using read_only_root_filesystem


Paul Charran

Jan 7, 2026, 12:59:51 PM
to Wazuh | Mailing List
I have set the read_only_root_filesystem: True. This, of course, is causing havoc with logs and other files that Wazuh needs to write to. I have found help on the internet recommending mounting rw (Read/Write) directories for Wazuh to use. The problem is if I use the actual directory names as volumes in my properties.yaml, the directory is empty. It can be written to but the other files that were there have been deleted. 

I am proposing creating volumes with alternate names. My question is how do I re-route files like logs and conf files to these volumes? Do I need to hard code in the new rw volumes, or is there some other method I am missing?

Jorge Ardila

Jan 8, 2026, 7:54:16 AM
to Wazuh | Mailing List
Hi Paul.

I'm currently consulting with our internal team to ensure we provide you with the most accurate and appropriate solution for your scenario. I will get back to you as soon as I have an update.  

Thanks

Jorge Ardila

Jan 8, 2026, 11:54:37 AM
to Wazuh | Mailing List
Hi Paul.

Regarding your question, after investigating it: using alternate directory names to move Wazuh files is not recommended. Wazuh paths are used internally, and changing them could break functionality or upgrades.

Mounting a volume over an existing directory (like /var/ossec/logs) hides the original files. They are not deleted, just masked, so the directory looks empty but is writable. 

The best approach is to keep the default structure and mount only the subdirectories that need write access.   

Best regards.

Paul Charran

Jan 8, 2026, 12:55:11 PM
to Wazuh | Mailing List
Jorge,
   Thank you for looking into this. I didn't know that mounting a new volume only hid the original. Is there a way to preserve the original files / directory structure? Maybe copy/paste with a service? If I can find the original, that is.

Sincerely,
  Paul

Jorge Ardila

Jan 8, 2026, 2:28:52 PM
to Wazuh | Mailing List
Hi Paul.

Could you share the pod configuration you are using to replicate the scenario you are trying to deploy, either here or privately?

Thanks!

Jorge Ardila

Jan 10, 2026, 4:16:50 AM
to Wazuh | Mailing List
Hi Paul.

Thanks for the information shared via DM.

Based on your current configuration, the following paths should not be mounted as RW:

  • /var/ossec/etc

  • /var/ossec (entire directory)

These paths should remain read-only, using the files included in the container image. Mounting volumes over them will hide the original files and may cause unexpected behavior.

What SHOULD be mounted as RW:

Only runtime data paths where Wazuh needs write access should be mounted:

  • /var/ossec/logs

  • /var/ossec/queue

  • /var/ossec/var

  • /var/ossec/tmp

  • /var/ossec/stats (if applicable)


Here is an example of a correct configuration (conceptual):

security:
  read_only_root_filesystem: true

volumes:
  - name: wazuh-logs
    mount: /var/ossec/logs
    readonly: false

  - name: wazuh-queue
    mount: /var/ossec/queue
    readonly: false

  - name: wazuh-var
    mount: /var/ossec/var
    readonly: false

  - name: wazuh-tmp
    mount: /var/ossec/tmp
    readonly: false

Best regards,
Jorge Ardila

Jorge Ardila

Jan 13, 2026, 12:16:39 PM
to Wazuh | Mailing List
Hi Paul,

Thanks for your last reply. For future communications, please also include the group wa...@googlegroups.com.

Regarding your last comment, here are a few key points to clarify what you should expect:

  • When you mount a volume on paths such as /var/ossec/logs, /var/ossec/queue, or /var/ossec/var, the volume will start empty. This is normal behavior in Kubernetes. The original directories from the image are not deleted; they are simply hidden by the mount.
  • Wazuh will automatically recreate the required subdirectories (such as alerts, archives, etc.) once the services start and begin processing data.

Regarding restarts:

  • Restarting the pod is sufficient.
  • A manual systemctl restart wazuh-manager inside the container is usually not required and may not apply, depending on how the container is started.

Please let me know if, once Wazuh is running, the volumes are being written to or not.

Thanks.

Paul Charran

Feb 3, 2026, 10:42:39 AM
to Wazuh | Mailing List
Jorge,
   I am getting the volumes that need to be r/w working. But I am running into an interesting issue. Some of the Wazuh software checks to see if certain files are available, and if they are not, it causes an error. Since the volumes are formed blank, I am having to manually add the files (I am writing a service to install these files) to get past these checks. These files are files in name only; they are blank, and I am afraid I may be missing some important information.
   Now, if I understand our earlier conversations, the volumes don't erase the original files; they just provide a mount with a similar structure for Wazuh to write to, kind of like an overlay. My question is, if those original files are still there somewhere, is there a way to copy them from the 'hidden/read-only' directory to the corresponding read/write volume?

Thanks in advance for any insight you might provide.
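The following Pod manifest is an added example, not part of this thread and not Wazuh's own deployment files. It turns the conceptual configuration from the Jan 10 reply into real Kubernetes fields (securityContext.readOnlyRootFilesystem plus volumeMounts over /var/ossec/logs, /var/ossec/queue, /var/ossec/var and /var/ossec/tmp, leaving /var/ossec/etc and the rest of /var/ossec read-only from the image), and it answers the seeding question in the last post with the standard init-container pattern: the same image runs once with the volumes mounted at an alternate path (/seed, a name chosen here) so the image's original /var/ossec subdirectories are still visible and can be copied into the otherwise empty volumes. The Pod name, the /seed prefix, the .seeded marker file, the image tag placeholder and the use of emptyDir are all assumptions for illustration.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: wazuh-manager-ro-root          # hypothetical name
spec:
  volumes:
    # emptyDir is used only to keep the example self-contained; runtime data
    # that must survive Pod deletion (queue, logs) belongs on a PVC instead.
    - name: wazuh-logs
      emptyDir: {}
    - name: wazuh-queue
      emptyDir: {}
    - name: wazuh-var
      emptyDir: {}
    - name: wazuh-tmp
      emptyDir: {}

  initContainers:
    - name: seed-runtime-dirs
      # Same image as the main container; tag is a placeholder.
      image: wazuh/wazuh-manager:PLACEHOLDER_TAG
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -e
          # Volumes are mounted under /seed, NOT over /var/ossec, so the
          # files shipped in the image are not masked here. Copy each
          # original subdirectory into its volume exactly once (marker
          # file), so data already on a persistent volume is never
          # overwritten on a later restart. cp -a preserves the ownership
          # and permissions the Wazuh services expect on these paths.
          for d in logs queue var tmp; do
            if [ ! -f "/seed/$d/.seeded" ]; then
              cp -a "/var/ossec/$d/." "/seed/$d/"
              touch "/seed/$d/.seeded"
            fi
          done
      volumeMounts:
        - name: wazuh-logs
          mountPath: /seed/logs
        - name: wazuh-queue
          mountPath: /seed/queue
        - name: wazuh-var
          mountPath: /seed/var
        - name: wazuh-tmp
          mountPath: /seed/tmp

  containers:
    - name: wazuh-manager
      image: wazuh/wazuh-manager:PLACEHOLDER_TAG
      securityContext:
        readOnlyRootFilesystem: true     # the setting the thread is about
        allowPrivilegeEscalation: false
      # Only the runtime paths from the Jan 10 reply are writable; /var/ossec/etc
      # and everything else under /var/ossec stay read-only from the image.
      volumeMounts:
        - name: wazuh-logs
          mountPath: /var/ossec/logs
        - name: wazuh-queue
          mountPath: /var/ossec/queue
        - name: wazuh-var
          mountPath: /var/ossec/var
        - name: wazuh-tmp
          mountPath: /var/ossec/tmp
```

Apply with kubectl apply -f and then check with kubectl exec that files such as /var/ossec/logs/ossec.log are being written; if a path is missing, the container log will show the read-only filesystem error for it, which is the signal to add that specific subdirectory as another RW mount rather than widening the mount to /var/ossec.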
