[BUG] 4.7.1 - Manager container not creating etc/shared folder in /var/ossec #1167
Comments
When I downloaded the repository again, Wazuh launched with the default configuration; then I did a podman compose down and replaced the docker-compose.yml. Everything launches correctly during the second compose, but the passwords I changed don't work, even if I do it one by one. I apply the passwords in the Indexer container with these commands:

export INSTALLATION_DIR=/usr/share/wazuh-indexer
CACERT=$INSTALLATION_DIR/certs/root-ca.pem
KEY=$INSTALLATION_DIR/certs/admin-key.pem
CERT=$INSTALLATION_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl

I can't go any further in my analysis as I have absolutely no idea how containers work exactly.

P.S.: First problem not resolved; in 1 or 2 days it will no longer work for no reason.
When providing an external ar.conf to the container, it works on the manager container side. I don't understand why, but the manager container on compose up does not create the shared folder in /var/ossec/etc/. Now I only have a problem with the password.
Found a solution for the password change. The bug report is complete: sometimes the wazuh_manager container does not create the /var/ossec/etc/shared folder, and apparently the same goes for the /var/ossec/etc/lists folder.
@EvoXCX what was the solution for the password issue? I seem to be running into the same problem you faced. Creating the

UPDATE: it seems as though wazuh/wazuh#19517 helped me out:
Hello @CyDickey-msr, I see you found an answer :) I wrote a small piece of documentation when I was setting up Wazuh; I post it here, maybe it will help someone get past some common problems.

Summary
Wazuh is an XDR solution for Linux, Windows, and BSD; it allows retrieving security information through the agent installed on the system. In this documentation Wazuh will be installed as rootless containers, as a localhost single node with a localhost agent.

Requirements
Podman 4.8.0+

Server Installation

Initial Setup
First we need to pull the git repository with the version we want to download:

git clone https://github.com/wazuh/wazuh-docker.git -b <version>

Generate certificates:

podman compose -f generate-indexer-certs.yml run --rm generator

Set ulimits manually with podman:

IMPORTANT: Set the unprivileged port start to 443:

Set users and password
Use this command to generate a password hash:

podman run --rm -ti wazuh/wazuh-indexer:4.7.1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

WARNING: Save the hash and edit config/wazuh_indexer/internal_users.yml for the admin user and the kibanaserver user. To add a user you need to use the kibanaro line and change the user, password, perms and description. To change the API user and password, edit config/wazuh_dashboard/wazuh.yml. After changing all passwords in internal_users.yml and wazuh.yml you need to carry all passwords over to the docker-compose.yml file. The API credentials come from wazuh.yml; the Dashboard credentials are the kibanaserver user and the Indexer credentials are the admin user from internal_users.yml.

Containers autostart
To enable container autostart at boot on podman, you need to enable the podman-restart systemd unit as the user who launched the containers:

systemctl enable --now --user podman-restart.service

Start
To start your Wazuh instance you need to issue this command:

podman compose up -d

Agent Installation
In case your system does not support .deb or .rpm, you need to compile the agent by hand.

Download agent

Debian
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add repository:
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Install agent:
apt update && apt install wazuh-agent

Redhat
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add repository:
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Install agent:
yum update && yum install wazuh-agent

Arch
Install agent:
paru -S wazuh-agent

Configure Agent
Edit this line in ossec.conf:
<address>MANAGER_IP</address>
to
<address>127.0.0.1</address>

Add an identifier name for your agent in the "client" section (same section as above):
<enrollment>
<agent_name>Linux_01</agent_name>
</enrollment>

Start
To start the wazuh-agent daemon:
systemctl enable --now wazuh-agent.service

Reference:

Update
To update the infrastructure you need to modify the docker-compose file in /opt/wazuh and change the version value.

Down the Wazuh containers:
podman compose -f /opt/wazuh/docker-compose.yml down

Re-up with the new docker-compose file:
podman compose -f /opt/wazuh/docker-compose.yml up

Troubleshoot

Manager error: etc/shared/ar.conf not present
In this case you need to add the etc/shared folder (you need to mount a demo container to get the /var/ossec/etc/shared folder):

volumes:
  - /opt/wazuh_conf/config/ossec/etc/shared:/var/ossec/etc/shared

Give rights on all folders:
chown -R user:user /opt/wazuh
chown -R user:user /opt/wazuh_conf
chmod -R 755 /opt/wazuh
chmod -R 755 /opt/wazuh_conf
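The troubleshooting step above (pre-create the shared folder on the host, bind-mount it, then fix ownership and modes) can be turned into a pre-flight check that runs before podman compose up. The script below is an added example for this thread; it is not part of wazuh-docker and is not the comment author's code. It assumes a host tree like /opt/wazuh_conf/ossec/etc/... mirroring /var/ossec/etc/... (the layout the guide uses), treats /var/ossec/etc/shared and /var/ossec/etc/lists as the directories to pre-create (the two named in this thread), and the function names are my own.

```shell
#!/bin/sh
# Pre-flight check for a bind-mounted Wazuh manager configuration tree.
# Added example for this thread, not part of wazuh-docker. The layout
# (<conf_root>/ossec/etc/... mirroring /var/ossec/etc/...) is an assumption
# following the /opt/wazuh_conf example in the guide above.
set -eu

# Directories under /var/ossec that this thread reports the manager
# container sometimes fails to create on its own.
REQUIRED_DIRS="etc/shared etc/lists"

# missing_manager_dirs <conf_root>
# Prints, one per line, each required directory absent from the host tree.
missing_manager_dirs() {
    root="$1"
    for d in $REQUIRED_DIRS; do
        [ -d "$root/ossec/$d" ] || echo "$d"
    done
}

# ensure_manager_dirs <conf_root> <owner>
# Creates any missing required directory, then applies the ownership and
# mode steps from the guide (chown to the user running the containers;
# 755 on directories, read-only for others on files). Prints the number
# of directories it had to create, so 0 means the tree was already complete.
ensure_manager_dirs() {
    root="$1"; owner="$2"; created=0
    for d in $(missing_manager_dirs "$root"); do
        mkdir -p "$root/ossec/$d"
        created=$((created + 1))
    done
    chown -R "$owner" "$root"
    # u+rwX,go+rX gives 755 on directories without marking plain files executable
    chmod -R u+rwX,go+rX "$root"
    echo "$created"
}

# compose_volume_lines <conf_root>
# Prints the bind mounts to add under the manager service's volumes: key.
compose_volume_lines() {
    root="$1"
    for d in $REQUIRED_DIRS; do
        printf '      - %s/ossec/%s:/var/ossec/%s\n' "$root" "$d" "$d"
    done
}

# Usage: sh preflight.sh /opt/wazuh_conf user:user
# Runs only when arguments are given, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    n=$(ensure_manager_dirs "$1" "${2:-$(id -un):$(id -gn)}")
    echo "created $n missing directory(ies) under $1; mount them with:"
    compose_volume_lines "$1"
fi
```

Because /var/ossec/etc/shared holds configuration the manager distributes to agents (ar.conf is the file named in this thread), keep the host copy writable only by the user who runs the rootless containers; loosening it to 777 to silence a permission error would let any local user push configuration to every enrolled agent.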
Hello,
I have a problem with my Wazuh containers. I scrupulously followed the documentation for the installation and I don't understand what is broken.
Additional information:
OS Info
Podman Engine version
Podman-Compose version
Wazuh Installation Folder
/opt/wazuh (only docker-compose.yml is modified, to mount the config files in the containers); /opt/wazuh_conf (all edited config goes here)
(The context works, since I was able to use it for 2 days and then nothing.)
Let me explain:
I normally clone repository version 4.7.1 and then I have to edit the docker-compose.yml; I removed this part:
Then I define it by hand by editing the /etc/security/limits.conf file, taking care to add the correct values.
No worry, it is just a replaced value.
Then I add the sysctl option.
Finally, I copy my configuration, which I've been able to improve over the last 2 days of operation, and then add the mount points, still in the docker-compose.yml file.
Then I start the containers via compose up -d, but I get this error on the manager containers:
Manager container logs
OSSEC File
The Dashboard can't start because the manager can't keep up and crashes.
Does someone have a solution? Because re-downloading a new repository and copying the old data works for a while, then after a few restarts the manager container gives the above error.
If the bug report isn't complete, I'll be happy to test it and provide more information if required.