ossec / ossec-docker


Mounting a custom ossec.conf fails #1

Open laukaichung opened 6 years ago

laukaichung commented 6 years ago

I tried to use a docker-compose file to install ossec-docker, but I ran into a problem replacing the original ossec.conf with my own:

version: '3.4'

services:
  ossec:
    container_name: ossec
    image: atomicorp/ossec-docker
    restart: always
    volumes:
      - ./ossec.conf:/var/ossec/data/etc/ossec.conf
    ports:
      - "1514:1514/udp"
      - "1515:1515/tcp"

It seems that ossec-server.sh doesn't install anything in /var/ossec/data/etc when the custom conf already sits in /var/ossec/data/etc. Is there a way to use a custom ossec.conf?

Here's the log:

ossec    | Installing rules <<=== missing Installing etc
ossec    | Installing logs
ossec    | Installing stats
ossec    | Installing queue
ossec    | Bulk load file: /var/ossec/default_agent
ossec    | Opening: [/var/ossec/default_agent]
ossec    | Agent information:
ossec    |    ID:001
ossec    |    Name:DEFAULT_LOCAL_AGENT
ossec    |    IP Address:127.0.0.1
ossec    | 
ossec    | Agent added.
ossec    | Starting OSSEC HIDS 2.9.2 (by Trend Micro Inc.)...
ossec    | OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
ossec    | 2018/02/05 06:23:35 ossec-authd: INFO: Started (pid: 21).
ossec    | 2018/02/05 06:23:35 getaddrinfo: Name or service not known
ossec    | 2018/02/05 06:23:35 ossec-authd: Unable to bind to port 1515
ossec    | 2018/02/05 06:23:52 ossec-analysisd(1226): ERROR: Error reading XML file 'etc/decoder.xml': XMLERR: File 'etc/decoder.xml' not found. (line 203).
ossec    | 2018/02/05 06:23:52 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

Atem18 commented 5 years ago

@laukaichung I think you are mistaken. As you can see here: https://github.com/ossec/ossec-docker/blob/master/Dockerfile, ossec.conf is copied to /var/ossec/etc/, not /var/ossec/data/etc/. Also, my best advice would be that you create a custom Docker image based on that one and that you put your custom config in it.
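
The failure mode the first post suspects, as an added example that is not code from this thread or from ossec-docker: a first-run seeding step that only tests whether the data directory exists is skipped when that directory already holds a lone custom ossec.conf, so decoder.xml never arrives, while per-file seeding fills the gap and keeps the custom file. The function names, the etc-template directory and the file contents are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added illustration. Hypothetical seeding logic, NOT the project's ossec-server.sh.
# Temporary directories stand in for the image template and the data volume.

# Naive seeding: copy the template only when the target directory is absent.
seed_if_dir_missing() {   # $1 = template dir, $2 = data dir
    [ -e "$2" ] && return 0
    cp -pr "$1" "$2"
}

# Per-file seeding: add every template file that is missing, keep existing files.
seed_missing_files() {    # $1 = template dir, $2 = data dir
    mkdir -p "$2"
    for f in "$1"/*; do
        [ -e "$2/$(basename "$f")" ] || cp -pr "$f" "$2/"
    done
}

# Build a constructed template plus a data dir that already contains only a
# custom ossec.conf (the state a single-file mount leaves behind), run the
# given seeding function, and print the files present afterwards.
run_case() {              # $1 = name of the seeding function to exercise
    work=$(mktemp -d)
    mkdir -p "$work/etc-template" "$work/data/etc"
    echo '<ossec_config><!-- default --></ossec_config>' > "$work/etc-template/ossec.conf"
    echo '<decoder name="constructed"/>' > "$work/etc-template/decoder.xml"
    echo '<ossec_config><!-- custom --></ossec_config>' > "$work/data/etc/ossec.conf"
    "$1" "$work/etc-template" "$work/data/etc"
    result=$(ls "$work/data/etc" | tr '\n' ' ')
    # Confirm the operator's file was not overwritten by the template copy.
    grep -q custom "$work/data/etc/ossec.conf" && result="${result}custom-kept"
    rm -rf "$work"
    echo "$result"
}

echo "dir-exists check: $(run_case seed_if_dir_missing)"
echo "per-file seeding: $(run_case seed_missing_files)"
```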