Hi Iman,
Did you reset your manager after adding the rule to such a file? Do you get to see any errors/warnings related to rules loading on the /var/ossec/logs/ossec.log?
I will be waiting for your reply,
Mariano Koremblum
Could you please try following the steps again, but in this case, when you change the permissions, change them to wazuh:wazuh instead of ossec:ossec, as follows:
chown wazuh:wazuh /var/ossec/etc/shared/default/log4j_check.yml
Please, let us know if it worked
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/E3G4pGTiKHs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8334f865-69c3-4525-b85c-59ad66b7a5fdn%40googlegroups.com.
Hi Iman,
Could you please show us how you configured, in the ossec.conf file, the docker log collection that you have added?
Regards
Hi Iman,
Please let us get this clear, I have a few questions:
Do you have a Wazuh agent installed inside your docker container?
Are you running the log4j POC inside the docker?
Could you please show us the contents of the /var/log/docker/ directory?
Could you please share with us some file’s content that you are trying to monitor?
I will be waiting for your reply,
Mariano Koremblum
Hello Mariano,
All of a sudden a new issue has arisen. When I started with Wazuh I configured my wazuh to use a static IP from this https://groups.google.com/g/wazuh/c/GWqq1yyzZBo/m/0mL1MdvWEwAJ#fromHistory . Just now, I can no longer open my wazuh dashboard. I figure this has something to do with the API. I'm thinking of restarting everything (reset everything and restart from 0). Your thoughts on this?
Hi Iman,
I mean if you can share any of the log files you are trying to collect, to see what it has inside.
On the other hand, the guide was made to detect log4j vulnerabilities on the very same OS; it does not work if the threat is inside a docker container, as the commands are run on the same OS as the Wazuh agent, so you wouldn't be able to detect if the vulnerability is inside the container.
But still, you have to be able to collect logs from /var/log/docker/. Please inspect the /var/ossec/logs/ossec.log file from your agent and grep it to check if it is collecting such logs; you have to see something like "2022/12/15 08:13:08 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/docker/docker.log'" among others.
Regards
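As an added example (not part of the thread, and not Wazuh's own tooling), the following script does the ossec.log checks suggested in this thread without hand-grepping: it parses the agent log into entries, lists the files the logcollector reports as "Analyzing file:", tells you which expected paths under /var/log/docker/ are missing, and pulls out ERROR/WARNING lines from the rules-loading component. The log excerpt embedded in the script is constructed; only the logcollector "(1950): Analyzing file:" line follows the format quoted above, and the wazuh-analysisd ERROR line is an invented placeholder to show what a rules-loading failure would look like in the output. The component names and the level/code layout of the lines are assumptions based on that quoted line.

```python
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample of /var/ossec/logs/ossec.log (not a real capture).
# The logcollector lines copy the format quoted in the thread; the
# wazuh-analysisd ERROR line is an invented placeholder for a rules-loading problem.
SAMPLE_OSSEC_LOG = """\
2022/12/15 08:13:07 wazuh-analysisd: ERROR: Error reading XML file '/var/ossec/etc/rules/local_rules.xml'.
2022/12/15 08:13:08 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/docker/docker.log'.
2022/12/15 08:13:08 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
2022/12/15 08:13:09 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
2022/12/15 08:13:09 wazuh-modulesd: INFO: Process started.
"""

# "YYYY/MM/DD HH:MM:SS component: LEVEL: (code): message" -- the numeric code is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<component>[\w-]+): (?P<level>[A-Z]+): (?:\((?P<code>\d+)\): )?(?P<msg>.*)$"
)
ANALYZING_RE = re.compile(r"Analyzing file: '(?P<path>[^']+)'")


@dataclass
class LogEntry:
    ts: datetime
    component: str
    level: str
    code: Optional[str]
    msg: str


def parse_ossec_log(text: str) -> List[LogEntry]:
    """Parse ossec.log text into entries; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack traces / continuation lines have no timestamp prefix
        entries.append(LogEntry(
            ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            component=m["component"], level=m["level"], code=m["code"], msg=m["msg"],
        ))
    return entries


def analyzed_files(text: str) -> List[str]:
    """Paths the logcollector reported as being analyzed, in log order."""
    paths = []
    for e in parse_ossec_log(text):
        if e.component == "wazuh-logcollector":
            m = ANALYZING_RE.search(e.msg)
            if m:
                paths.append(m["path"])
    return paths


def files_under(text: str, directory: str) -> List[str]:
    """Analyzed files located under the given directory (e.g. /var/log/docker/)."""
    prefix = directory if directory.endswith("/") else directory + "/"
    return [p for p in analyzed_files(text) if p.startswith(prefix)]


def missing_paths(text: str, expected: List[str]) -> List[str]:
    """Expected log files the collector never reported analyzing."""
    seen = set(analyzed_files(text))
    return [p for p in expected if p not in seen]


def problems(text: str, components=("wazuh-analysisd",)) -> List[LogEntry]:
    """ERROR/WARNING/CRITICAL entries from the rule-loading component(s)."""
    return [e for e in parse_ossec_log(text)
            if e.level in ("ERROR", "WARNING", "CRITICAL") and e.component in components]


if __name__ == "__main__":
    # Usage: python check_ossec_log.py [/var/ossec/logs/ossec.log]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OSSEC_LOG
    print("docker files collected:", files_under(text, "/var/log/docker/"))
    print("missing:", missing_paths(text, ["/var/log/docker/docker.log"]))
    for e in problems(text):
        print(f"{e.ts} {e.component} {e.level}: {e.msg}")
```

Run it against the agent's real ossec.log to confirm both halves of the thread's advice at once: an empty "docker files collected" list means the localfile entry is not being picked up at all, while any entry under "problems" points at a rule or decoder file the manager refused to load.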