dLoProdz / OSSIEM

Open Source SIEM Stack
GNU General Public License v3.0

wazuh.manager won't start #2

Closed tens0rcat closed 1 week ago

tens0rcat commented 1 week ago

This is using Taylor's fork, but I can't create an issue there.

There are a number of other issues in the logs, but I think this is the one that is preventing any data from flowing into graylog.

wazuh.manager | /var/ossec/framework/python/bin/python3: can't open file '/var/ossec/framework/scripts/create_user.py': [Errno 2] No such file or directory
wazuh.manager | There was an error configuring the API user

dLoProdz commented 1 week ago

Hi @tens0rcat, are you building and using the custom Wazuh Manager image?

tens0rcat commented 1 week ago

Ack, no. I missed that each directory in the repo has its own readme.

dLoProdz commented 1 week ago

The custom image is needed for the stack to work properly, as it comes pre-packaged with FluentBit, which takes care of shipping Wazuh logs to Graylog. Give it a try and get back to me if you run into any other issue.

tens0rcat commented 1 week ago

Well, it built, but I don't know what it built or where, nor what to do with it. Or do I need to delete all the volumes and redo from scratch?

dLoProdz commented 1 week ago

If you run `docker images` or `docker image ls`, the newly built image should be listed there. This image should also match what you're selecting in the docker_compose.yml file for the wazuh.manager container.

It would be best to start from scratch, so yeah, delete all volumes and recreate the containers.

tens0rcat commented 1 week ago

OK, clean startup! Thank you!

tens0rcat commented 1 week ago

Well, it was clean until I rebooted; now the same error is back, even though it shows I'm using the right wazuh.manager (not the ghcr.io one). I'm just going to go back to installing everything separately, where I can attack one problem at a time. Anyway, thanks again for your help!

dLoProdz commented 1 week ago

Having everything in one compose file doesn't mean they are all installed together. You can always bring up/down or restart just one container; that's the beauty of compose:

docker compose [up -d/down] wazuh.manager

I personally run everything in separate compose files myself, but for ease of use and installation Taylor asked me to put everything in one compose file.

I also get some errors after rebooting the host; just bring the wazuh.manager container down and up again and it should work.
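The two checks the maintainer describes in this thread, that the image named in the compose file for wazuh.manager is the one you actually built and that a single service can be brought down and up on its own, written out as an added shell script. This is example code, not part of the OSSIEM repo. The file name docker_compose.yml and the service name wazuh.manager are taken from the thread; the image tags and the sample compose snippet are constructed placeholders so the parsing can be exercised without Docker.

```shell
#!/bin/sh
# Added example, not OSSIEM project code. Verifies that the image the compose
# file selects for a service exists locally before recreating that service.
# docker_compose.yml and wazuh.manager are the names used in the issue thread;
# every image tag below is a constructed placeholder.

# Print the image: reference for service $1 from the compose YAML on stdin.
# Assumes the usual layout: service keys two spaces deep under "services:",
# with "image:" indented beneath them.
compose_image() {
  awk -v svc="$1" '
    BEGIN { key = svc ":" }
    /^  [^ ]/ { in_svc = ($1 == key) }        # entered or left a top-level service
    in_svc && $1 == "image:" { print $2; exit }
  '
}

# Return 0 if image reference $1 appears in the local image list read on stdin
# (the format produced by: docker image ls --format "{{.Repository}}:{{.Tag}}").
image_present() {
  grep -qxF -- "$1"
}

# check_service_image COMPOSE_FILE SERVICE IMAGE_LIST_FILE
# Prints the resolved image and returns 0 when it is present locally,
# 1 when compose points at an image that was never built or pulled (the
# situation in this issue), 2 when the service has no image: line at all.
check_service_image() {
  img=$(compose_image "$2" < "$1")
  [ -n "$img" ] || { echo "no image: line for service $2" >&2; return 2; }
  if image_present "$img" < "$3"; then
    echo "$img"
  else
    echo "compose selects $img for $2 but it is not in the local image list" >&2
    return 1
  fi
}

# Live procedure, only entered when invoked with --run or --reset: snapshot the
# local images, run the check, then recreate only wazuh.manager (the
# after-reboot fix suggested above). --reset instead drops the stack's named
# volumes and starts everything from scratch, as suggested for a clean install.
run_live() {
  tmp=$(mktemp)
  docker image ls --format '{{.Repository}}:{{.Tag}}' > "$tmp"
  check_service_image docker_compose.yml wazuh.manager "$tmp" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  if [ "$1" = "--reset" ]; then
    docker compose -f docker_compose.yml down -v      # -v removes the stack's named volumes
    docker compose -f docker_compose.yml up -d
  else
    docker compose -f docker_compose.yml down wazuh.manager
    docker compose -f docker_compose.yml up -d wazuh.manager
  fi
}

# Constructed sample inputs so the checks can be exercised without Docker.
SAMPLE_COMPOSE=$(mktemp)
SAMPLE_IMAGES=$(mktemp)
trap 'rm -f "$SAMPLE_COMPOSE" "$SAMPLE_IMAGES"' EXIT
cat > "$SAMPLE_COMPOSE" <<'EOF'
services:
  wazuh.manager:
    image: ossiem/wazuh-manager:local
    restart: unless-stopped
  graylog:
    image: graylog/graylog:5.2
EOF
cat > "$SAMPLE_IMAGES" <<'EOF'
ossiem/wazuh-manager:local
ghcr.io/example/wazuh-manager:latest
EOF

case "${1:-}" in
  --run|--reset) run_live "$1" ;;
  *) check_service_image "$SAMPLE_COMPOSE" wazuh.manager "$SAMPLE_IMAGES" ;;
esac
```

Run without arguments it only exercises the parser against the embedded sample; with `--run` it performs the check against the real docker_compose.yml and then restarts just wazuh.manager, which is the first thing to try after a host reboot before tearing the whole stack down.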