Container


Chris B

Nov 15, 2022, 11:01:07 AM
to Wazuh mailing list
According to this document, it appears that you can enable docker monitoring by using the agent.conf for a group. 


However, according to this document: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html it doesn't seem to be possible. I tried to enable it via the agent.conf file, but it doesn't seem to be possible.

Am I missing something?

Henadence Anyam

Nov 15, 2022, 11:21:34 AM
to Wazuh mailing list
Hello Chris B,
Thank you for using Wazuh.

I think it is because you are missing the Python Docker library.
You have to perform these actions on the monitored endpoint (endpoint running the Wazuh agent):
  1. Install Python and pip using this command: sudo apt install python3 python3-pip
  2. Install Python Docker Library: sudo pip3 install docker==4.2.0
On the Wazuh server, add the following configuration in your agent.conf file within the <agent_config> block:
<wodle name="docker-listener">
        <interval>10m</interval>
        <attempts>5</attempts>
        <run_on_start>yes</run_on_start>
        <disabled>no</disabled>
</wodle>

Then restart the Wazuh manager: sudo systemctl restart wazuh-manager
You should be good to go.

Let me know if it helps.

Best regards.

Chris B

Nov 15, 2022, 11:49:26 AM
to Wazuh mailing list
Thanks. I actually had the first 2 items on the endpoints set up already. The agent.conf info is different than what is in the doc, so I've added that and restarted the docker container.

On the endpoint, where, if anywhere, can I tell if it's getting the configuration update?

Henadence Anyam

Nov 15, 2022, 12:04:32 PM
to Wazuh mailing list
You can verify if the configuration was shared successfully by checking the Wazuh agent configuration file: /var/ossec/etc/shared/agent.conf

Regarding the above setup not working, kindly check the Wazuh agent log at /var/ossec/logs/ossec.log if there are any errors such as this: wazuh-modulesd:docker-listener: ERROR: /usr/bin/env: ‘python’: No such file or directory
If the above error exists, you can resolve it by creating a symbolic link using this command: sudo ln -s /usr/bin/python3 /usr/bin/python
Otherwise, kindly share your ossec.log and agent.conf removing any sensitive information so that we can take a look.

Sorry for the inconveniences posed, the documentation is currently being updated.

Waiting for your feedback.

Chris B

Nov 15, 2022, 12:21:06 PM
to Wazuh mailing list
Thanks - here is the API response from one of the agents:

{
  "data": {
    "affected_items": [
      {
        "id": "010",
        "synced": false
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Sync info was returned for all selected agents",
  "error": 0
}

In the agent logs, I'm not seeing anything yet.


Are you wanting the ossec.log and agent.conf from the client or the manager?

Henadence Anyam

Nov 15, 2022, 12:25:05 PM
to Wazuh mailing list
Send the ossec.log and agent.conf of the client.

Chris B

Nov 15, 2022, 12:36:30 PM
to Wazuh mailing list
ossec.log on client:

2022/11/16 01:18:21 wazuh-agentd: INFO: (4102): Connected to the server (wazuh/ip-address:1514/tcp).
2022/11/16 01:18:22 wazuh-syscheckd: INFO: Started (pid: 2730993).
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6000): Starting daemon...
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2022/11/16 01:18:22 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2022/11/16 01:18:22 rootcheck: INFO: Starting rootcheck scan.
2022/11/16 01:18:22 rootcheck: ERROR: No rootcheck_files file: 'etc/shared/rootkit_files.txt'
2022/11/16 01:18:22 rootcheck: ERROR: No rootcheck_trojans file: 'etc/shared/rootkit_trojans.txt'
2022/11/16 01:18:23 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2022/11/16 01:18:23 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2022/11/16 01:18:23 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2022/11/16 01:18:23 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2022/11/16 01:18:23 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
2022/11/16 01:18:23 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
2022/11/16 01:18:23 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2022/11/16 01:18:23 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/kern.log'.
2022/11/16 01:18:23 wazuh-logcollector: INFO: Started (pid: 2731005).
2022/11/16 01:18:25 wazuh-modulesd: INFO: Started (pid: 2731023).
2022/11/16 01:18:25 wazuh-modulesd:control: INFO: Starting control thread.
2022/11/16 01:18:25 sca: INFO: Module started.
2022/11/16 01:18:25 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu20-04.yml'
2022/11/16 01:18:25 sca: INFO: Starting Security Configuration Assessment scan.
2022/11/16 01:18:25 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/11/16 01:18:25 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/11/16 01:18:25 wazuh-modulesd:syscollector: INFO: Module started.
2022/11/16 01:18:25 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/11/16 01:18:25 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/11/16 01:18:25 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu20-04.yml'
2022/11/16 01:18:25 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/11/16 01:18:26 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/11/16 01:18:36 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu20-04.yml'
2022/11/16 01:18:36 sca: INFO: Security Configuration Assessment scan finished. Duration: 11 seconds.
2022/11/16 01:19:05 rootcheck: INFO: Ending rootcheck scan.


agent.conf on client:

<agent_config>

  <!-- Shared agent configuration here -->

</agent_config>

Chris B

Nov 15, 2022, 12:42:35 PM
to Wazuh mailing list
Also, on the client, I've added this line, wazuh_command.remote_commands=1, to /var/ossec/etc/local_internal_options.conf

Henadence Anyam

Nov 15, 2022, 12:48:27 PM
to Wazuh mailing list
What is happening is that the configuration is not shared to the agent.
You have to add that configuration to your shared agent configuration file /var/ossec/etc/shared/default/agent.conf on the manager endpoint.

By default, the manager will push the configuration to all agents belonging to the default group.
Note: If your agents are not in the default group, then you have to add the configuration to the /var/ossec/etc/shared/<GROUP_NAME>/agent.conf that your agents belong to.

If you have not created any groups, then the configuration has to be added to the /var/ossec/etc/shared/default/agent.conf on the manager endpoint as explained above.

Kindly verify that and let me know.

Chris B

Nov 15, 2022, 1:16:47 PM
to Wazuh mailing list
From what I can tell, this is all set correctly. I've verified this all. Is it because the client belongs to two groups?

Chris B

Nov 15, 2022, 1:20:33 PM
to Wazuh mailing list
I removed one group so it only belongs to one group, and it appears the endpoint is 'synced' now based on the Dashboard. So, that's not helpful, if this isn't how groups are supposed to work.

Henadence Anyam

Nov 15, 2022, 1:31:06 PM
to Wazuh mailing list
No! The number of groups belonging to an agent does not matter because the configurations are synchronized irrespective.

Chris B

Nov 15, 2022, 1:34:41 PM
to Wazuh mailing list
Unfortunately that doesn't seem to be the case. I'm sure I have something misconfigured, but it seems only one group works. I'll have to look at everything again, but removing all groups but the one (which isn't the default) seemed to resolve the issue.

Henadence Anyam

Nov 15, 2022, 2:16:27 PM
to Wazuh mailing list
So, I just tested the configuration by creating 2 additional groups (container, test) alongside the default one and adding agent 001 to all of them. Everything works fine.

Below is the content of the synchronized agent configuration file: /var/ossec/etc/shared/agent.conf
<!-- Source file: default/agent.conf -->
<agent_config>

  <!-- Testing this default agent configuration file -->
</agent_config>

<!-- Source file: container/agent.conf -->
<agent_config>

  <wodle name="docker-listener">
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>
</agent_config>

<!-- Source file: test/agent.conf -->
<agent_config>

  <!-- test group -->

</agent_config>


Kindly perform everything again as you suggested; let's see the outcome.

Regards.
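The two checks Henadence describes above, inspecting the merged shared agent.conf that the manager pushes to the agent (the per-group file shown in this post) and looking for the docker-listener error in the agent's ossec.log (the earlier post), as an added example that is not part of the thread or of Wazuh's own code. It assumes the merged file uses the `<!-- Source file: <group>/agent.conf -->` markers shown above; the configuration text and log lines embedded in it are constructed samples, not captured from Chris's agent.

```python
"""Check a Wazuh agent's merged shared agent.conf and ossec.log for docker-listener.

Added example, not Wazuh code. Assumes the merged shared agent.conf carries a
"<!-- Source file: <group>/agent.conf -->" comment in front of each group's block.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: three groups merged into one file, only "container" enables the wodle.
SAMPLE_MERGED_CONF = """<!-- Source file: default/agent.conf -->
<agent_config>
  <!-- default group -->
</agent_config>

<!-- Source file: container/agent.conf -->
<agent_config>
  <wodle name="docker-listener">
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>
</agent_config>

<!-- Source file: test/agent.conf -->
<agent_config>
  <!-- test group -->
</agent_config>
"""

# Constructed sample: agent log with the "python not found" error quoted in the thread.
SAMPLE_OSSEC_LOG = """2022/11/16 01:18:25 wazuh-modulesd: INFO: Started (pid: 2731023).
2022/11/16 01:18:25 wazuh-modulesd:docker-listener: ERROR: /usr/bin/env: 'python': No such file or directory
2022/11/16 01:18:25 wazuh-modulesd:syscollector: INFO: Module started.
"""

SOURCE_MARKER = re.compile(r"<!--\s*Source file:\s*(?P<group>[^/\s]+)/agent\.conf\s*-->")
DOCKER_LISTENER_LINE = re.compile(r"wazuh-modulesd:docker-listener: (?P<level>[A-Z]+): (?P<msg>.*)")


def split_by_group(merged):
    """Return {group: xml_text}. The merged file has several <agent_config> roots,
    so it is not one well-formed XML document; split on the source markers first."""
    sections = {}
    markers = list(SOURCE_MARKER.finditer(merged))
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(merged)
        sections[m.group("group")] = merged[m.end():end].strip()
    return sections


def docker_listener_status(merged):
    """Return {group: settings} for every group whose block defines the docker-listener wodle.
    settings maps child tag -> text plus an 'enabled' bool derived from <disabled>."""
    status = {}
    for group, xml_text in split_by_group(merged).items():
        root = ET.fromstring(xml_text)  # one <agent_config> root per chunk; comments are dropped
        for wodle in root.iter("wodle"):
            if wodle.get("name") != "docker-listener":
                continue
            settings = {child.tag: (child.text or "").strip() for child in wodle}
            settings["enabled"] = settings.get("disabled", "no").lower() != "yes"
            status[group] = settings
    return status


def docker_listener_log_summary(log_text):
    """Return (seen, errors): whether the wodle logged anything, and its ERROR messages."""
    seen, errors = False, []
    for line in log_text.splitlines():
        m = DOCKER_LISTENER_LINE.search(line)
        if not m:
            continue
        seen = True
        if m.group("level") == "ERROR":
            errors.append(m.group("msg"))
    return seen, errors


def diagnose(merged_conf, log_text):
    """Combine both checks into a list of findings a practitioner can act on."""
    findings = []
    status = docker_listener_status(merged_conf)
    if not status:
        findings.append("no group in the shared agent.conf defines docker-listener; check the manager-side group files")
    for group, s in status.items():
        findings.append(f"group '{group}' defines docker-listener (enabled={s['enabled']}, interval={s.get('interval')})")
    seen, errors = docker_listener_log_summary(log_text)
    if status and not seen:
        findings.append("docker-listener is configured but never logged; confirm the agent received the shared config")
    for err in errors:
        if "python" in err and "No such file or directory" in err:
            findings.append("python interpreter not found for the wodle: " + err)
        else:
            findings.append("docker-listener error: " + err)
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_MERGED_CONF, SAMPLE_OSSEC_LOG):
        print("-", finding)
```

Run it against the real files by reading /var/ossec/etc/shared/agent.conf and /var/ossec/logs/ossec.log on the agent into the two arguments of `diagnose`; an empty `docker_listener_status` result means the manager never pushed a group block containing the wodle, which is the situation the thread is chasing.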

Chris B

Nov 15, 2022, 9:18:35 PM
to Wazuh mailing list
So do all endpoints have to be a part of the default group no matter what? My configuration for this endpoint was that it was in a Linux and Docker group, but not the default. The endpoint was added to these groups via the Dashboard.

Chris B

Nov 15, 2022, 9:40:00 PM
to Wazuh mailing list
One interesting thing to note is that on the manager (running docker) I get a bunch of these errors, and I wonder if it's an issue with the docker container and multiple groups?

wazuh-remoted: ERROR: Cannot create multigroup directory 'var/multigroups/e50a1215': Permission denied (13)

Henadence Anyam

Nov 16, 2022, 4:16:15 AM
to Wazuh mailing list
Hello Chris,

All endpoints must not be part of the default group. 

Regarding the error you are getting, what type of Wazuh deployment and version are you using?
I just realized that the issue occurred in a Kubernetes environment using wazuh/wazuh-manager:4.3.5 and was solved here. So, the issue has been addressed in recent versions of Wazuh.

Chris B

Nov 16, 2022, 4:26:10 AM
to Wazuh mailing list
Thanks, it seems broken either way.

I'm running single-node docker on version 4.3.9.

Chris B

Nov 16, 2022, 4:28:21 AM
to Wazuh mailing list
I also opened a GitHub issue regarding this on the Docker repo for Wazuh: https://github.com/wazuh/wazuh-docker/issues/745

Chris B

Nov 18, 2022, 4:51:03 AM
to Henadence Anyam, Wazuh mailing list
I'm curious. Does it have to be a member of default for it to work? 

In my case the endpoint was in two groups, Linux and Docker, but wasn't in the default.

I'll check this all again later today. 


-Chris

From: 'Henadence Anyam' via Wazuh mailing list <wa...@googlegroups.com>
Sent: Wednesday, November 16, 2022 2:16 AM
To: Wazuh mailing list
Subject: Re: Container