Based on your current configuration, the following paths should not be mounted as RW:
/var/ossec/etc
/var/ossec (entire directory)
These paths should remain read-only, using the files included in the container image. Mounting volumes over them will hide the original files and may cause unexpected behavior.
What SHOULD be mounted as RW:
Only runtime data paths where Wazuh needs write access should be mounted:
/var/ossec/logs
/var/ossec/queue
/var/ossec/var
/var/ossec/tmp
/var/ossec/stats (if applicable)
/var/ossec/var and /var/ossec/var/run as separate volumes can cause conflicts. In Kubernetes, when you mount a volume on a parent directory (for example /var/ossec/var), and then mount another volume on a subdirectory of that path (such as /var/ossec/var/run), the second mount can override or block what the application expects from the first one. This can result in issues like Wazuh being unable to create PID files.
For Wazuh, the recommended approach is:
Mount only the parent directory /var/ossec/var as writable.
Do not mount /var/ossec/var/run separately.
Wazuh will automatically create the run directory and the required PID files inside /var/ossec/var once the service starts, as long as the permissions are correct.
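
A check for the mount rules described in the reply above, added here as an example and not part of the original thread or of Wazuh's own tooling. It reads a container's volumeMounts and reports read-write mounts over /var/ossec or /var/ossec/etc, plus mounts nested under an already-mounted runtime path; the name `check_mounts` and both sample specs are constructed for illustration.

```python
import json
from pathlib import PurePosixPath

# Paths the reply says must keep the files shipped in the container image.
IMAGE_OWNED = {"/var/ossec", "/var/ossec/etc"}
# Runtime data paths the reply lists as safe to mount read-write.
RUNTIME_RW = {"/var/ossec/logs", "/var/ossec/queue", "/var/ossec/var",
              "/var/ossec/tmp", "/var/ossec/stats"}

def check_mounts(container):
    """Return (mountPath, problem) findings for one container spec (a dict)."""
    findings = []
    mounts = container.get("volumeMounts", [])
    # PurePosixPath normalises trailing slashes so "/var/ossec/var/" still matches.
    paths = [PurePosixPath(m["mountPath"]) for m in mounts]
    for mount, path in zip(mounts, paths):
        # Kubernetes volumeMounts are read-write unless readOnly is true.
        if not mount.get("readOnly", False) and str(path) in IMAGE_OWNED:
            findings.append((str(path), "read-write mount over image-provided path"))
        # A second volume on a subdirectory of a mounted runtime path
        # (the /var/ossec/var + /var/ossec/var/run case) is the PID-file conflict.
        for parent in paths:
            if parent in path.parents and str(parent) in RUNTIME_RW:
                findings.append((str(path), f"nested under mounted {parent}"))
    return findings

# Constructed sample: the layout the reply warns against.
BAD = json.loads("""{"name": "wazuh", "volumeMounts": [
  {"name": "etc",  "mountPath": "/var/ossec/etc"},
  {"name": "var",  "mountPath": "/var/ossec/var"},
  {"name": "run",  "mountPath": "/var/ossec/var/run"},
  {"name": "logs", "mountPath": "/var/ossec/logs"}]}""")

# Constructed sample: only the runtime paths, no nested mount.
GOOD = json.loads("""{"name": "wazuh", "volumeMounts": [
  {"name": "logs",  "mountPath": "/var/ossec/logs"},
  {"name": "queue", "mountPath": "/var/ossec/queue"},
  {"name": "var",   "mountPath": "/var/ossec/var/"},
  {"name": "tmp",   "mountPath": "/var/ossec/tmp"}]}""")

if __name__ == "__main__":
    for label, spec in (("bad", BAD), ("good", GOOD)):
        print(label, check_mounts(spec))
```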
Jorge,
I think I forgot to add wa...@googlegroups.com to my last e-mail. Could you forward it to the group? Or should I re-write my post?
Thanks,
Paul