I run Wazuh 4.9.2.
This issue appears on Ubuntu 20.04.
Issue
Removing packages from an agent is sometimes not registered with Wazuh. It does not appear in the logs.
When I removed this package zabbix-agent:amd64 1:5.4.12-1+ubuntu18.04 on an agent yesterday, nothing happened in the Wazuh log.
Other packages worked fine.
Here is the ruleset output:
**Messages:
WARNING: (7003): '1827d631' token expires
INFO: (7202): Session initialized with token '840fb87d'
**Phase 1: Completed pre-decoding.
full event: '2025-01-02 14:39:12 remove zabbix-agent:amd64 1:5.4.12-1+ubuntu18.04 <none>'
**Phase 2: Completed decoding.
name: 'dpkg-decoder'
arch: '5.4.12-1+ubuntu18.04'
dpkg_status: 'remove zabbix-agent:amd64'
package: '1'
version: '<none>'
**Phase 3: Completed filtering (rules).
id: '2900'
level: '0'
description: 'Dpkg (Debian Package) log.'
groups: '["syslog","dpkg"]'
firedtimes: '1'
mail: 'false'
Cause
This happens with all the packages which have a second : in their name. For example:
- update-manager-core:all 1:20.04.10.23
- python3-update-manager:all 1:20.04.10.23
- iputils-tracepath:amd64 3:20190709-3ubuntu1
The additional : causes the first regex rule in the decoder to match. The second regex rule would be correct.
Possible fix / possible workaround
Changing the order of the two regex rules in the dpkg decoder could be enough.
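To make the ordering problem concrete, here is an added example (not from the issue reporter and not the real Wazuh decoder source) that simulates first-match-wins decoding of dpkg.log lines with two stand-in patterns. The assumption is that the decoder's first pattern is a loose one meant for "status <state> pkg:arch version" lines and the second a strict one for "<action> pkg:arch old_version new_version" lines; the sample lines other than the zabbix-agent one quoted above are constructed.

```python
import re

# Constructed sample dpkg.log lines. The zabbix-agent line is the one quoted in
# the issue; the other two are made up for this example.
SAMPLE_LINES = [
    "2025-01-02 14:39:12 remove zabbix-agent:amd64 1:5.4.12-1+ubuntu18.04 <none>",
    "2025-01-02 14:40:01 remove htop:amd64 2.2.0-2build1 <none>",
    "2025-01-02 14:41:30 status installed htop:amd64 2.2.0-2build1",
]

# Assumed stand-ins for the decoder's two regexes (hypothetical, not Wazuh's):
# LOOSE lets the status field be any text, so an epoch version like
# "1:5.4.12-..." can satisfy the "pkg:arch" part of the pattern instead.
# STRICT requires a single-word action and a colon-free package name.
TIMESTAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ")
LOOSE = re.compile(
    r"^(?P<dpkg_status>.+) (?P<package>\S+):(?P<arch>\S+) (?P<version>\S+)$")
STRICT = re.compile(
    r"^(?P<dpkg_status>\w+) (?P<package>[^\s:]+):(?P<arch>\S+) "
    r"(?P<version>\S+) (?P<new_version>\S+)$")


def decode(line, patterns):
    """Try the patterns in order against the text after the timestamp;
    the first one that matches wins, as with an ordered decoder list."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    body = line[m.end():]
    for pat in patterns:
        hit = pat.match(body)
        if hit:
            return hit.groupdict()
    return None


def removed_packages(lines, patterns):
    """Package names whose decoded status is exactly 'remove'. A misdecoded
    line (status 'remove zabbix-agent:amd64', package '1') is silently lost."""
    out = []
    for line in lines:
        fields = decode(line, patterns)
        if fields and fields["dpkg_status"] == "remove":
            out.append(fields["package"])
    return out


if __name__ == "__main__":
    for name, order in (("loose first", (LOOSE, STRICT)),
                        ("strict first", (STRICT, LOOSE))):
        print(name, "->", removed_packages(SAMPLE_LINES, order))
        for line in SAMPLE_LINES:
            print("   ", decode(line, order))
```

With the loose pattern first, the zabbix-agent removal decodes with the status 'remove zabbix-agent:amd64' and the package '1', which is exactly the field split shown in the ruleset output above, and the removal never reaches a rule keyed on a package removal. Putting the strict pattern first yields the expected fields while the loose pattern still handles the two-word "status installed" lines.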