
[BUG] 4.7.1 - Manager container not creating etc/shared folder in /var/ossec #1167

Open
EvoXCX opened this issue Dec 29, 2023 · 5 comments

@EvoXCX

EvoXCX commented Dec 29, 2023

Hello,
I have a problem with my Wazuh containers. I scrupulously followed the documentation for the installation, and I don't understand what is broken.

Additional information:

OS Info
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"
PRIVACY_POLICY_URL="https://terms.archlinux.org/docs/privacy-policy/"
LOGO=archlinux-logo
Podman Engine version
Client:       Podman Engine
Version:      4.8.2
API Version:  4.8.2
Go Version:   go1.21.5
Git Commit:   aa546902fa1a927b3d770528565627d1395b19f3-dirty
Built:        Wed Dec 13 23:07:26 2023
OS/Arch:      linux/amd64
Podman-Compose version
podman-compose version: 1.0.6
['podman', '--version', '']
using podman version: 4.8.2
podman-compose version 1.0.6
podman --version 
podman version 4.8.2
exit code: 0
Wazuh Installation Folder
/opt/wazuh (Only docker-compose.yml is modified to mount conf file in containers)

/opt/wazuh_conf (All edited config goes here)

(The setup worked, since I was able to use it for 2 days, and then nothing.)

Let me explain:
I normally clone the repository at version 4.7.1, and then I have to edit docker-compose.yml. I removed this part:

ulimits:
  memlock:
    soft: -1
    hard: -1
  nofile:
    soft: 655360
    hard: 655360

Then I define it by hand by editing the /etc/security/limits.conf file, taking care to add the correct values:

<user>     hard    memlock         -1
<user>     soft    memlock         -1
<user>     hard    nofile          65536
<user>     soft    nofile          65536

No worries, <user> is just a replaced value.

Then I add the sysctl options:

net.ipv4.ip_unprivileged_port_start=443
vm.max_map_count=262144

Finally, I copy my configuration, which I've been able to improve over the last 2 days of operation, and then add mount points, still in the docker-compose.yml file.

Manager
- /opt/wazuh_conf/config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
- /opt/wazuh_conf/config/wazuh_cluster/local_rules.xml:/var/ossec/etc/rules/local_rules.xml
- /opt/wazuh_conf/config/wazuh_cluster/local_decoder.xml:/var/ossec/etc/decoders/local_decoder.xml

Indexer
- /opt/wazuh_conf/config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

Dashboard
- /opt/wazuh_conf/config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

Then I start the containers via compose up -d, but I get this error on the manager container:

Manager container logs
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing... 
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
The path /var/ossec/api/configuration is already mounted
/var/ossec/data_tmp/permanent/var/ossec/etc/
The path /var/ossec/etc is already mounted
/var/ossec/data_tmp/permanent/var/ossec/logs/
The path /var/ossec/logs is already mounted
/var/ossec/data_tmp/permanent/var/ossec/queue/
The path /var/ossec/queue is already mounted
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is already mounted
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is already mounted
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is already mounted
/var/ossec/data_tmp/permanent/var/ossec/wodles/
The path /var/ossec/wodles is already mounted
/var/ossec/data_tmp/permanent/etc/filebeat/
The path /etc/filebeat is already mounted
Updating /var/ossec/etc/internal_options.conf
Updating /var/ossec/integrations/pagerduty
Updating /var/ossec/integrations/slack
Updating /var/ossec/integrations/slack.py
Updating /var/ossec/integrations/virustotal
Updating /var/ossec/integrations/virustotal.py
Updating /var/ossec/integrations/shuffle
Updating /var/ossec/integrations/shuffle.py
Updating /var/ossec/active-response/bin/default-firewall-drop
Updating /var/ossec/active-response/bin/disable-account
Updating /var/ossec/active-response/bin/firewalld-drop
Updating /var/ossec/active-response/bin/firewall-drop
Updating /var/ossec/active-response/bin/host-deny
Updating /var/ossec/active-response/bin/ip-customblock
Updating /var/ossec/active-response/bin/ipfw
Updating /var/ossec/active-response/bin/kaspersky.py
Updating /var/ossec/active-response/bin/kaspersky
Updating /var/ossec/active-response/bin/npf
Updating /var/ossec/active-response/bin/wazuh-slack
Updating /var/ossec/active-response/bin/pf
Updating /var/ossec/active-response/bin/restart-wazuh
Updating /var/ossec/active-response/bin/restart.sh
Updating /var/ossec/active-response/bin/route-null
Updating /var/ossec/agentless/sshlogin.exp
Updating /var/ossec/agentless/ssh_pixconfig_diff
Updating /var/ossec/agentless/ssh_asa-fwsmconfig_diff
Updating /var/ossec/agentless/ssh_integrity_check_bsd
Updating /var/ossec/agentless/main.exp
Updating /var/ossec/agentless/su.exp
Updating /var/ossec/agentless/ssh_integrity_check_linux
Updating /var/ossec/agentless/register_host.sh
Updating /var/ossec/agentless/ssh_generic_diff
Updating /var/ossec/agentless/ssh_foundry_diff
Updating /var/ossec/agentless/ssh_nopass.exp
Updating /var/ossec/agentless/ssh.exp
Updating /var/ossec/wodles/utils.py
Updating /var/ossec/wodles/aws/aws-s3
Updating /var/ossec/wodles/aws/aws-s3.py
Updating /var/ossec/wodles/azure/azure-logs
Updating /var/ossec/wodles/azure/azure-logs.py
Updating /var/ossec/wodles/docker/DockerListener
Updating /var/ossec/wodles/docker/DockerListener.py
Updating /var/ossec/wodles/gcloud/gcloud
Updating /var/ossec/wodles/gcloud/gcloud.py
Updating /var/ossec/wodles/gcloud/integration.py
Updating /var/ossec/wodles/gcloud/tools.py
find: '/proc/tty/driver': Permission denied
find: '/proc/311/task/311/fd/6': No such file or directory
find: '/proc/311/task/311/fdinfo/6': No such file or directory
find: '/proc/311/fd/5': No such file or directory
find: '/proc/311/fdinfo/5': No such file or directory
find: '/proc/tty/driver': Permission denied
find: '/proc/312/task/312/fd/6': No such file or directory
find: '/proc/312/task/312/fdinfo/6': No such file or directory
find: '/proc/312/fd/5': No such file or directory
find: '/proc/312/fdinfo/5': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing... 
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing... 
2023/12/29 08:02:55 wazuh-analysisd: ERROR: (1103): Could not open file 'etc/shared/ar.conf' due to [(2)-(No such file or directory)].
2023/12/29 08:02:55 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/ossec.conf'.
wazuh-analysisd: Configuration error. Exiting
[cont-init.d] 2-manager: exited 1.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
starting Filebeat
2023/12/29 08:01:36 wazuh-analysisd: ERROR: (1103): Could not open file 'etc/shared/ar.conf' due to [(2)-(No such file or directory)].
2023/12/29 08:01:36 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/ossec.conf'.
2023/12/29 08:02:55 wazuh-analysisd: ERROR: (1103): Could not open file 'etc/shared/ar.conf' due to [(2)-(No such file or directory)].
2023/12/29 08:02:55 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/ossec.conf'.
2023-12-29T08:02:55.541Z        INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2023-12-29T08:02:55.541Z        INFO    instance/beat.go:653    Beat ID: 627039c8-4118-46b9-98c6-fe035f8a1fdd
2023-12-29T08:02:55.542Z        INFO    [seccomp]       seccomp/seccomp.go:124  Syscall filter successfully installed
2023-12-29T08:02:55.542Z        INFO    [beat]  instance/beat.go:981    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "627039c8-4118-46b9-98c6-fe035f8a1fdd"}}}
2023-12-29T08:02:55.542Z        INFO    [beat]  instance/beat.go:990    Build info      {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2023-12-29T08:02:55.542Z        INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":16,"version":"go1.14.12"}}}
2023-12-29T08:02:55.545Z        INFO    [beat]  instance/beat.go:997    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-12-29T07:43:34Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","10.89.0.7/24","fe80::1c12:baff:fe05:70b1/64"],"kernel_version":"6.6.8-hardened1-1-hardened","mac":["1e:12:ba:05:70:b1"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"20.04.6 LTS (Focal Fossa)","major":20,"minor":4,"patch":6,"codename":"focal"},"timezone":"UTC","timezone_offset_sec":0}}}
2023-12-29T08:02:55.546Z        INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","sys_chroot","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","sys_chroot","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","sys_chroot","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 401, "ppid": 394, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2023-12-29T08:02:54.930Z"}}}
2023-12-29T08:02:55.546Z        INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2023-12-29T08:02:55.547Z        INFO    eslegclient/connection.go:99    elasticsearch url: https://wazuh.indexer:9200
2023-12-29T08:02:55.548Z        INFO    [publisher]     pipeline/module.go:113  Beat name: wazuh.manager
2023-12-29T08:02:55.550Z        INFO    beater/filebeat.go:117  Enabled modules/filesets: wazuh (alerts),  ()
2023-12-29T08:02:55.551Z        INFO    instance/beat.go:455    filebeat start running.
2023-12-29T08:02:55.551Z        INFO    memlog/store.go:119     Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2023-12-29T08:02:55.552Z        INFO    memlog/store.go:124     Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0
2023-12-29T08:02:55.552Z        INFO    [registrar]     registrar/registrar.go:109      States Loaded from registrar: 0
2023-12-29T08:02:55.552Z        INFO    [crawler]       beater/crawler.go:71    Loading Inputs: 1
2023-12-29T08:02:55.552Z        INFO    log/input.go:157        Configured paths: [/var/ossec/logs/alerts/alerts.json]
2023-12-29T08:02:55.552Z        INFO    [crawler]       beater/crawler.go:141   Starting input (ID: 9132358592892857476)
2023-12-29T08:02:55.552Z        INFO    [crawler]       beater/crawler.go:108   Loading and starting Inputs completed. Enabled inputs: 1
OSSEC File
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>[email protected]</email_from>
    <email_to>[email protected]</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>6</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>3h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <os>bookworm</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>no</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <os>amazon-linux-2023</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE Linux Enterprise OS vulnerabilities -->
    <provider name="suse">
      <enabled>no</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Alma Linux OS vulnerabilities -->
    <provider name="almalinux">
      <enabled>no</enabled>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Do not ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck> 

<!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
  </global>

  <command>
    <name>yara_linux</name>
    <executable>yara.sh</executable>
    <extra_args>-yara_path /usr/bin -yara_rules /opt/wazuh/yara/rules/yara_rules.yar</extra_args>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    <command>yara_linux</command>
    <location>local</location>
    <rules_id>100300,100301</rules_id>
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key>aa093264ef885029653eea20dfcf51ae</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>wazuh.manager</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

</ossec_config>

The dashboard can't start because the manager can't keep up and crashes.

Does someone have a solution? Re-downloading a new repository and copying the old data works for a while, then after a few restarts the manager container gives the above error.

If the bug report isn't complete, I'll be happy to test it and provide more information if required.

@EvoXCX
Author

EvoXCX commented Dec 29, 2023

When I downloaded the repository again, Wazuh launched with the default configurations; then I did a podman compose down and replaced the docker-compose.yml.

Everything launches correctly during the second compose, but the passwords I changed don't work, even if I do it one by one.

I apply the passwords in the Indexer container with these commands:

export INSTALLATION_DIR=/usr/share/wazuh-indexer
CACERT=$INSTALLATION_DIR/certs/root-ca.pem
KEY=$INSTALLATION_DIR/certs/admin-key.pem
CERT=$INSTALLATION_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl

I can't go any further in my analysis as I have absolutely no idea how containers work exactly.

P.S.: The first problem is not resolved; in 1 or 2 days it will no longer work for no reason.

@EvoXCX EvoXCX changed the title [BUG] ossec.conf configuration error [BUG] 4.7.1 - ossec.conf configuration error Jan 2, 2024
@EvoXCX EvoXCX changed the title [BUG] 4.7.1 - ossec.conf configuration error [BUG] 4.7.1 - ossec.conf mounted but can't be readed by manager container Jan 5, 2024
@EvoXCX EvoXCX changed the title [BUG] 4.7.1 - ossec.conf mounted but can't be readed by manager container [BUG] 4.7.1 - Manager container not creating etc/shared folder in /var/ossec Jan 5, 2024
@EvoXCX
Author

EvoXCX commented Jan 5, 2024

When providing an external ar.conf to the container, it works on the manager container side.

I don't understand why, but the manager container on compose up does not create the shared folder in /var/ossec/etc/.

Now I only have a problem with the password.

@EvoXCX
Author

EvoXCX commented Jan 5, 2024

Found a solution for password change.

The bug report is complete: sometimes the wazuh_manager container does not create the /var/ossec/etc/shared folder, and apparently the same for the /var/ossec/etc/lists folder.

@CyDickey-msr

CyDickey-msr commented Jun 12, 2024

@EvoXCX what was the solution for the password issue? I seem to be running into the same problem you faced. Creating the ar.conf got me past the manager crashlooping, but now I seem to be hitting the password problem.

UPDATE: it seems as though wazuh/wazuh#19517 helped me out:

<auth>
  <use_password>yes</use_password>
</auth>

@EvoXCX
Author

EvoXCX commented Jun 13, 2024

Hello @CyDickey-msr, I see you found a response :)

I wrote a small documentation when I was setting up Wazuh; I post it here, maybe it will help someone to unlock some common problems.

Summary

Wazuh is an XDR solution for Linux, Windows, and BSD; it allows retrieving security information through the agent installed on the system.

In this documentation, Wazuh will be installed as rootless containers, as a localhost single node with a localhost agent.

Requirements

Podman 4.8.0+
Podman-Compose 1.0.6+
Wazuh 4.7.1+

Server Installation

Initial Setup

First we need to pull the git repository with the version we want to download:

git clone https://github.com/wazuh/wazuh-docker.git -b <version>

Generate certificates:

podman compose -f generate-indexer-certs.yml run --rm generator

Set ulimits manually with podman:
/etc/security/limits.conf

<username>	hard	memlock	-1
<username>	soft	memlock	-1
<username>	hard	nofile	65536
<username>	soft	nofile	65536

IMPORTANT
Comment out the ulimits part in docker-compose.yml for wazuh-manager and wazuh-indexer.

Set unprivileged port start to 443:
/etc/sysctl/10-wazuh.conf

net.ipv4.ip_unprivileged_port_start=443

Set users and passwords

Use this command to generate a password hash:

podman run --rm -ti wazuh/wazuh-indexer:4.7.1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

WARNING
Enter a strong password with alphanumeric characters and special characters, but do not use problematic special characters like @, /, &, [, ], (, ).

Save the hash and edit config/wazuh_indexer/internal_users.yml for the admin user and the kibanaserver user.

To add a user, you need to use the kibanaro line and change the user, password, perms and description.

To change the API user and password, edit config/wazuh_dashboard/wazuh.yml.
Same note as the warning above: you need to choose a strong password.

After changing all passwords in internal_users.yml and wazuh.yml, you need to reflect all passwords in the docker-compose.yml file.

API credentials are from wazuh.yml.

Dashboard credentials are the kibanaserver user, and Indexer credentials are the admin user from internal_users.yml.

Containers autostart

To enable container autostart at boot on Podman, you need to enable the podman-restart systemd unit as the user who launched the containers:

systemctl enable --now --user podman-restart.service

Start

To start your Wazuh instance, you need to issue this command:

podman compose up -d

Agent Installation

In case your system does not support .deb or .rpm, you need to compile the agent by hand.

Download agent

Debian
Import GPG key:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add repository:

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Install agent:

apt update && apt install wazuh-agent

Redhat
Import GPG key:

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add repository:

cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Install agent:

yum update && yum install wazuh-agent

Arch
Packages are already available on the AUR; no need to import a repository.

Install agent:

paru -S wazuh-agent

Configure Agent

Edit this line in ossec.conf:
/var/ossec/etc/ossec.conf

<address>MANAGER_IP</address>

to

<address>127.0.0.1</address>

Add an identifier name for your agent in the "client" section (same section as above):
/var/ossec/etc/ossec.conf

<enrollment>
	<agent_name>Linux_01</agent_name>
</enrollment>

Start

To start wazuh-agent daemon:

systemctl enable --now wazuh-agent.service

Reference:
Wazuh Docker Installation Guide
Wazuh Installation Guide

Update

To update the infrastructure, you need to modify the docker-compose file in /opt/wazuh and change the version value.

Bring down the Wazuh containers:

podman compose -f /opt/wazuh/docker-compose.yml down

Re-up with the new docker-compose file:

podman compose -f /opt/wazuh/docker-compose.yml up

Troubleshoot

Manager error etc/shared/ar.conf not present

In this case, you need to add the etc/shared folder (you need to run a demo container to get the /var/ossec/etc/shared folder):

volumes:
  - /opt/wazuh_conf/config/ossec/etc/shared:/var/ossec/etc/shared

Give rights on all folders:

chown -R user:user /opt/wazuh
chown -R user:user /opt/wazuh_conf

chmod -R 755 /opt/wazuh
chmod -R 755 /opt/wazuh_conf
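A host-side preflight script, added here as an example (not part of wazuh-docker or of the setup posted above), that checks the layout described in this thread before `podman compose up -d`: every bind-mount source exists, the directory mounted at /var/ossec/etc/shared holds an ar.conf (the file whose absence produced error (1103) in the manager log), and limits.conf and the sysctl file carry the values set in the first post. The `wazuh` user name, the volumes.txt spec file and the constructed fixture directories are assumptions for the demo; pass your own paths to `wazuh_preflight`.

```shell
#!/bin/sh
# Host-side preflight for the rootless Podman layout used in this thread: bind
# mounts under a conf root (/opt/wazuh_conf above), hand-set limits.conf and a
# sysctl file. Added example, not part of wazuh-docker; all paths are arguments.

# Each "host:container" line of $1 (as written under `volumes:` in
# docker-compose.yml) needs an existing host path. Returns 0 if all exist.
check_volume_sources() {
    specfile=$1; rc=0
    while IFS= read -r spec; do
        case $spec in ''|'#'*) continue ;; esac   # skip blanks and comments
        spec=${spec#- }; host=${spec%%:*}          # drop list marker, keep host side
        [ -e "$host" ] || { echo "MISSING host path for volume: $spec" >&2; rc=1; }
    done < "$specfile"
    return $rc
}

# analysisd aborted with error (1103) because etc/shared/ar.conf was absent:
# the directory mounted at /var/ossec/etc/shared ($1) must hold a readable ar.conf.
check_shared_dir() {
    [ -d "$1" ] || { echo "MISSING shared directory: $1" >&2; return 1; }
    [ -r "$1/ar.conf" ] || { echo "MISSING or unreadable: $1/ar.conf" >&2; return 1; }
}

# limits.conf ($1) must carry the four entries set by hand for the user who
# runs the containers ($2): memlock -1 and nofile 65536, hard and soft.
check_limits() {
    limits=$1; user=$2; rc=0
    for entry in "hard memlock -1" "soft memlock -1" "hard nofile 65536" "soft nofile 65536"; do
        re="^[[:space:]]*$user[[:space:]]+$(echo "$entry" | sed 's/ /[[:space:]]+/g')[[:space:]]*$"
        grep -Eq "$re" "$limits" || { echo "limits.conf lacks: $user $entry" >&2; rc=1; }
    done
    return $rc
}

# The sysctl file ($1) must set the two keys applied in the thread: rootless
# containers binding 443, and the map count the indexer needs.
check_sysctl_file() {
    f=$1; rc=0
    for kv in "net.ipv4.ip_unprivileged_port_start=443" "vm.max_map_count=262144"; do
        re="^[[:space:]]*$(echo "$kv" | sed 's/\./\\./g; s/=/[[:space:]]*=[[:space:]]*/')[[:space:]]*$"
        grep -Eq "$re" "$f" || { echo "sysctl file lacks: $kv" >&2; rc=1; }
    done
    return $rc
}

# Run every check. $1 = conf root (the role /opt/wazuh_conf plays above), $2 =
# volume spec file, $3 = limits.conf, $4 = sysctl file, $5 = container user.
wazuh_preflight() {
    status=0
    check_volume_sources "$2"                       || status=1
    check_shared_dir "$1/config/ossec/etc/shared"   || status=1
    check_limits "$3" "$5"                          || status=1
    check_sysctl_file "$4"                          || status=1
    return $status
}

# Constructed fixture under a temp dir mirroring the thread's layout; $1 =
# complete writes shared/ar.conf, $1 = broken omits it (the state the manager
# log complained about). Prints the fixture root.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/config/wazuh_cluster" "$root/config/ossec/etc/shared"
    for f in wazuh_manager.conf local_rules.xml local_decoder.xml; do : > "$root/config/wazuh_cluster/$f"; done
    [ "$1" = complete ] && : > "$root/config/ossec/etc/shared/ar.conf"
    cat > "$root/volumes.txt" <<EOF
- $root/config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
- $root/config/wazuh_cluster/local_rules.xml:/var/ossec/etc/rules/local_rules.xml
- $root/config/wazuh_cluster/local_decoder.xml:/var/ossec/etc/decoders/local_decoder.xml
- $root/config/ossec/etc/shared:/var/ossec/etc/shared
EOF
    printf '%s\n' "wazuh hard memlock -1" "wazuh soft memlock -1" \
        "wazuh hard nofile 65536" "wazuh soft nofile 65536" > "$root/limits.conf"
    printf '%s\n' net.ipv4.ip_unprivileged_port_start=443 vm.max_map_count=262144 > "$root/10-wazuh.conf"
    echo "$root"
}

# Returns 0 when the complete fixture passes and the broken one is rejected.
preflight_demo() {
    good=$(build_fixture complete); bad=$(build_fixture broken)
    wazuh_preflight "$good" "$good/volumes.txt" "$good/limits.conf" "$good/10-wazuh.conf" wazuh; good_rc=$?
    wazuh_preflight "$bad" "$bad/volumes.txt" "$bad/limits.conf" "$bad/10-wazuh.conf" wazuh 2>/dev/null; bad_rc=$?
    rm -rf "$good" "$bad"
    echo "complete layout rc=$good_rc; broken layout (no ar.conf) rc=$bad_rc"
    [ "$good_rc" -eq 0 ] && [ "$bad_rc" -ne 0 ]
}

preflight_demo
```

A non-zero exit from `wazuh_preflight` against your own tree means one of the bind-mount sources or host settings from the steps above is missing, so fix that before starting the containers.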
