Change Wazuh Docker Time for Alerts

[Daniel D'Angeli]

Hi,

i need to change timezone for the Docker version of Wazuh 4.3.4, because alerts via mail have a -2 time date.

I have already set up the container to have the correct date by installing tzdata and configuring it to use Europe/Rome.

I believe the culprit is the /var/ossec/etc/localtime file which still contains the UTC value, but from how is formatted i believe it's something that the Wazuh Server needs to handle by itself.

How can i change the value of it?

Regards,

Daniel D.

[Chantal Belen Kelm]

Good day how are you? Thank you very much for using Wazuh, do you want to change the time zone at which the mails arrive? or do you need to change the time that the alerts have?

I will be waiting for your answer!

Regards!

[Daniel D'Angeli]

Hi,

good day to you too!

Basically i have to correct the time in this sample alert:

As you can see, the correct time is the one on the top right (11:05, CEST) whereas in the alert it appears as 09:04 (UTC)

Regards,

Daniel D.

[Chantal Belen Kelm]

To change the time zone that Kibana uses to display the timestamp, you can go to the left side browser, open Administration > Advanced settings and search for "time zone". This will bring up the date format setting: tz, where you can choose the desired timezone to match your Wazuh instance. Click the Save button to apply your changes.

This should be enough to change the timestamp field in your Kibana instance to match your Wazuh alerts.

After making these changes click with the right mouse button, click on Inspect, go to the reload icon that is next to the search bar and on the icon click with the right mouse button and then click on Empty cache and hard reload and ready the changes are already applied.

I am attaching screenshots to help you.

I'll be here for any questions.

Regards!

[Daniel D'Angeli]

Im pretty sure it is not Kibana related since the alert is being sent by the Wazuh Server.

[Chantal Belen Kelm]

server and client nodes have the same location ? and you have the same location as these?

[Daniel D'Angeli]

Yes, i have set the timezone to Europe/Rome to both nodes. You can see the execution of the command "date" for both containers:

I believe that file (/var/ossec/etc/localtime) has to change value since it still contains UTC which is the wrong format, but i dont know how.

[Daniel D'Angeli]

Yes Client too has the correct timezone.

[Chantal Belen Kelm]

And you are also in the same location as the server and client nodes? I mean, are you in Rome?
All times in the wazuh app depend on server time zones.
The time you see in Wazuh notifications is the server time. And the time in the email corresponds to the browser, that's why I ask if you are located in the same time zone as the nodes. This time also depends on the time the email was received by the email provider.

[Chantal Belen Kelm]

I found the solution, here is the link. This user was experiencing the same thing as you and with a command he was able to solve it
https://groups.google.com/g/wazuh/c/Y0zWGTGFghM

Any questions I'll be here!

Regards!

[Daniel D'Angeli]

I already have the latest version, the thread you linked was a bug fixed in 4.1.0. I have the 4.3.4

[Chantal Belen Kelm]

Try doing this command:

timedatectl set-timezone "Europe/Rome"

and then update the cache as I put above

tell me how it went

Regards!

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7fb6b2a2-9fa5-4a4e-9058-99961996f443n%40googlegroups.com.

[Daniel D'Angeli]

The container doesn't support that command, and as i already said after manipulating the docker-compose the container is already using the Europe/Rome timezone, but Wazuh is still sending alerts with the UTC format.

Output of the command:

Regards,

Daniel D.

[Chantal Belen Kelm]

I'll do some checking with my colleagues, I'll be back in a while

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3a2e30d0-9eff-4f9a-9866-2e457fc86ce8n%40googlegroups.com.

[Chantal Belen Kelm]

let's check what timezone you have configured on the server, look at the alerts.json file in which format you see the dates?, send me a screenshot
also open a console and do the command: timedatectl
and send me a screenshot of the result

I will be waiting for your answer!

Regards!

[Daniel D'Angeli]

As i already said, the command "timedatectl" doesn't work in the Wazuh container, resulting in a "command not found" error.

Regarding the timezone, in both the host and the container the correct timezone is already set:

Regards,

Daniel D.

[Daniel D'Angeli]

For the alerts.json file, this is a sample log i took:

{"timestamp":"2022-06-30T15:29:32.096+0000","rule":{"level":3,"description":"Ossec agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":" OMISSIS ","name":" OMISSIS ","ip":" OMISSIS "},"manager":{"name":"wazuh.master"},"id":"1656602972.3279","cluster":{"name":"wazuh","node":"manager"},"full_log":"ossec: Agent started: 'OMISSIS->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"ubuntulab01->any"},"location":"ossec"}

As you can see, the timestamp doesn't have +2, but is +0 so UTC.

[Chantal Belen Kelm]

Good morning, if the time zone is configured correctly on the server, then the problem is that kibana is transforming the time when displaying it, please follow the steps mentioned above:

To change the time zone that Kibana uses to display the timestamp, you can go to the left side browser, open Administration > Advanced settings and search for "time zone". This will bring up the date format setting: tz, where you can choose the desired timezone to match your Wazuh instance. Click the Save button to apply your changes.

This should be enough to change the timestamp field in your Kibana instance to match your Wazuh alerts.

After making these changes click with the right mouse button, click on Inspect, go to the reload icon that is next to the search bar and on the icon click with the right mouse button and then click on Empty cache and hard reload and ready the changes are already applied.

I am attaching screenshots to help you.

I'll be here for any questions.

Regards!

[Daniel D'Angeli]

IT IS NOT A KIBANA PROBLEM, ITS WAZUH SIDE

The mail is sent by the Wazuh Server, for a log that the Wazuh Server compile with the UTC format, because Wazuh itself is using UTC! The localtime file that Wazuh created has UTC in it, so Wazuh uses the UTC format when receiving logs! I have to change the Time format used by the Wazuh Server on Docker! This is the question, other info is useless and timewasting.

I have to fix this for a big client and now more than a week has passed.

Regards,

Daniel D.

[Chantal Belen Kelm]

Try doing this command inside the container: docker exec id-container date

For example, if the container id were 6a1133030332, the command would be like this: docker exec 6a1133030332 date

Send me a screenshot of the result.

I will be waiting for your answer!

Regards!

[Daniel D'Angeli]

Hi,

please check the answer i gave you the 30th of june at 09:03 am, i already provided the screenshot there.

Regards,

Daniel D.

[Chantal Belen Kelm]

Good day how are you? the command that I am sending you to do now is different from the one on June 30.

I will be waiting for your answer!

Regards!

[Daniel D'Angeli]

Hi,

here's the output of the command you requested:

[Alejandro Ruiz Becerra]

Hello Daniel

(sorry, there was an error on my previous message)

You only need to sync the localtime of Wazuh with the system's localtime.

Please, run the following commands:

mv /var/ossec/etc/localtime  /var/ossec/etc/localtime.BACKUP
cp /etc/localtime  /var/ossec/etc/localtime
chown root:wazuh  /var/ossec/etc/localtime
service wazuh-manager restart

If everything works as expected, remove the backup file.

I hope you find this useful.

Regards,

Alex

[Daniel D'Angeli]

I have the docker version so i adapted what you suggested by doing so:

1. Modify the docker-compose file to mount the VM localtime file (/etc/localtime) to the file Wazuh is using in the container (/var/ossec/etc/localtime)

2. Restarted the container by doing docker-compose restart wazuh.master

The file has been mount correcetly. but after looking at the alerts.json post restart seems like Wazuh is still using the UTC format:

{"timestamp":"2022-07-08T08:17:00.323+0000","rule":{"level":3,"description":"Ossec server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh.master"},"manager":{"name":"wazuh.master"},"id":"1657268220.2929","cluster":{"name":"wazuh","node":"manager"},"full_log":"ossec: Ossec started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}

I checked the file and it has the same permissions as the old one, let me know if im missing something.

Regards,

Daniel D.

[Alejandro Ruiz Becerra]

Hi again Daniel

/etc/localtime is a symbolic link to the selected timezone info file

$ file /etc/localtime
         /etc/localtime: symbolic link to /usr/share/zoneinfo/Europe/Gibraltar

You will probably need to mount the original file into Docker. Run the command above to see the path.

Then, compare the old and new tz files by running the following commands inside the container:

$ file /var/ossec/etc/localtime.BACKUP

$ file /var/ossec/etc/localtime

The output should looks similar to this:

$ file /usr/share/zoneinfo/Europe/Gibraltar
         /usr/share/zoneinfo/Europe/Gibraltar: timezone data, version 2, 7 gmt time flags, 7 std time flags, no leap seconds, 198 transition times, 7 abbreviation chars

Regards,

Alex

[Daniel D'Angeli]

Hi Alex,

i've done the following:

1. Mounted the equivalent for my needs, which is /usr/share/zoneinfo/Europe/Rome into /var/ossec/etc/localtime

2. Compared to the UTC one, this is the output:

    UTC (wrong): /var/ossec/etc/localtime.BACKUP: timezone data, version 2, 1 gmt time flag, 1 std time flag, no leap seconds, no transition times, 1 abbreviation char

    Europe/Rome (desired): /var/ossec/etc/localtime: timezone data, version 2, 6 gmt time flags, 6 std time flags, no leap seconds, 171 transition times, 6 abbreviation chars

After restarting, the log still seems to be using the UTC format:

{"timestamp":"2022-07-08T12:30:26.270+0000","rule":{"level":3,"description":"Ossec server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh.master"},"manager":{"name":"wazuh.master"},"id":"1657283426.3655","cluster":{"name":"wazuh","node":"manager"},"full_log":"ossec: Ossec started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}

Regards,

Daniel D.

[Alejandro Ruiz Becerra]

Hello again Daniel

I was really convinced that that would work, I'm really sorry about that.

I'm discussing this with the core team, responsible for this component. 

Also, I saw that you have opened an issue on our wazuh-docker repo, so I'm in touch with the colleague assigned to that issue as well, so we are synced about this and provide you a working solution.

On the other hand, the core team tells me that the components might not use the same clock is the default UTC time is changed, providing inconsistent timestamps. Please, be aware of this. Here's the issue: https://github.com/wazuh/wazuh/issues/4365 

Thank you very much for your patience.

Regards,

Alex

[Daniel D'Angeli]

Hi Alex,

thanks for your support, i will be waiting for a possible fix. In the meantime, have a good day.

Best Regards,

Daniel D.

[Daniel D'Angeli]

Hi Alex,

is there any news on the topic?

Regards,

Daniel D.

[Daniel D'Angeli]

Hi Alex,

we finally worked out a solution. It was due to me not RECREATING the container but only RESTARTING it.

So the solution is:

1. Modify the docker-compose to mount the /etc/localtime in /var/ossec/etc/localtime for both nodes

2. Stop and remove both containers

3. Create the containers

Now Wazuh logs with Europe/Rome format.

Regards,

Daniel D.

[Alejandro Ruiz Becerra]

Hello Daniel

Sorry, I lost track of the topic as other things stacked in.

I'm glad to hear that you finally could make it work. 

The responsible team confirmed to me that changing that file should work. At that point, I was absolutely out of ideas. The team also commented to me the issue with the Wazuh components not using the same time. I shared that issue with you on my last comment.

I'm really happy to hear it works, and again, sorry for the delay.

Don't hesitate to get in touch with us if you have any other question or problem with Wazuh. I hope you find Wazuh useful and continue using it for long.

Best regards,

Alex