Test CI

.env

@@ -0,0 +1,2 @@
+WAZUH_VERSION=4.3.3
+WAZUH_IMAGE_VERSION=4.3.3

.github/.goss.yaml

@@ -1,53 +1,3 @@
-file:
-  /etc/filebeat/filebeat.yml:
-    exists: true
-    mode: "0644"
-    owner: root
-    group: root
-    filetype: file
-    contains: []
-  /var/ossec/bin/wazuh-control:
-    exists: true
-    mode: "0750"
-    owner: root
-    group: root
-    filetype: file
-    contains: []
-  /var/ossec/etc/lists/audit-keys:
-    exists: true
-    mode: "0660"
-    owner: wazuh
-    group: wazuh
-    filetype: file
-    contains: []
-  /var/ossec/etc/ossec.conf:
-    exists: true
-    mode: "0660"
-    owner: root
-    group: wazuh
-    filetype: file
-    contains: []
-  /var/ossec/etc/rules/local_rules.xml:
-    exists: true
-    mode: "0660"
-    owner: wazuh
-    group: wazuh
-    filetype: file
-    contains: []
-  /var/ossec/etc/sslmanager.cert:
-    exists: true
-    mode: "0640"
-    owner: root
-    group: root
-    filetype: file
-    contains: []
-  /var/ossec/etc/sslmanager.key:
-    exists: true
-    mode: "0640"
-    owner: root
-    group: root
-    filetype: file
-    contains: []
 package:
   filebeat:
     installed: true
@@ -56,7 +6,7 @@ package:
   wazuh-manager:
     installed: true
     versions:
-    - 4.3.4
+    - 4.3.4-1
 port:
   tcp:1514:
     listening: true
@@ -70,28 +20,6 @@ port:
     listening: true
     ip:
     - 0.0.0.0
-user:
-  wazuh:
-    exists: true
-    groups:
-    - wazuh
-    home: /var/ossec
-    shell: /sbin/nologin
-  wazuh:
-    exists: true
-    groups:
-    - wazuh
-    home: /var/ossec
-    shell: /sbin/nologin
-  wazuh:
-    exists: true
-    groups:
-    - wazuh
-    home: /var/ossec
-    shell: /sbin/nologin
-group:
-  wazuh:
-    exists: true
 process:
   filebeat:
     running: true

.github/multi-node-fb-check.sh

@@ -0,0 +1,18 @@
+fbout1=$(docker exec multi-node_wazuh.master_1 sh -c 'filebeat test output')
+fbstatus1=$(echo "${fbout1}" | grep -c OK)
+if [[ fbstatus1 -eq 7 ]]; then
+ echo "No errors in master filebeat"
+else
+ echo "Errors in master filebeat"
+ echo "${fbout1}"
+ exit 1
+fi
+fbout2=$(docker exec multi-node_wazuh.worker_1 sh -c 'filebeat test output')
+fbstatus2=$(echo "${fbout2}" | grep -c OK)
+if [[ fbstatus2 -eq 7 ]]; then
+ echo "No errors in worker filebeat"
+else
+ echo "Errors in worker filebeat"
+ echo "${fbout2}"
+ exit 1
+fi

.github/multi-node-log-check.sh

@@ -0,0 +1,16 @@
+log1=$(docker exec multi-node_wazuh.master_1 sh -c 'cat /var/ossec/logs/ossec.log' | grep -P "ERR|WARN|CRIT")
+if [[ -z "$log1" ]]; then
+ echo "No errors in master ossec.log"
+else
+ echo "Errors in master ossec.log:"
+ echo "${log1}"
+ exit 1
+fi
+log2=$(docker exec multi-node_wazuh.worker_1 sh -c 'cat /var/ossec/logs/ossec.log' | grep -P "ERR|WARN|CRIT")
+if [[ -z "${log2}" ]]; then
+ echo "No errors in worker ossec.log"
+else
+ echo "Errors in worker ossec.log:"
+ echo "${log2}"
+ exit 1
+fi

.github/single-node-fb-check.sh

@@ -0,0 +1,9 @@
+fbout=$(docker exec single-node_wazuh.manager_1 sh -c 'filebeat test output')
+fbstatus=$(echo "${fbout}" | grep -c OK)
+if [[ fbstatus -eq 7 ]]; then
+  echo "No errors in filebeat"
+else
+  echo "Errors in filebeat"
+  echo "${fbout}"
+  exit 1
+fi

.github/single-node-log-check.sh

@@ -0,0 +1,8 @@
+log=$(docker exec single-node_wazuh.manager_1 sh -c 'cat /var/ossec/logs/ossec.log' | grep -P "ERR|WARN|CRIT")
+if [[ -z "$log" ]]; then
+ echo "No errors in ossec.log"
+else
+ echo "Errors in ossec.log:"
+ echo "${log}"
+ exit 1
+fi

.github/workflows/push.yml

@@ -1,6 +1,6 @@
 name: Wazuh Docker pipeline
 
-on: [push]
+on: [pull_request]
 
 jobs:
   build-stack:
@@ -8,24 +8,210 @@ jobs:
     steps:
 
     - name: Check out code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
-    - name: Build the docker-compose stack
+    - name: Build Wazuh images
-      run: docker-compose -f build-wazuh-images.yml up -d --build
+      run: build-docker-images/build-images.sh
 
-    - name: Check running containers
+    - name: Create enviroment variables
-      run: docker ps -a
+      run: cat .env > $GITHUB_ENV
-
-    - name: Shutdown the stack
-      run: docker-compose -f build-wazuh-images.yml kill
 
     - name: Install Goss
       uses: e1himself/goss-installation-action@v1.0.3
       with:
         version: v0.3.16
 
-    - name: Execute Goss tests (wazuh-odfe)
+    - name: Execute Goss tests (wazuh-manager)
-      run: dgoss run wazuh/wazuh-manager:4.3.4
+      run: dgoss run wazuh/wazuh-manager:${{env.WAZUH_IMAGE_VERSION}}
       env:
         GOSS_SLEEP: 30
-        GOSS_FILE: .github/.goss.yaml
+        GOSS_FILE: .github/.goss.yaml
+
+    - name: Create single node certficates
+      run: docker-compose -f single-node/generate-indexer-certs.yml run --rm generator
+
+    - name: Start single node stack
+      run: docker-compose -f single-node/docker-compose.yml up -d
+
+    - name: Check Wazuh indexer start
+      run: |
+       sleep 60
+       status_green="`curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s | grep green | wc -l`"
+       if [[ $status_green -eq 1 ]]; then
+        curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
+       else
+        curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
+        exit 1
+       fi
+       status_index="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | wc -l`"
+       status_index_green="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | grep -E "green" | wc -l`"
+       if [[ $status_index_green -eq $status_index ]]; then
+        curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
+       else
+        curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
+        exit 1
+       fi
+
+
+    - name: Check Wazuh indexer nodes
+      run: |
+       nodes="`curl -XGET "https://0.0.0.0:9200/_cat/nodes" -u admin:SecretPassword -k -s | grep -E "indexer" | wc -l`"
+       if [[ $nodes -eq 1 ]]; then
+        echo "Wazuh indexer nodes: ${nodes}"
+       else
+        echo "Wazuh indexer nodes: ${nodes}"
+        exit 1
+       fi
+
+    - name: Check documents into wazuh-alerts index
+      run: |
+       docs="`curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_doc/_search" -u admin:SecretPassword -k -s | jq -r ".hits.total.value"`"
+       if [[ $docs -gt 100 ]]; then
+        echo "wazuh-alerts index documents: ${docs}"
+       else
+        echo "wazuh-alerts index documents: ${docs}"
+        exit 1
+       fi
+
+    - name: Check Wazuh templates
+      run: |
+       qty_templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep -E "wazuh ||wazuh-agent||wazuh-statistics" | wc -l`"
+       templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep -E "wazuh ||wazuh-agent||wazuh-statistics"`"
+       if [[ $qty_templates -eq 3 ]]; then
+        echo "wazuh templates:"
+        echo "${templates}"
+       else
+        echo "wazuh templates:"
+        echo "${templates}"
+        exit 1
+       fi
+
+    - name: Check Wazuh manager start
+      run: |
+        services="`curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H  "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`"
+        if [[ $services -gt 9 ]]; then
+          echo "Wazuh Manager Services: ${services}"
+          echo "OK"
+        else
+          echo "Wazuh indexer nodes: ${nodes}"
+          curl -k -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H  "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items
+          exit 1
+        fi
+      env:
+        TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
+
+    - name: Check errors in ossec.log
+      run: ./.github/single-node-log-check.sh
+
+
+    - name: Check filebeat output
+      run: ./.github/single-node-fb-check.sh
+
+    - name: Check Wazuh dashboard service URL
+      run: |
+       status=$(curl -XGET --silent  https://0.0.0.0:443/app/status -k -u admin:SecretPassword -I -s | grep -E "^HTTP" | awk  '{print $2}')
+       if [[ $status -eq 200 ]]; then
+        echo "Wazuh dashboard status: ${status}"
+       else
+        echo "Wazuh dashboard status: ${status}"
+        exit 1
+       fi
+
+    - name: Stop single node stack
+      run: docker-compose -f single-node/docker-compose.yml down
+
+    - name: Create multi node certficates
+      run: docker-compose -f multi-node/generate-indexer-certs.yml run --rm generator
+
+    - name: Start multi node stack
+      run: docker-compose -f multi-node/docker-compose.yml up -d
+
+    - name: Check Wazuh indexer start
+      run: |
+       sleep 120
+       status_green="`curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s | grep green | wc -l`"
+       if [[ $status_green -eq 1 ]]; then
+        curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
+       else
+        curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
+        exit 1
+       fi
+       status_index="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | wc -l`"
+       status_index_green="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | grep -E "green" | wc -l`"
+       if [[ $status_index_green -eq $status_index ]]; then
+        curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
+       else
+        curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
+        exit 1
+       fi
+
+    - name: Check Wazuh indexer nodes
+      run: |
+       nodes="`curl -XGET "https://0.0.0.0:9200/_cat/nodes" -u admin:SecretPassword -k -s | grep -E "indexer" | wc -l`"
+       if [[ $nodes -eq 3 ]]; then
+        echo "Wazuh indexer nodes: ${nodes}"
+       else
+        echo "Wazuh indexer nodes: ${nodes}"
+        exit 1
+       fi
+
+    - name: Check documents into wazuh-alerts index
+      run: |
+       docs="`curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_doc/_search" -u admin:SecretPassword -k -s | jq -r ".hits.total.value"`"
+       if [[ $docs -gt 200 ]]; then
+        echo "wazuh-alerts index documents: ${docs}"
+       else
+        echo "wazuh-alerts index documents: ${docs}"
+        exit 1
+       fi
+
+    - name: Check Wazuh templates
+      run: |
+       qty_templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep "wazuh" | wc -l`"
+       templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep "wazuh"`"
+       if [[ $qty_templates -gt 0 ]]; then
+        echo "wazuh templates:"
+        echo "${templates}"
+       else
+        echo "wazuh templates:"
+        echo "${templates}"
+        exit 1
+       fi
+
+    - name: Check Wazuh manager start
+      run: |
+        services="`curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H  "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`"
+        if [[ $services -gt 10 ]]; then
+          echo "Wazuh Manager Services: ${services}"
+          echo "OK"
+        else
+          echo "Wazuh indexer nodes: ${nodes}"
+          curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H  "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items
+          exit 1
+        fi
+        nodes=$(curl -k -s -X GET "https://0.0.0.0:55000/cluster/nodes" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r ".data.affected_items[].name" | wc -l)
+        if [[ $nodes -eq 2 ]]; then
+         echo "Wazuh manager nodes: ${nodes}"
+        else
+         echo "Wazuh manager nodes: ${nodes}"
+         exit 1
+        fi
+      env:
+        TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
+
+    - name: Check errors in ossec.log
+      run: ./.github/multi-node-log-check.sh
+
+
+    - name: Check filebeat output
+      run: ./.github/multi-node-fb-check.sh
+
+    - name: Check Wazuh dashboard service URL
+      run: |
+       status=$(curl -XGET --silent  https://0.0.0.0:443/app/status -k -u admin:SecretPassword -I | grep -E "^HTTP" | awk  '{print $2}')
+       if [[ $status -eq 200 ]]; then
+        echo "Wazuh dashboard status: ${status}"
+       else
+        echo "Wazuh dashboard status: ${status}"
+        exit 1
+       fi

.gitignore

@@ -1,4 +1,4 @@
 single-node/config/wazuh_indexer_ssl_certs/*.pem
 single-node/config/wazuh_indexer_ssl_certs/*.key
 multi-node/config/wazuh_indexer_ssl_certs/*.pem
-multi-node/config/wazuh_indexer_ssl_certs/*.key
+multi-node/config/wazuh_indexer_ssl_certs/*.key

build-docker-images/build-images.sh

@@ -0,0 +1,15 @@
+WAZUH_IMAGE_VERSION=4.3.4
+WAZUH_VERSION=$(echo $WAZUH_IMAGE_VERSION | sed -e 's/\.//g')
+WAZUH_ACTUAL_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2- | sed -e 's/\.//g')
+
+## If wazuh manager exists in apt dev repository, change variables, if not, exit 1
+if [ "$WAZUH_VERSION" -le "$WAZUH_ACTUAL_VERSION" ]; then
+  IMAGE_VERSION=${WAZUH_IMAGE_VERSION}
+else
+  IMAGE_VERSION=${WAZUH_IMAGE_VERSION}-dev
+fi
+
+echo WAZUH_VERSION=$WAZUH_IMAGE_VERSION > .env
+echo WAZUH_IMAGE_VERSION=$IMAGE_VERSION >> .env
+
+docker-compose -f build-docker-images/build-images.yml --env-file .env build --no-cache

build-docker-images/build-images.yml

@@ -3,8 +3,11 @@ version: '3.7'
 
 services:
   wazuh.manager:
-    build:  wazuh-manager/
+    build:
-    image: wazuh/wazuh-manager:4.3.4
+      context: wazuh-manager/
+      args:
+        - WAZUH_VERSION=${WAZUH_VERSION}
+    image: wazuh/wazuh-manager:${WAZUH_IMAGE_VERSION}
     hostname: wazuh.manager
     restart: always
     ports:
@@ -31,8 +34,11 @@ services:
       - filebeat_var:/var/lib/filebeat
 
   wazuh.indexer:
-    build: wazuh-indexer/
+    build:
-    image: wazuh/wazuh-indexer:4.3.4
+      context: wazuh-indexer/
+      args:
+        - WAZUH_VERSION=${WAZUH_VERSION}
+    image: wazuh/wazuh-indexer:${WAZUH_IMAGE_VERSION}
     hostname: wazuh.indexer
     restart: always
     ports:
@@ -48,8 +54,11 @@ services:
         hard: 65536
 
   wazuh.dashboard:
-    build: wazuh-dashboard/
+    build:
-    image: wazuh/wazuh-dashboard:4.3.4
+      context: wazuh-dashboard/
+      args:
+        - WAZUH_VERSION=${WAZUH_VERSION}
+    image: wazuh/wazuh-dashboard:${WAZUH_IMAGE_VERSION}
     hostname: wazuh.dashboard
     restart: always
     ports:

build-docker-images/wazuh-dashboard/Dockerfile

@@ -1,8 +1,7 @@
 # Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 FROM ubuntu:focal AS builder
 
-ARG WAZUH_VERSION=4.3.4
+ARG WAZUH_VERSION
-ARG WAZUH_UI_REVISION=1
 ARG INSTALL_DIR=/usr/share/wazuh-dashboard
 
 # Update and install dependencies
@@ -20,8 +19,14 @@ COPY config/config.sh .
 COPY config/config.yml /
 RUN bash config.sh
 
-# Install Wazuh App
+# Create and configure Wazuh dashboard keystore
-RUN $INSTALL_DIR/bin/opensearch-dashboards-plugin install https://packages.wazuh.com/4.x/ui/dashboard/wazuh-${WAZUH_VERSION}-${WAZUH_UI_REVISION}.zip --allow-root
+RUN $INSTALL_DIR/bin/opensearch-dashboards-keystore create --allow-root && \
+    echo kibanaserver | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.username --stdin --allow-root && \
+    echo kibanaserver | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.password --stdin --allow-root
+
+COPY config/install_wazuh_app.sh /
+RUN chmod 775 /install_wazuh_app.sh
+RUN bash /install_wazuh_app.sh
 
 # Copy and set permissions to config files
 COPY config/opensearch_dashboards.yml $INSTALL_DIR/config/

build-docker-images/wazuh-dashboard/config/install_wazuh_app.sh

@@ -0,0 +1,12 @@
+## Variables
+WAZUH_IMAGE_VERSION=$(echo $WAZUH_VERSION | sed -e 's/\.//g')
+WAZUH_ACTUAL_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2- | sed -e 's/\.//g')
+## If wazuh manager exists in apt dev repository, change variables, if not exit 1
+if [ "$WAZUH_IMAGE_VERSION" -le "$WAZUH_ACTUAL_VERSION" ]; then
+  WAZUH_APP=https://packages.wazuh.com/4.x/ui/dashboard/wazuh-${WAZUH_VERSION}-1.zip
+else
+  WAZUH_APP=https://packages-dev.wazuh.com/pre-release/ui/dashboard/wazuh-${WAZUH_VERSION}-1.zip
+fi
+
+# Install Wazuh App
+$INSTALL_DIR/bin/opensearch-dashboards-plugin install $WAZUH_APP --allow-root

build-docker-images/wazuh-indexer/Dockerfile

@@ -1,6 +1,8 @@
 # Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 FROM ubuntu:focal AS builder
 
+ARG WAZUH_VERSION
+
 RUN apt-get update -y && apt-get install curl openssl xz-utils -y
 
 COPY config/opensearch.yml /

build-docker-images/wazuh-indexer/config/config.sh

@@ -8,7 +8,7 @@ export TARGET_DIR=${CURDIR}/debian/${NAME}
 # Package build options
 export USER=${NAME}
 export GROUP=${NAME}
-export VERSION=4.3.4
+export VERSION=${WAZUH_VERSION}
 export LOG_DIR=/var/log/${NAME}
 export LIB_DIR=/var/lib/${NAME}
 export PID_DIR=/run/${NAME}

build-docker-images/wazuh-manager/Dockerfile

@@ -1,7 +1,9 @@
 # Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 FROM ubuntu:focal
 
-ARG WAZUH_VERSION=4.3.4
+RUN rm /bin/sh && ln -s /bin/bash /bin/sh
+
+ARG WAZUH_VERSION
 ARG TEMPLATE_VERSION=4.3
 ARG FILEBEAT_CHANNEL=filebeat-oss
 ARG FILEBEAT_VERSION=7.10.2
@@ -9,9 +11,12 @@ ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz"
 
 RUN apt-get update && apt install curl apt-transport-https lsb-release gnupg -y
 
-RUN apt-key adv --fetch-keys https://packages.wazuh.com/key/GPG-KEY-WAZUH && \
+COPY config/check_repository.sh /
-    echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list && \
+
-    apt-get update && \
+RUN chmod 775 /check_repository.sh
+RUN source /check_repository.sh
+
+RUN apt-get update && \
     apt-get install wazuh-manager=${WAZUH_VERSION}-1
 
 RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb &&\

build-docker-images/wazuh-manager/config/check_repository.sh

@@ -0,0 +1,13 @@
+## Variables
+WAZUH_IMAGE_VERSION=$(echo $WAZUH_VERSION | sed -e 's/\.//g')
+WAZUH_ACTUAL_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2- | sed -e 's/\.//g')
+## If wazuh manager exists in apt dev repository, change variables, if not exit 1
+if [ "$WAZUH_IMAGE_VERSION" -le "$WAZUH_ACTUAL_VERSION" ]; then
+  APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
+  REPOSITORY="deb https://packages.wazuh.com/4.x/apt/ stable main"
+else
+  APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
+  REPOSITORY="deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main"
+fi
+apt-key adv --fetch-keys ${APT_KEY}
+echo ${REPOSITORY} | tee -a /etc/apt/sources.list.d/wazuh.list

multi-node/config/wazuh_cluster/wazuh_manager.conf

@@ -349,24 +349,9 @@
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
 
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/auth.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/syslog</location>
-  </localfile>
-
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/dpkg.log</location>
   </localfile>
 
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/kern.log</location>
-  </localfile>
-
 </ossec_config>

multi-node/config/wazuh_cluster/wazuh_worker.conf

@@ -349,24 +349,9 @@
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
 
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/auth.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/syslog</location>
-  </localfile>
-
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/dpkg.log</location>
   </localfile>
 
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/kern.log</location>
-  </localfile>
-
 </ossec_config>

single-node/prueba.sh

@@ -0,0 +1,6 @@
+nodes="`curl -XGET "https://0.0.0.0:9200/_cat/nodes" -u admin:SecretPassword -k  | grep -E "indexer" | wc -l`"
+if [[ $nodes -eq 1 ]]; then
+ echo "bien"
+else
+ echo "mal"
+fi