any custom rules break Docker Compose deployment.


Remi Springer

Mar 1, 2023, 5:18:44 PM
to Wazuh mailing list
Good Afternoon Friends. I'm attempting to set up Wazuh in Docker Compose in the multi-node setup. But I'm having some issues when I import any file to /var/ossec/etc/rules in my docker compose. I've pasted my compose file below:
When the compose file has the rules copy lines (34 and 68) commented out everything works great.
When the rules copy on lines 34 and 68 is in the file and not commented out, I get the error: ERROR in ossec.conf: Could not open file '/var/ossec/etc/shared/ar.conf' due to [(2)-(No such file or directory)]. I believe this rules out any ossec.conf misconfiguration, despite the text of the error.
When the ar.conf file is also copied in, the same error applies (line 39).
I have read far and wide regarding ar.conf, merged.conf, and agent.conf. I can't find a solution to this. But here are some of the things I've tried:
Built my stack using the default wazuh_manager.conf file (which as far as I can tell becomes ossec.conf on the master node).
Removed all files from the copied directory -- this allows it to boot. But one or more files immediately break it.
So TL;DR: for some reason, if any files are put in /var/ossec/etc/rules the API fails to stand up. I am able to get to the dashboard. Has anyone seen this before? I also have some follow-up questions:
1. Where is ar.conf referenced on the managing server? I can't find it in any of my rules. It's not in ossec.conf, I'm not sure. I can't find it anywhere within the setup files of the server either.
2. Why is ar.conf only being queried with the existence of ANY file in /var/ossec/etc/rules?
3. Is there a different way I should be deploying my rules during the standup of a new cluster?
version: '3.7'

services:
  wazuhmaster:
    image: wazuh/wazuh-manager:4.3.10
    hostname: wazuhmaster
    restart: always
    ports:
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh1indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - master-wazuh-api-configuration:/var/ossec/api/configuration
      - master-wazuh-etc:/var/ossec/etc
      - master-wazuh-logs:/var/ossec/logs
      - master-wazuh-queue:/var/ossec/queue
      - master-wazuh-var-multigroups:/var/ossec/var/multigroups
      - master-wazuh-integrations:/var/ossec/integrations
      - master-wazuh-active-response:/var/ossec/active-response/bin
      - master-wazuh-agentless:/var/ossec/agentless
      - master-wazuh-wodles:/var/ossec/wodles
      - master-filebeat-etc:/etc/filebeat
      - master-filebeat-var:/var/lib/filebeat
      # - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/rules:/var/ossec/etc/rules
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuhmaster.pem:/etc/ssl/filebeat.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuhmaster-key.pem:/etc/ssl/filebeat.key
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
      # - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_cluster/ar.conf:/var/ossec/etc/shared/ar.conf
    deploy:
      placement:
        constraints: [node.role == manager]

  wazuhworker:
    image: wazuh/wazuh-manager:4.3.10
    hostname: wazuhworker
    restart: always
    environment:
      - INDEXER_URL=https://wazuh1indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
    volumes:
      - worker-wazuh-api-configuration:/var/ossec/api/configuration
      - worker-wazuh-etc:/var/ossec/etc
      - worker-wazuh-logs:/var/ossec/logs
      - worker-wazuh-queue:/var/ossec/queue
      - worker-wazuh-var-multigroups:/var/ossec/var/multigroups
      - worker-wazuh-integrations:/var/ossec/integrations
      - worker-wazuh-active-response:/var/ossec/active-response/bin
      - worker-wazuh-agentless:/var/ossec/agentless
      - worker-wazuh-wodles:/var/ossec/wodles
      - worker-filebeat-etc:/etc/filebeat
      - worker-filebeat-var:/var/lib/filebeat
      # - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/rules:/var/ossec/etc/rules
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuhworker.pem:/etc/ssl/filebeat.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuhworker-key.pem:/etc/ssl/filebeat.key
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
      # - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_cluster/ar.conf:/var/ossec/etc/shared/ar.conf
    deploy:
      placement:
        constraints: [node.role == manager]

  wazuh1indexer:
    image: wazuh/wazuh-indexer:4.3.10
    hostname: wazuh1indexer
    restart: always
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms4g -Xmx4g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data-1:/var/lib/wazuh-indexer
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuh1indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh1indexer.key
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuh1indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh1indexer.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer/wazuh1indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
    deploy:
      placement:
        constraints: [node.role == manager]

  wazuh2indexer:
    image: wazuh/wazuh-indexer:4.3.10
    hostname: wazuh2indexer
    restart: always
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data-2:/var/lib/wazuh-indexer
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuh2indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh2indexer.key
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuh2indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh2indexer.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer/wazuh2indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
    deploy:
      placement:
        constraints: [node.role == manager]

  wazuh3indexer:
    image: wazuh/wazuh-indexer:4.3.10
    hostname: wazuh3indexer
    restart: always
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data-3:/var/lib/wazuh-indexer
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuh3indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh3indexer.key
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuh3indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh3indexer.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer/wazuh3indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
    deploy:
      placement:
        constraints: [node.role == manager]

  wazuhdashboard:
    image: wazuh/wazuh-dashboard:4.3.10
    hostname: wazuhdashboard
    restart: always
    ports:
      - 5601:5601
    environment:
      - OPENSEARCH_HOSTS="https://wazuh1indexer:9200"
      - WAZUH_API_URL="https://wazuhmaster"
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuhdashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuhdashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
    depends_on:
      - wazuh1indexer
    links:
      - wazuh1indexer:wazuh1indexer
      - wazuhmaster:wazuhmaster
    deploy:
      placement:
        constraints: [node.role == manager]

  nginx:
    image: nginx:stable
    hostname: nginx
    restart: always
    ports:
      - "1514:1514"
    depends_on:
      - wazuhmaster
      - wazuhworker
      - wazuhdashboard
    links:
      - wazuhmaster:wazuhmaster
      - wazuhworker:wazuhworker
      - wazuhdashboard:wazuhdashboard
    volumes:
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    deploy:
      placement:
        constraints: [node.role == manager]

volumes:
  master-wazuh-api-configuration:
  master-wazuh-etc:
  master-wazuh-logs:
  master-wazuh-queue:
  master-wazuh-var-multigroups:
  master-wazuh-integrations:
  master-wazuh-active-response:
  master-wazuh-agentless:
  master-wazuh-wodles:
  master-filebeat-etc:
  master-filebeat-var:
  worker-wazuh-api-configuration:
  worker-wazuh-etc:
  worker-wazuh-logs:
  worker-wazuh-queue:
  worker-wazuh-var-multigroups:
  worker-wazuh-integrations:
  worker-wazuh-active-response:
  worker-wazuh-agentless:
  worker-wazuh-wodles:
  worker-filebeat-etc:
  worker-filebeat-var:
  wazuh-indexer-data-1:
  wazuh-indexer-data-2:
  wazuh-indexer-data-3:

Remi Springer

Mar 8, 2023, 11:16:30 AM
to Wazuh mailing list
Poking this thread.

Carlos Ezequiel Bordon

Mar 9, 2023, 7:50:28 AM
to Wazuh mailing list
Hello,
For the execution of the wazuh/wazuh-manager image, in the case of wanting to mount a directory to maintain persistence, you should mount a Docker volume, as with the other directories that persist in the deployment:

- worker-wazuh-api-configuration:/var/ossec/api/configuration

You will have to declare that volume with all the other volumes at the end of docker-compose.yml.
About mounting a file: inside the entrypoint there is a function that copies everything you mount inside the /wazuh-config-mount/ directory to the /var/ossec/ directory, so as not to generate file permission problems when mounting. As an example, this is the mounting of the ossec.conf file:

- /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

In the case of the ar.conf file, line 40 could look like this:

- /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_cluster/ar.conf:/wazuh-config-mount/etc/shared/ar.conf
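The following compose fragment is an added example, not part of the reply above and not code from the Wazuh project: it rewrites the wazuhmaster service's volumes so that the rules directory and ar.conf go through /wazuh-config-mount/ instead of being bind-mounted straight into /var/ossec/. The host paths are the ones from the original post. Mounting a whole directory at /wazuh-config-mount/etc/rules (rather than a single file) is an assumption that extends the reply's single-file example; the reply only states that everything under /wazuh-config-mount/ is copied into /var/ossec/.

```yaml
# Added example (not from the thread's author or the Wazuh project).
# Only the wazuhmaster service is shown; the wazuhworker service would get
# the same change with its own certificate and wazuh_worker.conf paths.
services:
  wazuhmaster:
    image: wazuh/wazuh-manager:4.3.10
    hostname: wazuhmaster
    restart: always
    volumes:
      # Persistent state stays on named volumes, as in the original file.
      # /var/ossec/etc is already a named volume here, so rules copied into
      # /var/ossec/etc/rules by the entrypoint persist across restarts.
      - master-wazuh-etc:/var/ossec/etc
      - master-wazuh-logs:/var/ossec/logs
      - master-wazuh-queue:/var/ossec/queue

      # BROKEN (what the original post enabled on lines 34 and 39):
      # bind mounts placed directly under /var/ossec/ bypass the entrypoint's
      # copy step and, per the reply, are what causes file permission
      # problems. Kept here commented out only for contrast.
      # - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/rules:/var/ossec/etc/rules
      # - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_cluster/ar.conf:/var/ossec/etc/shared/ar.conf

      # CORRECTED: stage files under /wazuh-config-mount/ and let the image's
      # entrypoint copy them into /var/ossec/ at start-up. The ossec.conf line
      # is the one the original post already had; the other two follow the
      # same pattern.
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_cluster/ar.conf:/wazuh-config-mount/etc/shared/ar.conf
      # ASSUMPTION: a directory mount, so every rules file in the host
      # directory lands in /var/ossec/etc/rules/ after the copy.
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/rules:/wazuh-config-mount/etc/rules

      # Certificates are consumed by filebeat, not by the entrypoint copy,
      # so they stay as plain bind mounts exactly as in the original post.
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuhmaster.pem:/etc/ssl/filebeat.pem
      - /home/ubuntu20/ts-docker-01-git/stack-wazuh-01/config/wazuh_indexer_ssl_certs/wazuhmaster-key.pem:/etc/ssl/filebeat.key

# Every named volume used above must also be declared here, as the reply
# notes; the original file already does this for these three.
volumes:
  master-wazuh-etc:
  master-wazuh-logs:
  master-wazuh-queue:
```

After changing the mounts, a quick check that the copy happened is to exec into the running manager container and list /var/ossec/etc/rules and /var/ossec/etc/shared: the files should be present with the ownership the image expects, rather than the host user's, which is the point of routing them through /wazuh-config-mount/.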