Debugging SIEM Issues - Pratiksha-Marane/duplo-docs GitHub Wiki

Debugging SIEM Issues

1. Check the Compliance Logs

  1. RDP to the Duplo Master and read the compliance service log:
    • Navigate to:
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local
    • Open the latest file in Duplo.ComplianceManager.
    • This file contains recent logs of the compliance service, which can help you resolve issues.
  2. Check Event Viewer:
    • Go to Event Viewer > Windows Logs > Application.
    • Click on Compliance to view the logs.

2. Delete SIEM Agent with Duplicate Registration

  1. In the Wazuh dashboard, check for two agents registered with the same IP (one named by the IP and one by the hostname).
  2. To deregister the agent named by the IP address:
    • Go to Administrator > Tenants > Compliance Tenant > Security Group.
    • Delete port 1515 from the security group.
    • Go to the Wazuh dashboard > Agents > search for the IP.
    • Open the dev tools in a new tab and run the following request (agent_id is the id of the IP-named agent):
      DELETE /agents?agents_list={agent_id}&status=all&older_than=0s
  3. Activate the agent registered with the hostname:
    • Go to Security > Agents (Deprecated) > search for the IP > Repair Agent.
    • The agent should now be active.

3. If Any Host is Not Connected

  1. Copy the IP of the host.
  2. Go to Security > Agents (Deprecated) > Repair the Agent.
  3. The agent should now be available.

4. Deploy New Agent Manually

  1. Deploy Agent:

    • Go to any Wazuh dashboard > Agents > Deploy New Agent.
    • Choose the OS, architecture, and private IP of the compliance instance, and assign it to the Compliance group.
    • You will receive commands to run.
    • Copy those commands and run them on your SIEM instance.
  2. Register New Agent:

    • Run the following command to register the new agent:
      echo "Y" | sudo /var/ossec/bin/manage_agents -i {managerAuthKey}
    • To find managerAuthKey, go to dev tools and run (agent_id is the id shown for the new agent):
      GET /agents/{agent_id}/key
    • Restart the Wazuh agent:
      sudo service wazuh-agent restart
  3. Wazuh is Installed but in an Inactive State:

    • SSH into the compliance instance.
    • Open the agent configuration file:
      /var/ossec/etc/ossec.conf
    • Add the SIEM manager IP to the client block:
      <ossec_config>
        <client>
          <server>
            <address>{siem_manager_ip}</address>
            <port>1514</port>
            <protocol>tcp</protocol>
          </server>
        </client>
      </ossec_config>

5. Fixing CloudTrail Logs Visibility with KMS Key Permissions

Problem

CloudTrail logs are encrypted with KMS, but the role doesn't have permission to decrypt them, causing the logs to be inaccessible.

Steps

  1. Identify the KMS Key
    Find the KMS key attached to the SIEM instance (duploservices-compliance).

  2. Update the KMS Key Policy
    Add the following block to the key policy:

    {
      "Sid": "Enable Decryption of objects by Compliance",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::116981772864:role/duploservices-compliance"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*"
    }
  3. Save the Policy
    Apply the changes to the KMS key policy.

  4. Verify Logs
    Check CloudTrail logs in S3 to confirm visibility.
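As an added check that is not part of this wiki page, the Python below evaluates a KMS key policy document offline and reports which of the two required actions it does not grant directly to the compliance role, then appends the statement from step 2. The role ARN and action list are the ones shown above; the sample key policy is constructed, and only direct grants in the key policy are evaluated (no IAM role policies, no conditions).

```python
import json
from fnmatch import fnmatchcase
# Role ARN and action list come from the policy block shown on this page.
ROLE_ARN = "arn:aws:iam::116981772864:role/duploservices-compliance"
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")

# Constructed sample: a CloudTrail key policy that does not yet name the role.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::116981772864:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*"},
    ],
})

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principal_matches(principal, role_arn):
    # Only a direct "AWS" principal counts: the account-root entry above only
    # delegates to IAM policies and does not by itself grant the role access.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", role_arn) for p in _as_list(principal.get("AWS")))
    return False

def missing_kms_actions(policy_json, role_arn, required=REQUIRED_ACTIONS):
    """Required actions the key policy does not grant directly to role_arn.
    Statements with a Condition are skipped; NotAction/NotPrincipal are ignored."""
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Condition") or not _principal_matches(stmt.get("Principal"), role_arn):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(a for a in required if any(fnmatchcase(a.lower(), p) for p in patterns))
    return [a for a in required if a in denied or a not in allowed]

def add_compliance_statement(policy_json, role_arn):
    """Append the page's 'Enable Decryption of objects by Compliance' statement."""
    policy = json.loads(policy_json)
    policy["Statement"] = _as_list(policy.get("Statement")) + [{
        "Sid": "Enable Decryption of objects by Compliance", "Effect": "Allow",
        "Principal": {"AWS": role_arn}, "Action": list(REQUIRED_ACTIONS), "Resource": "*"}]
    return json.dumps(policy, indent=2)
```

Run `missing_kms_actions` against the live key policy (for example the output of `aws kms get-key-policy`) before and after step 3 to confirm the grant is in place; an explicit Deny for the role is reported as still missing.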

6. Resolving RSA Key Issue on Ubuntu 22 for SIEM Host

Scenario

When the SIEM host is configured to use an RSA key for SSH authentication, Ubuntu 22 does not accept RSA keys by default. This results in failed SSH access to the host, which in turn breaks operations such as installing or managing the Wazuh agent and verifying that the network agent is working.

Important Note

This solution applies only if the host is configured with an RSA key.


Solution

To enable SSH access to a host using an RSA key, follow these steps to modify the SSH server configuration.

Steps to Resolve

  1. Check If the Host Uses an RSA Key
    Ensure the host is configured to use an RSA key for SSH authentication.

  2. Edit the SSH Configuration File
    Open the SSH daemon configuration file using the following command:

    vim /etc/ssh/sshd_config
  3. Enable RSA Key Support
    Add the following lines to the file to explicitly allow RSA keys:

    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
    
  4. Restart the SSH Service
    Apply the changes by restarting the SSH service:

    service sshd restart
  5. Verify SSH Access
