Custom decoders and rules with docker compose


Tim Rekelj

Feb 21, 2023, 3:47:18 AM
to Wazuh mailing list
Hello,

I am trying to add a custom decoder and rule to the Wazuh manager. The catch is that my Wazuh deployment uses Docker. If I deploy the Wazuh manager, add custom rules and decoders from bash and then restart the container, it works, but I don't want to do it manually.
I tried doing this with volumes:
- /config/local_decoder.xml:/var/ossec/etc/decoders/local_decoder.xml
- /config/local_rules.xml:/var/ossec/etc/rules/local_rules.xml
but when I deploy, I get this error:
wazuh_1 | tail: cannot open '/var/ossec/logs/ossec.log' for reading: No such file or directory
wazuh_1 | tail: no files remaining

Is this the correct way to do this or am I doing this totally wrong?

Thank you!

P.S.
The reason I am doing this is that I want to send all logs from /var/logs/ to Elasticsearch. If you have any idea how to do this better, I am open to suggestions.

Julian Bustamante Narvaez

Feb 21, 2023, 7:47:10 AM
to Wazuh mailing list
Hi, I hope you are well. Can you share your Dockerfile, local_decoder.xml and local_rules.xml with me?

Please explain to me in more detail what the problem is, which decoder you use and which rule you use.


Regards

Tim Rekelj

Feb 21, 2023, 7:57:14 AM
to Wazuh mailing list
Hello Julian and thank you for your time.

My docker-compose:
wazuh:
  image: wazuh/wazuh-odfe:4.2.7
  hostname: wazuh-manager
  restart: always
  ports:
    - "1514:1514"
    - "1515:1515"
    - "514:514/udp"
    - "55000:55000"
  environment:
    - ELASTICSEARCH_URL=https://elasticsearch:9200
    - ELASTIC_USERNAME=admin
    - ELASTIC_PASSWORD=p14c3r3P14c3r3
    - FILEBEAT_SSL_VERIFICATION_MODE=none
  volumes:
    - ossec_api_configuration:/var/ossec/api/configuration
    - ossec_etc:/var/ossec/etc
    - ossec_logs:/var/ossec/logs
    - ossec_queue:/var/ossec/queue
    - ossec_var_multigroups:/var/ossec/var/multigroups
    - ossec_integrations:/var/ossec/integrations
    - ossec_active_response:/var/ossec/active-response/bin
    - ossec_agentless:/var/ossec/agentless
    - ossec_wodles:/var/ossec/wodles
    - filebeat_etc:/etc/filebeat
    - filebeat_var:/var/lib/filebeat
    - ${PWD}/config/local_decoder.xml:/var/ossec/etc/local_decoder.xml
    - ${PWD}/config/local_rules.xml:/var/ossec/etc/local_rules.xml

There are other images in the docker-compose file, but I don't think they are relevant.
I tried the custom decoder example from here to see if it works, but it doesn't.

Decoder:
<decoder name="local_decoder_example">
   <program_name>local_decoder_example</program_name>
</decoder>

Rule:
<group name="local,syslog,sshd,">
   <rule id="100001" level="5">
   <if_sid>5716</if_sid>
   <srcip>1.1.1.1</srcip>
   <description>sshd: authentication failed from IP 1.1.1.1.</description>
   <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
   </rule>
</group>

Those are the only things I played with, but it doesn't seem to work. It only works if I comment out the two lines that are bold, but then the custom decoder is not copied into the Docker container.

Again, this is the error that I get:
wazuh_1          | tail: cannot open '/var/ossec/logs/ossec.log' for reading: No such file or directory
wazuh_1          | tail: no files remaining
And if I look in the container, it seems like there really are no logs or configuration for ossec anymore.

Thank you for your time again,
Tim Rekelj

Julian Bustamante Narvaez

Feb 22, 2023, 2:49:49 PM
to Wazuh mailing list
Hi, sorry for the late reply.
Can you tell me how you are creating the volumes? Do you use docker volume create your_folder?

Have you tried the RW options? -> named_volume_name:/container/path:rw


Regards

Tim Rekelj

Feb 28, 2023, 2:18:10 AM
to Wazuh mailing list
Hello,

I am creating the volumes just with docker-compose. I tried many ways, with the RO and RW options, but I always get the same error.
The error shows even if I just create this (with or without :ro and :rw):
    - local_decoders:/var/ossec/etc/decoders/
    - local_rules:/var/ossec/etc/rules/

volumes:
    local_decoders:
    local_rules:

It seems that if I change those two folders in any way, the whole ossec configuration is not created.

Thank you,
Tim

Julian Bustamante Narvaez

Mar 1, 2023, 1:51:52 PM
to Wazuh mailing list
Hi,

I still can't solve your problem. I'm still working on it, and as soon as I have a solution I'll let you know.

Regards

Tim Rekelj

Mar 1, 2023, 2:51:44 PM
to Wazuh mailing list
Hi,

I looked into the error and figured out the problem, but I don't have the solution yet.

The default local_rules.xml and local_decoder.xml (from the Wazuh Docker image) are owned by the ossec group, but when I copy them with docker compose they are owned by the root group. So when Wazuh wants to generate ossec.conf as the user ossec, it doesn't have permission to even view the rules and decoder. I am trying to work around this, but I don't know how to do it with docker compose.

Cheers,
Tim
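As an added example (not from the thread, Wazuh or the wazuh-docker project), a POSIX shell helper for the ownership mismatch described above: it copies the host files into the manager's etc volume from inside the image, so they end up as root:ossec with mode 660 (the mode is an assumption about the image defaults), and checks that the ossec group can read them. The image tag, volume name and config directory are assumed from the compose file posted earlier; a compose project prefix on the volume name is also an assumption to verify with docker volume ls.

```shell
#!/bin/sh
# Seed custom Wazuh rules/decoders into the manager's etc volume with the
# ownership the manager can read (group ossec, as found in the thread),
# instead of bind-mounting root-owned host files over /var/ossec/etc.
# Assumptions (added here, not from the thread): image tag, volume name and
# ./config layout follow the compose file above; compose may prefix the
# volume name with the project name, so check `docker volume ls` first.
set -eu

IMAGE="${IMAGE:-wazuh/wazuh-odfe:4.2.7}"
VOLUME="${VOLUME:-ossec_etc}"
CONFIG_DIR="${CONFIG_DIR:-$PWD/config}"
DECODER=/var/ossec/etc/decoders/local_decoder.xml
RULES=/var/ossec/etc/rules/local_rules.xml

# Check one "user:group mode path" line (format of `stat -c '%U:%G %a %n'`)
# for what the manager needs: group ossec with the group-read bit set.
# Returns 0 when the ossec group can read the file, 1 otherwise.
check_perm_line() {
    owner_group=${1%% *}; rest=${1#* }; mode=${rest%% *}; path=${rest#* }
    group=${owner_group#*:}
    mode=${mode#"${mode%???}"}                         # last three octal digits
    group_bits=${mode#?}; group_bits=${group_bits%?}   # the middle (group) digit
    if [ "$group" != "ossec" ]; then
        echo "FAIL $path: group is '$group', expected 'ossec'" >&2
        return 1
    fi
    case $group_bits in
        4|5|6|7) echo "OK   $path ($owner_group $mode)"; return 0 ;;
        *) echo "FAIL $path: group cannot read it (mode $mode)" >&2; return 1 ;;
    esac
}

# Copy the host files into the volume from inside the image, so 'ossec'
# resolves to the GID the manager uses, then print the resulting ownership.
seed_volume() {
    docker run --rm -v "$VOLUME:/var/ossec/etc" -v "$CONFIG_DIR:/src:ro" \
        "$IMAGE" /bin/sh -c "
            install -o root -g ossec -m 660 /src/local_decoder.xml $DECODER &&
            install -o root -g ossec -m 660 /src/local_rules.xml $RULES &&
            stat -c '%U:%G %a %n' $DECODER $RULES"
}

# Run './seed_wazuh_config.sh seed' after the stack has started once (so the
# volume already holds the image's own config), then restart the wazuh service.
if [ "${1:-}" = "seed" ]; then
    seed_volume | while read -r line; do check_perm_line "$line"; done
fi
```

Because the named volume persists across restarts, re-run the seed step whenever the host copies of the rule or decoder files change.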

Julian Bustamante Narvaez

Mar 1, 2023, 6:18:37 PM
to Wazuh mailing list

Hi, I changed the path of all volumes to the path where the volumes are located in Docker (/var/lib/docker/volumes/).

If you go to /var/lib/docker/volumes/ossec_etc/decoder/local_decoder.xml or /var/lib/docker/volumes/ossec_etc/rules/local_rules.xml, you can see the decoder and rules that you mentioned above.
With this change I don't see the mentioned error.

I attach some screenshots, the docker-compose file and the output of docker-compose up:

sudo docker-compose up -d
sudo docker exec -it ID_CONTAINER /bin/bash

Please try with my docker-compose.yml and give me feedback.
Let me know if this is helpful.
Regards

Tim Rekelj

Mar 6, 2023, 10:27:31 AM
to Wazuh mailing list
Hi, thank you for your solution, but it is still not working for me. I copied the docker-compose.yml from you and used the same commands as you. I deleted all the volumes, containers and images on my local Docker, and it is still not working.
I attached some screenshots and logs in case you find anything that I did wrong.

Cheers,
Tim

Tim Rekelj

Mar 6, 2023, 10:29:36 AM
to Wazuh mailing list
Sorry, I attached the wrong image. I wanted to attach this one too.

Julian Bustamante Narvaez

Mar 7, 2023, 8:41:24 AM
to Wazuh mailing list
Hi, I don't see anything wrong.
Inside the Docker container you can try this command:
/var/ossec/bin/wazuh-control start


You can also show me if ossec.conf is created:
ls /var/lib/docker/volumes/ossec_etc

vim /var/lib/docker/volumes/ossec_etc/ossec.conf

and show me the volumes folder:
ls /var/lib/docker/volumes/

Regards.

Tim Rekelj

Mar 8, 2023, 7:23:35 AM
to Wazuh mailing list
Hi,

I attach the results of the requested commands. The ossec.conf is not even created.
I tried to run this compose file on 2 other computers, and it worked on one but not on the other. The versions of Docker and docker-compose are the same on every computer, so the versions cannot be the issue. There is a big chance that I am doing something wrong, but I have tried to run it in so many ways that I have run out of ideas about what I am doing wrong.

Regards,
Tim

Julian Bustamante Narvaez

Mar 8, 2023, 4:38:58 PM
to Wazuh mailing list
Hi,

What operating system do you use? What machine do you use? Is it a VM? I wouldn't know what could be happening, since it works on my machine and on one of yours too. Give me the characteristics and I can try to replicate it; maybe we can give you a solution. On the machine that did not work, have you tried to bring up Wazuh in another way (without Docker)?

These are the versions of my Docker and docker-compose:
$ docker --version
Docker version 20.10.12, build 20.10.12-0ubuntu4
$ docker-compose --version
docker-compose version 1.29.2, build unknown


Regards.

Tim Rekelj

Mar 13, 2023, 10:21:50 AM
to Wazuh mailing list
Hi,

I am using Ubuntu 22.04 LTS on an Intel NUC from 2021. I tried deploying with and without a VM (Ubuntu 20.04 LTS and CentOS 8). The Wazuh deployment works when there are no volumes for local_rules and local_decoder.

To try to solve the issue, we will create a working deployment in a VM on the machine where everything works, and then transfer the VM to my PC. I hope this helps, or at least gives us some idea whether there really is an issue or I am just doing something wrong.

Docker version: 23.0.1
Docker-compose version: 1.29.2

Regards,
Tim

Julian Bustamante Narvaez

Mar 13, 2023, 2:38:42 PM
to Wazuh mailing list
Hi,
What you propose is a good test: export your VM from where it works and then test it on the machine that doesn't work. I don't think it's a docker-compose.yml configuration problem, because it works for me; I think it may be something with Docker on your machine. If you want, when you have it, share the .ova via G drive and I'll try whether it works.


Regards