wazuh-puppet
wazuh-puppet copied to clipboard
wazuh
param agent: use systemd for supported debian/ubuntu distro
currently we can't restart wazuh-agent service on configuration change because no service provider is defined
Hi @aderumier
Thank you for contributing to Wazuh!
Before I test your changes, I tested the changes you made in your branch aderumier/wazuh-puppet/tree/fix-agent-reload on Ubuntu/Xenial OS and it works as expected without any errors.
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
Looking at your changes and especially, at this commit https://github.com/wazuh/wazuh-puppet/pull/176/commits/fdf45693dfa35acd398acadb6d1f0ab04d951427 I have the following notes.
- As you can see here, for Debian distribution, by default we set the service status and provider to
falseandundefrespectively.
https://github.com/wazuh/wazuh-puppet/blob/042ea696e5219833e0d0c67cf803aa733985dfb0/manifests/params_agent.pp#L183-L186
And for Ubuntu/Xenial OS we then specify no value for the mentioned variables so they still have the default values defined before. But this will not prevent the task where a reload of the service wazuh-agent is required to work correctly, specifically talking about the following task.
concat { 'ossec.conf':
path => $wazuh::params_agent::config_file,
owner => $wazuh::params_agent::config_owner,
group => $wazuh::params_agent::config_group,
mode => $wazuh::params_agent::config_mode,
require => Package[$agent_package_name],
notify => Service[$agent_service_name],
}
wazuh-agent and by default when it's installed, will get created an init service script in
/etc/init.d/etc/systemd/system/wazuh-agent.service. " If systemd is supported "
When running notify => Service[$agent_service_name], and in case of setting
$service_has_status = false
$ossec_service_provider = undef
I suppose puppet will search for wazuh-agent init script in /etc/init.d/ and will not fail.
To really get to know more details about your issue which makes it necessary to have such changes, could you please paste the error message you're getting with puppet, this way I'll be guided better.
Waiting for your reply.
Kr,
Rshad Zhran
Hi, sorry to be late,
if you have "$service_has_status = false" , puppet can't reload the service on notify.
just run puppet agent in debug mode, you'll see an extra log that it skipping it, even if it's display in standard ouput that service is reloaded.
something like "Skipping restart; service is not running"
https://github.com/puppetlabs/puppet/blob/master/lib/puppet/type/service.rb
def refresh # Only restart if we're actually running if (@parameters[:ensure] || newattr(:ensure)).retrieve == :running provider.restart else debug "Skipping restart; service is not running" end end
Hi @aderumier!
Happy new year!
I re-tested the installation with DEBUG mode and got the following log lines corresponding to the task:
concat { 'ossec.conf':
path => $wazuh::params_agent::config_file,
owner => $wazuh::params_agent::config_owner,
group => $wazuh::params_agent::config_group,
mode => $wazuh::params_agent::config_mode,
require => Package[$agent_package_name],
notify => Service[$agent_service_name],
}
Log Output
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/Concat_file[ossec.conf]/before: before to File[/var/ossec/etc/ossec.conf]
Debug: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/notify: notify to Class[Apt::Update]
Debug: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]/notify: notify to Class[Apt::Update]
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/Concat_file[ossec.conf]: Skipping automatic relationship with File[/var/ossec/etc/ossec.conf]
Also if we look over the log output related to the task:
exec { 'agent-auth-linux':
command => $agent_auth_command,
unless => "/bin/egrep -q '.' ${::wazuh::params_agent::keys_file}",
require => Concat['ossec.conf'],
before => Service[$agent_service_name],
}
Debug: Exec[agent-auth-without-pwd](provider=posix): Executing '/var/ossec/bin/agent-auth -m 172.17.0.3 '
Debug: Executing: '/var/ossec/bin/agent-auth -m 172.17.0.3 '
Notice: /Stage[main]/Wazuh::Agent/Exec[agent-auth-without-pwd]/returns: executed successfully
Debug: /Stage[main]/Wazuh::Agent/Exec[agent-auth-without-pwd]: The container Class[Wazuh::Agent] will propagate my refresh event
Debug: Service[wazuh-agent](provider=upstart): Could not find wazuh-agent.conf in /etc/init
Debug: Service[wazuh-agent](provider=upstart): Could not find wazuh-agent.conf in /etc/init.d
Debug: Service[wazuh-agent](provider=upstart): Could not find wazuh-agent in /etc/init
Debug: Service[wazuh-agent](provider=upstart): Executing 'ps -ef'
Debug: Executing: 'ps -ef'
Debug: Executing: '/etc/init.d/wazuh-agent start'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running'
Note that in response to the ensure statement
service { $agent_service_name:
ensure => $agent_service_ensure
.
. ...
Response
Debug: Executing: '/etc/init.d/wazuh-agent start'
I'm not getting any error or Skipping refresh alike messages. I would really appreciate it if you paste the exact error message you get in your case.
Waiting for your reply.
Kind regards,
Rshad
something else related:
on each puppet run, I have:
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running' (corrective)
This is because of default ensure=>running, but status of the service can't be checked with init.d script. (don't have tested with upstart)
now about the bug itself, a simple test: edit ossec.conf, add a space or any character, launch puppet:
Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum eb941affce7a2375c2af936b9209c833
Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200114-28196-akjdme'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}eb941affce7a2375c2af936b9209c833' to '{md5}0b349588782ce2b7ecba5f7137ad559e' (corrective)
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container Concat[ossec.conf] will propagate my refresh event
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container ossec.conf will propagate my refresh event
Debug: ossec.conf: The container Concat[ossec.conf] will propagate my refresh event
Debug: Concat[ossec.conf]: The container Class[Wazuh::Agent] will propagate my refresh event
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Debug: Exec[agent-auth-linux](provider=posix): Executing check '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]: '/var/ossec/bin/agent-auth -m X.X.X.X ' won't be executed because of failed check 'unless'
Debug: Service[wazuh-agent](provider=debian): Executing 'ps -ef'
Debug: Executing: 'ps -ef'
**Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Skipping restart; service is not running**
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 event
service restart is skipped, because puppet can't see if the service is running or not. (because init.d status is not working).
**Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Skipping restart; service is not running**`
Also this is strange:
Debug: Service[wazuh-agent](provider=debian): Executing 'ps -ef'
not sure, but because we don't have hasstatus on service, I think puppet try to fallback looking at "wazuh-agent" process. But this is not exist (because with have multiple ossec process).
Looking at your log
Debug: Service[wazuh-agent](provider=upstart): Executing 'ps -ef'
Debug: Executing: 'ps -ef'
Debug: Executing: '/etc/init.d/wazuh-agent start'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running'
I think what you see the the agent stopped->running , that you can have at each run, because puppet is enable to find the status with "ps -ef"
maybe check your ossec process uptime, but I'm pretty sure they are not restarted. (or maybe remove ensure=>running to avoid confusion for testing)
Note that ,
$service_has_status = true
fix it (without need to change to provider systemd)
init.d script have
status() { ${DIRECTORY}/bin/ossec-control status } and correctly return 0 when no problem occur.
Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum eb941affce7a2375c2af936b9209c833
Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200115-24090-3rtl1h'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}eb941affce7a2375c2af936b9209c833' to '{md5}0b349588782ce2b7ecba5f7137ad559e' (corrective)
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container Concat[ossec.conf] will propagate my refresh event
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container ossec.conf will propagate my refresh event
Debug: ossec.conf: The container Concat[ossec.conf] will propagate my refresh event
Debug: Concat[ossec.conf]: The container Class[Wazuh::Agent] will propagate my refresh event
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Debug: Exec[agent-auth-linux](provider=posix): Executing check '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]: '/var/ossec/bin/agent-auth -m X.X.X.X ' won't be executed because of failed check 'unless'
Debug: Executing: '/bin/systemctl is-enabled wazuh-agent'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl restart wazuh-agent'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 event
Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: The container Class[Wazuh::Agent]
Hey @aderumier ,
Our apologies for the late review, we will take this back ASAP and will let you know about anything. Please stay tuned to this thread and thanks again for contributing here.
Cheers
Hi @aderumier !
Sorry for the late update. I'll review your updates and I'll be back with an analysis.
Kr,
Rshad
Hi @aderumier !
Testing with:
wazuh-puppet 3.12.0_7.6.1- Ubuntu 18.04
Thank you for the analysis. Actually I could not reproduce the case when the wazuh-agent service is not restarted when the file ossec.conf is modified. I don't agree with you because accepting that wazuh-agent service is not being restarted by Puppet will lead the installation to fail or better said, the agent service, when rendering the configuration of wazuh-agent by the execution of the manifest agent.pp, or at least the service wazuh-agent will not take into account the changes we apply to ossec.conf in the different tasks that agent.pp runs.
Running puppet agent -t after modifying ossec.conf in the agent host
After adding a new path to the directories monitored by syscheck and without manually restarting wazuh-agent I ran puppet agent -t and as I expected the ossec.conf will be restarted and no error is produced.
- I added
/root/testto:
<directories check_all="yes" >/etc,/usr/bin,/usr/sbin,/root/test/</directories>
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf 2020-03-25 14:24:37.814079928 +0000
+++ /tmp/puppet-file20200325-26470-1yjsjtk 2020-03-25 14:25:15.733029928 +0000
@@ -85,7 +85,7 @@
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
- <directories check_all="yes" >/etc,/usr/bin,/usr/sbin,/root/test/</directories>
+ <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes" >/bin,/sbin,/boot</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
@@ -164,4 +164,4 @@
</active-response>
-</ossec_config>
+</ossec_config>
\ No newline at end of file
Info: Computing checksum on file /var/ossec/etc/ossec.conf
Debug: Evicting cache entry for environment 'production'
Debug: Caching environment 'production' (ttl = 0 sec)
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum 4593763bcc5439a7ed8539e8554f3b47
Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200325-26470-98aptl'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}4593763bcc5439a7ed8539e8554f3b47' to '{md5}a5598a92b34f131dc0cb64dd3bb94054'
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container Concat[ossec.conf] will propagate my refresh event
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container ossec.conf will propagate my refresh event
Debug: ossec.conf: The container Concat[ossec.conf] will propagate my refresh event
Debug: Concat[ossec.conf]: The container Class[Wazuh::Agent] will propagate my refresh event
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Debug: Exec[agent-auth-linux](provider=posix): Executing check '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl is-enabled wazuh-agent'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl restart wazuh-agent'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 events
Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: The container Class[Wazuh::Agent] will propagate my refresh event
Debug: Class[Wazuh::Agent]: The container Stage[main] will propagate my refresh event
Debug: Finishing transaction 17098800
Debug: Storing state
Debug: Stored state in 0.02 seconds
Notice: Applied catalog in 6.09 seconds
- I also tried the same scenario but by adding a character in
ossec.confso I could make it fail when running Puppet, but as expected it was overwritten by Puppet and the execution log is as follows.
Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200325-28257-h9cb1i'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf 2020-03-25 14:52:47.445046131 +0000
+++ /tmp/puppet-file20200325-28257-h9cb1i 2020-03-25 14:53:15.297046131 +0000
@@ -1,6 +1,6 @@
<ossec_config>
<client>
- s<server>
+ <server>
<address>172.17.0.101</address>
<protocol>udp</protocol>
<port>1514</port>
@@ -164,4 +164,4 @@
</active-response>
-</ossec_config>
+</ossec_config>
\ No newline at end of file
Info: Computing checksum on file /var/ossec/etc/ossec.conf
Debug: Evicting cache entry for environment 'production'
Debug: Caching environment 'production' (ttl = 0 sec)
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet w ith sum 3720a938e42cbbb37322a03009638bad
Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200325-28257-u1o7h6'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}3720a938e42cbbb373 22a03009638bad' to '{md5}1b2d40e5dea4f08ed62aef27891c50e7'
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container Concat[ossec.conf] will propagate m y refresh event
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container ossec.conf will propagate my refres h event
Debug: ossec.conf: The container Concat[ossec.conf] will propagate my refresh event
Debug: Concat[ossec.conf]: The container Class[Wazuh::Agent] will propagate my refresh event
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Debug: Exec[agent-auth-linux](provider=posix): Executing check '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl is-enabled wazuh-agent'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl restart wazuh-agent'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 events
Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: The container Class[Wazuh::Agent] will propagate my refresh event
Debug: Class[Wazuh::Agent]: The container Stage[main] will propagate my refresh event
Debug: Finishing transaction 36848560
Debug: Storing state
Debug: Stored state in 0.02 seconds
Notice: Applied catalog in 6.99 seconds
Running puppet agent -t after modifying params_agent.pp in the Puppet server host
After modifying params_agent.pp by modifying the variable ossec_syscheck_directories_1 :
- From
$ossec_syscheck_directories_1 = '/etc,/usr/bin,/usr/sbin'
- To
$ossec_syscheck_directories_1 = '/etc,/usr/bin,/usr/sbin, /root/test/'
Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200325-27371-1tjsc42'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf 2020-03-25 14:25:15.857091929 +0000
+++ /tmp/puppet-file20200325-27371-1tjsc42 2020-03-25 14:38:55.529046131 +0000
@@ -85,7 +85,7 @@
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
- <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
+ <directories check_all="yes" >/etc,/usr/bin,/usr/sbin,/root/test/</directories>
<directories check_all="yes" >/bin,/sbin,/boot</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
Info: Computing checksum on file /var/ossec/etc/ossec.conf
Debug: Evicting cache entry for environment 'production'
Debug: Caching environment 'production' (ttl = 0 sec)
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum a5598a92b34f131dc0cb64dd3bb94054
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}a5598a92b34f131dc0cb64dd3bb94054' to '{md5}1b2d40e5dea4f08ed62aef27891c50e7'
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container Concat[ossec.conf] will propagate my refresh event
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container ossec.conf will propagate my refresh event
Debug: ossec.conf: The container Concat[ossec.conf] will propagate my refresh event
Debug: Concat[ossec.conf]: The container Class[Wazuh::Agent] will propagate my refresh event
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Debug: Exec[agent-auth-linux](provider=posix): Executing check '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl is-enabled wazuh-agent'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl restart wazuh-agent'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 events
Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: The container Class[Wazuh::Agent] will propagate my refresh event
Debug: Class[Wazuh::Agent]: The container Stage[main] will propagate my refresh event
Debug: Finishing transaction 36650120
Debug: Storing state
Debug: Stored state in 0.02 seconds
Notice: Applied catalog in 6.73 seconds
ossec.log
2020/03/25 14:38:57 ossec-syscheckd: INFO: Started (pid: 27694).
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/root/test', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
As you can see, the changes are added and wazuh-agent service was restarted correctly.
Please take into account, that with the module of wazuh-puppet and behaving with the mechanism of how Puppet works, when we need to add new configuration or modify a file which is ossec.conf in our case, then you need to modify the manifest itself agent.pp and or it's related parameters in params_agent.pp in the Puppet server node and then run puppet agent -t from the agent host. This way you can control wazuh-agent service to be restarted or not by setting the correct configuration which is already existing.
Waiting for your reply,
Kr,
Rshad
Hi @aderumier,
Changing the base of the PR generated some conflicts, please have a look at them.
Best regards,
Jose
We've actually run into this on new machines (Debian Buster), as well. Setting the systemd provider for the service also resolves the issue to us, so I am in favour of this coming down 👍. Part of the problem here is the combination of Puppet handling for SystemD services + sysvinit scripts, and the same backwards compatibility in Debian. The easiest path to resolution is as the fix proposes -- setting the provider on the service.
Fixed conflicts, I will test it and update with the results.
Best regards,
Jose