I'm trying to execute remote command from Wazuh manager to the agent using API, below waht i'm trying to do:
curl -k -X PUT "https://192.168.1.76:55000/active-response?agents_list=001" -H "Authorization: Bearer $TOKEN" -H "content-type: application/json" -d '{"command": "customA", "custom":true}'
and then the response:
{"data": {"affected_items": ["001"], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "AR command was sent to all agents", "error": 0}
The problem is simply that the command "customA" isn't triggered in the agent.
Here the body of the "/var/ossec/etc/ossec.conf" file in the MANAGER:
<command>
<name>customA</name>
<executable>launcher.cmd</executable>
<extra_args>custom_remove.py</extra_args>
</command>
<command>
<name>customB</name>
<executable>launcher.cmd</executable>
<extra_args>custom_remove.py</extra_args>
</command>
<command>
<name>forRemote</name>
<executable>custom_remove.exe</executable>
</command>
<active-response>
<disabled>no</disabled>
<command>customA</command>
<location>local</location>
<rules_id>255001</rules_id>
</active-response>
<active-response>
<disabled>no</disabled>
<command>customA</command>
<location>local</location>
<rules_id>999001</rules_id>
</active-response>
And this is the "local_internal_options.conf" file in the Windows AGENT 001:
windows.debug=2
rootcheck.sleep=0
syscheck.sleep=0
logcollector.remote_commands=1
wazuh_command.remote_commands=1
Eventually, I think that command and active response are correctly configured, because they will work correctly if i try to test them triggering a rule (for exampple rule 999001).
Moreover, i post the response of the api "GET /manager/configuration/analysis/command":
{
"data": {
"affected_items": [
{
"command": [
{
"name": "disable-account",
"executable": "disable-account",
"timeout_allowed": 1
},
{
"name": "restart-wazuh",
"executable": "restart-wazuh",
"timeout_allowed": 0
},
{
"name": "firewall-drop",
"executable": "firewall-drop",
"timeout_allowed": 1
},
{
"name": "host-deny",
"executable": "host-deny",
"timeout_allowed": 1
},
{
"name": "route-null",
"executable": "route-null",
"timeout_allowed": 1
},
{
"name": "win_route-null",
"executable": "route-null.exe",
"timeout_allowed": 1
},
{
"name": "netsh",
"executable": "netsh.exe",
"timeout_allowed": 1
},
{
"name": "customA",
"executable": "launcher.cmd",
"timeout_allowed": 0
},
{
"name": "customB",
"executable": "launcher.cmd",
"timeout_allowed": 0
},
{
"name": "forRemote",
"executable": "custom_remove.exe",
"timeout_allowed": 0
},
{
"name": "remove-threat",
"executable": "remove-threat.exe",
"timeout_allowed": 0
}
]
}
],
"total_affected_items": 1,
"total_failed_items": 0,
"failed_items": []
},
"message": "Active configuration was successfully read",
"error": 0
}
I hope that someone will help me. Thanks in advice!
please open C:\Program Files (x86)\ossec-agent\etc\shared\ar.conf file and verify that you have:
customA0 - launcher.cmd - 0
if you don't have it, create any file in /var/ossec/etc/shared/default/ for the manager to update the agent by sending a merged.mg, this resets the agent and updates it according to what you configured in ossec.conf from the manager.
The command should have customA0 instead of customA.
Example:
curl -k -X PUT "https://192.168.1.72:55000/active-response?agents_list=001" -H "Authorization: Bearer $(curl -u wazuh:wazuh -k -X GET "https://192.168 .1.xxx:55000/security/user/authenticate?raw=true)" -H "content-type: application/json" -d '{"command": "customA0", "custom":true}'
I hope this is useful.
Regards
Note: I attach an example that I did to test
manager
agent
Related
I have the following code snippet where I'm trying to send notification data to a discord webhook, but it is returning {"code": 50109, "message": "The request body contains invalid JSON."}%.
Here is the non-working code (bolded the JSON request part):
if [ "$DISCORD_WEBHOOK_URL" != "" ]; then
rclone_sani_command="$(echo $rclone_command | sed 's/\x1b\[[0-9;]*[a-zA-Z]//g')" # Remove all escape sequences
# Notifications assume following rclone ouput:
# Transferred: 0 / 0 Bytes, -, 0 Bytes/s, ETA - Errors: 0 Checks: 0 / 0, - Transferred: 0 / 0, - Elapsed time: 0.0s
transferred_amount=${rclone_sani_command#*Transferred: }
transferred_amount=${transferred_amount%% /*}
** send_notification() {
output_transferred_main=${rclone_sani_command#*Transferred: }
output_transferred_main=${output_transferred_main% Errors*}
output_errors=${rclone_sani_command#*Errors: }
output_errors=${output_errors% Checks*}
output_checks=${rclone_sani_command#*Checks: }
output_checks=${output_checks% Transferred*}
output_transferred=${rclone_sani_command##*Transferred: }
output_transferred=${output_transferred% Elapsed*}
output_elapsed=${rclone_sani_command##*Elapsed time: }
notification_data='{
"username": "'"$DISCORD_NAME_OVERRIDE"'",
"avatar_url": "'"$DISCORD_ICON_OVERRIDE"'",
"content": null,
"embeds": [
{
"title": "Rclone Local Backup: Finished!",
"color": 65408,
"fields": [
{
"name": "Directories synced",
"value": "'"$SOURCE_DIR"' to '"$DESTINATION_DIR"'"
},
{
"name": "Transferred",
"value": "'"$output_transferred_main"'"
},
{
"name": "Errors",
"value": "'"$output_errors"'"
},
{
"name": "Checks",
"value": "'"$output_checks"'"
},
{
"name": "Transferred",
"value": "'"$output_transferred"'"
},
{
"name": "Elapsed time",
"value": "'"$output_elapsed"'"
},
{
"name": "Finished",
"value": "Finished backup on '"$END_DATE"' at '"$END_TIME"'"
},
],
"thumbnail": {
"url": null
}
}
]
}'
curl -H "Content-Type: application/json" -d "$notification_data" $DISCORD_WEBHOOK_URL
}**
if [ "$transferred_amount" != "0" ]; then
send_notification
fi
fi
rm -f "$LOCK_FILE"
trap - SIGINT SIGTERM
exit
fi
Earlier in the same script, the following code snippet does correctly send a notification to discord:
touch "$LOCK_FILE"
echo "Starting to backup $SOURCE_DIR to $DESTINATION_DIR on $START_DATE at $START_TIME" | tee -a $LOG_FILE
**send_notification_start() {
notification_data='{
"username": "'"$DISCORD_NAME_OVERRIDE"'",
"avatar_url": "'"$DISCORD_ICON_OVERRIDE"'",
"content": null,
"embeds": [
{
"title": "Rclone Local Backup: Started!",
"color": 4094126,
"fields": [
{
"name": "Started",
"value": "Started backup on '$START_DATE' at '$START_TIME'"
},
{
"name": "Directories being synced",
"value": "'$SOURCE_DIR' to '$DESTINATION_DIR'"
}
],
"thumbnail": {
"url": null
}
}
]
}'
curl -H "Content-Type: application/json" -d "$notification_data" $DISCORD_WEBHOOK_URL
}**
I've tried messing with the quotes and other characters to see if that is the issue but I am unable to figure out why this JSON request body is incorrect.
Running either of those two JSON snippets themselves (bolded) through a JSON validator I just get that it is incorrectly parsing right the beginning (even though the latter is working fine).
I am pretty new to using JSON but I wanted to just get a notification sent to discord when my script finishes backing up with some details on what exactly occurred.
While following the Introduction to APIs in Google lab, I'm facing an issue while creating a storage bucket. I followed the instructions but still the following is shown:
Run the following command to create a Cloud Storage bucket:
curl -X POST --data-binary #values.json
-H "Authorization: Bearer $OAUTH2_TOKEN"
-H "Content-Type: application/json"
"https://www.googleapis.com/storage/v1/b?project=$PROJECT_ID"
Error:
{
"error": {
"code": 400,
"message": "Invalid bucket name: '\u003cqwiklabs-gcp-00-eb5dde0a1183-bucket'",
"errors": [
{
"message": "Invalid bucket name: '\u003cqwiklabs-gcp-00-eb5dde0a1183-bucket'",
"domain": "global",
"reason": "invalid"
}
]
}
}
1.Edit the values.json file
nano values.json
{ "name": "quicklab-test-your-bucket",
"location": "us",
"storageClass": "multi_regional"
}
2.Get the token:
gcloud auth print-access-token
3.Set the variables:
export OAUTH2_TOKEN=your-token
export PROJECT_ID=your-project-id
4.Create the bucket:
curl -X POST --data-binary #values.json \
-H "Authorization: Bearer $OAUTH2_TOKEN" \
-H "Content-Type: application/json" \
"https://www.googleapis.com/storage/v1/b?project=$PROJECT_ID"
5.You should receive similar output:
{
"kind": "storage#bucket",
"id": "qwiklabs-test-bucket",
"selfLink": "https://www.googleapis.com/storage/v1/b/sean123456789",
"projectNumber": "218136653205",
"name": "sean123456789",
"timeCreated": "2018-10-19T21:04:03.604Z",
"updated": "2018-10-19T21:04:03.604Z",
"metageneration": "1",
"location": "US",
"storageClass": "MULTI_REGIONAL",
"etag": "CAE="
}
curl -X POST -vv -H "Fiware-Service: myHome" -H "Fiware-ServicePath: /environment" -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{
"devices": [
{
"device_id": "0000000000000000",
"entity_name": "BedRoomSensor",
"entity_type": "multiSensor",
"attributes": [
{ "object_id": "t", "name": "Temperature", "type": "celsius" },
{ "object_id": "h", "name": "Humidity", "type": "degrees" }
]
}
]
} 'http://localhost:4041/iot/devices'
I execute the above curl commmand in order to provision my device.However it doesn't show anything and the command never ends.
What i missunderstood?
I have solved the problem following the first two steps of this guide:http://fiwaretourguide.readthedocs.io/en/latest/connection-to-the-internet-of-things/how-to-read-measures-captured-from-iot-devices/
In the step-by-step guide these steps weren't described.
In the second step i change the protocol fielde as "MQTT".
Now whenever i request the measures from my device i take the correct value.
I'm trying to use Orion CB as Contex Provider for an IoT Agent in which I have registred a device with lazy attributes only.
On the IoT Agent I need to handle updateContext requests so I did a handler for these requests like this:
iotAgentLib.setDataUpdateHandler(updateContextHandler);
And in the updateContextHandler function I have only one instruction:
console.log(attributes);
In order to see if all the values I want to update have been received correctly.
Now if I do an update on one of the attributes of the entity represented by the device:
curl -i -X POST \
-H "fiware-service:service1" \
-H "fiware-servicepath:/subservice1" \
-H "X-Auth-Token:wNRwDwqYlLoLD8U9sFkTAEE6PfYMbQ" \
-H "Content-Type:application/json" \
-d \
'{
"contextElements": [
{
"id": "ncc_estimate",
"attributes": [
{
"name": "arrival",
"type": "string",
"value": "some_value"
}
]
}
],
"updateAction": "UPDATE"
} ' \
'http://{orion_address}/v1/updateContext'
What I see on the IoT Agent output console is:
time=2018-01-09T08:14:59.539Z | lvl=DEBUG | corr=2f4fdb0c-f515-11e7-86b2-0242ac110003 | trans=6ac5c35d-d7bf-419c-8f64-bc843b991d47 | op=IoTAgentNGSI.GenericMiddlewares | srv=service1 | subsrv=/subservice1 | msg=Body:
{
"contextElements": [
{
"type": "nccestimate",
"isPattern": "false",
"id": "ncc_estimate",
"attributes": [
{
"name": "arrival",
"type": "string",
"value": ""
}
]
}
],
"updateAction": "UPDATE"
}
Where as you can see the value field is empty, as I can also see from the console.log() output in the UpdateHandler function that is:
[ { name: 'arrival', type: 'string', value: '' } ]
It seems that Orion is deleting the value before sending it to the IoT Agent. What could be the problem? Am I wrong doing something?
edit:
Here is the response for the call to: /v1/registry/contextEntities/ncc_estimate
{"contextRegistrationResponses":[
{"contextRegistration":
{"entities":[
{
"type":"nccestimate",
"isPattern":"false",
"id":"ncc_estimate"
}
],
"attributes":[
{
"name":"transport_type",
"type":"string",
"isDomain":"false"
},
{
"name":"arrival",
"type":"string",
"isDomain":"false"
}
],
"providingApplication":"http://192.168.199.151:4044"}
}
]}
edit2:
This is what Orion is sending to the iot agent when performing the updateContext operation described before:
POST //updateContext HTTP/1.1
User-Agent: orion/1.10.0-next libcurl/7.19.7
Host: 192.168.199.151:4044
fiware-service: service1
Fiware-ServicePath: /subservice1
X-Auth-Token: M62UkJc7yKX5aQwaHrsODfIrV4Ou85
Accept: application/json
Content-length: 169
Content-type: application/json; charset=utf-8
Fiware-Correlator: 42561e9a-f615-11e7-8610-0242ac110003
{"contextElements":[{"type":"nccestimate","isPattern":"false","id":"ncc_estimate","attributes":[{"name":"arrival","type":"string","value":""}]}],"updateAction":"UPDATE"}
As you can see the "value" field for the attribute is empty.
I'm using Orion version 1.10.0 and iot agent node lib version 2.5.1.
I have done the following test using CB same version as yours (i.e. 1.10.0)
First, create a registration as the one that IOTA would create:
(curl -s -S localhost:1026/v1/registry/registerContext -H "fiware-service:service1" -H "fiware-servicepath:/subservice1" -H 'Content-Type: application/json' -d #- | python -mjson.tool) <<EOF
{
"contextRegistrations": [
{
"entities": [
{
"type": "nccestimate",
"isPattern": "false",
"id": "ncc_estimate"
}
],
"attributes": [
{
"name": "transport_type",
"type": "string",
"isDomain": "false"
},
{
"name": "arrival",
"type": "string",
"isDomain": "false"
}
],
"providingApplication": "http://localhost:4044"
}
],
"duration": "P1M"
}
EOF
Next, check that it is exactly the same registration shown in the question post (except by the providingApplication, that points to localhost):
curl localhost:1026/v1/registry/contextEntities/ncc_estimate -s -S -H "fiware-service:service1" -H "fiware-servicepath:/subservice1" -H 'Accept: application/json' | python -mjson.tool
which response is
{
"contextRegistrationResponses": [
{
"contextRegistration": {
"attributes": [
{
"isDomain": "false",
"name": "transport_type",
"type": "string"
},
{
"isDomain": "false",
"name": "arrival",
"type": "string"
}
],
"entities": [
{
"id": "ncc_estimate",
"isPattern": "false",
"type": "nccestimate"
}
],
"providingApplication": "http://localhost:4044"
}
}
]
}
Next, run nc process at localhost on providingApplication port.
nc -l -p 4044
Once the setup is done, let's test first with an update based on the one in the question.
curl -s -S -X POST http://localhost:1026/v1/updateContext -H "fiware-service:service1" -H "fiware-servicepath:/subservice1" -H "Content-Type:application/json" -d #- <<EOF
{
"contextElements": [
{
"id": "ncc_estimate",
"attributes": [
{
"name": "arrival",
"type": "string",
"value": "some_value"
}
]
}
],
"updateAction": "UPDATE"
}
EOF
In this case, Orion doesn't recognized the registration and returns a Not Found response:
{
"contextResponses": [{
"contextElement": {
"type": "",
"isPattern": "false",
"id": "ncc_estimate",
"attributes": [{
"name": "arrival",
"type": "string",
"value": ""
}]
},
"statusCode": {
"code": "404",
"reasonPhrase": "No context element found",
"details": "ncc_estimate"
}
}]
}
In other words, Orion is not forwarding the response. I don't know why in your case is forwarded and leaves a trace in IOTA log file.
Next test uses the same request but adding a type field for the entity.
curl -s -S -X POST http://localhost:1026/v1/updateContext -H "fiware-service:service1" -H "fiware-servicepath:/subservice1" -H "Content-Type:application/json" -d #- <<EOF
{
"contextElements": [
{
"id": "ncc_estimate",
"type": "nccestimate",
"attributes": [
{
"name": "arrival",
"type": "string",
"value": "some_value"
}
]
}
],
"updateAction": "UPDATE"
}
EOF
In this case, the request is forwarded and I get this in the nc terminal.
POST //updateContext HTTP/1.1
User-Agent: orion/1.10.0 libcurl/7.38.0
Host: localhost:4044
fiware-service: service1
Fiware-ServicePath: /subservice1
Accept: application/json
Content-length: 179
Content-type: application/json; charset=utf-8
Fiware-Correlator: 42e75f8a-fa0d-11e7-93f1-000c29173617
{"contextElements":[{"type":"nccestimate","isPattern":"false","id":"ncc_estimate","attributes":[{"name":"arrival","type":"string","value":"some_value"}]}],"updateAction":"UPDATE"}
Note the some_value in the response. Orion seems to be progressing correctly the request in this case.
EDIT: according to user's feedback, entity type solved the problem. We are highlighting it in the documentation regarding Context Providers:
You should include entity type in the query/update in order for the ContextBroker to be able to forward to Context Providers
There are problem with deleting a file from wip.dm.prod bucket ("errorCode": "AUTH-012"). But I can download current file by using -x GET instead of -x DELETE.
I use this tutorial -> https://developer.autodesk.com/en/docs/data/v2/reference/http/buckets-:bucketKey-objects-:objectName-DELETE/ . Attach an example below.
Request
curl
-v https://developer.api.autodesk.com/oss/v2/buckets/wip.dm.prod/objects/de34f4c9-457c-4653-a9e4-8bbad12bf5ec.rvt
-X DELETE
-H "Authorization:Bearer G3fqI9NFKqJVN5MQy3yI0tGXXXXX"
Response
{
"developerMessage": "ACM check failed, user or calling service does not have access to perform this operation",
"userMessage": "",
"errorCode": "AUTH-012",
"more info": "http://developer.api.autodesk.com/documentation/v1/errors/AUTH-012"
}
Could you please check me and explain me what could be wrong?
For file deleting we can use deleting of file version.
curl
-v https://developer.api.autodesk.com/data/v1/projects/{project_Id}/versions
-x POST
-H "Authorization:Bearer G3fqI9NFKqJVN5MQy3yI0tGXXXXX"
-H "Content-Type:application/vnd.api+json"
-d '{
"jsonapi": {
"version": "1.0"
},
"data": {
"type": "versions",
"attributes": {
"extension": {
"type": "versions:autodesk.core:Deleted",
"version": "1.0",
}
},
"relationships": {
"item": {
"data": {
"type": "items",
"id": "urn:adsk.___your_file_id__________"
}
}
}
}
}'
Where:
{project_Id} - is your project id;
"urn:adsk.___your_file_id__________" - is your file id.