4.9.0 Release notes - 5 September 2024

This section lists the changes in version 4.9.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

This release introduces several significant updates aimed at enhancing functionality, compatibility, and user experience. Key updates include support for journald logs in Logcollector, improved compatibility with OpenSearch 2.11.0, and integration with AWS Security Hub. Additionally, there are improvements to WPK packages and enhancements in the Wazuh-API with Connexion 3.0 and Uvicorn support. The release also addresses numerous bugs, further stabilizing the platform and improving overall performance.

  • Journald support in Logcollector: Systemd's journald logging is now supported, enabling Logcollector to monitor these logs, which can provide valuable information for users.

  • Integrate Wazuh with AWS Security Hub: Wazuh now integrates with AWS Security Hub, enabling users to manage security and assess compliance with best practices directly within AWS.

  • Improve WPKs: The WPK packages' logic has been streamlined, reducing complexity, especially in the backup/rollback process, and ensuring smoother updates.

  • Refactored and redesigned Endpoints Summary charts: The Endpoints Summary charts have been refactored and redesigned for improved clarity and usability.

  • New or updated SCA policies: Added support for Oracle Linux 9, Alma Linux 9, and Rocky Linux 9, and updated policies for RedHat 7, CentOS 7, RedHat 8, and CentOS 8.

What's new

This release includes the following new features and enhancements:

Wazuh manager

  • #17306 Added alert forwarding to Fluentd.

  • #20285 Changed logging level of wazuh-db recv() messages from error to debug.

  • #16666 Fixed malformed JSON error in wazuh-analysisd.

  • #23727 Added missing functionality for vulnerability scanner translations.

  • #23722 Improved performance for vulnerability scanner translations.

  • #24536 Enhanced vulnerability scanner logging to be more expressive.

  • #17306 The manager now supports alert forwarding to Fluentd.

  • #23513 Added the HAProxy helper to manage load balancer configuration and automatically balance agents.

  • #23222 Added a validation to avoid killing processes from external services.

  • #23996 Enabled certificates validation in the requests to the HAProxy helper using the default CA bundle.

  • #21195 Sanitized the integrations directory code.

Wazuh agent

  • #19753 Removed the directory /boot from the default FIM settings for AIX.

  • #21690 Improved debugging logs for Windows registry monitoring configuration. The "Wrong registry value type" warnings now include the registry path to help with troubleshooting. Thanks to Zafer Balkan (@zbalkan).

  • #21287 Added Amazon Linux 1 and Amazon Linux 2023 support for the Wazuh installation assistant.

  • #23137 Added Journald support in Logcollector.

  • #20727 Fixed Windows Agent 4.8.0 permission errors on Windows 11 after upgrade.

  • #22440 Fixed Syscollector not checking if there's a scan in progress before starting a new one.

  • #16487 Fixed alerts being created when the syscheck diff DB is full.

  • #2195 Fixed Wazuh deb uninstallation to remove non-config files.

  • #23273 Fixed improper Windows agent ACL on non-default installation directory.

  • #17664 Fixed socket configuration of an agent is displayed.

  • #18494 Fixed wazuh-modulesd printing child process not found error.

  • #23848 Fixed issue with an agent starting automatically without reason.

  • #17415 Fixed GET /syscheck to properly report size for files larger than 2GB.

  • #23203 Added support for Amazon Security Hub via AWS SQS.

  • #20624 Refactored and modularized the Azure integration code.

  • #23790 Improved logging of errors in Azure and AWS modules.

  • #22583 Dropped support for Python 3.7 in cloud integrations.

RESTful API

  • #23199 Replaced aiohttp server with uvicorn.

  • #23199 Changed the PUT /groups/{group_id}/configuration endpoint response error code when uploading an empty file.

  • #23199 Changed the GET, PUT and DELETE /lists/files/{filename} endpoints response status code when an invalid file is used.

  • #23199 Changed the PUT /manager/configuration endpoint response status code when uploading a file with invalid content-type.

  • #23094 Added support in the Wazuh API to parse journald configurations from the ossec.conf file.

  • #24360 Added user-agent to the CTI service request.

  • #21653 Merged group files endpoints (GET /groups/{group_id}/files/{filename}) into one that uses the raw parameter to receive plain text data.

  • #22388 Removed the hardcoded fields returned by the GET /agents/outdated endpoint and added the select parameter to the specification.

  • #22423 Updated the regex used to validate CDB lists.

  • #22413 Changed the default value for empty fields in the GET /agents/stats/distinct endpoint response.

  • #22380 Changed the Wazuh API endpoint responses when receiving the Expect header.

  • #22745 Enhanced Authorization header values decoding errors to avoid showing the stack trace and fail gracefully.

  • #22908 Updated the format of the fields that can be N/A in the API specification.

  • #22954 Updated the Wazuh API specification to conform with the current endpoint requests and responses.

  • #22416 Removed the cache configuration option from the Wazuh API.

Ruleset

  • #19754 Clarified the description for rule ID 23502 about solved vulnerabilities.

  • #17784 Added new SCA policy for Rocky Linux 8.

Other

  • #20778 Upgraded external OpenSSL library dependency version used by Wazuh from V1 to V3.

  • #22680 Upgraded external connexion library dependency version to 3.0.5 and its related interdependencies.

Wazuh dashboard

  • #6145 Added AngularJS dependencies.

  • #6580 Migrated from AngularJS to ReactJS. #6555 #6618 #6613 #6631 #6594 #6893

  • #6120 Removed legacy embedded discover component.

  • #6268 Refactored the Endpoints Summary charts.

  • #6250 Added agent groups edition to Endpoints Summary. #6274

  • #6476 Added a filter to select outdated agents and the Upgrade agent action to Endpoints Summary. #6501 #6529 #6648

  • #6337 Changed the way the configuration is managed on the backend side. #6573

  • #6337 Moved the content of the "API is down" and "Check connection" views to the Server APIs view.

  • #6545 Added macOS log collection tab.

  • #6481 Removed the GET /api/timestamp API endpoint.

  • #6481 Removed the PUT /api/update-hostname/{id} API endpoint.

  • #6481 Removed the DELETE /hosts/remove-orphan-entries API endpoint.

  • #6573 Enhanced the validation for enrollment.dns on App Settings application.

  • #6607 Implemented the option to control configuration editing via API endpoints and UI.

  • #6572 Added the Journald log collector tab.

  • #6482 Implemented new data source feature on MITRE ATT&CK module.

  • #6653 Added HAProxy helper settings to cluster configuration.

  • #6660 Changed log collector socket configuration response property.

  • #6558 Added the ability to open the report file and the reporting application from the toast message.

  • #6558 Added Office 365 support for agents.

  • #6716 Refactored the search bar to handle fixed and user-added filters correctly. #6755

  • #6714 Replaced the custom EuiSuggestItem component with the native component from OpenSearch UI.

  • #6800 Added pinned agent data validation when rendering the Inventory data, Stats, and Configuration tabs in Agent preview of Endpoints Summary.

  • #6534 Improved the filter management system by implementing new standard modules. #6772 #6873

  • #6745 Added URL generation with predefined filters.

  • #6782 Removed unused API endpoints from creation of old visualizations: GET /elastic/visualizations/{tab}/{pattern}.

  • #6839 Changed permalink field in the Events tab table in VirusTotal to show an external link.

  • #6890 Changed the internal control from Endpoint Groups to a control via URL.

  • #6882 Changed the internal control from MITRE ATT&CK > Intelligence > Table to a control via URL.

  • #6886 Changed the display of rule details flyout to be based on URL.

  • #6161 Changed the logging system to use the one provided by the platform.

  • #6161 Removed logs.level setting.

  • #6161 Removed the usage of wazuhapp-plain.log, wazuhapp.log, wazuh-ui-plain.log, and wazuh-ui.log files.

  • #6161 Removed the App logs application.

  • #6161 Removed API endpoint GET /utils/logs/ui.

  • #6161 Removed API endpoint GET /utils/logs.

  • #6848 Added wz-link component to handle redirections.

  • #6902 Removed embedded dom-to-image dependency.

  • #6902 Added embedded and customized dom-to-image-more dependency.

  • #6949 Changed the order of columns in Vulnerabilities Detection > Events table.

Packages

  • #2989 Updated the Password Tool to add the default user and password to filebeat.yml when changing passwords.

  • #2991 Allowed installation on any OS.

  • #2970 Added support for Rocky Linux 9.4 in the Installation assistant.

  • #2944 Updated the API script file name.

  • #2698 Added new Azure module files.

  • #2945 Added support for Ubuntu 24.04 in the Installation assistant.

  • #2922 Changed the log message shown when neither yum nor apt-get is found. Added clearer instructions on the following steps.

  • #2911 Added a Cert-tool log file. Modified the common_logger function to write to files without root permission.

  • #2908 Added bash dependency to Wazuh agent RPM for AIX.

  • #2909 Prevented failed checks related to the dashboard and indexer.

  • #2900 Made the Installation assistant language agnostic.

  • #2882 Added rollBack to several exit points.

  • #2753 Added support for Amazon Linux 1, 2, and 2023.

  • #2790 Added support for AL2023 in WIA.

  • #2300 Added SCA policy for Rocky Linux 8 in SPECS.

  • #3070 Removed migrated and unsupported code.

Resolved issues

This release resolves the following known issues:

Wazuh manager

  • #20505 Fixed compilation issue for local installation.

  • #24375 Fixed a warning when uninstalling the Wazuh manager if the vulnerability detection feed is missing.

  • #24393 Ensured vulnerability detection scanner log messages end with a period.

Wazuh agent

  • #19146 Fixed command monitoring on Windows to support UTF-8 characters.

  • #21455 Fixed an error in Windows agents preventing whodata policies loading.

  • #21595 Fixed an unexpected error where the manager received messages with a reported size not corresponding to the bytes received.

  • #21729 Prevented backup failures during WPK upgrades. A dependency check for the tar package was added.

  • #22210 Fixed a crash of the agent due to a library incompatibility.

  • #21728 Fixed an error of the Osquery integration on Windows that prevented loading osquery.conf.

  • #22588 Fixed a crash in the agent Rootcheck component when using <ignore>.

  • #20425 Fixed the agent not deleting the wazuh-agent.state file in Windows when stopped.

  • #24412 Fixed error in packages generation for CentOS 7.

  • #22392 Fixed Azure auditLogs/signIns status parsing (thanks to @Jmnis for the contribution).

  • #22621 Fixed how the S3 object keys with special characters are handled in the Custom Logs Buckets integration.

RESTful API

  • #20507 Improved XML validation to match the Wazuh internal XML validator.

  • #22428 Fixed bug in GET /groups.

  • #24946 Fixed the GET /agents/outdated endpoint query.

Ruleset

  • #22178 Added parsing of the optional node= log heading field to Audit decoders.

Other

  • #19794 Fixed a buffer overflow hazard in HMAC internal library.

Wazuh dashboard

  • #6237 Fixed disappearing scripted fields when index pattern fields are refreshed.

  • #6667 Fixed invalid IP address ranges and file hashes in sample alert scripts.

  • #6558 Fixed error of malformed table row in PDF report generation.

  • #6730 Fixed the validation of the maximum allowed time interval for cron jobs.

  • #6747 Fixed styles in small height viewports.

  • #6770 Fixed behavior in Configuration Assessment when changing API.

  • #6871 Fixed the maximum width of the clear session button in the ruleset test view.

  • #6876 Fixed the width of the last modified column of the table in Windows Registry.

  • #6880 Fixed redirection to FIM > Inventory > Files from FIM > Inventory > Windows Registry when switching to a non-Windows agent.

Packages

  • #3063 Fixed Kibana server change password.

  • #3074 Fixed bugs in the offline installation using the installation assistant.

  • #3082 Fixed bug when inserting Filebeat template.

Changelogs

The repository changelogs provide more details about the changes.
