Wazuh API returned an error message. Error: Error executing internal command. Exit code: 1 #20

Closed
zapililirad opened this issue Sep 5, 2017 · 14 comments

zapililirad commented Sep 5, 2017

Hi!

First, thank you for your software!

I installed wazuh-manager&api&app, opened last on kibana.
Then I added a new agent with kibana. After that, when I go to "agents" or "manager" in kibana, I have a "Wazuh API returned an error message. Error: Error executing internal command. Exit code: 1" message.
Tab "Agents" shows only the manager.
curl -u foo:bar -k "http://127.0.0.1:55000/agents/?offset=0&limit=30&sort=id&pretty" returns

{
   "error": 0,
   "data": {
      "totalItems": 2,
      "items": [
         {
            "status": "Active",
            "ip": "127.0.0.1",
            "os": {
               "platform": "centos",
               "version": "7",
               "name": "CentOS Linux"
            },
            "id": "000",
            "name": "clog6"
         }
      ]
   }
}

in logs there are:

---
WazuhAPI 2017-09-05 18:21:32: CMD - STDOUT: 254 bytes
WazuhAPI 2017-09-05 18:21:32: [::ffff:192.168.100.106] GET /manager/info? - 200 - error: '0'.
WazuhAPI 2017-09-05 18:21:32: CMD - Exit code: 1
WazuhAPI 2017-09-05 18:21:32: [::ffff:192.168.100.106] GET /agents/?offset=0&limit=1&sort=-id - 500 - error: '1'.
WazuhAPI 2017-09-05 18:21:32: Response: {"error":1,"message":"Error executing internal command. Exit code: 1"} HTTP Status: 500
WazuhAPI 2017-09-05 18:21:32: ::ffff:192.168.100.106 GET /rules
WazuhAPI 2017-09-05 18:21:32: CMD - Command: python args:/var/ossec/api/models/wazuh-api.py stdin:{"function":"/rules","arguments":{"offset":"0","limit":"1"},"ossec_path":"/var/ossec"}
WazuhAPI 2017-09-05 18:21:33: CMD - Exit code: 0
WazuhAPI 2017-09-05 18:21:33: CMD - STDOUT:
---

Please help me:)

P.S. Sorry for my language, I've just started study)

mgmacias95 self-assigned this Sep 6, 2017
@mgmacias95
Contributor

Hi,

I see some strange things on your post:

  • In your curl -u foo:bar -k "http://127.0.0.1:55000/agents/?offset=0&limit=30&sort=id&pretty" call, it returns a dictionary with totalItems: 2 but there's only one in the items field (the manager).
  • In the logs you've posted (WazuhAPI 2017-09-05 18:21:32: [::ffff:192.168.100.106] GET /agents/?offset=0&limit=1&sort=-id - 500 - error: '1'.) I see you're asking for just one item. If you set the limit parameter limit=1 it will show only the manager but the totalItems variable will be set to the total number of agents:
$ curl -u foo:bar -k "https://localhost:55000/agents?pretty&offset=0&limit=1&sort=id"
{
   "error": 0,
   "data": {
      "totalItems": 5,
      "items": [
         {
            "status": "Active",
            "name": "manager",
            "ip": "127.0.0.1",
            "version": "Wazuh v3.0.0-beta7",
            "os": {
               "platform": "centos",
               "version": "7",
               "name": "CentOS Linux"
            },
            "id": "000"
         }
      ]
   }
}

Can you please post the output of curl -u foo:bar "http://localhost:55000/agents" without any limit and offset parameter?

@zapililirad
Author

zapililirad commented Sep 6, 2017

Hi!

curl -u foo:bar "http://localhost:55000/agents?pretty"
{
   "error": 0,
   "data": {
      "totalItems": 2,
      "items": [
         {
            "status": "Active",
            "ip": "127.0.0.1",
            "os": {
               "platform": "centos",
               "version": "7",
               "name": "CentOS Linux"
            },
            "id": "000",
            "name": "clog6"
         }
      ]
   }
}

@zapililirad
Author

I tried to get info about "001" agent:

[root@clog6 ]# curl -u foo:bar "http://localhost:55000/agents/001?pretty"
{
   "error": 1,
   "message": "Error executing internal command. Exit code: 1"
}
[root@clog6 ]# /var/ossec/bin/list_agents -a
popov-w7-192.168.1.161 is available.
[root@clog6 ]# /var/ossec/bin/manage_agents
****************************************
* Wazuh v2.1.0 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: L

Available agents:
   ID: 001, Name: popov-w7, IP: 192.168.1.161

There are logs:

WazuhAPI 2017-09-06 10:52:26: ::1 GET /agents/:agent_id
WazuhAPI 2017-09-06 10:52:26: CMD - Command: python args:/var/ossec/api/models/wazuh-api.py stdin:{"function":"/agents/:agent_id","arguments":{"agent_id":"001"},"ossec_path":"/var/ossec"}
WazuhAPI 2017-09-06 10:52:26: CMD - Exit code: 1
WazuhAPI 2017-09-06 10:52:26: [::1] GET /agents/001?pretty - 500 - error: '1'.
WazuhAPI 2017-09-06 10:52:26: Response: {"error":1,"message":"Error executing internal command. Exit code: 1"} HTTP Status: 500
WazuhAPI 2017-09-06 10:52:56: Sending SIGTERM to CMD - Command: python args:/var/ossec/api/models/wazuh-api.py stdin:{"function":"/agents/:agent_id","arguments":{"agent_id":"001"},"ossec_path":"/var/ossec"}

@mgmacias95
Contributor

Hi,

Thank you for posting all this information. Now I see things much clearer than before. Both /var/ossec/bin/manage_agents and /var/ossec/bin/list_agents show information from the /var/ossec/etc/client.keys file but the API shows information from the /var/ossec/var/db/global.db database.

The program that works with that database is wazuh-modulesd. You can check it's running using:

# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...

Also, check the database is working ok:

# sqlite3 /var/ossec/var/db/global.db 
SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";" 
sqlite> SELECT * FROM agent;
0|manager|||CentOS Linux|7|7||Core||centos|Linux manager 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017 x86_64|Wazuh v3.0.0-beta7|||2017-09-06 08:40:16|9999-12-31 23:59:59|updated|1149840|0|
1|agent|.....

If the database isn't OK, you can regenerate it with the following commands:

# /var/ossec/bin/ossec-control stop
Killing ossec-monitord .. 
Killing ossec-logcollector .. 
Killing ossec-remoted .. 
Killing ossec-syscheckd .. 
Killing ossec-analysisd .. 
ossec-maild not running ..
Killing ossec-execd .. 
Killing wazuh-modulesd .. 
Wazuh v3.0.0-beta7 Stopped
# rm /var/ossec/var/db/global.db 
# /var/ossec/bin/ossec-control start
Starting Wazuh v3.0.0-beta7 (maintained by Wazuh Inc.)...
Started wazuh-modulesd...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
# sqlite3 /var/ossec/var/db/global.db 
SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * FROM agent;
0|manager|||CentOS Linux|7|7||Core||centos|Linux manager 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017 x86_64|Wazuh v3.0.0-beta7|||2017-09-06 10:07:03|9999-12-31 23:59:59|updated|1150154|0|
1|agent....

Best regards,
Marta

@zapililirad
Author

I added new agent, then tried:

# curl -u foo:bar "http://localhost:55000/agents?pretty"
{
   "error": 0,
   "data": {
      "totalItems": 3,
      "items": [
         {
            "status": "Active",
            "ip": "127.0.0.1",
            "os": {
               "platform": "centos",
               "version": "7",
               "name": "CentOS Linux"
            },
            "id": "000",
            "name": "clog6"
         }
      ]
   }
}
# curl -u foo:bar "http://localhost:55000/agents/001?pretty"
{
   "error": 1,
   "message": "Error executing internal command. Exit code: 1"
}
# curl -u foo:bar "http://localhost:55000/agents/002?pretty"
{
   "error": 0,
   "data": {
      "status": "Active",
      "name": "win03",
      "ip": "192.168.0.74",
      "dateAdd": "2017-09-06 11:54:39",
      "version": "Wazuh v2.1.0",
      "lastKeepAlive": "2017-09-06 11:55:05",
      "os": {
         "major": "6",
         "name": "Microsoft Windows Server 2008 R2 Standard Edition Service Pack 1",
         "platform": "windows",
         "uname": "Microsoft Windows Server 2008 R2 Standard Edition Service Pack 1",
         "version": "6.1.7601",
         "build": "7601",
         "minor": "1"
      },
      "id": "002"
   }
}
# sqlite3 /var/ossec/var/db/global.db
SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * FROM agent;
0|clog6.ufs-online.ru|||CentOS Linux|7|7||Core||centos|Linux clog6.ufs-online.ru 3.10.0-514.21.2.el7.x86_64 #1 SMP Tue Jun 20 12:24:47 UTC 2017 x86_64|Wazuh v2.1.0||2017-09-06 11:58:09|9999-12-31 23:59:59|updated|853962|0
1|popov-w7|192.168.1.161|0b69cd8c4157f7de9ae42ca1c2487050252a0a29eb8cab73062170bfec0c4ff7|▒▒▒▒▒▒▒▒ Windows 10 Pro (Registered Trademark)|10.0.14393|10|0||14393|windows|▒▒▒▒▒▒▒▒ Windows 10 Pro (Registered Trademark)|Wazuh v2.1.0||2017-09-06 11:58:10|2017-09-06 11:57:10|updated|9662|1146735
2|win03|192.168.0.74|554c4ff2363a575d09fca22b3185c42b10179dff05a15a1cb43301ae0461dfd8|Microsoft Windows Server 2008 R2 Standard Edition Service Pack 1|6.1.7601|6|1||7601|windows|Microsoft Windows Server 2008 R2 Standard Edition Service Pack 1|Wazuh v2.1.0||2017-09-06 11:58:10|2017-09-06 11:55:05|updated|9624|11895

Then I removed the agent 001 and it worked:

# curl -u foo:bar "http://localhost:55000/agents?pretty"
{
   "error": 0,
   "data": {
      "totalItems": 2,
      "items": [
         {
            "status": "Active",
            "ip": "127.0.0.1",
            "os": {
               "platform": "centos",
               "version": "7",
               "name": "CentOS Linux"
            },
            "id": "000",
            "name": "clog6"
         },
         {
            "status": "Active",
            "ip": "192.168.0.74",
            "os": {
               "platform": "windows",
               "version": "6.1.7601",
               "name": "Microsoft Windows Server 2008 R2 Standard Edition Service Pack 1"
            },
            "id": "002",
            "name": "win03"
         }
      ]
   }
}

I think the problem is in the database, in the first 8 symbols of the string "▒▒▒▒▒▒▒▒ Windows 10 Pro (Registered Trademark)". How to fix it?

@mgmacias95
Contributor

Hi @zapililirad,

To get the OS name, wazuh executes the following Powershell/CMD command:

wmic os get caption

Can you please post the output of that command?

Thank you so much,
Marta

@zapililirad
Author

Sure:

>wmic os get caption
Caption
Майкрософт Windows 10 Pro (Registered Trademark)

Cyrillic symbols

@mgmacias95
Contributor

Hi @zapililirad

This is clearly a bug with the character encoding. We're working to fix it at this moment.

Thank you so much,
Marta
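
An added example, not part of the original thread or of Wazuh's code: a check that lists agent rows whose text fields are not valid UTF-8, the condition visible in the `SELECT * FROM agent` output above. The three-column table, the cp866 code page and the function names are assumptions made for the demonstration; the sample rows are constructed.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for global.db; the 3-column layout is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agent (id INTEGER PRIMARY KEY, name TEXT, os_name TEXT)")
    rows = [
        (0, b"clog6", "CentOS Linux".encode("utf-8")),
        # Caption bytes as a Russian-locale console would emit them (cp866 assumed).
        (1, b"popov-w7", "Майкрософт Windows 10 Pro".encode("cp866")),
        (2, b"win03", "Microsoft Windows Server 2008 R2".encode("utf-8")),
    ]
    # CAST(blob AS TEXT) stores the bytes as TEXT without validating the encoding.
    conn.executemany(
        "INSERT INTO agent VALUES (?, CAST(? AS TEXT), CAST(? AS TEXT))", rows)
    return conn

def find_non_utf8_fields(conn):
    """Return (agent_id, column, raw_bytes) for each TEXT value that is not valid UTF-8."""
    previous = conn.text_factory
    conn.text_factory = bytes          # return raw bytes instead of decoding them
    try:
        cur = conn.execute("SELECT * FROM agent")
        columns = [d[0] for d in cur.description]
        bad = []
        for row in cur:
            for col, val in zip(columns, row):
                if not isinstance(val, bytes):
                    continue           # integers and NULLs cannot be mis-encoded
                try:
                    val.decode("utf-8")
                except UnicodeDecodeError:
                    bad.append((row[0], col, val))
        return bad
    finally:
        conn.text_factory = previous

if __name__ == "__main__":
    for agent_id, col, raw in find_non_utf8_fields(build_sample_db()):
        # Decoding with the guessed code page shows what the agent meant to send.
        print(agent_id, col, raw, "->", raw.decode("cp866"))
```

Running `find_non_utf8_fields` on a connection opened against a copy of /var/ossec/var/db/global.db points at the agents whose stored fields need attention, without deleting any agent.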

@zapililirad
Author

Thank you.
Will it be in the next release or will you give me the code to insert?

@mgmacias95
Contributor

Hi @zapililirad,

We're working on this issue at the moment but we still don't know if it will be included in the next release.

Best regards,
Marta

@enterdv

enterdv commented Dec 15, 2017

Hi,
Can you please tell when it will be fixed?
Because of this issue we can't use wazuh.

@mgmacias95
Contributor

Hello @enterdv,

We're working on this issue and it will be released in the Wazuh 3.1 release. We're sorry for taking too long to resolve this issue.

Thank you for your patience,
Marta

@mgmacias95
Contributor

Hello @enterdv,

This bug has been solved in wazuh/wazuh@b3c734a. It's included in the new upcoming Wazuh 3.1 release.

Feel free to reopen this issue or open a new one if you have more problems.

Best regards,
Marta

@BzCCCCC

BzCCCCC commented Feb 22, 2018

Hey, @mgmacias95
I really like this project, it has brought me a lot of convenience.
The same problem happened in Chinese support
------windows agent
C:\Users\user>wmic os get caption
Caption
Microsoft Windows 10 专业版

-----wazuh server
SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * FROM agent;
.....|windows|Microsoft Windows 10 רҵ▒▒| Wazuh v3.2.0|......
