Problems to integrate personal SSL certs in wazuh docker container


DUCARROZ Birgit

Apr 21, 2021, 4:59:55 AM
to wa...@googlegroups.com
Hi list,

First of all, I am a total newbie to Wazuh. I read this doc
https://documentation.wazuh.com/current/docker/wazuh-container.html#production-deployment

but there is something not working when bringing up my docker containers.

I have just two personal SSL certificate files, and one single server.
The server is filebeat, agent and single node, all at once.

xxx.domain.ch.crt
xxx.domain.ch.key

These certificates are stored outside of any docker container, directly
in a folder on my OS, in /volume/config/certs/xxx/

When bringing up the containers, I get the following error messages
(my configuration files are printed below these messages):

Please can anyone help me with this issue?

Thank you a lot!
Kind regards, Birgit

ERROR MESSAGES:
===============

kibana_1 | FATAL Error: ENOENT: no such file or directory,
open '/usr/share/kibana/config/xxx.domain.ch.key'

ERROR: for wazuh-docker_elasticsearch_1 Cannot start service
elasticsearch: OCI runtime create failed: container_linux.go:367:
starting container process caused: process_linux.go:495: container init
caused: rootfs_linux.go:60: mounting
"/root/script/wazuh-docker/production_cluster/elastic_opendistro/internal_users.yml"
to rootfs at
"/var/lib/docker/overlay2/936c900d26a11285e3493636dbb6b1cb8799bce43ac576d642ed0fa9167add48/merged/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml"
caused: not a directory: unknown: Are you trying to mount a directory
onto a file (or vice-versa)? Check if the specified host path exists and
is the expected type

ERROR: for elasticsearch Cannot start service elasticsearch: OCI
runtime create failed: container_linux.go:367: starting container
process caused: process_linux.go:495: container init caused:
rootfs_linux.go:60: mounting
"/root/script/wazuh-docker/production_cluster/elastic_opendistro/internal_users.yml"
to rootfs at
"/var/lib/docker/overlay2/936c900d26a11285e3493636dbb6b1cb8799bce43ac576d642ed0fa9167add48/merged/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml"
caused: not a directory: unknown: Are you trying to mount a directory
onto a file (or vice-versa)? Check if the specified host path exists and
is the expected type
ERROR: Encountered errors while bringing up the project

CONFIG FILES:
=============

docker-compose.yml
==================
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3.7'

services:
  wazuh:
    image: wazuh/wazuh-odfe:4.1.2
    hostname: wazuh-manager
    restart: always
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - ELASTIC_USERNAME=xxxx
      - ELASTIC_PASSWORD=xxxx
      - FILEBEAT_SSL_VERIFICATION_MODE=none
    volumes:
      - ossec_api_configuration:/var/ossec/api/configuration
      - ossec_etc:/var/ossec/etc
      - ossec_logs:/var/ossec/logs
      - ossec_queue:/var/ossec/queue
      - ossec_var_multigroups:/var/ossec/var/multigroups
      - ossec_integrations:/var/ossec/integrations
      - ossec_active_response:/var/ossec/active-response/bin
      - ossec_agentless:/var/ossec/agentless
      - ossec_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat

  elasticsearch:
    image: amazon/opendistro-for-elasticsearch:1.12.0
    hostname: elasticsearch
    restart: always
    ports:
      - "9200:9200"
    environment:
      - discovery.type=single-node
      - cluster.name=wazuh-cluster
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - bootstrap.memory_lock=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536

  kibana:
    image: wazuh/wazuh-kibana-odfe:4.1.2
    hostname: kibana
    restart: always
    ports:
      - 443:5601
    environment:
      - ELASTICSEARCH_USERNAME=xxxx
      - ELASTICSEARCH_PASSWORD=xxxx
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/xxx.domain.ch.crt
      - SERVER_SSL_KEY=/usr/share/kibana/config/xxx.domain.ch.key
    depends_on:
      - elasticsearch
    links:
      - elasticsearch:elasticsearch
      - wazuh:wazuh

volumes:
  ossec_api_configuration:
  ossec_etc:
  ossec_logs:
  ossec_queue:
  ossec_var_multigroups:
  ossec_integrations:
  ossec_active_response:
  ossec_agentless:
  ossec_wodles:
  filebeat_etc:
  filebeat_var:



production-cluster.yml
======================
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3.7'

services:
  wazuh-master:
    image: wazuh/wazuh-odfe:4.1.2
    hostname: wazuh-master
    restart: always
    ports:
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - ELASTIC_USERNAME=xxxx
      - ELASTIC_PASSWORD=xxxx
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/xxx.domain.ch.crt
      - SSL_CERTIFICATE=/etc/ssl/xxx.domain.ch.crt
      - SSL_KEY=/etc/ssl/xxx.domain.ch.key
      - API_USERNAME=acme-user
      - API_PASSWORD=xxxx
    volumes:
      - ossec-api-configuration:/var/ossec/api/configuration
      - ossec-etc:/var/ossec/etc
      - ossec-logs:/var/ossec/logs
      - ossec-queue:/var/ossec/queue
      - ossec-var-multigroups:/var/ossec/var/multigroups
      - ossec-integrations:/var/ossec/integrations
      - ossec-active-response:/var/ossec/active-response/bin
      - ossec-agentless:/var/ossec/agentless
      - ossec-wodles:/var/ossec/wodles
      - filebeat-etc:/etc/filebeat
      - filebeat-var:/var/lib/filebeat
      - /volume/config/certs/xxx/xxx.domain.ch.crt:/etc/ssl/xxx.domain.ch.crt
      - /volume/config/certs/xxx/xxx.domain.ch.key:/etc/ssl/xxx.domain.ch.key
      - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh-worker:
    image: wazuh/wazuh-odfe:4.1.2
    hostname: wazuh-worker
    restart: always
    environment:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - ELASTIC_USERNAME=xxxxx
      - ELASTIC_PASSWORD=xxxxx
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/xxx.domain.ch.crt
      - SSL_CERTIFICATE=/etc/ssl/xxx.domain.ch.crt
      - SSL_KEY=/etc/ssl/xxx.domain.ch.key
    volumes:
      - worker-ossec-api-configuration:/var/ossec/api/configuration
      - worker-ossec-etc:/var/ossec/etc
      - worker-ossec-logs:/var/ossec/logs
      - worker-ossec-queue:/var/ossec/queue
      - worker-ossec-var-multigroups:/var/ossec/var/multigroups
      - worker-ossec-integrations:/var/ossec/integrations
      - worker-ossec-active-response:/var/ossec/active-response/bin
      - worker-ossec-agentless:/var/ossec/agentless
      - worker-ossec-wodles:/var/ossec/wodles
      - worker-filebeat-etc:/etc/filebeat
      - worker-filebeat-var:/var/lib/filebeat
      - /volume/config/certs/xxx/xxx.domain.ch.crt:/etc/ssl/xxx.domain.ch.crt
      - /volume/config/certs/xxx/xxx.domain.ch.key:/etc/ssl/xxx.domain.ch.key
      - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf

  elasticsearch:
    image: amazon/opendistro-for-elasticsearch:1.12.0
    hostname: elasticsearch
    restart: always
    ports:
      - "9200:9200"
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - elastic-data-1:/usr/share/elasticsearch/data
      - /volume/config/certs/xxx/xxx.domain.ch.crt:/usr/share/elasticsearch/config/xxx.domain.ch.crt
      - /volume/config/certs/xxx/xxx.domain.ch.key:/usr/share/elasticsearch/config/xxx.domain.ch.key
      - ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

  kibana:
    image: wazuh/wazuh-kibana-odfe:4.1.2
    hostname: kibana
    restart: always
    ports:
      - 5601:5601
    environment:
      - ELASTICSEARCH_USERNAME=xxxxx
      - ELASTICSEARCH_PASSWORD=xxxxx
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/xxx.domain.ch.crt
      - SERVER_SSL_KEY=/usr/share/kibana/config/xxx.domain.ch.key
      - WAZUH_API_URL="https://wazuh-master"
      - API_USERNAME=acme-user
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - /volume/config/certs/xxx/xxx.domain.ch.crt:/usr/share/kibana/config/xxx.domain.ch.crt
      - /volume/config/certs/xxx/xxx.domain.ch.key:/usr/share/kibana/config/xxx.domain.ch.key
    depends_on:
      - elasticsearch
    links:
      - elasticsearch:elasticsearch
      - wazuh-master:wazuh-master

  nginx:
    image: nginx:stable
    hostname: nginx
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "1514:1514"
    depends_on:
      - wazuh-master
      - wazuh-worker
      - kibana
    links:
      - wazuh-master:wazuh-master
      - wazuh-worker:wazuh-worker
      - kibana:kibana
    volumes:
      - ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - /volume/config/certs/xxx:/etc/nginx/ssl:ro

volumes:
  ossec-api-configuration:
  ossec-etc:
  ossec-logs:
  ossec-queue:
  ossec-var-multigroups:
  ossec-integrations:
  ossec-active-response:
  ossec-agentless:
  ossec-wodles:
  filebeat-etc:
  filebeat-var:
  worker-ossec-api-configuration:
  worker-ossec-etc:
  worker-ossec-logs:
  worker-ossec-queue:
  worker-ossec-var-multigroups:
  worker-ossec-integrations:
  worker-ossec-active-response:
  worker-ossec-agentless:
  worker-ossec-wodles:
  worker-filebeat-etc:
  worker-filebeat-var:
  elastic-data-1:


elasticsearch-node1.yml
=======================

network.host: 0.0.0.0
cluster.name: wazuh-cluster
node.name: elasticsearch
discovery.seed_hosts: elasticsearch
cluster.initial_master_nodes: elasticsearch
bootstrap.memory_lock: true

opendistro_security.ssl.transport.pemcert_filepath: xxx.domain.ch.crt
opendistro_security.ssl.transport.pemkey_filepath: xxx.domain.ch.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: xxx.domain.ch.crt
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: xxx.domain.ch.crt
opendistro_security.ssl.http.pemkey_filepath: xxx.domain.ch.key
opendistro_security.ssl.http.pemtrustedcas_filepath: xxx.domain.ch.crt
opendistro_security.allow_default_init_securityindex: true
opendistro_security.nodes_dn:
- CN=xxx.domain.ch,OU=DIUF,O=University of xxx DC=domain,DC=ch
opendistro_security.authcz.admin_dn: []
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
#opendistro_security.audit.config.disabled_rest_categories: NONE
#opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.audit.log_request_body: false






Daniel Folch

Apr 22, 2021, 4:59:45 AM
to Wazuh mailing list

Hello Birgit,

After some investigation, I have found that this error:

caused: not a directory: unknown: Are you trying to mount a directory

usually appears when running Docker on Windows or macOS systems. May this be your case?

In this case the problem is that the folder you are trying to mount as a volume is not included in the list of shared folders in Docker. To add new directories on Windows, go to Settings -> Resources -> File Sharing -> Add a Directory, as indicated in the Docker Desktop for Windows user manual.

You will need to add all the directories you want to share with the container as volumes, in your case /volume/config/certs/xxx/.

Also remember to check your Docker version, as sharing files as volumes is only available starting from Docker CE 19.

Regards,
Daniel Folch
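The error message itself ends with "Check if the specified host path exists and is the expected type", and on Linux the usual cause is that the host side of a bind mount is missing: Docker then creates the missing source as an empty directory, which cannot be mounted over a file such as internal_users.yml inside the image. The pre-flight check below is an added example, not code from the thread or from the Wazuh project; it classifies each compose volume spec against a constructed directory tree that mirrors the production_cluster layout, with internal_users.yml deliberately absent.

```python
"""Pre-flight check for docker-compose bind mounts.

A bind-mount source that does not exist on the host is created by Docker as an
empty directory; if the container-side target is a file, the mount then fails
with "not a directory". This check spots that before `docker-compose up`.
"""
import os
import tempfile
from dataclasses import dataclass

# Container-side targets with these suffixes are almost certainly files.
FILE_SUFFIXES = (".yml", ".yaml", ".conf", ".crt", ".key", ".pem")


@dataclass(frozen=True)
class MountCheck:
    spec: str
    kind: str      # "named_volume", "file", "dir" or "missing"
    problem: str   # empty string when nothing is wrong


def split_spec(spec):
    """Split 'source:target[:options]' into (source, target, options)."""
    parts = spec.split(":")
    if len(parts) < 2:
        raise ValueError(f"malformed volume spec: {spec!r}")
    options = parts[2] if len(parts) > 2 else ""
    return parts[0], parts[1], options


def is_bind_source(src):
    """Compose treats sources starting with /, ./, ../ or ~ as host paths;
    any other source names a Docker volume."""
    return src.startswith(("/", "./", "../", "~"))


def check_mount(spec, base_dir):
    """Classify one volume spec; relative sources resolve against base_dir,
    the directory holding the compose file."""
    src, dst, _ = split_spec(spec)
    if not is_bind_source(src):
        return MountCheck(spec, "named_volume", "")
    host = src if os.path.isabs(src) else os.path.join(base_dir, src)
    host = os.path.normpath(os.path.expanduser(host))
    target_is_file = dst.endswith(FILE_SUFFIXES)
    if not os.path.exists(host):
        problem = f"host path {host} does not exist; Docker will create it as an empty directory"
        if target_is_file:
            problem += f" and fail to mount it over the file {dst} (not a directory)"
        return MountCheck(spec, "missing", problem)
    if os.path.isdir(host):
        problem = f"host path {host} is a directory but {dst} looks like a file" if target_is_file else ""
        return MountCheck(spec, "dir", problem)
    # A file source over a file target is fine; a file over a directory target
    # cannot be detected without inspecting the image, so it is not flagged.
    return MountCheck(spec, "file", "")


def check_mounts(specs, base_dir):
    return [check_mount(s, base_dir) for s in specs]


def run_demo():
    """Constructed layout (not the poster's real tree): recreate the
    production_cluster directories in a temp dir, with elasticsearch-node1.yml
    present and internal_users.yml absent, then check the volume specs used
    by the elasticsearch and nginx services in the thread."""
    base = tempfile.mkdtemp(prefix="wazuh-mount-check-")
    od = os.path.join(base, "production_cluster", "elastic_opendistro")
    os.makedirs(od)
    os.makedirs(os.path.join(base, "production_cluster", "nginx", "ssl"))
    with open(os.path.join(od, "elasticsearch-node1.yml"), "w") as fh:
        fh.write("network.host: 0.0.0.0\n")
    specs = [
        "elastic-data-1:/usr/share/elasticsearch/data",
        "./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml",
        "./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml",
        "./production_cluster/nginx/ssl:/etc/nginx/ssl:ro",
    ]
    return check_mounts(specs, base)


if __name__ == "__main__":
    for check in run_demo():
        print(f"{check.kind:13} {check.spec}")
        if check.problem:
            print(f"    !! {check.problem}")
```

Running it from the directory that contains the compose file is what matters: './' is resolved against that directory, not against the location of the certificates.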


DUCARROZ Birgit

Apr 26, 2021, 6:24:12 AM
to Daniel Folch, Wazuh mailing list
Hi Daniel,

First of all, thank you for your message, which I only see now: our
spam filter removed it from my mailbox.

I use Docker on Ubuntu 20 and I use the latest Docker version.

On Friday I found that a parameter was missing in the nginx.conf file,
which I have now corrected. For the certificate, the output now looks like this:


wazuh-worker_1 | Customize Elasticsearch ouput IP
wazuh-worker_1 | Configuring username.
wazuh-worker_1 | Configuring password.
wazuh-worker_1 | Configuring SSL verification mode.
wazuh-worker_1 | Configuring Certificate Authorities.
wazuh-worker_1 | Configuring SSL Certificate.
wazuh-worker_1 | Configuring SSL Key.
wazuh-worker_1 | [cont-init.d] 1-config-filebeat: exited 0.
wazuh-worker_1 | [cont-init.d] 2-manager: executing...
wazuh-worker_1 | Starting Wazuh v4.1.2...
nginx_1 | 10-listen-on-ipv6-by-default.sh: Enabled listen on
IPv6 in /etc/nginx/conf.d/default.conf
nginx_1 | /docker-entrypoint.sh: Launching
/docker-entrypoint.d/20-envsubst-on-templates.sh
nginx_1 | /docker-entrypoint.sh: Configuration complete; ready
for start up
kibana_1 | % Total % Received % Xferd Average Speed Time
Time Time Current
kibana_1 | Dload Upload
Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:--
--:--:-- 0curl: (7) Failed connect to elasticsearch:9200; Connection
refused
kibana_1 | Elastic is unavailable - sleeping


But now I run into some other error messages. Below are the error
messages, and below these you will find my new config files again:


wazuh-worker_1 | 2021-04-26T09:38:06.842Z ERROR
[publisher_pipeline_output] pipeline/output.go:154 Failed to connect to
backoff(elasticsearch(https://elasticsearch:9200)): Get
"https://elasticsearch:9200": dial tcp 172.18.0.4:9200: connect:
connection refused


kibana_1 | curl: (35) SSL received a record that exceeded the
maximum permissible length.
kibana_1 | Elastic is unavailable - sleeping


--> I'm not sure about the following parameters:

in elasticsearch-node1.yml:


network.host: 0.0.0.0 (should I set a real IP or the real hostname?)
cluster.name: wazuh-cluster (should I change something here?)
node.name: elasticsearch (should I change something here?)
discovery.seed_hosts: elasticsearch (should I change something here?)
cluster.initial_master_nodes: elasticsearch (should I change something
here?)
(...)
opendistro_security.ssl.http.enabled: false (should I set true?)



I send again my config files, since I changed them:

production-cluster.yml
======================
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3.7'

services:
  wazuh-master:
    image: wazuh/wazuh-odfe:4.1.2
    hostname: wazuh-master
    restart: always
    ports:
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - ELASTIC_USERNAME=admin
      - ELASTIC_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/xxx.domain.ch.crt
      - SSL_CERTIFICATE=/etc/ssl/xxx.domain.ch.crt
      - SSL_KEY=/etc/ssl/xxx.domain.ch.key
      - API_USERNAME=acme-user
      - API_PASSWORD=xxxxx
    volumes:
      - ossec-api-configuration:/var/ossec/api/configuration
      - ossec-etc:/var/ossec/etc
      - ossec-logs:/var/ossec/logs
      - ossec-queue:/var/ossec/queue
      - ossec-var-multigroups:/var/ossec/var/multigroups
      - ossec-integrations:/var/ossec/integrations
      - ossec-active-response:/var/ossec/active-response/bin
      - ossec-agentless:/var/ossec/agentless
      - ossec-wodles:/var/ossec/wodles
      - filebeat-etc:/etc/filebeat
      - filebeat-var:/var/lib/filebeat
      - ./production_cluster/ssl_certs/xxx.domain.ch.crt:/etc/ssl/xxx.domain.ch.crt
      - ./production_cluster/ssl_certs/xxx.domain.ch.key:/etc/ssl/xxx.domain.ch.key
      - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh-worker:
    image: wazuh/wazuh-odfe:4.1.2
    hostname: wazuh-worker
    restart: always
    environment:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - ELASTIC_USERNAME=admin
      - ELASTIC_PASSWORD=xxxx
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/xxx.domain.ch.crt
      - SSL_CERTIFICATE=/etc/ssl/xxx.domain.ch.crt
      - SSL_KEY=/etc/ssl/xxx.domain.ch.key
    volumes:
      - worker-ossec-api-configuration:/var/ossec/api/configuration
      - worker-ossec-etc:/var/ossec/etc
      - worker-ossec-logs:/var/ossec/logs
      - worker-ossec-queue:/var/ossec/queue
      - worker-ossec-var-multigroups:/var/ossec/var/multigroups
      - worker-ossec-integrations:/var/ossec/integrations
      - worker-ossec-active-response:/var/ossec/active-response/bin
      - worker-ossec-agentless:/var/ossec/agentless
      - worker-ossec-wodles:/var/ossec/wodles
      - worker-filebeat-etc:/etc/filebeat
      - worker-filebeat-var:/var/lib/filebeat
      - ./production_cluster/ssl_certs/xxx.domain.ch.crt:/etc/ssl/xxx.domain.ch.crt
      - ./production_cluster/ssl_certs/xxx.domain.ch.key:/etc/ssl/xxx.domain.ch.key
      - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf

  elasticsearch:
    image: amazon/opendistro-for-elasticsearch:1.12.0
    hostname: elasticsearch
    restart: always
    ports:
      - "9200:9200"
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - elastic-data-1:/usr/share/elasticsearch/data
      - ./production_cluster/ssl_certs/xxx.domain.ch.crt:/usr/share/elasticsearch/config/xxx.domain.ch.crt
      - ./production_cluster/ssl_certs/xxx.domain.ch.key:/usr/share/elasticsearch/config/xxx.domain.ch.key
      - ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

  kibana:
    image: wazuh/wazuh-kibana-odfe:4.1.2
    hostname: kibana
    restart: always
    ports:
      - 5601:5601
    environment:
      - ELASTICSEARCH_USERNAME=admin
      - ELASTICSEARCH_PASSWORD=xxxx
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/xxx.domain.ch.crt
      - SERVER_SSL_KEY=/usr/share/kibana/config/xxx.domain.ch.key
      - WAZUH_API_URL="https://wazuh-master"
      - API_USERNAME=acme-user
      - API_PASSWORD=xxxx
    volumes:
      - ./production_cluster/ssl_certs/xxx.domain.ch.crt:/usr/share/kibana/config/xxx.domain.ch.crt
      - ./production_cluster/ssl_certs/xxx.domain.ch.key:/usr/share/kibana/config/xxx.domain.ch.key
    depends_on:
      - elasticsearch
    links:
      - elasticsearch:elasticsearch
      - wazuh-master:wazuh-master

  nginx:
    image: nginx:stable
    hostname: nginx
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "1514:1514"
    depends_on:
      - wazuh-master
      - wazuh-worker
      - kibana
    links:
      - wazuh-master:wazuh-master
      - wazuh-worker:wazuh-worker
      - kibana:kibana
    volumes:
      - ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro

volumes:
  ossec-api-configuration:
  ossec-etc:
  ossec-logs:
  ossec-queue:
  ossec-var-multigroups:
  ossec-integrations:
  ossec-active-response:
  ossec-agentless:
  ossec-wodles:
  filebeat-etc:
  filebeat-var:
  worker-ossec-api-configuration:
  worker-ossec-etc:
  worker-ossec-logs:
  worker-ossec-queue:
  worker-ossec-var-multigroups:
  worker-ossec-integrations:
  worker-ossec-active-response:
  worker-ossec-agentless:
  worker-ossec-wodles:
  worker-filebeat-etc:
  worker-filebeat-var:
  elastic-data-1:



elasticsearch-node1.yml
=======================
network.host: 0.0.0.0
cluster.name: wazuh-cluster
node.name: elasticsearch
discovery.seed_hosts: elasticsearch
cluster.initial_master_nodes: elasticsearch
bootstrap.memory_lock: true

opendistro_security.ssl.transport.pemcert_filepath: xxx.domain.ch.crt
opendistro_security.ssl.transport.pemkey_filepath: xxx.domain.ch.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: xxx.domain.ch.crt
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: false
opendistro_security.ssl.http.pemcert_filepath: xxx.domain.ch.crt
opendistro_security.ssl.http.pemkey_filepath: xxx.domain.ch.key
opendistro_security.ssl.http.pemtrustedcas_filepath: xxx.domain.ch.crt
opendistro_security.allow_default_init_securityindex: true
opendistro_security.nodes_dn:
- CN=xxx.domain.ch,OU=XXX,O=University of xxx,DC=domain,DC=ch
opendistro_security.authcz.admin_dn: []
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
#opendistro_security.audit.config.disabled_rest_categories: NONE
#opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.audit.log_request_body: false



nginx.conf
==========
user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
    worker_connections 1024;
}


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;

    keepalive_timeout 65;

    server_tokens off;
    gzip on;

    # kibana UI
    server {
        listen 80;
        listen [::]:80;
        return 301 https://$host:443$request_uri;
    }

    server {
        listen 443 default_server ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/nginx/ssl/xxx.domain.ch.crt;
        ssl_certificate_key /etc/nginx/ssl/xxx.domain.ch.key;
        location / {
            proxy_pass https://kibana:5601/;
            proxy_ssl_verify off;
            proxy_buffer_size 128k;
            proxy_buffers 4 256k;
            proxy_busy_buffers_size 256k;
        }
    }

}



# load balancer for Wazuh cluster
stream {
    upstream mycluster {
        hash $remote_addr consistent;
        server wazuh-master:1514;
        server wazuh-worker:1514;
    }
    server {
        listen 1514;
        proxy_pass mycluster;
    }
}




Thank you in advance for any help.


Kind regards,
Birgit



Daniel Folch

Apr 28, 2021, 6:51:23 AM
to Wazuh mailing list

Hello Birgit,

Sorry for the late response. It seems that you are having some trouble with the SSL configuration in Elasticsearch.

network.host: 0.0.0.0 -> You can change this, but setting it to 0.0.0.0 will make it work for every IP.

These names can be changed, but you have to remember to change every instance accordingly; in short, I would not change them.


cluster.name: wazuh-cluster
node.name: elasticsearch
discovery.seed_hosts: elasticsearch
cluster.initial_master_nodes: elasticsearch

opendistro_security.ssl.http.enabled: false -> This should be set to true, because you are trying to connect to Elasticsearch via https, so you need to enable it.

This may be what is causing this error:

backoff(elasticsearch(https://elasticsearch:9200)): Get  
"https://elasticsearch:9200": dial tcp 172.18.0.4:9200: connect:  
connection refused

Also, remember that if you want to use your own certificates, you need to change the certificates in the Elasticsearch configuration:

opendistro_security.ssl.transport.pemcert_filepath: node1.pem
opendistro_security.ssl.transport.pemkey_filepath: node1.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.http.pemcert_filepath: node1.pem
opendistro_security.ssl.http.pemkey_filepath: node1.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem

You have to set the path of the certificates within the Docker container.

Hope you found this information useful, do not hesitate to ask again if you have further questions.

Regards,
Daniel Folch


Birgit Ducarroz

Apr 28, 2021, 2:34:36 PM
to Wazuh mailing list
Hi Daniel,

Thank you for your hints. The paths to my volume and the Elasticsearch configuration were set, but finally I had to change the permissions of my certificate and key file directly in the volume of the host, which is insecure. Do you know how I can correct this? (Actually, with this insecure solution, everything comes up.)


-r--r--r-- 1 root root 4180 Apr 28 19:47 domain.ch.crt
-rw-r--r-- 1 root root 1704 Apr 28 19:47 domain.ch.key

Normally, the permissions should be like this:

-rw-r--r-- 1 root root 1123 Feb 7 20:51 domain.ch.csr
-rw------- 1 root root 1704 Feb 7 20:51 domain.ch.key


I changed also
ELASTICSEARCH_URL=elasticsearch:9200
into
ELASTICSEARCH_URL=https://domain.ch:9200

The connection refused messages were due to the permissions of the certificate files, but I am not happy with the -r--r--r-- solution...
Do I have to set a specific user or is there a config to change in one of the docker containers?

Thank you for any help!
Kind regards,
Birgit

Daniel Folch

Apr 29, 2021, 5:43:04 AM
to Wazuh mailing list

Hello,

The Elastic stack programs usually run with their own users and groups (elasticsearch, kibana), and it is not recommended to run them as root. A more secure set of permissions would be to add the files to the elasticsearch group and set 640 permissions:

-rw-r----- root elasticsearch domain.ch.crt
-rw-r----- root elasticsearch domain.ch.key

This way only the root user and the users in the Elasticsearch group will be able to read the certificates and only the root user will be able to modify them. You will need to do the same with the kibana group and certificates. Filebeat uses the root user to run so you can set the permissions to root:root and 640 or if you want them to be more restrictive you can set them to 600.

Regards,
Daniel Folch


Birgit Ducarroz

May 17, 2021, 4:23:37 AM
to Wazuh mailing list
Hi Daniel,

Thank you for your response and sorry for my late answer.
After some more investigations and with your help, I found the following solution which works. Right, I have now duplicates of the certs but this is okay.
Thank you again and have a nice week!
Birgit


├── domain.ch.crt
├── domain.ch.key
├── elasticsearch
│   ├── domain.ch.crt
│   └── domain.ch.key
└── kibana
    ├── domain.ch.crt
    └── domain.ch.key

-r-------- 1 root nginx          4180 May  7 10:05 domain.ch.crt
-rw------- 1 root nginx          1704 May  7 10:05 domain.ch.key
dr-------- 2 root elasticsearch 4096 May  5 16:57 elasticsearch
dr-------- 2 root kibana        4096 May  5 16:57 kibana

-r--r----- 1 root elasticsearch 4180 May  5 16:57 domain.ch.crt
-r--r----- 1 root elasticsearch 1704 May  5 16:57 domain.ch.key

-r--r----- 1 root kibana 4180 May  5 16:57 domain.ch.crt
-r--r----- 1 root kibana 1704 May  5 16:57 domain.ch.key

Birgit Ducarroz

Jun 1, 2021, 6:14:31 AM
to Wazuh mailing list
Hi Daniel and sorry to bother you again with this issue.

I am trying to bring up my production-cluster.yml file again with the personal SSL certs, but now I get an error from kibana:

```
kibana_1         |  FATAL  Error: EACCES: permission denied, open '/usr/share/kibana/config/diuf.unifr.ch.key'
```

First of all, I am not able to tell you why the above solution worked and does not work now. I applied what you wrote in your previous message, but the certificate is not readable by kibana now. What am I missing?
```
production-cluster.yml
==================
kibana:
    image: wazuh/wazuh-kibana-odfe:4.1.2
  (...)
    environment:
(...)
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/myhost.crt
      - SERVER_SSL_KEY=/usr/share/kibana/config/myhost.key
(...)
    volumes:
      - /volume/config/certs/OU/kibana/myhost.crt:/usr/share/kibana/config/myhost.crt
      - /volume/config/certs/OU/kibana/myhost.key:/usr/share/kibana/config/myhost.key
(...)

```

I have tried several solutions now, but I always get the same permission denied error:

Does not work:
==============
dr-------- 2 root kibana 4096 Jun  1 09:59 kibana/
ls -la
-r--r----- 1 root kibana 4180 Jun  1 10:00 myhost.crt
-r--r----- 1 root kibana 1704 Jun  1 10:00 myhost.key

Does not work:
==============
dr-------- 2 kibana kibana 4096 Jun  1 09:59 kibana/
ls -la
-r--r----- 1 kibana kibana 4180 Jun  1 10:00 myhost.crt
-r--r----- 1 kibana kibana 1704 Jun  1 10:00 myhost.key

Does not work:
==============
dr-------- 2 root root 4096 Jun  1 09:59 kibana/
ls -la
-r--r----- 1 root root 4180 Jun  1 10:00 myhost.crt
-r--r----- 1 root root 1704 Jun  1 10:00 myhost.key

Works, but insecure:
================
dr-------- 2 root root 4096 Jun  1 09:59 kibana/
ls -la
-r--r--r-- 1 root root 4180 Jun  1 10:00 myhost.crt
-r--r--r-- 1 root root 1704 Jun  1 10:00 myhost.key

How must I set the user/group rights to be able to have my certificates in 640 mode for kibana?
Thank you in advance for any help.
Birgit

Birgit Ducarroz

Jun 2, 2021, 4:20:58 AM
to Wazuh mailing list
SOLVED
=======

I don't know why I didn't have this idea before, but I logged into the docker container "wazuh/wazuh-kibana-odfe:4.1.2" and found that the user "kibana" inside the container had a different UID than my local user "kibana".

I have now chowned my local key and certificate file to user 1000 (which is the container's kibana user) and it works!
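The resolution above, together with Daniel's 640 advice earlier in the thread, comes down to one rule: a bind-mounted file carries only its numeric uid, gid and mode bits into the container, so a host group named "kibana" only helps if its number matches the container's. The checker below is an added example, not code from the thread or from Wazuh; it parses the `ls -l` listings posted above and applies the owner/group/other rule for the container's kibana process. The host uid/gid table is constructed (the host "kibana" account is given uid/gid 998 to differ from the container's 1000), and the container's primary gid of 1000 is an assumption, since the thread only states the uid.

```python
"""Will a bind-mounted certificate be readable by the process in the container?

The kernel checks the file's numeric uid/gid and mode bits against the
process's uid and group list; account names on the host play no role.
"""
from dataclasses import dataclass

# Constructed host accounts (not from the thread): the host's own "kibana"
# user deliberately has a different number than the container's kibana user.
HOST_USERS = {"root": 0, "kibana": 998, "elasticsearch": 997, "nginx": 996}
HOST_GROUPS = {"root": 0, "kibana": 998, "elasticsearch": 997, "nginx": 996}

# From the thread: kibana inside wazuh/wazuh-kibana-odfe:4.1.2 runs as uid 1000.
# Its primary gid is not stated there; 1000 is an assumption.
CONTAINER_KIBANA_UID = 1000
CONTAINER_KIBANA_GIDS = frozenset({1000})


@dataclass(frozen=True)
class HostFile:
    name: str
    mode: str   # ls-style mode string, e.g. "-r--r-----"
    uid: int
    gid: int


def _ident(token, table):
    """Map an `ls -l` owner/group token to a number; ls prints the raw number
    when the host has no account for it, which is what the fix relies on."""
    if token.isdigit():
        return int(token)
    if token not in table:
        raise KeyError(f"unknown host account {token!r}")
    return table[token]


def parse_ls_line(line, users=HOST_USERS, groups=HOST_GROUPS):
    """Parse an entry like '-r--r----- 1 root kibana 4180 Jun  1 10:00 myhost.crt'."""
    parts = line.split()
    if len(parts) < 9 or len(parts[0]) != 10:
        raise ValueError(f"not an `ls -l` entry: {line!r}")
    return HostFile(name=parts[-1], mode=parts[0],
                    uid=_ident(parts[2], users), gid=_ident(parts[3], groups))


def can_read(f, proc_uid, proc_gids):
    """Unix DAC rule for a single file bind mount: owner bits if the uid
    matches, else group bits if the gid is in the process's groups, else the
    'other' bits. The host directory the file came from is not traversed
    inside the container (the target path is resolved on the container side),
    so its mode does not matter here. uid 0 is assumed to keep
    CAP_DAC_READ_SEARCH, as in a default container."""
    if proc_uid == 0:
        return True
    if proc_uid == f.uid:
        return f.mode[1] == "r"
    if f.gid in proc_gids:
        return f.mode[4] == "r"
    return f.mode[7] == "r"


def world_readable(f):
    return f.mode[7] == "r"


def assess(line, proc_uid=CONTAINER_KIBANA_UID, proc_gids=CONTAINER_KIBANA_GIDS):
    """Return (readable, secure, advice) for one host `ls -l` line."""
    f = parse_ls_line(line)
    readable = can_read(f, proc_uid, proc_gids)
    secure = not world_readable(f)
    if readable and secure:
        advice = "ok"
    elif readable:
        advice = (f"{f.name} is world-readable; chown {proc_uid} {f.name} && "
                  f"chmod 0440 {f.name} keeps it readable by the container user only")
    else:
        advice = (f"container uid {proc_uid} cannot read {f.name}: host uid {f.uid}/"
                  f"gid {f.gid} are not the container's ids; chown {proc_uid} {f.name}")
    return readable, secure, advice


if __name__ == "__main__":
    # The four attempts from the thread, then the final chown-to-1000 fix.
    for line in (
        "-r--r----- 1 root kibana 1704 Jun  1 10:00 myhost.key",
        "-r--r----- 1 kibana kibana 1704 Jun  1 10:00 myhost.key",
        "-r--r----- 1 root root 1704 Jun  1 10:00 myhost.key",
        "-r--r--r-- 1 root root 1704 Jun  1 10:00 myhost.key",
        "-r--r----- 1 1000 1000 1704 Jun  1 10:00 myhost.key",
    ):
        readable, secure, advice = assess(line)
        print(f"{line}\n    readable={readable} secure={secure}: {advice}")
```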

Daniel Folch

Jun 2, 2021, 6:43:32 AM
to Wazuh mailing list
Hello Birgit,

Sorry for the late response. I am glad to hear that you could solve the problem; if you encounter any other problem, do not hesitate to contact us.

Regards,
Daniel Folch