Addressing Wallarm Node Issues Alerted by OWASP Dashboard¶
When Wallarm nodes are not updated or face synchronization issues with the Cloud, error messages appear on the OWASP dashboard indicating problems that can impact infrastructure security. This article describes how to address these issues.
Wallarm node is outdated¶
Outdated nodes may lack important security updates, allowing malicious traffic to bypass defenses. Synchronization issues can disrupt the nodes' functionality, preventing them from receiving vital security policies from the Cloud. These issues are primarily related to the OWASP API8 (Security Misconfiguration) threat, where a missing security solution in any part of the application stack can make the system vulnerable. To prevent this, the dashboard alerts you to node operation issues, e.g.:
To maintain a secure environment, it is crucial to regularly update Wallarm nodes and address synchronization problems. If your Wallarm node version is at or approaching its end-of-life, it is recommended to upgrade your node to the latest version.
Wallarm node and Cloud have synchronization issues¶
If you encounter issues with Wallarm Cloud synchronization, make sure that the corresponding settings are correct.
If you need assistance in resolving synchronization or other issues or any other requests, you can seek help from the Wallarm support team. Provide them with the following logs for analysis:
-
Logs from
/opt/wallarm/var/log/wallarm/wcli-out.logto check for any problems with thesyncnodescript -
Logs from the
/var/log/syslogor/var/log/messagesdirectory (depending on the deployment option) to provide additional details about the synchronization issue
custom_ruleset and proton.db¶
The important files to be updated during Cloud-node synchronization, are custom_ruleset and proton.db. Search for them in your OS, they can be located in /opt/wallarm/etc/wallarm or another folder depending on the self-hosted node installation method.
-rw-r--r-- 1 wallarm wallarm 93774 Aug 20 07:40 custom_ruleset
-rw-r--r-- 1 wallarm wallarm 406 Jul 29 20:09 libproton.json
-rw-r----- 1 wallarm wallarm 680 Aug 20 07:40 node.yaml
-rw-r--r-- 1 wallarm wallarm 1675 Aug 20 07:40 private.key
-rw-r--r-- 1 wallarm wallarm 363659 Aug 20 13:01 proton.db
-rw-r--r-- 1 wallarm wallarm 6 Jul 29 20:11 version
The mentioned and other files must have correct group (second column with wallarm), this group should be the same as the one running NGINX's workers (check with ps aux|grep nginx)
custom_ruleset version¶
Problems with custom_ruleset synchronization can be caused by inconsistency between min custom ruleset version set for you by Wallarm support group and the node version:
-
Get your custom ruleset version via node's statistics service -
custom_ruleset_ver. For example: -
Get your Wallarm node version, for example via Wallarm Console → Nodes → your node details, bottom of the window.
-
Get your settings via Wallarm API,
/v2/client/{clientid}/rules/settings. For example:
Node uuid and/or secret cannot be detected¶
You can see the following message in just created or updated node logs "Can't detect node uuid and/or secret, please add node to cloud first."
On node creation and update, it is registered in a Cloud. The mentioned message may mean that this registration was not successful which will prevent node and Cloud from syncing (only basic detection in a monitoring mode, no rules, mitigation controls or lists will come from Cloud, no monitoring results will arrive to Cloud).
Node registered
The quickest way to make sure the node was registered successfully is to check its presence in Wallarm Console → Nodes section. The further syncing status can also be checked here.
To generally resolve "not registered node" issues, contact the Wallarm support team.
When you do not need to worry
Sometimes, the "Can't detect node uuid and/or secret, please add node to cloud first" message can appear BEFORE the node registration process is finished and you see in the log:
Thus, if registration errors go BEFORE this message, you can ignore them - they will disappear after registration.