wazuh / wazuh-docker

Wazuh - Docker containers
https://wazuh.com

Except persistence of Azure Wodle db files #1474

Closed vcerenu closed 2 months ago

vcerenu commented 2 months ago

Description

According to issue https://github.com/wazuh/wazuh/pull/20624, some Azure Wodle files have been modified and it is necessary to except their persistence.

Those files are:

These files must be added to the Wazuh manager persistence exception list.

Related

vcerenu commented 2 months ago

Test

Building Docker images and then deploying the Wazuh stack with the created images, adding the startup log of the Wazuh manager container.

$ build-docker-images/build-images.sh 
Building wazuh.manager
[+] Building 150.6s (23/23) FINISHED                                                                                                                                                                        
 => [internal] load build definition from Dockerfile                                                                                                                                                   0.1s
 => => transferring dockerfile: 2.35kB                                                                                                                                                                 0.0s
 => [internal] load metadata for docker.io/library/amazonlinux:2023                                                                                                                                    3.7s
 => [auth] library/amazonlinux:pull token for registry-1.docker.io                                                                                                                                     0.0s
 => [internal] load .dockerignore                                                                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                                                                        0.0s
 => [ 1/16] FROM docker.io/library/amazonlinux:2023@sha256:ef1a9c856a0d3b2d581d0d9261540df3c6ab3a7f752546603c93f954def936a3                                                                           15.0s
 => => resolve docker.io/library/amazonlinux:2023@sha256:ef1a9c856a0d3b2d581d0d9261540df3c6ab3a7f752546603c93f954def936a3                                                                              0.0s
 => => sha256:ef1a9c856a0d3b2d581d0d9261540df3c6ab3a7f752546603c93f954def936a3 2.38kB / 2.38kB                                                                                                         0.0s
 => => sha256:5ebcbcf1c530765b8c8dea03d65644c854e8a06efbb83974fab525955ad64198 1.02kB / 1.02kB                                                                                                         0.0s
 => => sha256:d69484cbddb0c7dc2deffd942a820ec21da22c4177f64f9417977b644758b3ce 575B / 575B                                                                                                             0.0s
 => => sha256:cb6230c89c15ad3884b7222b06322338ef758165e0b4068d1270a3c8141a3e43 52.31MB / 52.31MB                                                                                                       5.0s
 => => extracting sha256:cb6230c89c15ad3884b7222b06322338ef758165e0b4068d1270a3c8141a3e43                                                                                                              9.7s
 => [14/16] ADD https://raw.githubusercontent.com/wazuh/wazuh/4.9.0/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat                                                                     0.0s
 => [internal] load build context                                                                                                                                                                      0.1s
 => => transferring context: 29.40kB                                                                                                                                                                   0.0s
 => [ 2/16] RUN rm /bin/sh && ln -s /bin/bash /bin/sh                                                                                                                                                  1.2s
 => [ 3/16] RUN yum install curl-minimal xz gnupg tar gzip openssl findutils procps -y &&    yum clean all                                                                                            12.0s
 => [ 4/16] COPY config/check_repository.sh /                                                                                                                                                          0.2s
 => [ 5/16] COPY config/filebeat_module.sh /                                                                                                                                                           0.1s 
 => [ 6/16] COPY config/permanent_data.env config/permanent_data.sh /                                                                                                                                  0.1s 
 => [ 7/16] RUN chmod 775 /check_repository.sh                                                                                                                                                         0.4s 
 => [ 8/16] RUN source /check_repository.sh                                                                                                                                                            2.0s 
 => [ 9/16] RUN yum install wazuh-manager-4.9.0-1 -y &&     yum clean all &&     chmod 775 /filebeat_module.sh &&     source /filebeat_module.sh &&     rm /filebeat_module.sh &&     curl --fail -  105.3s 
 => [10/16] COPY config/etc/ /etc/                                                                                                                                                                     0.2s 
 => [11/16] COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py                                                                                                  0.2s 
 => [12/16] COPY config/filebeat.yml /etc/filebeat/                                                                                                                                                    0.1s 
 => [13/16] RUN chmod go-w /etc/filebeat/filebeat.yml                                                                                                                                                  1.0s 
 => [14/16] ADD https://raw.githubusercontent.com/wazuh/wazuh/4.9.0/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat                                                                     0.2s 
 => [15/16] RUN chmod go-w /etc/filebeat/wazuh-template.json                                                                                                                                           0.6s 
 => [16/16] RUN mkdir -p /var/ossec/var/multigroups &&     chown root:wazuh /var/ossec/var/multigroups &&     chmod 770 /var/ossec/var/multigroups &&     mkdir -p /var/ossec/agentless &&     chown   1.7s
 => exporting to image                                                                                                                                                                                 6.2s
 => => exporting layers                                                                                                                                                                                6.2s
 => => writing image sha256:8d28a4d9be0b5223b4bd14fc631392df9284e0ebf831238aa019c777289eddfb                                                                                                           0.0s
 => => naming to docker.io/wazuh/wazuh-manager:4.9.0                                                                                                                                                   0.0s
Building wazuh.indexer
[+] Building 189.3s (33/33) FINISHED                                                                                                                                                                        
 => [internal] load build definition from Dockerfile                                                                                                                                                   0.0s
 => => transferring dockerfile: 2.76kB                                                                                                                                                                 0.0s
 => [internal] load metadata for docker.io/library/amazonlinux:2023                                                                                                                                    1.0s
 => [internal] load .dockerignore                                                                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                                                                        0.0s
 => CACHED [builder  1/13] FROM docker.io/library/amazonlinux:2023@sha256:ef1a9c856a0d3b2d581d0d9261540df3c6ab3a7f752546603c93f954def936a3                                                             0.0s
 => [internal] load build context                                                                                                                                                                      0.1s
 => => transferring context: 21.09kB                                                                                                                                                                   0.0s
 => [builder  2/13] RUN yum install curl-minimal openssl xz tar findutils shadow-utils -y                                                                                                             15.9s
 => [stage-1  2/16] RUN yum install curl-minimal shadow-utils findutils hostname -y                                                                                                                   15.8s
 => [stage-1  3/16] RUN getent group wazuh-indexer || groupadd -r -g 1000 wazuh-indexer                                                                                                                2.0s
 => [builder  3/13] COPY config/check_repository.sh /                                                                                                                                                  0.2s 
 => [builder  4/13] RUN chmod 775 /check_repository.sh &&     source /check_repository.sh                                                                                                              3.1s 
 => [stage-1  4/16] RUN useradd --system             --uid 1000             --no-create-home             --home-dir /usr/share/wazuh-indexer             --gid wazuh-indexer             --shell /sbi  0.6s 
 => [stage-1  5/16] WORKDIR /usr/share/wazuh-indexer                                                                                                                                                   0.2s 
 => [stage-1  6/16] COPY config/entrypoint.sh /                                                                                                                                                        0.2s 
 => [stage-1  7/16] COPY config/securityadmin.sh /                                                                                                                                                     0.1s 
 => [stage-1  8/16] RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh                                                                                                                        0.5s 
 => [builder  5/13] RUN yum install wazuh-indexer-4.9.0-1 -y &&     yum clean all                                                                                                                    137.2s 
 => [stage-1  9/16] RUN chown 1000:1000 /*.sh                                                                                                                                                          0.7s 
 => [builder  6/13] COPY config/opensearch.yml /                                                                                                                                                       0.2s 
 => [builder  7/13] COPY config/config.sh .                                                                                                                                                            0.2s 
 => [builder  8/13] COPY config/config.yml /                                                                                                                                                           0.2s 
 => [builder  9/13] COPY config/action_groups.yml /                                                                                                                                                    0.2s 
 => [builder 10/13] COPY config/internal_users.yml /                                                                                                                                                   0.2s 
 => [builder 11/13] COPY config/roles_mapping.yml /                                                                                                                                                    0.1s 
 => [builder 12/13] COPY config/roles.yml /                                                                                                                                                            0.1s
 => [builder 13/13] RUN bash config.sh                                                                                                                                                                 6.3s
 => [stage-1 10/16] COPY --from=builder --chown=1000:1000 /usr/share/wazuh-indexer /usr/share/wazuh-indexer                                                                                            3.1s 
 => [stage-1 11/16] COPY --from=builder --chown=1000:1000 /etc/wazuh-indexer /usr/share/wazuh-indexer                                                                                                  0.1s 
 => [stage-1 12/16] COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd                                                                                             0.1s 
 => [stage-1 13/16] COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d                                                                                           0.2s 
 => [stage-1 14/16] COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d                                                                                       0.1s 
 => [stage-1 15/16] RUN chown -R 1000:1000 /usr/share/wazuh-indexer                                                                                                                                    9.4s 
 => [stage-1 16/16] RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer &&     mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs &&    0.8s
 => exporting to image                                                                                                                                                                                 6.1s
 => => exporting layers                                                                                                                                                                                6.1s
 => => writing image sha256:7ce19da9e15e15c92d110fa038b10f644eb09dadd8faae2a81f7ed68ea83a720                                                                                                           0.0s
 => => naming to docker.io/wazuh/wazuh-indexer:4.9.0                                                                                                                                                   0.0s
Building wazuh.dashboard
[+] Building 156.2s (30/30) FINISHED                                                                                                                                                                        
 => [internal] load build definition from Dockerfile                                                                                                                                                   0.0s
 => => transferring dockerfile: 3.21kB                                                                                                                                                                 0.0s
 => [internal] load metadata for docker.io/library/amazonlinux:2023                                                                                                                                    2.0s
 => [auth] library/amazonlinux:pull token for registry-1.docker.io                                                                                                                                     0.0s
 => [internal] load .dockerignore                                                                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                                                                        0.0s
 => [internal] load build context                                                                                                                                                                      0.1s
 => => transferring context: 10.19kB                                                                                                                                                                   0.0s
 => CACHED [builder  1/12] FROM docker.io/library/amazonlinux:2023@sha256:ef1a9c856a0d3b2d581d0d9261540df3c6ab3a7f752546603c93f954def936a3                                                             0.0s
 => [builder  2/12] RUN yum install curl-minimal libcap openssl -y                                                                                                                                    15.7s
 => [stage-1  2/13] RUN yum install shadow-utils -y                                                                                                                                                   14.2s
 => [stage-1  3/13] RUN getent group wazuh-dashboard || groupadd -r -g 1000 wazuh-dashboard                                                                                                            0.8s
 => [stage-1  4/13] RUN useradd --system             --uid 1000             --no-create-home             --home-dir /usr/share/wazuh-dashboard             --gid wazuh-dashboard             --shell   1.5s
 => [builder  3/12] COPY config/check_repository.sh /                                                                                                                                                  0.3s 
 => [builder  4/12] RUN chmod 775 /check_repository.sh &&     source /check_repository.sh                                                                                                              2.7s 
 => [stage-1  5/13] COPY config/entrypoint.sh /                                                                                                                                                        0.1s 
 => [stage-1  6/13] COPY config/wazuh_app_config.sh /                                                                                                                                                  0.2s 
 => [stage-1  7/13] RUN chmod 700 /entrypoint.sh                                                                                                                                                       0.8s 
 => [stage-1  8/13] RUN chmod 700 /wazuh_app_config.sh                                                                                                                                                 0.6s 
 => [stage-1  9/13] RUN chown 1000:1000 /*.sh                                                                                                                                                          0.9s 
 => [builder  5/12] RUN yum install wazuh-dashboard-4.9.0-1 -y &&     yum clean all                                                                                                                   87.8s 
 => [builder  6/12] RUN mkdir -p /usr/share/wazuh-dashboard/data/wazuh && chmod -R 775 /usr/share/wazuh-dashboard/data/wazuh                                                                           1.0s 
 => [builder  7/12] RUN mkdir -p /usr/share/wazuh-dashboard/data/wazuh/config && chmod -R 775 /usr/share/wazuh-dashboard/data/wazuh/config                                                             0.7s 
 => [builder  8/12] RUN mkdir -p /usr/share/wazuh-dashboard/data/wazuh/logs && chmod -R 775 /usr/share/wazuh-dashboard/data/wazuh/logs                                                                 0.6s 
 => [builder  9/12] COPY config/wazuh.yml /usr/share/wazuh-dashboard/data/wazuh/config/                                                                                                                0.2s 
 => [builder 10/12] COPY config/config.sh .                                                                                                                                                            0.2s 
 => [builder 11/12] COPY config/config.yml /                                                                                                                                                           0.1s 
 => [builder 12/12] RUN bash config.sh                                                                                                                                                                 4.6s
 => [stage-1 10/13] COPY --from=builder --chown=1000:1000 /usr/share/wazuh-dashboard /usr/share/wazuh-dashboard                                                                                       18.1s 
 => [stage-1 11/13] RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom                                                                                                         0.5s 
 => [stage-1 12/13] RUN chown 1000:1000 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom                                                                                                  0.5s 
 => [stage-1 13/13] WORKDIR /usr/share/wazuh-dashboard                                                                                                                                                 0.2s 
 => exporting to image                                                                                                                                                                                10.4s 
 => => exporting layers                                                                                                                                                                               10.3s 
 => => writing image sha256:cd91ee0f7b4090ef1b045f1532e36be1c2b5afd8601bb50674be5680360d54b1                                                                                                           0.0s
 => => naming to docker.io/wazuh/wazuh-dashboard:4.9.0                                                                                                                                                 0.0s
$ cd single-node/
$ docker-compose -f generate-indexer-certs.yml run --rm generator
Creating network "single-node_default" with the default driver
Pulling generator (wazuh/wazuh-certs-generator:0.0.2)...
0.0.2: Pulling from wazuh/wazuh-certs-generator
17d0386c2fff: Pull complete
7ce91ec7d1d3: Pull complete
5249716d429c: Pull complete
d7003467fd14: Pull complete
Digest: sha256:88c4b30ad9b8320ba29f0a891761ad8000866c15c844d27b04974f5cb427c8f0
Status: Downloaded newer image for wazuh/wazuh-certs-generator:0.0.2
Creating single-node_generator_run ... done
The tool to create the certificates exists in the in Packages bucket
06/08/2024 14:18:39 INFO: Generating the root certificate.
06/08/2024 14:18:39 INFO: Generating Admin certificates.
06/08/2024 14:18:39 INFO: Admin certificates created.
06/08/2024 14:18:39 INFO: Generating Wazuh indexer certificates.
06/08/2024 14:18:39 INFO: Wazuh indexer certificates created.
06/08/2024 14:18:39 INFO: Generating Filebeat certificates.
06/08/2024 14:18:40 INFO: Wazuh Filebeat certificates created.
06/08/2024 14:18:40 INFO: Generating Wazuh dashboard certificates.
06/08/2024 14:18:40 INFO: Wazuh dashboard certificates created.
Moving created certificates to the destination directory
Changing certificate permissions
Setting UID indexer and dashboard
Setting UID for wazuh manager and worker
$ docker-compose up -d
Creating volume "single-node_wazuh_api_configuration" with default driver
Creating volume "single-node_wazuh_etc" with default driver
Creating volume "single-node_wazuh_logs" with default driver
Creating volume "single-node_wazuh_queue" with default driver
Creating volume "single-node_wazuh_var_multigroups" with default driver
Creating volume "single-node_wazuh_integrations" with default driver
Creating volume "single-node_wazuh_active_response" with default driver
Creating volume "single-node_wazuh_agentless" with default driver
Creating volume "single-node_wazuh_wodles" with default driver
Creating volume "single-node_filebeat_etc" with default driver
Creating volume "single-node_filebeat_var" with default driver
Creating volume "single-node_wazuh-indexer-data" with default driver
Creating volume "single-node_wazuh-dashboard-config" with default driver
Creating volume "single-node_wazuh-dashboard-custom" with default driver
Creating single-node_wazuh.indexer_1 ... done
Creating single-node_wazuh.manager_1 ... done
Creating single-node_wazuh.dashboard_1 ... done
$ docker logs single-node_wazuh.manager_1 
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing... 
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
Installing /var/ossec/api/configuration
/var/ossec/data_tmp/permanent/var/ossec/etc/
Installing /var/ossec/etc
/var/ossec/data_tmp/permanent/var/ossec/logs/
Installing /var/ossec/logs
/var/ossec/data_tmp/permanent/var/ossec/queue/
Installing /var/ossec/queue
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/wodles/
Installing /var/ossec/wodles
/var/ossec/data_tmp/permanent/etc/filebeat/
Installing /etc/filebeat
Updating /var/ossec/etc/internal_options.conf
Updating /var/ossec/integrations/slack
Updating /var/ossec/integrations/slack.py
Updating /var/ossec/integrations/virustotal
Updating /var/ossec/integrations/virustotal.py
Updating /var/ossec/integrations/shuffle
Updating /var/ossec/integrations/shuffle.py
Updating /var/ossec/integrations/pagerduty
Updating /var/ossec/integrations/pagerduty.py
Updating /var/ossec/integrations/maltiverse
Updating /var/ossec/integrations/maltiverse.py
Updating /var/ossec/active-response/bin/default-firewall-drop
Updating /var/ossec/active-response/bin/disable-account
Updating /var/ossec/active-response/bin/firewalld-drop
Updating /var/ossec/active-response/bin/firewall-drop
Updating /var/ossec/active-response/bin/host-deny
Updating /var/ossec/active-response/bin/ip-customblock
Updating /var/ossec/active-response/bin/ipfw
Updating /var/ossec/active-response/bin/kaspersky.py
Updating /var/ossec/active-response/bin/kaspersky
Updating /var/ossec/active-response/bin/npf
Updating /var/ossec/active-response/bin/wazuh-slack
Updating /var/ossec/active-response/bin/pf
Updating /var/ossec/active-response/bin/restart-wazuh
Updating /var/ossec/active-response/bin/restart.sh
Updating /var/ossec/active-response/bin/route-null
Updating /var/ossec/agentless/sshlogin.exp
Updating /var/ossec/agentless/ssh_pixconfig_diff
Updating /var/ossec/agentless/ssh_asa-fwsmconfig_diff
Updating /var/ossec/agentless/ssh_integrity_check_bsd
Updating /var/ossec/agentless/main.exp
Updating /var/ossec/agentless/su.exp
Updating /var/ossec/agentless/ssh_integrity_check_linux
Updating /var/ossec/agentless/register_host.sh
Updating /var/ossec/agentless/ssh_generic_diff
Updating /var/ossec/agentless/ssh_foundry_diff
Updating /var/ossec/agentless/ssh_nopass.exp
Updating /var/ossec/agentless/ssh.exp
Updating /var/ossec/wodles/utils.py
Updating /var/ossec/wodles/aws/aws-s3
Updating /var/ossec/wodles/aws/aws-s3.py
Updating /var/ossec/wodles/aws/__init__.py
Updating /var/ossec/wodles/aws/aws_tools.py
Updating /var/ossec/wodles/aws/wazuh_integration.py
Updating /var/ossec/wodles/aws/buckets_s3/__init__.py
Updating /var/ossec/wodles/aws/buckets_s3/aws_bucket.py
Updating /var/ossec/wodles/aws/buckets_s3/cloudtrail.py
Updating /var/ossec/wodles/aws/buckets_s3/config.py
Updating /var/ossec/wodles/aws/buckets_s3/guardduty.py
Updating /var/ossec/wodles/aws/buckets_s3/load_balancers.py
Updating /var/ossec/wodles/aws/buckets_s3/server_access.py
Updating /var/ossec/wodles/aws/buckets_s3/umbrella.py
Updating /var/ossec/wodles/aws/buckets_s3/vpcflow.py
Updating /var/ossec/wodles/aws/buckets_s3/waf.py
Updating /var/ossec/wodles/aws/services/__init__.py
Updating /var/ossec/wodles/aws/services/aws_service.py
Updating /var/ossec/wodles/aws/services/cloudwatchlogs.py
Updating /var/ossec/wodles/aws/services/inspector.py
Updating /var/ossec/wodles/aws/subscribers/__init__.py
Updating /var/ossec/wodles/aws/subscribers/s3_log_handler.py
Updating /var/ossec/wodles/aws/subscribers/sqs_message_processor.py
Updating /var/ossec/wodles/aws/subscribers/sqs_queue.py
Updating /var/ossec/wodles/azure/azure-logs
Updating /var/ossec/wodles/azure/azure-logs.py
Updating /var/ossec/wodles/azure/db/orm.py
Updating /var/ossec/wodles/azure/db/utils.py
Updating /var/ossec/wodles/azure/db/__init__.py
Updating /var/ossec/wodles/docker/DockerListener
Updating /var/ossec/wodles/docker/DockerListener.py
Updating /var/ossec/wodles/gcloud/gcloud
Updating /var/ossec/wodles/gcloud/gcloud.py
Updating /var/ossec/wodles/gcloud/integration.py
Updating /var/ossec/wodles/gcloud/tools.py
Updating /var/ossec/wodles/gcloud/exceptions.py
find: '/proc/396/task/396/fd/5': No such file or directory
find: '/proc/396/task/396/fdinfo/5': No such file or directory
find: '/proc/396/fd/6': No such file or directory
find: '/proc/396/fdinfo/6': No such file or directory
find: '/proc/397/task/397/fd/5': No such file or directory
find: '/proc/397/task/397/fdinfo/5': No such file or directory
find: '/proc/397/fd/6': No such file or directory
find: '/proc/397/fdinfo/6': No such file or directory
find: '/proc/398/task/398/fd/5': No such file or directory
find: '/proc/398/task/398/fdinfo/5': No such file or directory
find: '/proc/398/fd/6': No such file or directory
find: '/proc/398/fdinfo/6': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing... 
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing... 
Configuring password.
2024/08/06 15:05:57 wazuh-modulesd:router: INFO: Loaded router module.
2024/08/06 15:05:57 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.9.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/08/06 15:06:01 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/08/06 15:06:08 wazuh-modulesd:router: INFO: Loaded router module.
2024/08/06 15:06:08 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
starting Filebeat
2024/08/06 15:06:08 sca: INFO: Module started.
2024/08/06 15:06:08 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/08/06 15:06:08 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/08/06 15:06:08 sca: INFO: Starting Security Configuration Assessment scan.
2024/08/06 15:06:08 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/08/06 15:06:09 wazuh-modulesd:syscollector: INFO: Module started.
2024/08/06 15:06:09 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/08/06 15:06:09 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/08/06 15:06:09 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh.manager', retrying until the connection is successful.
2024/08/06 15:06:09 wazuh-modulesd:vulnerability-scanner: INFO: Starting database file decompression.
[services.d] done.
2024-08-06T15:06:12.990Z    INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-08-06T15:06:13.004Z    INFO    instance/beat.go:653    Beat ID: d1696603-8d6c-4ff1-9e07-df614107754a
2024-08-06T15:06:13.005Z    INFO    [seccomp]   seccomp/seccomp.go:124  Syscall filter successfully installed
2024-08-06T15:06:13.006Z    INFO    [beat]  instance/beat.go:981    Beat info   {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "d1696603-8d6c-4ff1-9e07-df614107754a"}}}
2024-08-06T15:06:13.006Z    INFO    [beat]  instance/beat.go:990    Build info  {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-08-06T15:06:13.006Z    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2024-08-06T15:06:13.007Z    INFO    [beat]  instance/beat.go:997    Host info   {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-08-05T07:33:47Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","172.18.0.3/16"],"kernel_version":"6.5.0-45-generic","mac":["02:42:ac:12:00:03"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2023","major":2023,"minor":5,"patch":20240730},"timezone":"UTC","timezone_offset_sec":0}}}
2024-08-06T15:06:13.008Z    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 1252, "ppid": 1249, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-08-06T15:06:12.040Z"}}}
2024-08-06T15:06:13.008Z    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2024-08-06T15:06:13.010Z    INFO    eslegclient/connection.go:99    elasticsearch url: https://wazuh.indexer:9200
2024-08-06T15:06:13.011Z    INFO    [publisher] pipeline/module.go:113  Beat name: wazuh.manager
2024-08-06T15:06:13.063Z    INFO    beater/filebeat.go:117  Enabled modules/filesets: wazuh (alerts),  ()
2024-08-06T15:06:13.064Z    INFO    instance/beat.go:455    filebeat start running.
2024-08-06T15:06:13.071Z    INFO    memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2024-08-06T15:06:13.073Z    INFO    memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0
2024-08-06T15:06:13.075Z    INFO    [registrar] registrar/registrar.go:109  States Loaded from registrar: 0
2024-08-06T15:06:13.076Z    INFO    [crawler]   beater/crawler.go:71    Loading Inputs: 1
2024-08-06T15:06:13.076Z    INFO    log/input.go:157    Configured paths: [/var/ossec/logs/alerts/alerts.json]
2024-08-06T15:06:13.077Z    INFO    [crawler]   beater/crawler.go:141   Starting input (ID: 9132358592892857476)
2024-08-06T15:06:13.077Z    INFO    [crawler]   beater/crawler.go:108   Loading and starting Inputs completed. Enabled inputs: 1
2024-08-06T15:06:13.078Z    INFO    log/harvester.go:302    Harvester started for file: /var/ossec/logs/alerts/alerts.json
2024/08/06 15:06:19 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/08/06 15:06:19 sca: INFO: Security Configuration Assessment scan finished. Duration: 11 seconds.
2024-08-06T15:06:21.133Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-08-06T15:06:21.134Z    INFO    [publisher] pipeline/retry.go:223     done
2024-08-06T15:06:21.134Z    INFO    [publisher_pipeline_output] pipeline/output.go:143  Connecting to backoff(elasticsearch(https://wazuh.indexer:9200))
2024-08-06T15:06:22.292Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-08-06T15:06:22.293Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 1 reconnect attempt(s)
2024-08-06T15:06:22.294Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-08-06T15:06:22.295Z    INFO    [publisher] pipeline/retry.go:223     done
2024-08-06T15:06:25.362Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-08-06T15:06:25.366Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 2 reconnect attempt(s)
2024-08-06T15:06:25.367Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-08-06T15:06:25.371Z    INFO    [publisher] pipeline/retry.go:223     done
2024-08-06T15:06:32.247Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): 503 Service Unavailable: OpenSearch Security not initialized.
2024-08-06T15:06:32.247Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 3 reconnect attempt(s)
2024-08-06T15:06:32.247Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-08-06T15:06:32.247Z    INFO    [publisher] pipeline/retry.go:223     done
2024/08/06 15:06:32 rootcheck: INFO: Ending rootcheck scan.
2024-08-06T15:06:32.495Z    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.2
2024-08-06T15:06:32.512Z    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.2
2024-08-06T15:06:32.519Z    INFO    template/load.go:183    Existing template will be overwritten, as overwrite is enabled.
2024-08-06T15:06:32.521Z    INFO    template/load.go:117    Try loading template wazuh to Elasticsearch
2024-08-06T15:06:32.748Z    INFO    template/load.go:109    template with name 'wazuh' loaded.
2024-08-06T15:06:32.748Z    INFO    [index-management]  idxmgmt/std.go:298  Loaded index template.
2024-08-06T15:06:33.038Z    INFO    fileset/pipelines.go:143    Elasticsearch pipeline with ID 'filebeat-7.10.2-wazuh-alerts-pipeline' loaded
2024-08-06T15:06:33.045Z    INFO    [publisher_pipeline_output] pipeline/output.go:151  Connection to backoff(elasticsearch(https://wazuh.indexer:9200)) established
2024/08/06 15:06:41 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh.manager.
2024/08/06 15:07:20 wazuh-modulesd:vulnerability-scanner: INFO: Database decompression finished.
2024/08/06 15:07:21 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.
2024-08-06T15:11:54.290Z    INFO    log/harvester.go:333    File is inactive: /var/ossec/logs/alerts/alerts.json. Closing because close_inactive of 5m0s reached.
2024/08/06 15:19:40 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process.
$