
        "ssl_manager_cert": "etc/sslmanager.cert",
        "ssl_manager_key": "etc/sslmanager.key",
        "ssl_auto_negotiate": "no"
      },
      "cluster": {
        "name": "wazuh",
        "node_name": "node01",
        "node_type": "master",
        "port": "1516",
        "bind_addr": "0.0.0.0",
        "nodes": [
          "NODE_IP"
        ],
        "hidden": "no",
        "disabled": "yes"
      },
      "labels": [
        {
          "label": [
            {
              "value": "customLabel",
              "key": "custom"
            }
          ]
        }
      ]
    }
  ],
  "total_affected_items": 1,
  "total_failed_items": 0,
  "failed_items": []
},
"message": "Configuration was successfully read",
"error": 0
}

I don't know if I have missed some requirements for the API response to work correctly.

Cluster nodes

Component Configuration Tag
agent labels <labels>
monitor internal <reports>

I configured the labels:

<ossec_config>
  <labels>
    <label key="custom">customLabel</label>
  </labels>
</ossec_config>

The expected request GET /cluster/{node_name}/configuration/agent/labels is failing.

The current request is GET /cluster/{node_name}/configuration/analysis/labels

Response 
{
  "data": {
      "affected_items": [],
      "total_affected_items": 0,
      "total_failed_items": 1,
      "failed_items": [
          {
              "error": {
                  "code": 1121,
                  "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured",
                  "remediation": "Please ensure the selected module is running and properly configured"
              },
              "id": [
                  "node01"
              ]
          }
      ]
  },
  "message": "Could not read active configuration in specified node",
  "error": 1
}

But using the GET /cluster/{node_name}/configuration the labels are visible

Response 
{
"data": {
  "affected_items": [
    {
      "global": {
        "jsonout_output": "yes",
        "alerts_log": "yes",
        "logall": "no",
        "logall_json": "no",
        "email_notification": "no",
        "smtp_server": "smtp.example.wazuh.com",
        "email_from": "[email protected]",
        "email_to": "[email protected]",
        "email_maxperhour": "12",
        "email_log_source": "alerts.log",
        "agents_disconnection_time": "10m",
        "agents_disconnection_alert_time": "0",
        "white_list": [
          "127.0.0.1",
          "^localhost.localdomain$",
          "10.0.0.106"
        ]
      },
      "alerts": {
        "log_alert_level": "3",
        "email_alert_level": "12"
      },
      "remote": [
        {
          "connection": "secure",
          "port": "1514",
          "protocol": [
            "tcp"
          ],
          "queue_size": "131072"
        }
      ],
      "rootcheck": {
        "disabled": "no",
        "check_files": "yes",
        "check_trojans": "yes",
        "check_dev": "yes",
        "check_sys": "yes",
        "check_pids": "yes",
        "check_ports": "yes",
        "check_if": "yes",
        "frequency": "43200",
        "rootkit_files": [
          "etc/rootcheck/rootkit_files.txt"
        ],
        "rootkit_trojans": [
          "etc/rootcheck/rootkit_trojans.txt"
        ],
        "skip_nfs": "yes"
      },
      "cis-cat": {
        "disabled": "yes",
        "timeout": "1800",
        "interval": "1d",
        "scan-on-start": "yes",
        "java_path": "wodles/java",
        "ciscat_path": "wodles/ciscat"
      },
      "osquery": {
        "disabled": "yes",
        "run_daemon": "yes",
        "log_path": "/var/log/osquery/osqueryd.results.log",
        "config_path": "/etc/osquery/osquery.conf",
        "add_labels": "yes"
      },
      "syscollector": {
        "disabled": "no",
        "interval": "1h",
        "scan_on_start": "yes",
        "hardware": "yes",
        "os": "yes",
        "network": "yes",
        "packages": "yes",
        "ports": {
          "all": "no",
          "item": "yes"
        },
        "processes": "yes",
        "synchronization": {
          "max_eps": "10"
        }
      },
      "sca": {
        "enabled": "yes",
        "scan_on_start": "yes",
        "interval": "12h",
        "skip_nfs": "yes"
      },
      "vulnerability-detector": {
        "enabled": "no",
        "interval": "5m",
        "min_full_scan_interval": "6h",
        "run_on_start": "yes",
        "provider": {
          "name": "nvd",
          "enabled": "yes",
          "update_from_year": "2010",
          "update_interval": "1h"
        }
      },
      "syscheck": {
        "disabled": "no",
        "frequency": "43200",
        "scan_on_start": "yes",
        "alert_new_files": "yes",
        "auto_ignore": {
          "frequency": "10",
          "timeframe": "3600",
          "item": "no"
        },
        "directories": [
          {
            "path": "/etc"
          },
          {
            "path": "/usr/bin"
          },
          {
            "path": "/usr/sbin"
          },
          {
            "path": "/bin"
          },
          {
            "path": "/sbin"
          },
          {
            "path": "/boot"
          }
        ],
        "ignore": [
          "/etc/mtab",
          "/etc/hosts.deny",
          "/etc/mail/statistics",
          "/etc/random-seed",
          "/etc/random.seed",
          "/etc/adjtime",
          "/etc/httpd/logs",
          "/etc/utmpx",
          "/etc/wtmpx",
          "/etc/cups/certs",
          "/etc/dumpdates",
          "/etc/svc/volatile",
          {
            "type": "sregex",
            "item": ".log$|.swp$"
          }
        ],
        "nodiff": [
          "/etc/ssl/private.key"
        ],
        "skip_nfs": "yes",
        "skip_dev": "yes",
        "skip_proc": "yes",
        "skip_sys": "yes",
        "process_priority": "10",
        "max_eps": "100",
        "synchronization": {
          "enabled": "yes",
          "interval": "5m",
          "max_interval": "1h",
          "max_eps": "10"
        }
      },
      "command": [
        {
          "name": "disable-account",
          "executable": "disable-account",
          "timeout_allowed": "yes"
        },
        {
          "name": "restart-wazuh",
          "executable": "restart-wazuh"
        },
        {
          "name": "firewall-drop",
          "executable": "firewall-drop",
          "timeout_allowed": "yes"
        },
        {
          "name": "host-deny",
          "executable": "host-deny",
          "timeout_allowed": "yes"
        },
        {
          "name": "route-null",
          "executable": "route-null",
          "timeout_allowed": "yes"
        },
        {
          "name": "win_route-null",
          "executable": "route-null.exe",
          "timeout_allowed": "yes"
        },
        {
          "name": "netsh",
          "executable": "netsh.exe",
          "timeout_allowed": "yes"
        }
      ],
      "localfile": [
        {
          "log_format": "command",
          "command": "df -P",
          "frequency": "360"
        },
        {
          "log_format": "full_command",
          "command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d",
          "alias": "netstat listening ports",
          "frequency": "360"
        },
        {
          "log_format": "full_command",
          "command": "last -n 20",
          "frequency": "360"
        },
        {
          "log_format": "syslog",
          "location": "/var/ossec/logs/active-responses.log"
        }
      ],
      "ruleset": {
        "decoder_dir": [
          "ruleset/decoders",
          "etc/decoders"
        ],
        "rule_dir": [
          "ruleset/rules",
          "etc/rules"
        ],
        "rule_exclude": [
          "0215-policy_rules.xml"
        ],
        "list": [
          "etc/lists/audit-keys",
          "etc/lists/amazon/aws-eventnames",
          "etc/lists/security-eventchannel"
        ]
      },
      "auth": {
        "disabled": "no",
        "port": "1515",
        "use_source_ip": "no",
        "purge": "yes",
        "use_password": "no",
        "ciphers": "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH",
        "ssl_verify_host": "no",
        "ssl_manager_cert": "etc/sslmanager.cert",
        "ssl_manager_key": "etc/sslmanager.key",
        "ssl_auto_negotiate": "no"
      },
      "cluster": {
        "name": "wazuh",
        "node_name": "node01",
        "node_type": "master",
        "key": "c98b62a9b6169ac5f67dae55ae4a9088",
        "port": "1516",
        "bind_addr": "0.0.0.0",
        "nodes": [
          "wazuh.manager"
        ],
        "hidden": "no",
        "disabled": "no"
      },
      "labels": [
        {
          "label": [
            {
              "value": "customLabel",
              "key": "custom"
            }
          ]
        }
      ]
    }
  ],
  "total_affected_items": 1,
  "total_failed_items": 0,
  "failed_items": []
},
"message": "Configuration was successfully read in specified node",
"error": 0
}

I don't know if I have missed some requirements for the API response to work correctly.

Labels - Agent

Component Configuration Tag
agent labels <labels>
monitor internal <reports>

I added a configuration for the <labels> tag to the manager configuration:

<ossec_config>
  <labels>
    <label key="custom">customLabel</label>
  </labels>
</ossec_config>

The labels are visible in the agent configuration.
image

The expected request GET /agents/{agent_id}/config/agent/labels is working correctly.

The current request is GET /agents/{agent_id}/configuration/analysis/labels

Response 
{
"data": {
  "labels": [
    {
      "value": "customLabel",
      "key": "custom",
      "hidden": "no"
    }
  ]
},
"error": 0
}

Reports

Manager node

API endpoint: GET /manager/configuration/{component}/{configuration}
Reference: https://documentation.wazuh.com/4.4/user-manual/api/reference.html#operation/api.controllers.manager_controller.get_manager_config_ondemand

Component Configuration Tag
monitor internal <reports>

I added a configuration for the <reports> tag to the manager configuration:

<ossec_config>
  <reports>
    <title>Auth_Report</title>
    <group>authentication_failed,</group>
    <email_to>[email protected]</email_to>
  </reports>
</ossec_config>

The expected response of GET /manager/configuration/monitor/internal is not returning the expected configuration related to the reports.

The current request is GET /manager/configuration/monitor/reports

Response 
{
"data": {
  "affected_items": [
    {
      "monitord": {
        "day_wait": 10,
        "compress": 1,
        "sign": 1,
        "monitor_agents": 1,
        "keep_log_days": 31,
        "rotate_log": 1,
        "size_rotate": 536870912,
        "daily_rotations": 12,
        "delete_old_agents": 0
      }
    }
  ],
  "total_affected_items": 1,
  "total_failed_items": 0,
  "failed_items": []
},
"message": "Active configuration was successfully read",
"error": 0
}

Cluster node

API endpoint: GET /cluster/{node_id}/configuration/{component}/{configuration}
Reference: https://documentation.wazuh.com/4.4/user-manual/api/reference.html#operation/api.controllers.cluster_controller.get_node_config

Component Configuration Tag
monitor internal <reports>

I added a configuration for the <reports> tag to the manager configuration:

<ossec_config>
  <reports>
    <title>Auth_Report</title>
    <group>authentication_failed,</group>
    <email_to>[email protected]</email_to>
  </reports>
</ossec_config>

The expected response of GET /cluster/{node_id}/configuration/monitor/internal is not returning the expected configuration related to the reports.

The current request is GET /cluster/{node_id}/configuration/monitor/reports

Response 
{
"data": {
  "affected_items": [
    {
      "monitord": {
        "day_wait": 10,
        "compress": 1,
        "sign": 1,
        "monitor_agents": 1,
        "keep_log_days": 31,
        "rotate_log": 1,
        "size_rotate": 536870912,
        "daily_rotations": 12,
        "delete_old_agents": 0
      }
    }
  ],
  "total_affected_items": 1,
  "total_failed_items": 0,
  "failed_items": []
},
"message": "Active configuration was successfully read in specified node",
"error": 0
}

Conclusions

  • The requests to get the labels from the manager (manager or cluster mode) are failing.

Current request: GET /manager/configuration/analysis/labels
Expected request to work: GET /manager/configuration/agent/labels

How are we supposed to retrieve this data? Am I missing something or there is a problem with the manager (4.4.x)?

  • The requests to get the reports from the manager (manager or cluster mode) are failing.

Current request: GET /manager/configuration/monitor/reports
Expected request to work: GET /manager/configuration/monitor/internal

The endpoint GET /manager/configuration/monitor/internal doesn't return the data related to the reports tag. Is is required to configure the SMTP server to the reports configuration can be retrieved using this endpoint?

@Selutario Selutario mentioned this issue Jun 20, 2023
Closed
4 tasks
@Desvelao
Copy link
Member

Desvelao commented Jun 20, 2023
edited
Loading

I was talking with some co-workers about the conclusions of my research.

It seems there is a problem in the API retrieving the manager and tags from its configuration. This issue was opened to fix the problem: wazuh/wazuh#17610.

The fixes should not affect the current requests done by the plugin. But we should ensure this is working as expected when the fix is ready. So this issue will be blocked until we could verify the API responses are as expected.

@vikman90's response

Hi guys,
Using API
✅ Get internal options:

$wazuh-api -XGET https://localhost:55000/manager/configuration/monitor/internal

{"data": {"affected_items": [{"monitord": {"day_wait": 10, "compress": 1, "sign": 1, "monitor_agents": 1, "keep_log_days": 31, "rotate_log": 1, "size_rotate": 536870912, "daily_rotations": 12, "delete_old_agents": 0}}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "Active configuration was successfully read", "error": 0}

❌ Get reporting options:

$ wazuh-api -XGET https://localhost:55000/manager/configuration/monitor/reports

{"title": "Bad Request", "detail": "Invalid configuration for the given component: Valid configuration values for 'monitor': {'global', 'internal'}", "error": 1128}

Using direct socket request
✅ Get internal options:

$ echo -n 'getconfig internal' | ~/wazuh-tools/utils/secure-tcp.py /var/ossec/queue/sockets/monitor

ok {"monitord":{"day_wait":10,"compress":1,"sign":1,"monitor_agents":1,"keep_log_days":31,"rotate_log":1,"size_rotate":536870912,"daily_rotations":12,"delete_old_agents":0}}

✅ Get reporting options:

$ echo -n 'getconfig reports' | ~/wazuh-tools/utils/secure-tcp.py /var/ossec/queue/sockets/monitor

ok {"reports":[{"title":"Auth_Report","group":"authentication_failed-","srcip":"192.168.1.10","showlogs":"yes","email_to":["[email protected]"]}]}
root@Rocket:~/wazuh-4.4# wazuh-api -XGET https://localhost:55000/manager/configuration/monitor/reports
{"title": "Bad Request", "detail": "Invalid configuration for the given component: Valid configuration values for 'monitor': {'global', 'internal'}", "error": 1128}

@Selutario identified that:

  • Get manager labels
GET /manager/configuration/analysis/labels
GET /cluster/{node_id}/configuration/analysis/labels
  • Get manager reports
GET /manager/configuration/monitor/reports
GET /cluster/{node_id}/configuration/monitor/reports

These are the current API requests done by the recent plugins, so on our side, these requests don't need to change it.

@wazuhci wazuhci moved this to Blocked in Release 4.5.1 Jul 18, 2023
@Desvelao Desvelao mentioned this issue Jul 18, 2023
Merged
6 tasks
@wazuhci wazuhci moved this from Blocked to In progress in Release 4.5.1 Jul 18, 2023
@Desvelao Desvelao linked a pull request Jul 18, 2023 that will close this issue
Fix API request to get the manager labels and broken documentation link #5687
Merged
6 tasks
@Desvelao
Copy link
Member

Changes

Broken link: https://documentation.wazuh.com/4.4/user-manual/capabilities/labels.html
should be: https://documentation.wazuh.com/current/user-manual/agents/labels.html

@Desvelao
Copy link
Member

Desvelao commented Jul 18, 2023
edited
Loading

Check

Check changes in wazuh/wazuh#17610.

I installed from sources a Wazuh manager based in the current 4.5.1 version.

{"data": {"title": "Wazuh API REST", "api_version": "4.5.1", "revision": 40501, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/v4.5.1/LICENSE", "hostname": "wazuh-manager-master-7102", "timestamp": "2023-07-18T11:10:11Z"}, "error": 0}

Review changes in wazuh/wazuh#17610

Labels manager

I added the following configuration to the ossec.conf of the agent:

<ossec_config>
  <labels>
    <label key="custom">customLabel</label>
  </labels>
</ossec_config>

  • Manager
    Adapting the API request and managing the response:
    image
    image

  • Cluster
    Adapting the API request and managing the response:
    image
    image

Labels - agent

I added the following configuration to the ossec.conf of the agent:

<ossec_config>
  <labels>
    <label key="custom">customLabel</label>
  </labels>
</ossec_config>

The API endpoint is working as expected:

  • API request
    image

  • UI
    image

Reports

Add to the ossec.conf of the manager:

<ossec_config>
  <reports>
    <title>Auth_Report</title>
    <group>authentication_failed,</group>
    <email_to>[email protected]</email_to>
  </reports>
</ossec_config>

  • Cluster node
    image

  • Manager node
    image

  • UI
    image

Conclusions

It seems the endpoint to get the manger labels (manager or cluster node) changed to use:

  • GET /manager/configuration/agent/labels
  • GET /cluster/{node_name}/configuration/agent/labels

instead of

  • GET /manager/configuration/analysis/labels
  • GET /cluster/{node_name}/configuration/analysis/labels
    I had to adapt the request to get the labels from the
Endpoint Working Comment
GET /manager/configuration/agent/labels 🟢 Adapted to new endpoint
GET /cluster/{node_name}/configuration/agent/labels 🟢 Adapted to new endpoint
GET /agent/{agent_id}/configuration/agent/labels 🟢
GET /manager/configuration/analysis/labels 🟢
GET /cluster/{node_name}/configuration/analysis/labels 🟢

@wazuhci wazuhci moved this from In progress to Pending review in Release 4.5.1 Jul 18, 2023
This was linked to pull requests Jul 24, 2023
[Backport 4.5.1-7.16] Fix API request to get the manager labels and broken documentation link #5731
Merged
[Backport 4.5.1-7.10] Fix API request to get the manager labels and broken documentation link #5730
Merged
@wazuhci wazuhci moved this from Pending review to Done in Release 4.5.1 Jul 24, 2023
@asteriscos asteriscos mentioned this issue Aug 7, 2023
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Desvelao Desvelao

Labels
level/task Task issue type/bug Bug issue
Projects
No open projects
Release 4.5.1
Status: Done
Milestone
No milestone
2 participants
@AlexRuiz7 @Desvelao