
Global queries FIM - Investigate impact on installation/upgrade - Wazuh virtual machines #206

Closed
2 of 3 tasks
c-bordon opened this issue Feb 12, 2025 · 3 comments
Labels
level/subtask Subtask issue type/change Change performed in a resource or Wazuh Cloud environment

Comments

@c-bordon
Member

c-bordon commented Feb 12, 2025

Description

The issue aims to investigate if the new persisted file needs special handling in the creation of the OVA and the AMI.

  • /var/ossec/queue/indexer/wazuh-states-[index_name]-[cluster_name]

Tasks

  • Investigate if this file needs special handling in the OVA build
  • Investigate if this file needs special handling in the AMI build

DRI

@c-bordon c-bordon added level/subtask Subtask issue type/change Change performed in a resource or Wazuh Cloud environment labels Feb 12, 2025
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 4.13.0 Feb 12, 2025
@c-bordon c-bordon assigned fcaffieri and unassigned CarlosALgit Feb 13, 2025
@fcaffieri
Member

On hold due to a priority issue https://github.com/wazuh/wazuh-automation/issues/2085

@wazuhci wazuhci moved this from Backlog to On hold in XDR+SIEM/Release 4.13.0 Feb 13, 2025
@wazuhci wazuhci moved this from On hold to In progress in XDR+SIEM/Release 4.13.0 Feb 25, 2025
@fcaffieri
Member

fcaffieri commented Feb 25, 2025

After analyzing the code of the AMI and the OVA, no changes were detected in general. This is because the installation is done in a standard way through packages.
What is detected is that a cleaning of the indexes is done in both cases.

OVA:

The provisioner has the following:

INDEXES=("wazuh-alerts-*" "wazuh-archives-*" "wazuh-states-vulnerabilities-*" "wazuh-statistics-*" "wazuh-monitoring-*")

.....

# Delete indexes
echo "Deleting indexes"
for index in "${INDEXES[@]}"; do
    curl -u admin:admin -XDELETE "https://127.0.0.1:9200/$index" -k
done

In this case, it may be necessary to perform a regex on the new indexes to clean them up.

AMI:

In the AMI playbook, the following steps were detected:

- name: Define list of Indexer indices
  set_fact:
    indexer_indices:
      - wazuh-alerts
      - wazuh-archives
      - wazuh-states-vulnerabilities
      - wazuh-statistics
      - wazuh-monitoring

- name: Delete Indexer indices
  uri:
    url: "https://localhost:9200/{{ item }}-*"
    method: DELETE
    user: admin
    password: "{{ old_password }}"
    validate_certs: no
    status_code: 200
  loop: "{{ indexer_indices }}"
  register: delete_response

This is a similar case to the OVA; it may be necessary to add the new states indexes.
Both modifications, if necessary, are very simple changes with a low impact. Otherwise, there are no further modifications or references to the states.
Once the changes, packages and branches are ready, it would be important to perform some tests to validate that everything is generated correctly. The issue is moved to pending review, and the tests can be performed in a new one.
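A dry-run check of which index names the cleanup patterns quoted above would delete and which would be left behind, as an added example that is not code from the OVA provisioner, the AMI playbook or the Wazuh project. The sample index names are constructed, and a single `wazuh-states-*` glob is assumed to be the intended generalization for the new `wazuh-states-[index_name]-[cluster_name]` indexes.

```shell
#!/bin/sh
# Added example (not the provisioner's or playbook's code): dry-run of the
# index cleanup patterns against a list of index names. Sample names are
# constructed; in a real build they would come from something like:
#   curl -s -k -u admin:admin "https://127.0.0.1:9200/_cat/indices?h=index"
set -f   # no pathname expansion: the globs below are only used in case matching

# Patterns as quoted from the OVA provisioner in the issue (space separated).
CURRENT_PATTERNS='wazuh-alerts-* wazuh-archives-* wazuh-states-vulnerabilities-* wazuh-statistics-* wazuh-monitoring-*'
# Assumed generalization: one wazuh-states-* glob also covers the new
# wazuh-states-<index_name>-<cluster_name> indexes.
PROPOSED_PATTERNS='wazuh-alerts-* wazuh-archives-* wazuh-states-* wazuh-statistics-* wazuh-monitoring-*'

# Constructed sample of index names, one per line (hypothetical, for the dry run).
SAMPLE_INDEXES='wazuh-alerts-4.x-2025.02.25
wazuh-states-vulnerabilities-wazuh-cluster
wazuh-states-fim-files-wazuh-cluster
wazuh-monitoring-2025.08w
.opendistro_security'

# matches_any NAME "PAT1 PAT2 ..." -> exit 0 if NAME matches one of the globs.
matches_any() {
  name=$1
  for pat in $2; do
    case "$name" in $pat) return 0 ;; esac
  done
  return 1
}

# leftover_indexes "PAT1 PAT2 ...": reads index names on stdin and prints the
# wazuh-* ones that match none of the patterns, i.e. that would survive cleanup.
leftover_indexes() {
  while IFS= read -r name; do
    case "$name" in wazuh-*) ;; *) continue ;; esac
    matches_any "$name" "$1" || printf '%s\n' "$name"
  done
}

# Convenience wrapper: leftovers from the constructed sample for a pattern set.
leftover_with() { printf '%s\n' "$SAMPLE_INDEXES" | leftover_indexes "$1"; }

# Dry run: report what each pattern set would leave in the image.
echo "Left behind by current patterns:";  leftover_with "$CURRENT_PATTERNS"
echo "Left behind by proposed patterns:"; leftover_with "$PROPOSED_PATTERNS"
```

The same check works for the AMI playbook by joining each `indexer_indices` entry with `-*` before feeding it to `leftover_indexes`.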

@wazuhci wazuhci moved this from In progress to Pending review in XDR+SIEM/Release 4.13.0 Feb 25, 2025
@wazuhci wazuhci moved this from Pending review to In review in XDR+SIEM/Release 4.13.0 Feb 26, 2025
@c-bordon
Member Author

Issue for development created #222

@wazuhci wazuhci moved this from In review to Done in XDR+SIEM/Release 4.13.0 Feb 26, 2025