@LucioDonda LucioDonda commented Nov 20, 2025

Description

Closes #33247

Proposed Changes

  • Download logtypes.json from indexer-security repo
  • Modify that file to leave only unique categories.
  • Moved that file to a specific directory at install time.

Results and Evidence

  • make deps
cd external && gunzip concurrentqueue.tar.gz && tar -xf concurrentqueue.tar && rm concurrentqueue.tar)
curl -f -s -o external/wcs-flat-files/system-activity-ecs-flat.yml https://raw.githubusercontent.com/wazuh/wazuh-indexer-plugins/refs/heads/main/ecs/stateless/system-activity/docs/ecs_flat.yml
curl -f -s -o external/categories/logtypes.json https://raw.githubusercontent.com/wazuh/wazuh-indexer-security-analytics/refs/heads/main/src/main/resources/OSMapping/logtypes.json
cd external && [ -f cpython.tar.gz ] && gunzip cpython.tar.gz || true
test -e external/cpython.tar ||\
(curl -so external/cpython.tar.gz https://packages.wazuh.com/deps/99-29585/libraries/sources/cpython_x86_64.tar.gz &&\
cd external && gunzip cpython.tar.gz && tar -xf cpython.tar && rm cpython.tar)
test -d external/cpython || (cd external && gzip cpython.tar)
╰─# ls -l src/external/categories/logtypes.json 
-rw-r--r-- 1 root root 4307 Nov 20 20:57 src/external/categories/logtypes.json
  • install
General settings:
    TARGET:             server
    V:                  
    DEBUG:              
    INSTALLDIR:         /var/ossec
    DATABASE:           
    ONEWAY:             no
    CLEANFULL:          no
    RESOURCES_URL:      https://packages.wazuh.com/deps/99-29585
    EXTERNAL_SRC_ONLY:  
    HTTP_REQUEST_BRANCH:cd50797cfe03c27f3759bdc243fecca6f7535d35
User settings:
    WAZUH_GROUP:        wazuh
    WAZUH_USER:         wazuh
USE settings:
    USE_INOTIFY:        no
    USE_BIG_ENDIAN:     no
    USE_SELINUX:        no
    USE_AUDIT:          yes
    DISABLE_SYSC:       no
    IMAGE_TRUST_CHECKS: 1
    CA_NAME:            DigiCert Assured ID Root CA
Mysql settings:
    includes:           
    libs:               
Pgsql settings:
    includes:           
    libs:               
Defines:
    -DOSSECHIDS -DUSER="wazuh" -DGROUPGLOBAL="wazuh" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DIMAGE_TRUST_CHECKS=1 -DCA_NAME='DigiCert Assured ID Root CA' -DENABLE_SYSC -DENABLE_AUDIT
Compiler:
    CFLAGS            -pthread -Iexternal/pacman/lib/libalpm/ -Iexternal/libarchive/libarchive -Wl,--start-group -Iexternal/audit-userspace/lib -g -DNDEBUG -O2 -DOSSECHIDS -DUSER="wazuh" -DGROUPGLOBAL="wazuh" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DIMAGE_TRUST_CHECKS=1 -DCA_NAME='DigiCert Assured ID Root CA' -DENABLE_SYSC -DENABLE_AUDIT -pipe -Wall -Wextra -std=gnu99 -I./ -I./headers/ -Iexternal/openssl/include -Iexternal/cJSON/ -Iexternal/libyaml/include -Iexternal/curl/include -Iexternal/msgpack/include -Iexternal/bzip2/ -Ishared_modules/common -Ishared_modules/dbsync/include -Ishared_modules/sync_protocol/include -Iwazuh_modules/syscollector/include -Iwazuh_modules/sca/include -Iwazuh_modules/agent_info/include -Idata_provider/include -Iexternal/libpcre2/include -Iexternal/rpm//builddir/output/include -Isyscheckd/include -Ishared_modules/router/include -Ishared_modules/content_manager/include -Ishared_modules/file_helper/file_io/include -Ishared_modules/file_helper/filesystem/include -Iwazuh_modules/vulnerability_scanner/include -I./shared_modules/ 
    LDFLAGS           '-Wl,-rpath,/../lib' -pthread -lrt -ldl -O2 -Lshared_modules/dbsync/build/lib -Lshared_modules/sync_protocol/build/lib -Lshared_modules/file_helper/build/lib  -Lwazuh_modules/syscollector/build/lib -Lwazuh_modules/sca/build/lib -Lwazuh_modules/agent_info/build/lib -Ldata_provider/build/lib -Lsyscheckd/build/lib
    LIBS              -lrt -ldl -lm 
    CC                gcc
    MAKE              make
make[1]: Leaving directory '/workspaces/wazuh-5.x-v1/wazuh/src'

Done building server

Wait for success...
success
Makefile:927: warning: overriding recipe for target 'external/simdjson/build/libsimdjson.a'
Makefile:898: warning: ignoring old recipe for target 'external/simdjson/build/libsimdjson.a'
Makefile:2422: warning: overriding recipe for target 'win32/ui_resource.o'
Makefile:2365: warning: ignoring old recipe for target 'win32/ui_resource.o'
mkdir -p /var/ossec/framework/python
cp external/cpython.tar.gz /var/ossec/framework/python/cpython.tar.gz && tar -xf /var/ossec/framework/python/cpython.tar.gz -C /var/ossec/framework/python && rm -rf /var/ossec/framework/python/cpython.tar.gz
find /var/ossec/framework/python -name "*libpython3.10.so.1.0" -exec ln -f {} /var/ossec/lib/libpython3.10.so.1.0 \;
cd ../framework && /var/ossec/framework/python/bin/python3 -m pip install . --use-pep517 --prefix=/var/ossec/framework/python && rm -rf build/
Processing /workspaces/wazuh-5.x-v1/wazuh/framework
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: wazuh
  Building wheel for wazuh (pyproject.toml) ... done
  Created wheel for wazuh: filename=wazuh-5.0.0-py3-none-any.whl size=305040 sha256=52fa2e2f555e0163d7c945e6f04094634dc5201f52099c90a908807cf487fdc7
  Stored in directory: /tmp/pip-ephem-wheel-cache-jq7ngqg8/wheels/4d/02/17/3d166d40b1fe4e9716dffb3ec7f332f2cfdbea9c6e1af216c7
Successfully built wazuh
Installing collected packages: wazuh
Successfully installed wazuh-5.0.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip is available: 23.3.2 -> 25.3
[notice] To update, run: /var/ossec/framework/python/bin/python3 -m pip install --upgrade pip
chown -R root:wazuh /var/ossec/framework/python
chmod -R o=- /var/ossec/framework/python
cd ../api && /var/ossec/framework/python/bin/python3 -m pip install . --use-pep517 --prefix=/var/ossec/framework/python && rm -rf build/
Processing /workspaces/wazuh-5.x-v1/wazuh/api
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: api
  Building wheel for api (pyproject.toml) ... done
  Created wheel for api: filename=api-5.0.0-py3-none-any.whl size=139920 sha256=f5c00203145b3691ee964996a835e0331db35d2516f2682e0ee6e25c569ea0f3
  Stored in directory: /tmp/pip-ephem-wheel-cache-sg6owwmo/wheels/bd/95/a9/30937339a19727bbd24a28690efa0ebac097f7d0a4f02c4ceb
Successfully built api
Installing collected packages: api
Successfully installed api-5.0.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip is available: 23.3.2 -> 25.3
[notice] To update, run: /var/ossec/framework/python/bin/python3 -m pip install --upgrade pip
Generating schema files...
Loading resources...
Loading WCS files from directory external/wcs-flat-files/...
Found 6 YAML files to merge: ['applications-ecs-flat.yml', 'system-activity-ecs-flat.yml', 'security-ecs-flat.yml', 'access-management-ecs-flat.yml', 'other-ecs-flat.yml', 'network-activity-ecs-flat.yml']
Loading access-management-ecs-flat.yml...
Loading applications-ecs-flat.yml...
Loading network-activity-ecs-flat.yml...
Loading other-ecs-flat.yml...
Loading security-ecs-flat.yml...
Loading system-activity-ecs-flat.yml...
Successfully merged 6 files into temporary file: /tmp/merged_wcs_6aejw_hq.yml
Loading schema template...
Loading mappings template...
Loading logpar overrides template...
Building field tree from WCS definition...
Success.
Generating engine schema...
Generating fields schema properties...
Success.
Generating indexer mappings...
Success.
Generating logpar configuration...
Success.
Cleaned up temporary file: /tmp/merged_wcs_6aejw_hq.yml
Saving files to "engine/ruleset/schemas/"...
Success.
Schema files generated successfully.
Copying store files...
Engine store installed successfully.
Engine output configuration files installed successfully.
Removing old SCA policies...
Installing SCA policies...
Installing additional SCA policies...
Categories JSON moved to: /var/ossec/engine/categories.json
Generating self-signed certificate for wazuh-authd...


 - System is Debian (Ubuntu or derivative).
 - Init script modified to start Wazuh during boot.
Starting Wazuh...
server
2025/12/01 20:10:44 wazuh-modulesd: ERROR: File '/var/ossec/etc/certs/root-ca.pem' not found for 'indexer.ssl.certificate_authorities' in module 'indexer'. Check configuration
2025/12/01 20:10:44 wazuh-modulesd: ERROR: (1202): Configuration error at 'etc/ossec.conf'.
wazuh-modulesd: Configuration error. Exiting

 - Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/wazuh-control start

 - To stop Wazuh:
      /var/ossec/bin/wazuh-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using Wazuh.
   Please don't hesitate to contact us if you need help or find
   any bugs.

   Use our public Mailing List at:
          https://groups.google.com/forum/#!forum/wazuh

   More information can be found at:
          - http://www.wazuh.com

    ---  Press ENTER to finish (maybe more information below). ---


 - In order to connect agent and server, you need to add each agent to the server.

   More information at: 
   https://documentation.wazuh.com/
╭─root@3bfac2abd2c6 /workspaces/wazuh-5.x-v1/wazuh ‹enhancement/33247-dynamic-categories-retrieval●› 
╰─# ls -l src/external/categories/logtypes.json        
-rw-r--r-- 1 root root 4307 Nov 20 20:57 src/external/categories/logtypes.json
╭─root@3bfac2abd2c6 /workspaces/wazuh-5.x-v1/wazuh ‹enhancement/33247-dynamic-categories-retrieval●› 
╰─# ls -l /var/ossec/engine                                                                                                                                                                                                    130 ↵
total 20
-rw-r--r-- 1 root  root  4307 Dec  1 20:10 categories.json
drwxr-x--- 2 wazuh wazuh 4096 Dec  1 20:10 kvdb
drwxr-x--- 2 wazuh wazuh 4096 Dec  1 20:10 outputs
drwxr-x--- 3 wazuh wazuh 4096 Dec  1 20:10 store
╭─root@3bfac2abd2c6 /workspaces/wazuh-5.x-v1/wazuh ‹enhancement/33247-dynamic-categories-retrieval●› 
╰─# head  /var/ossec/engine/categories.json 
{
  "others_application": {
    "name": "others_application",
    "description": "Application logs",
    "category": "Other",
    "source": "Sigma",
    "tags": {
      "correlation_id": 0
    }
  },

categories.json

{
  "others_application": {
    "name": "others_application",
    "description": "Application logs",
    "category": "Other",
    "source": "Sigma",
    "tags": {
      "correlation_id": 0
    }
  },
  "others_apt": {
    "name": "others_apt",
    "description": "Apt logs",
    "category": "Other",
    "source": "Sigma",
    "tags": {
      "correlation_id": 1
    }
  },
  "others_cloud": {
    "name": "others_cloud",
    "description": "Cloud logs",
    "category": "Other",
    "source": "Sigma",
    "tags": {
      "correlation_id": 2
    }
  },
  "others_compliance": {
    "name": "others_compliance",
    "description": "Compliance logs",
    "category": "Other",
    "source": "Sigma",
    "tags": {
      "correlation_id": 4
    }
  },
  "linux": {
    "name": "linux",
    "description": "Sys logs",
    "category": "System Activity",
    "source": "Sigma",
    "tags": {
      "correlation_id": 5
    }
  },
  "others_macos": {
    "name": "others_macos",
    "description": "MacOS logs",
    "category": "System Activity",
    "source": "Sigma",
    "tags": {
      "correlation_id": 6
    }
  },
  "network": {
    "name": "network",
    "description": "Network logs",
    "category": "Network Activity",
    "source": "Sigma",
    "tags": {
      "correlation_id": 7
    }
  },
  "others_proxy": {
    "name": "others_proxy",
    "description": "Proxy logs",
    "category": "Other",
    "source": "Sigma",
    "tags": {
      "correlation_id": 8
    }
  },
  "others_web": {
    "name": "others_web",
    "description": "Web logs",
    "category": "Other",
    "source": "Sigma",
    "tags": {
      "correlation_id": 9
    }
  },
  "windows": {
    "name": "windows",
    "description": "Windows logs",
    "category": "System Activity",
    "source": "Sigma",
    "tags": {
      "correlation_id": 10
    }
  },
  "ad_ldap": {
    "name": "ad_ldap",
    "description": "Ad/ldap logs",
    "category": "Access Management",
    "source": "Sigma",
    "tags": {
      "correlation_id": 11
    }
  },
  "apache_access": {
    "name": "apache_access",
    "description": "Apache Access logs",
    "category": "Access Management",
    "source": "Sigma",
    "tags": {
      "correlation_id": 12
    }
  },
  "cloudtrail": {
    "name": "cloudtrail",
    "description": "Cloudtrail Raw or OCSF based logs",
    "category": "Cloud Services",
    "source": "Sigma",
    "tags": {
      "correlation_id": 14
    }
  },
  "dns": {
    "name": "dns",
    "description": "DNS Raw or Route53 OCSF based logs",
    "category": "Network Activity",
    "source": "Sigma",
    "tags": {
      "correlation_id": 15
    }
  },
  "github": {
    "name": "github",
    "description": "Github logs",
    "category": "Applications",
    "source": "Sigma",
    "tags": {
      "correlation_id": 16
    }
  },
  "m365": {
    "name": "m365",
    "description": "M365 logs",
    "category": "Applications",
    "source": "Sigma",
    "tags": {
      "correlation_id": 17
    }
  },
  "gworkspace": {
    "name": "gworkspace",
    "description": "GWorkspace logs",
    "category": "Applications",
    "source": "Sigma",
    "tags": {
      "correlation_id": 18
    }
  },
  "okta": {
    "name": "okta",
    "description": "Okta logs",
    "category": "Access Management",
    "source": "Sigma",
    "tags": {
      "correlation_id": 19
    }
  },
  "azure": {
    "name": "azure",
    "description": "Azure logs",
    "category": "Cloud Services",
    "source": "Sigma",
    "tags": {
      "correlation_id": 20
    }
  },
  "s3": {
    "name": "s3",
    "description": "S3 logs",
    "category": "Cloud Services",
    "source": "Sigma",
    "tags": {
      "correlation_id": 21
    }
  },
  "test_windows": {
    "name": "test_windows",
    "description": "Test Windows Log Type for integ tests. Please do not use.",
    "category": "Other",
    "source": "Sigma",
    "tags": {
      "correlation_id": 22
    }
  },
  "vpcflow": {
    "name": "vpcflow",
    "description": "VPC Flow Raw or OCSF based logs",
    "category": "Network Activity",
    "source": "Sigma",
    "tags": {
      "correlation_id": 23
    }
  },
  "waf": {
    "name": "waf",
    "description": "Web Application Firewall based logs",
    "category": "Security",
    "source": "Sigma",
    "tags": {
      "correlation_id": 24
    }
  }
}

Manual tests with their corresponding evidence

  • Compilation without warnings on every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Log syntax and correct language review
  • Memory tests for Linux

    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
    • AddressSanitizer
  • Memory tests for Windows

    • Coverity
    • UMDH
  • Memory tests for macOS

    • Leaks
    • AddressSanitizer
  • Decoder/Rule tests (Wazuh v4.x)

    • Added unit testing files ".ini"
    • runtests.py executed without errors
  • Engine (Wazuh v5.x and above)

    • Test run in parallel
    • ASAN for test (utest/ctest)
    • TSAN for test and wazuh-engine.
  • Wazuh server API/Framework

    • Run API Integration Tests

Artifacts Affected

Configuration Changes

Tests Introduced

Review Checklist

  • Code changes reviewed
  • Relevant evidence provided
  • Tests cover the new functionality
  • Configuration changes documented
  • Developer documentation reflects the changes
  • Meets requirements and/or definition of done
  • No unresolved dependencies with other issues
  • ...
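
One way the "leave only unique categories" step from the description could be done, with an integrity check on the file that `make deps` fetches from a branch ref. This is an added example, not code from this PR or the Wazuh repository; the function names, the pinned-digest check and the validation rules are assumptions, and the sample input is a constructed subset of the `logtypes.json` entries shown above.

```python
import hashlib
import json

# Constructed sample: a subset of the logtypes.json entries shown in this PR,
# chosen so that every category appears at least once.
SAMPLE_LOGTYPES = json.dumps({
    key: {"name": key, "description": desc, "category": cat,
          "source": "Sigma", "tags": {"correlation_id": cid}}
    for key, desc, cat, cid in [
        ("others_application", "Application logs", "Other", 0),
        ("linux", "Sys logs", "System Activity", 5),
        ("network", "Network logs", "Network Activity", 7),
        ("windows", "Windows logs", "System Activity", 10),
        ("ad_ldap", "Ad/ldap logs", "Access Management", 11),
        ("cloudtrail", "Cloudtrail Raw or OCSF based logs", "Cloud Services", 14),
        ("github", "Github logs", "Applications", 16),
        ("waf", "Web Application Firewall based logs", "Security", 24),
    ]
}, indent=2).encode()


def verify_digest(raw: bytes, expected_sha256: str) -> None:
    """Reject a download whose SHA-256 differs from the value pinned in the build."""
    actual = hashlib.sha256(raw).hexdigest()
    if actual != expected_sha256.lower():
        raise ValueError(f"logtypes.json digest mismatch: got {actual}")


def load_logtypes(raw: bytes) -> dict:
    """Parse the file and check the shape every entry on this page has."""
    try:
        data = json.loads(raw)
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        raise ValueError(f"logtypes.json is not valid JSON: {exc}") from exc
    if not isinstance(data, dict) or not data:
        raise ValueError("expected a non-empty top-level JSON object")

    seen_ids = {}
    for key, entry in data.items():
        if not isinstance(entry, dict):
            raise ValueError(f"{key}: entry is not an object")
        if entry.get("name") != key:
            raise ValueError(f"{key}: 'name' does not match its key")
        category = entry.get("category")
        if not isinstance(category, str) or not category.strip():
            raise ValueError(f"{key}: missing or empty 'category'")
        tags = entry.get("tags")
        cid = tags.get("correlation_id") if isinstance(tags, dict) else None
        if not isinstance(cid, int) or isinstance(cid, bool):
            raise ValueError(f"{key}: 'tags.correlation_id' is not an integer")
        if cid in seen_ids:
            raise ValueError(f"{key}: correlation_id {cid} already used by {seen_ids[cid]}")
        seen_ids[cid] = key
    return data


def unique_categories(logtypes: dict) -> list:
    """Collapse the per-logtype entries to the sorted set of category names."""
    return sorted({entry["category"] for entry in logtypes.values()})


def render_categories(categories: list) -> str:
    """Serialize as an indented JSON array with a trailing newline."""
    return json.dumps(categories, indent=2) + "\n"


def build_categories(raw: bytes, expected_sha256: str) -> str:
    """Full pipeline: integrity check, structural validation, reduction, output."""
    verify_digest(raw, expected_sha256)
    return render_categories(unique_categories(load_logtypes(raw)))


if __name__ == "__main__":
    # In a real build the pinned digest would be committed next to the Makefile;
    # here it is derived from the constructed sample so the example runs offline.
    pinned = hashlib.sha256(SAMPLE_LOGTYPES).hexdigest()
    print(build_categories(SAMPLE_LOGTYPES, pinned), end="")
```
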

@LucioDonda LucioDonda self-assigned this Nov 20, 2025
@LucioDonda LucioDonda linked an issue Nov 20, 2025 that may be closed by this pull request
3 tasks
@LucioDonda LucioDonda force-pushed the enhancement/33247-dynamic-categories-retrieval branch 2 times, most recently from bb0f866 to c94655f Compare November 25, 2025 12:42
@LucioDonda LucioDonda marked this pull request as ready for review November 25, 2025 12:42
matigarciadev previously approved these changes Nov 26, 2025

@matigarciadev matigarciadev left a comment

LGTM!

Built and Install

General settings:
    TARGET:             server
    V:                  
    DEBUG:              
    INSTALLDIR:         /var/ossec
    DATABASE:           
    ONEWAY:             no
    CLEANFULL:          no
    RESOURCES_URL:      https://packages.wazuh.com/deps/99-29585
    EXTERNAL_SRC_ONLY:  
    HTTP_REQUEST_BRANCH:cd50797cfe03c27f3759bdc243fecca6f7535d35
User settings:
    WAZUH_GROUP:        wazuh
    WAZUH_USER:         wazuh
USE settings:
    USE_INOTIFY:        no
    USE_BIG_ENDIAN:     no
    USE_SELINUX:        no
    USE_AUDIT:          yes
    DISABLE_SYSC:       no
    IMAGE_TRUST_CHECKS: 1
    CA_NAME:            DigiCert Assured ID Root CA
Mysql settings:
    includes:           
    libs:               
Pgsql settings:
    includes:           
    libs:               
Defines:
    -DOSSECHIDS -DUSER="wazuh" -DGROUPGLOBAL="wazuh" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DIMAGE_TRUST_CHECKS=1 -DCA_NAME='DigiCert Assured ID Root CA' -DENABLE_SYSC -DENABLE_AUDIT
Compiler:
    CFLAGS            -pthread -Iexternal/pacman/lib/libalpm/ -Iexternal/libarchive/libarchive -Wl,--start-group -Iexternal/audit-userspace/lib -g -DNDEBUG -O2 -DOSSECHIDS -DUSER="wazuh" -DGROUPGLOBAL="wazuh" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DIMAGE_TRUST_CHECKS=1 -DCA_NAME='DigiCert Assured ID Root CA' -DENABLE_SYSC -DENABLE_AUDIT -pipe -Wall -Wextra -std=gnu99 -I./ -I./headers/ -Iexternal/openssl/include -Iexternal/cJSON/ -Iexternal/libyaml/include -Iexternal/curl/include -Iexternal/msgpack/include -Iexternal/bzip2/ -Ishared_modules/common -Ishared_modules/dbsync/include -Ishared_modules/sync_protocol/include -Iwazuh_modules/syscollector/include -Iwazuh_modules/sca/include -Iwazuh_modules/agent_info/include -Idata_provider/include -Iexternal/libpcre2/include -Iexternal/rpm//builddir/output/include -Isyscheckd/include -Ishared_modules/router/include -Ishared_modules/content_manager/include -Ishared_modules/file_helper/file_io/include -Ishared_modules/file_helper/filesystem/include -Iwazuh_modules/vulnerability_scanner/include -I./shared_modules/ 
    LDFLAGS           '-Wl,-rpath,/../lib' -pthread -lrt -ldl -O2 -Lshared_modules/dbsync/build/lib -Lshared_modules/sync_protocol/build/lib -Lshared_modules/file_helper/build/lib  -Lwazuh_modules/syscollector/build/lib -Lwazuh_modules/sca/build/lib -Lwazuh_modules/agent_info/build/lib -Ldata_provider/build/lib -Lsyscheckd/build/lib
    LIBS              -lrt -ldl -lm 
    CC                gcc
    MAKE              make
make[1]: Leaving directory '/workspaces/wazuh-5.x/wazuh/src'

Done building server

Started wazuh-modulesd...
Started wazuh-clusterd...
Completed.

 - Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/wazuh-control start

 - To stop Wazuh:
      /var/ossec/bin/wazuh-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using Wazuh.
   Please don't hesitate to contact us if you need help or find
   any bugs.

   Use our public Mailing List at:
          https://groups.google.com/forum/#!forum/wazuh

   More information can be found at:
          - http://www.wazuh.com

    ---  Press ENTER to finish (maybe more information below). ---

 - Update completed.

In Install:

mkdir -p external/categories
curl -f -s -o external/categories/logtypes.json https://raw.githubusercontent.com/wazuh/wazuh-indexer-security-analytics/refs/heads/enhancement/33247-dynamic-categories-retrieval/src/main/resources/OSMapping/logtypes.json
curl -f -s -o external/categories/logtypes.json https://raw.githubusercontent.com/wazuh/wazuh-indexer-security-analytics/refs/heads/5.0.0/src/main/resources/OSMapping/logtypes.json
curl -f -s -o external/categories/logtypes.json https://raw.githubusercontent.com/wazuh/wazuh-indexer-security-analytics/refs/heads/main/src/main/resources/OSMapping/logtypes.json

Verify dir and file:

(venv) ╭─root@03b15c688053 /workspaces/wazuh-5.x/wazuh ‹enhancement/33247-dynamic-categories-retrieval› 
╰─# find . -type d -name "categories"
./src/external/categories
(venv) ╭─root@03b15c688053 /workspaces/wazuh-5.x/wazuh ‹enhancement/33247-dynamic-categories-retrieval› 
╰─# cd src/external/categories 
(venv) ╭─root@03b15c688053 /workspaces/wazuh-5.x/wazuh/src/external/categories ‹enhancement/33247-dynamic-categories-retrieval› 
╰─# ls -l
total 8
-rw-r--r-- 1 root root 4307 Nov 26 12:53 logtypes.json

(venv) ╭─root@03b15c688053 /workspaces/wazuh-5.x/wazuh/src/external/categories ‹enhancement/33247-dynamic-categories-retrieval› 
╰─# cat logtypes.json 

{
  "others_application": {
    "name": "others_application",
    "description": "Application logs",
....
}

NahuFigueroa97 previously approved these changes Nov 26, 2025

@NahuFigueroa97 NahuFigueroa97 left a comment

LGTM!

(venv) ╭─root@ca37659e68c4 /workspaces/devContainer 
╰─# apt install ./wazuh-manager_5.0.0-0_amd64_75788c6.deb 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'wazuh-manager' instead of './wazuh-manager_5.0.0-0_amd64_75788c6.deb'
Suggested packages:
  expect
The following NEW packages will be installed:
  wazuh-manager
0 upgraded, 1 newly installed, 0 to remove and 105 not upgraded.
Need to get 0 B/460 MB of archives.
After this operation, 1,037 MB of additional disk space will be used.
Get:1 /workspaces/devContainer/wazuh-manager_5.0.0-0_amd64_75788c6.deb wazuh-manager amd64 5.0.0-0 [460 MB]
Selecting previously unselected package wazuh-manager.
(Reading database ... 64972 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_5.0.0-0_amd64_75788c6.deb ...
Unpacking wazuh-manager (5.0.0-0) ...
Setting up wazuh-manager (5.0.0-0) ...
(venv) ╭─root@ca37659e68c4 /workspaces/devContainer 
╰─# ls -la /var/ossec/etc/categories.json
-rw-r--r-- 1 root root 132 Nov 25 12:55 /var/ossec/etc/categories.json
(venv) ╭─root@ca37659e68c4 /workspaces/devContainer 
╰─# cat /var/ossec/etc/categories.json
[
  "Access Management",
  "Applications",
  "Cloud Services",
  "Network Activity",
  "Other",
  "Security",
  "System Activity"
]
(venv) ╭─root@ca37659e68c4 /workspaces/devContainer 
╰─# service start 
(venv) ╭─root@ca37659e68c4 /workspaces/devContainer 
╰─# service wazuh-manager start                                                                                                      130 ↵
2025/11/26 13:22:00 wazuh-modulesd:router: INFO: Loaded router module.
2025/11/26 13:22:00 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2025/11/26 13:22:00 wazuh-modulesd:inventory-sync: INFO: Loaded Inventory sync module.
Starting Wazuh v5.0.0...
Started wazuh-apid...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2025/11/26 13:22:44 wazuh-modulesd:router: INFO: Loaded router module.
2025/11/26 13:22:44 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2025/11/26 13:22:44 wazuh-modulesd:inventory-sync: INFO: Loaded Inventory sync module.
Started wazuh-modulesd...
Started wazuh-clusterd...
Completed.
(venv) ╭─root@ca37659e68c4 /workspaces/devContainer 
╰─# service wazuh-manager status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-apid is running...

@LucioDonda

Checks failing due to changes in indexer:
Issue focused on that -> #33245 (comment)
Rerun on main to check that:
https://github.com/wazuh/wazuh/actions/runs/19676538085
https://github.com/wazuh/wazuh/actions/runs/19678993126
Ossec error due to the indexer section being available; when deleting it there's no error.

jam300 commented Nov 26, 2025

LGTM!

Built and Install

General settings:
    TARGET:             server
    V:                  
    DEBUG:              
    INSTALLDIR:         /var/ossec
    DATABASE:           
    ONEWAY:             no
    CLEANFULL:          no
    RESOURCES_URL:      https://packages.wazuh.com/deps/99-29585
    EXTERNAL_SRC_ONLY:  
    HTTP_REQUEST_BRANCH:cd50797cfe03c27f3759bdc243fecca6f7535d35
User settings:
    WAZUH_GROUP:        wazuh
    WAZUH_USER:         wazuh
USE settings:
    USE_INOTIFY:        no
    USE_BIG_ENDIAN:     no
    USE_SELINUX:        no
    USE_AUDIT:          yes
    DISABLE_SYSC:       no
    IMAGE_TRUST_CHECKS: 1
    CA_NAME:            DigiCert Assured ID Root CA
Mysql settings:
    includes:           
    libs:               
Pgsql settings:
    includes:           
    libs:               
Defines:
    -DOSSECHIDS -DUSER="wazuh" -DGROUPGLOBAL="wazuh" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DIMAGE_TRUST_CHECKS=1 -DCA_NAME='DigiCert Assured ID Root CA' -DENABLE_SYSC -DENABLE_AUDIT
Compiler:
    CFLAGS            -pthread -Iexternal/pacman/lib/libalpm/ -Iexternal/libarchive/libarchive -Wl,--start-group -Iexternal/audit-userspace/lib -g -DNDEBUG -O2 -DOSSECHIDS -DUSER="wazuh" -DGROUPGLOBAL="wazuh" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DIMAGE_TRUST_CHECKS=1 -DCA_NAME='DigiCert Assured ID Root CA' -DENABLE_SYSC -DENABLE_AUDIT -pipe -Wall -Wextra -std=gnu99 -I./ -I./headers/ -Iexternal/openssl/include -Iexternal/cJSON/ -Iexternal/libyaml/include -Iexternal/curl/include -Iexternal/msgpack/include -Iexternal/bzip2/ -Ishared_modules/common -Ishared_modules/dbsync/include -Ishared_modules/sync_protocol/include -Iwazuh_modules/syscollector/include -Iwazuh_modules/sca/include -Iwazuh_modules/agent_info/include -Idata_provider/include -Iexternal/libpcre2/include -Iexternal/rpm//builddir/output/include -Isyscheckd/include -Ishared_modules/router/include -Ishared_modules/content_manager/include -Ishared_modules/file_helper/file_io/include -Ishared_modules/file_helper/filesystem/include -Iwazuh_modules/vulnerability_scanner/include -I./shared_modules/ 
    LDFLAGS           '-Wl,-rpath,/../lib' -pthread -lrt -ldl -O2 -Lshared_modules/dbsync/build/lib -Lshared_modules/sync_protocol/build/lib -Lshared_modules/file_helper/build/lib  -Lwazuh_modules/syscollector/build/lib -Lwazuh_modules/sca/build/lib -Lwazuh_modules/agent_info/build/lib -Ldata_provider/build/lib -Lsyscheckd/build/lib
    LIBS              -lrt -ldl -lm 
    CC                gcc
    MAKE              make
make[1]: Leaving directory '/workspaces/wazuh_5/wazuh/src'

Done building server

- Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/wazuh-control start

 - To stop Wazuh:
      /var/ossec/bin/wazuh-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using Wazuh.
   Please don't hesitate to contact us if you need help or find
   any bugs.

   Use our public Mailing List at:
          https://groups.google.com/forum/#!forum/wazuh

   More information can be found at:
          - http://www.wazuh.com

    ---  Press ENTER to finish (maybe more information below). ---


 - In order to connect agent and server, you need to add each agent to the server.

   More information at: 
   https://documentation.wazuh.com/

service run

╭─root@49fb68cf5654 /workspaces/wazuh_5/wazuh ‹enhancement/33247-dynamic-categories-retrieval› 
╰─# service wazuh-manager start                                                                                                             1 ↵
2025/11/26 16:01:53 wazuh-modulesd:router: INFO: Loaded router module.
2025/11/26 16:01:53 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2025/11/26 16:01:53 wazuh-modulesd:inventory-sync: INFO: Loaded Inventory sync module.
Starting Wazuh v5.0.0...
Started wazuh-apid...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2025/11/26 16:02:12 wazuh-modulesd:router: INFO: Loaded router module.
2025/11/26 16:02:12 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2025/11/26 16:02:12 wazuh-modulesd:inventory-sync: INFO: Loaded Inventory sync module.
Started wazuh-modulesd...
Started wazuh-clusterd...
Completed.
╭─root@49fb68cf5654 /workspaces/wazuh_5/wazuh ‹enhancement/33247-dynamic-categories-retrieval› 
╰─# service wazuh-manager status
wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-apid is running...

file:

╭─root@49fb68cf5654 /workspaces/wazuh_5/wazuh ‹enhancement/33247-dynamic-categories-retrieval› 
╰─# ls -la /var/ossec/etc/categories.json
-rw-r--r-- 1 root root 132 Nov 26 15:41 /var/ossec/etc/categories.json
╭─root@49fb68cf5654 /workspaces/wazuh_5/wazuh ‹enhancement/33247-dynamic-categories-retrieval› 
╰─# cat /var/ossec/etc/categories.json   
[
  "Access Management",
  "Applications",
  "Cloud Services",
  "Network Activity",
  "Other",
  "Security",
  "System Activity"
]

jam300 previously approved these changes Nov 26, 2025
@LucioDonda LucioDonda force-pushed the enhancement/33247-dynamic-categories-retrieval branch from c94655f to dfa43ec Compare November 26, 2025 18:22
@LucioDonda LucioDonda force-pushed the enhancement/33247-dynamic-categories-retrieval branch from dfa43ec to d54b955 Compare December 1, 2025 20:12
@LucioDonda LucioDonda force-pushed the enhancement/33247-dynamic-categories-retrieval branch from d54b955 to 67a1eb0 Compare December 1, 2025 20:40
@juliancnn juliancnn closed this Dec 2, 2025