Dashboard Modules set to default after Docker restart

Michael Reiner

Dec 20, 2023, 2:58:26 AM
to Wazuh | Mailing List
Hey there.

I have had this problem from Wazuh 4.2 up to now, 4.7.
Every time I restart the docker containers (docker compose down && docker compose up -d), my enabled modules in the Wazuh Dashboard are set to disabled again.

For example, the Office 365 and Docker listener modules in the dashboard under Settings -> Modules. It seems like the settings are reset to default.

Benjamin Nworah

Dec 20, 2023, 4:06:16 AM
Hello Michael,

Thank you for choosing Wazuh!

Please give me some time to investigate this issue. While I investigate, please confirm your current Wazuh version is 4.7.

Regards,

Michael Reiner

Dec 20, 2023, 4:07:10 AM
Correct. 4.7.0

Benjamin Nworah

Dec 20, 2023, 7:38:28 AM
Hello Michael,

I could not simulate the issue you are facing.

As you can see below, the O365 and Docker modules are still enabled after running the commands (docker compose down && docker compose up -d).

Please can you simulate the issue again while you run this command:

# tail -f /var/lib/docker/volumes/single-node_wazuh_logs/_data/ossec.log



root@wazuh-docker:~/wazuh-docker/single-node# docker compose down
[+] Running 4/4
 ✔ Container single-node-wazuh.dashboard-1  Removed                                                                                                    10.4s
 ✔ Container single-node-wazuh.manager-1    Removed                                                                                                     4.0s
 ✔ Container single-node-wazuh.indexer-1    Removed                                                                                                     0.6s
 ✔ Network single-node_default              Removed                                                                                                     0.2s
root@wazuh-server:~/wazuh-docker/single-node# docker compose up -d
[+] Running 4/4
 ✔ Network single-node_default              Created                                                                                                     0.1s
 ✔ Container single-node-wazuh.indexer-1    Started                                                                                                     0.2s
 ✔ Container single-node-wazuh.manager-1    Started                                                                                                     0.2s
 ✔ Container single-node-wazuh.dashboard-1  Started  


[Attached screenshots: 0365.PNG, docker.PNG]

Michael Reiner

Dec 20, 2023, 7:45:47 AM
tail -f /srv/docker/volumes/volumes/wazuh_wazuh_logs/_data/ossec.log

2023/12/20 12:38:22 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '003'
2023/12/20 12:38:22 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '011' vulnerabilities.
2023/12/20 12:38:22 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '011'
2023/12/20 12:38:22 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '012' vulnerabilities.
2023/12/20 12:38:22 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '012'
2023/12/20 12:38:22 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '013' vulnerabilities.
2023/12/20 12:38:22 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '013'
2023/12/20 12:38:22 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '015' vulnerabilities.
2023/12/20 12:38:22 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '015'
2023/12/20 12:38:22 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2023/12/20 12:40:54 wazuh-authd: INFO: (1225): SIGNAL [(1)-(Hangup)] Received. Exit Cleaning...
2023/12/20 12:40:54 wazuh-db: INFO: (1225): SIGNAL [(1)-(Hangup)] Received. Exit Cleaning...
2023/12/20 12:40:54 wazuh-authd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/12/20 12:40:54 wazuh-db: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/12/20 12:40:54 wazuh-analysisd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/12/20 12:40:54 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources.
2023/12/20 12:40:54 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2023/12/20 12:40:54 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/12/20 12:40:54 wazuh-monitord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/12/20 12:40:54 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/12/20 12:40:54 wazuh-integratord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/12/20 12:40:54 wazuh-remoted: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/12/20 12:40:54 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2023/12/20 12:40:55 wazuh-authd: INFO: Exiting...
2023/12/20 12:41:06 wazuh-modulesd: WARNING: 'update_from_year' option cannot be used for 'nvd' provider.
2023/12/20 12:41:09 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit.
2023/12/20 12:41:09 wazuh-dbd: INFO: Database not configured. Clean exit.
2023/12/20 12:41:09 wazuh-integratord: INFO: Started (pid: 440).
2023/12/20 12:41:09 wazuh-integratord: INFO: Enabling integration for: 'custom-teams'.
2023/12/20 12:41:09 wazuh-agentlessd: INFO: Not configured. Exiting.
2023/12/20 12:41:09 wazuh-authd: INFO: Started (pid: 461).
2023/12/20 12:41:09 wazuh-authd: INFO: Accepting connections on port 1515. No password required.
2023/12/20 12:41:09 wazuh-authd: INFO: Setting network timeout to 1.000000 sec.
2023/12/20 12:41:10 wazuh-db: INFO: Started (pid: 479).
2023/12/20 12:41:10 wazuh-db: INFO: Created Global database backup "backup/db/global.db-backup-2023-12-20-12:41:10.gz"
2023/12/20 12:41:11 wazuh-execd: INFO: Started (pid: 503).
2023/12/20 12:41:12 wazuh-analysisd: INFO: Total rules enabled: '18901'
2023/12/20 12:41:12 wazuh-analysisd: INFO: Started (pid: 518).
2023/12/20 12:41:13 wazuh-analysisd: INFO: EPS limit disabled
2023/12/20 12:41:13 wazuh-analysisd: INFO: (7200): Logtest started
2023/12/20 12:41:13 wazuh-syscheckd: INFO: Started (pid: 585).
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6000): Starting daemon...
2023/12/20 12:41:13 rootcheck: INFO: Starting rootcheck scan.
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2023/12/20 12:41:13 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2023/12/20 12:41:13 wazuh-syscheckd: INFO: FIM sync module started.
2023/12/20 12:41:14 wazuh-remoted: INFO: Started (pid: 614). Listening on port 1514/TCP (secure).
2023/12/20 12:41:14 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2023/12/20 12:41:15 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2023/12/20 12:41:15 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2023/12/20 12:41:15 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2023/12/20 12:41:15 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2023/12/20 12:41:15 wazuh-logcollector: INFO: Started (pid: 683).
2023/12/20 12:41:16 wazuh-monitord: INFO: Started (pid: 737).
2023/12/20 12:41:16 wazuh-modulesd: WARNING: 'update_from_year' option cannot be used for 'nvd' provider.
2023/12/20 12:41:16 wazuh-modulesd: INFO: Started (pid: 748).
2023/12/20 12:41:16 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2023/12/20 12:41:16 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2023/12/20 12:41:16 wazuh-modulesd:control: INFO: Starting control thread.
2023/12/20 12:41:16 sca: INFO: Module started.
2023/12/20 12:41:16 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu20-04.yml'
2023/12/20 12:41:16 sca: INFO: Starting Security Configuration Assessment scan.
2023/12/20 12:41:16 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2023/12/20 12:41:16 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2023/12/20 12:41:16 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 5' database update.
2023/12/20 12:41:16 wazuh-modulesd: WARNING: Couldn't connect to download module socket 'queue/sockets/download'
2023/12/20 12:41:16 wazuh-modulesd:database: INFO: Module started.
2023/12/20 12:41:16 wazuh-modulesd: WARNING: Couldn't connect to download module socket 'queue/sockets/download'
2023/12/20 12:41:16 wazuh-modulesd:office365: INFO: Module Office365 started.
2023/12/20 12:41:16 wazuh-modulesd:download: INFO: Module started.
2023/12/20 12:41:16 wazuh-modulesd:docker-listener: INFO: Module docker-listener started.
2023/12/20 12:41:16 wazuh-modulesd:syscollector: INFO: Module started.
2023/12/20 12:41:16 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/12/20 12:41:16 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu20-04.yml'
2023/12/20 12:41:16 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/12/20 12:41:17 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 5' feed finished successfully.
2023/12/20 12:41:17 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 6' database update.
2023/12/20 12:41:23 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu20-04.yml'
2023/12/20 12:41:23 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
2023/12/20 12:41:32 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 6' feed finished successfully.
2023/12/20 12:41:32 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2023/12/20 12:41:35 rootcheck: INFO: Ending rootcheck scan.


Benjamin Nworah

Dec 20, 2023, 8:26:46 AM
Hello Michael,

From the log, both modules are started without any issue. Please can you clear your browser cache or repeat the same action with a different browser?

Regards,

Michael Reiner

Dec 20, 2023, 8:46:33 AM

Just saw. About a minute later this line also appeared:
2023/12/20 13:44:05 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.

So the modules do start and run, but when I look at the module settings page, they seem disabled and also do not show up in the dashboard.
If I enable them again, everything is visible.

Michael Reiner

Dec 20, 2023, 8:50:10 AM
Tried a different browser, cleared the cache, same result.

Benjamin Nworah

Dec 21, 2023, 7:47:16 AM
Hello Michael,

Thank you for the feedback. I am still investigating this issue.

Regards,

Michael Reiner

May 29, 2024, 5:56:25 AM
Found the problem.

Seems at some point dashboard configuration moved to a separate docker volume "wazuh-dashboard-config".

Problem was that /usr/share/wazuh-dashboard/data/wazuh/config/wazuh-registry.json got recreated on every container restart.
I moved all files from this folder to the new volume and edited the compose file accordingly.
It works now.

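The fix described in the last post, as an added example that is not part of the thread or of the Wazuh project: a shell check that reports whether a compose file mounts the dashboard config directory on a volume or host path. It assumes short-syntax volume entries; the function names and the sample compose fragments are constructed for illustration.

```shell
# Added example (not from the thread): does a compose file persist the dashboard
# config directory? Assumes short-syntax "- source:target"; names are hypothetical.
CONFIG_DIR=/usr/share/wazuh-dashboard/data/wazuh/config

# Print the volume name or host path mounted at CONFIG_DIR, if any.
mount_source() {
  awk -v target="$CONFIG_DIR" '
    /^[ \t]*-[ \t]/ {
      entry = $0
      sub(/^[ \t]*-[ \t]*/, "", entry)
      sub(/[ \t]+$/, "", entry)
      gsub(/"/, "", entry)
      n = split(entry, part, ":")
      if (n >= 2 && part[2] == target) { print part[1]; exit }
    }' "$1"
}

# Succeed if the name in $2 is declared under the top-level "volumes:" key.
volume_declared() {
  awk -v name="$2" '
    /^volumes:/ { in_vol = 1; next }
    /^[^ \t#]/ { in_vol = 0 }
    in_vol && $1 == (name ":") { found = 1 }
    END { exit !found }' "$1"
}

# 0 = persisted; 1 = not mounted, so the directory lives in the container layer
# and is recreated after "docker compose down"; 2 = volume used but undeclared.
check_dashboard_persistence() {
  local src; src=$(mount_source "$1")
  [ -n "$src" ] || return 1
  case "$src" in /*|.*) return 0 ;; esac   # bind mount to a host path
  volume_declared "$1" "$src" || return 2
}

# Constructed sample compose fragments: before and after the fix.
write_samples() {
  printf '%s\n' 'services:' '  wazuh.dashboard:' '    volumes:' \
    '      - ./certs:/certs:ro' > "$1/before.yml"
  { cat "$1/before.yml"
    printf '%s\n' "      - wazuh-dashboard-config:$CONFIG_DIR" \
      'volumes:' '  wazuh-dashboard-config:'; } > "$1/after.yml"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in before after; do
  rc=0; check_dashboard_persistence "$tmp/$f.yml" || rc=$?; echo "$f.yml: status $rc"
done
```

Status 1 on a deployed compose file means dashboard module selections will reset on the next `docker compose down`, so monitoring views that were enabled by hand silently disappear.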