wazuh / wazuh-docker

Wazuh - Docker containers
https://wazuh.com

Wazuh Manager container fails to restart in version 4.9.0 #1520

Closed hpoettker closed 1 month ago

hpoettker commented 1 month ago

Description

The latest release 4.9.0 contains the PR #1274, which deletes the script create_user.py after it is used.

I use the single-node setup, and it starts up fine. However, when the manager container is restarted, e.g. with docker restart wazuh-wazuh.manager-1, it fails to do so with the logs

[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing...
/var/ossec/framework/python/bin/python3: can't open file '/var/ossec/framework/scripts/create_user.py': [Errno 2] No such file or directory
There was an error configuring the API user
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
[cont-finish.d] executing container finish scripts...
s6-svscanctl: fatal: unable to control /var/run/s6/services: supervisor not listening
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svwait: fatal: unable to subscribe to events for /var/run/s6/services/ossec-logs: No such file or directory
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Restarts work fine with 4.8.2.

Is there a check missing that would prevent the script from being called when it has been deleted?

Related

enekux commented 1 month ago

+1

ToXinE commented 1 month ago

Have you managed to solve this?

hpoettker commented 1 month ago

After you've started the manager container at least once, you can stop and delete it.

You can then edit the Docker Compose file and remove its environment variables API_USERNAME and API_PASSWORD. When you then start a fresh manager container, it will use the existing Docker volumes and start up correctly as there will be no attempt to execute the missing script.

It's not really pleasant, but a good workaround, I hope.

vcerenu commented 1 month ago

The error occurs because the create_user.py file is deleted after it is used in the entrypoint.

When the container starts, it generates errors when executing the entrypoint, since the necessary files are not in the volume mounted to the container.

To solve this problem, it is necessary to delete the container and launch it again. This error will be solved in future versions; we are working on it.
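The failure mode discussed above (a one-shot init step whose helper script is removed after first use, then called again on restart) can be avoided by recording completion on the persistent volume. The sketch below is an added example, not wazuh-docker code and not the fix the project shipped; the marker file name and both function names are hypothetical, and the interpreter is replaced by `sh` in the demo so it runs outside a container.

```shell
#!/bin/sh
# Added example: a one-shot init step that survives container restarts.
# Function names and the marker file are hypothetical, not wazuh-docker code.

# Paths as they appear in the issue's logs; overridable for testing.
: "${PYTHON_BIN:=/var/ossec/framework/python/bin/python3}"
: "${CREATE_USER_SCRIPT:=/var/ossec/framework/scripts/create_user.py}"
# Hypothetical marker kept on the persistent API configuration volume.
: "${API_USER_MARKER:=/var/ossec/api/configuration/.api_user_configured}"

configure_api_user() {
    # No credentials requested: nothing to do.
    if [ -z "${API_USERNAME:-}" ] || [ -z "${API_PASSWORD:-}" ]; then
        echo "API_USERNAME/API_PASSWORD not set, skipping API user setup"
        return 0
    fi

    # A previous start already did the work; the helper may be gone by now.
    if [ -f "$API_USER_MARKER" ]; then
        echo "API user already configured, skipping"
        return 0
    fi

    # Never configured and no helper script: a real error, fail the init step.
    if [ ! -f "$CREATE_USER_SCRIPT" ]; then
        echo "Cannot configure the API user: $CREATE_USER_SCRIPT is missing" >&2
        return 1
    fi

    if ! "$PYTHON_BIN" "$CREATE_USER_SCRIPT"; then
        echo "There was an error configuring the API user" >&2
        return 1
    fi

    # Record success before removing the helper, so a restart sees the marker.
    : > "$API_USER_MARKER"
    chmod 600 "$API_USER_MARKER"
    rm -f "$CREATE_USER_SCRIPT"
    return 0
}

# Demo with constructed input. The body runs in a subshell so the overrides
# below do not leak into the caller.
simulate_restarts() (
    dir=$(mktemp -d)
    # Constructed stand-in for create_user.py: it only counts its invocations.
    printf 'echo run >> "%s/calls"\n' "$dir" > "$dir/create_user.py"

    PYTHON_BIN="sh"                      # stand-in for the Python interpreter
    CREATE_USER_SCRIPT="$dir/create_user.py"
    API_USER_MARKER="$dir/.api_user_configured"
    API_USERNAME="example-user"          # constructed value
    API_PASSWORD="example-password"      # constructed value

    first=0;  configure_api_user >/dev/null 2>&1 || first=$?
    # Equivalent of "docker restart": same filesystem, helper already deleted.
    second=0; configure_api_user >/dev/null 2>&1 || second=$?
    calls=$(wc -l < "$dir/calls" | tr -d ' ')

    # Marker lost while the helper is already gone: must fail, not pass silently.
    rm -f "$API_USER_MARKER"
    third=0;  configure_api_user >/dev/null 2>&1 || third=$?

    rm -rf "$dir"
    echo "first=$first second=$second calls=$calls third=$third"
)

simulate_restarts
```

With a marker like this, changing `API_PASSWORD` after the first start is not re-applied until the marker is removed.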

vcerenu commented 1 month ago

Test

The entrypoint has been modified so that it does not delete the create_user.py file and the container can be restarted without generating errors.

Wazuh docker images build:

$ build-docker-images/build-images.sh 
Building wazuh.manager
[+] Building 188.3s (23/23) FINISHED                                                                                                                                                                        
 => [internal] load build definition from Dockerfile                                                                                                                                                   0.1s
 => => transferring dockerfile: 2.35kB                                                                                                                                                                 0.0s
 => [internal] load metadata for docker.io/library/amazonlinux:2023                                                                                                                                    3.9s
 => [auth] library/amazonlinux:pull token for registry-1.docker.io                                                                                                                                     0.0s
 => [internal] load .dockerignore                                                                                                                                                                      0.1s
 => => transferring context: 2B                                                                                                                                                                        0.0s
 => [ 1/16] FROM docker.io/library/amazonlinux:2023@sha256:03b398175f863675186c1a8b38f45d702c5ff0c0faa3a3de9089a0fc58ed7269                                                                           20.6s
 => => resolve docker.io/library/amazonlinux:2023@sha256:03b398175f863675186c1a8b38f45d702c5ff0c0faa3a3de9089a0fc58ed7269                                                                              0.1s
 => => sha256:03b398175f863675186c1a8b38f45d702c5ff0c0faa3a3de9089a0fc58ed7269 2.38kB / 2.38kB                                                                                                         0.0s
 => => sha256:6ae0e55a4983b63d1676d42d946cb38b855b1f6e4c3f7b543c72a229bff7c433 1.02kB / 1.02kB                                                                                                         0.0s
 => => sha256:fdad341b15ef616c9a6a7c432b50be066915424cc2af6af4a3c90a68d1efbb81 575B / 575B                                                                                                             0.0s
 => => sha256:f9dd052e142d6bbee3556a17548362b00b044603d859f7ff1a81d3ef6d64bd6e 52.33MB / 52.33MB                                                                                                       9.7s
 => => extracting sha256:f9dd052e142d6bbee3556a17548362b00b044603d859f7ff1a81d3ef6d64bd6e                                                                                                             10.5s
 => [14/16] ADD https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat                                                                    0.0s
 => [internal] load build context                                                                                                                                                                      0.2s
 => => transferring context: 29.34kB                                                                                                                                                                   0.0s
 => [ 2/16] RUN rm /bin/sh && ln -s /bin/bash /bin/sh                                                                                                                                                  1.2s
 => [ 3/16] RUN yum install curl-minimal xz gnupg tar gzip openssl findutils procps -y &&    yum clean all                                                                                            18.5s
 => [ 4/16] COPY config/check_repository.sh /                                                                                                                                                          0.2s 
 => [ 5/16] COPY config/filebeat_module.sh /                                                                                                                                                           0.2s 
 => [ 6/16] COPY config/permanent_data.env config/permanent_data.sh /                                                                                                                                  0.2s 
 => [ 7/16] RUN chmod 775 /check_repository.sh                                                                                                                                                         0.5s 
 => [ 8/16] RUN source /check_repository.sh                                                                                                                                                            1.5s 
 => [ 9/16] RUN yum install wazuh-manager-4.9.0-1 -y &&     yum clean all &&     chmod 775 /filebeat_module.sh &&     source /filebeat_module.sh &&     rm /filebeat_module.sh &&     curl --fail -  126.7s 
 => [10/16] COPY config/etc/ /etc/                                                                                                                                                                     0.2s 
 => [11/16] COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py                                                                                                  0.2s 
 => [12/16] COPY config/filebeat.yml /etc/filebeat/                                                                                                                                                    0.1s 
 => [13/16] RUN chmod go-w /etc/filebeat/filebeat.yml                                                                                                                                                  0.7s 
 => [14/16] ADD https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat                                                                    0.2s 
 => [15/16] RUN chmod go-w /etc/filebeat/wazuh-template.json                                                                                                                                           0.5s 
 => [16/16] RUN mkdir -p /var/ossec/var/multigroups &&     chown root:wazuh /var/ossec/var/multigroups &&     chmod 770 /var/ossec/var/multigroups &&     mkdir -p /var/ossec/agentless &&     chown   1.8s
 => exporting to image                                                                                                                                                                                10.6s
 => => exporting layers                                                                                                                                                                               10.5s
 => => writing image sha256:5d1ba7b55fb24246838967273136108ed10202360cea66518004c20c17934d86                                                                                                           0.0s
 => => naming to docker.io/wazuh/wazuh-manager:4.9.0                                                                                                                                                   0.0s
Building wazuh.indexer
[+] Building 166.3s (33/33) FINISHED                                                                                                                                                                        
 => [internal] load build definition from Dockerfile                                                                                                                                                   0.1s
 => => transferring dockerfile: 2.76kB                                                                                                                                                                 0.0s
 => [internal] load metadata for docker.io/library/amazonlinux:2023                                                                                                                                    1.0s
 => [internal] load .dockerignore                                                                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                                                                        0.0s
 => CACHED [builder  1/13] FROM docker.io/library/amazonlinux:2023@sha256:03b398175f863675186c1a8b38f45d702c5ff0c0faa3a3de9089a0fc58ed7269                                                             0.0s
 => [internal] load build context                                                                                                                                                                      0.1s
 => => transferring context: 19.34kB                                                                                                                                                                   0.0s
 => [builder  2/13] RUN yum install curl-minimal openssl xz tar findutils shadow-utils -y                                                                                                             17.5s
 => [stage-1  2/16] RUN yum install curl-minimal shadow-utils findutils hostname -y                                                                                                                   17.1s
 => [stage-1  3/16] RUN getent group wazuh-indexer || groupadd -r -g 1000 wazuh-indexer                                                                                                                1.0s
 => [builder  3/13] COPY config/check_repository.sh /                                                                                                                                                  0.3s 
 => [builder  4/13] RUN chmod 775 /check_repository.sh &&     source /check_repository.sh                                                                                                              1.6s 
 => [stage-1  4/16] RUN useradd --system             --uid 1000             --no-create-home             --home-dir /usr/share/wazuh-indexer             --gid wazuh-indexer             --shell /sbi  0.6s 
 => [stage-1  5/16] WORKDIR /usr/share/wazuh-indexer                                                                                                                                                   0.2s 
 => [stage-1  6/16] COPY config/entrypoint.sh /                                                                                                                                                        0.2s 
 => [stage-1  7/16] COPY config/securityadmin.sh /                                                                                                                                                     0.3s 
 => [builder  5/13] RUN yum install wazuh-indexer-4.9.0-1 -y &&     yum clean all                                                                                                                    112.1s 
 => [stage-1  8/16] RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh                                                                                                                        0.7s 
 => [stage-1  9/16] RUN chown 1000:1000 /*.sh                                                                                                                                                          0.6s 
 => [builder  6/13] COPY config/opensearch.yml /                                                                                                                                                       0.2s 
 => [builder  7/13] COPY config/config.sh .                                                                                                                                                            0.1s 
 => [builder  8/13] COPY config/config.yml /                                                                                                                                                           0.1s 
 => [builder  9/13] COPY config/action_groups.yml /                                                                                                                                                    0.1s 
 => [builder 10/13] COPY config/internal_users.yml /                                                                                                                                                   0.1s 
 => [builder 11/13] COPY config/roles_mapping.yml /                                                                                                                                                    0.1s 
 => [builder 12/13] COPY config/roles.yml /                                                                                                                                                            0.1s
 => [builder 13/13] RUN bash config.sh                                                                                                                                                                 4.9s
 => [stage-1 10/16] COPY --from=builder --chown=1000:1000 /usr/share/wazuh-indexer /usr/share/wazuh-indexer                                                                                            3.0s 
 => [stage-1 11/16] COPY --from=builder --chown=1000:1000 /etc/wazuh-indexer /usr/share/wazuh-indexer                                                                                                  0.1s 
 => [stage-1 12/16] COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd                                                                                             0.2s 
 => [stage-1 13/16] COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d                                                                                           0.1s 
 => [stage-1 14/16] COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d                                                                                       0.1s 
 => [stage-1 15/16] RUN chown -R 1000:1000 /usr/share/wazuh-indexer                                                                                                                                    9.3s 
 => [stage-1 16/16] RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer &&     mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs &&    0.6s
 => exporting to image                                                                                                                                                                                 7.5s
 => => exporting layers                                                                                                                                                                                7.5s
 => => writing image sha256:40670e45f88617f4332e6cb2d62df635de5f5ec301131e2e55014444a01713e9                                                                                                           0.0s
 => => naming to docker.io/wazuh/wazuh-indexer:4.9.0                                                                                                                                                   0.0s
Building wazuh.dashboard
[+] Building 225.3s (30/30) FINISHED                                                                                                                                                                        
 => [internal] load build definition from Dockerfile                                                                                                                                                   0.0s
 => => transferring dockerfile: 3.21kB                                                                                                                                                                 0.0s
 => [internal] load metadata for docker.io/library/amazonlinux:2023                                                                                                                                    2.2s
 => [auth] library/amazonlinux:pull token for registry-1.docker.io                                                                                                                                     0.0s
 => [internal] load .dockerignore                                                                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                                                                        0.0s
 => CACHED [builder  1/12] FROM docker.io/library/amazonlinux:2023@sha256:03b398175f863675186c1a8b38f45d702c5ff0c0faa3a3de9089a0fc58ed7269                                                             0.0s
 => [internal] load build context                                                                                                                                                                      0.1s
 => => transferring context: 10.19kB                                                                                                                                                                   0.0s
 => [builder  2/12] RUN yum install curl-minimal libcap openssl -y                                                                                                                                    19.8s
 => [stage-1  2/13] RUN yum install shadow-utils -y                                                                                                                                                   20.6s
 => [builder  3/12] COPY config/check_repository.sh /                                                                                                                                                  0.3s
 => [builder  4/12] RUN chmod 775 /check_repository.sh &&     source /check_repository.sh                                                                                                              1.6s
 => [stage-1  3/13] RUN getent group wazuh-dashboard || groupadd -r -g 1000 wazuh-dashboard                                                                                                            0.6s 
 => [stage-1  4/13] RUN useradd --system             --uid 1000             --no-create-home             --home-dir /usr/share/wazuh-dashboard             --gid wazuh-dashboard             --shell   0.9s 
 => [builder  5/12] RUN yum install wazuh-dashboard-4.9.0-2 -y &&     yum clean all                                                                                                                  101.6s 
 => [stage-1  5/13] COPY config/entrypoint.sh /                                                                                                                                                        0.2s 
 => [stage-1  6/13] COPY config/wazuh_app_config.sh /                                                                                                                                                  0.1s 
 => [stage-1  7/13] RUN chmod 700 /entrypoint.sh                                                                                                                                                       0.6s 
 => [stage-1  8/13] RUN chmod 700 /wazuh_app_config.sh                                                                                                                                                 1.0s 
 => [stage-1  9/13] RUN chown 1000:1000 /*.sh                                                                                                                                                          1.0s 
 => [builder  6/12] RUN mkdir -p /usr/share/wazuh-dashboard/data/wazuh && chmod -R 775 /usr/share/wazuh-dashboard/data/wazuh                                                                           0.5s 
 => [builder  7/12] RUN mkdir -p /usr/share/wazuh-dashboard/data/wazuh/config && chmod -R 775 /usr/share/wazuh-dashboard/data/wazuh/config                                                             0.6s 
 => [builder  8/12] RUN mkdir -p /usr/share/wazuh-dashboard/data/wazuh/logs && chmod -R 775 /usr/share/wazuh-dashboard/data/wazuh/logs                                                                 0.6s 
 => [builder  9/12] COPY config/wazuh.yml /usr/share/wazuh-dashboard/data/wazuh/config/                                                                                                                0.1s 
 => [builder 10/12] COPY config/config.sh .                                                                                                                                                            0.1s 
 => [builder 11/12] COPY config/config.yml /                                                                                                                                                           0.1s 
 => [builder 12/12] RUN bash config.sh                                                                                                                                                                 3.7s
 => [stage-1 10/13] COPY --from=builder --chown=1000:1000 /usr/share/wazuh-dashboard /usr/share/wazuh-dashboard                                                                                       69.0s 
 => [stage-1 11/13] RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom                                                                                                         0.5s 
 => [stage-1 12/13] RUN chown 1000:1000 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom                                                                                                  0.8s 
 => [stage-1 13/13] WORKDIR /usr/share/wazuh-dashboard                                                                                                                                                 0.2s 
 => exporting to image                                                                                                                                                                                10.6s 
 => => exporting layers                                                                                                                                                                               10.5s 
 => => writing image sha256:c4fa4db8a913ef9a65267ddaa7deef5b34cc5f1b6c338ce315e4f374b9a40316                                                                                                           0.0s
 => => naming to docker.io/wazuh/wazuh-dashboard:4.9.0     

Docker stack start:

$ cd single-node/
$ docker-compose -f generate-indexer-certs.yml run --rm generator
Creating network "single-node_default" with the default driver
Pulling generator (wazuh/wazuh-certs-generator:0.0.2)...
0.0.2: Pulling from wazuh/wazuh-certs-generator
17d0386c2fff: Pull complete
7ce91ec7d1d3: Pull complete
5249716d429c: Pull complete
d7003467fd14: Pull complete
Digest: sha256:88c4b30ad9b8320ba29f0a891761ad8000866c15c844d27b04974f5cb427c8f0
Status: Downloaded newer image for wazuh/wazuh-certs-generator:0.0.2
Creating single-node_generator_run ... done
The tool to create the certificates exists in the in Packages bucket
13/09/2024 16:41:55 INFO: Generating the root certificate.
13/09/2024 16:41:55 INFO: Generating Admin certificates.
13/09/2024 16:41:55 INFO: Admin certificates created.
13/09/2024 16:41:55 INFO: Generating Wazuh indexer certificates.
13/09/2024 16:41:56 INFO: Wazuh indexer certificates created.
13/09/2024 16:41:56 INFO: Generating Filebeat certificates.
13/09/2024 16:41:56 INFO: Wazuh Filebeat certificates created.
13/09/2024 16:41:56 INFO: Generating Wazuh dashboard certificates.
13/09/2024 16:41:56 INFO: Wazuh dashboard certificates created.
Moving created certificates to the destination directory
Changing certificate permissions
Setting UID indexer and dashboard
Setting UID for wazuh manager and worker
$ docker-compose up -d
Creating volume "single-node_wazuh_api_configuration" with default driver
Creating volume "single-node_wazuh_etc" with default driver
Creating volume "single-node_wazuh_logs" with default driver
Creating volume "single-node_wazuh_queue" with default driver
Creating volume "single-node_wazuh_var_multigroups" with default driver
Creating volume "single-node_wazuh_integrations" with default driver
Creating volume "single-node_wazuh_active_response" with default driver
Creating volume "single-node_wazuh_agentless" with default driver
Creating volume "single-node_wazuh_wodles" with default driver
Creating volume "single-node_filebeat_etc" with default driver
Creating volume "single-node_filebeat_var" with default driver
Creating volume "single-node_wazuh-indexer-data" with default driver
Creating volume "single-node_wazuh-dashboard-config" with default driver
Creating volume "single-node_wazuh-dashboard-custom" with default driver
Creating single-node_wazuh.indexer_1 ... done
Creating single-node_wazuh.manager_1 ... done
Creating single-node_wazuh.dashboard_1 ... done
$ docker logs single-node_wazuh.manager_1 -f
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing... 
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
Installing /var/ossec/api/configuration
/var/ossec/data_tmp/permanent/var/ossec/etc/
Installing /var/ossec/etc
/var/ossec/data_tmp/permanent/var/ossec/logs/
Installing /var/ossec/logs
/var/ossec/data_tmp/permanent/var/ossec/queue/
Installing /var/ossec/queue
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/wodles/
Installing /var/ossec/wodles
/var/ossec/data_tmp/permanent/etc/filebeat/
Installing /etc/filebeat
Updating /var/ossec/etc/internal_options.conf
Updating /var/ossec/integrations/slack
Updating /var/ossec/integrations/slack.py
Updating /var/ossec/integrations/virustotal
Updating /var/ossec/integrations/virustotal.py
Updating /var/ossec/integrations/shuffle
Updating /var/ossec/integrations/shuffle.py
Updating /var/ossec/integrations/pagerduty
Updating /var/ossec/integrations/pagerduty.py
Updating /var/ossec/integrations/maltiverse
Updating /var/ossec/integrations/maltiverse.py
Updating /var/ossec/active-response/bin/default-firewall-drop
Updating /var/ossec/active-response/bin/disable-account
Updating /var/ossec/active-response/bin/firewalld-drop
Updating /var/ossec/active-response/bin/firewall-drop
Updating /var/ossec/active-response/bin/host-deny
Updating /var/ossec/active-response/bin/ip-customblock
Updating /var/ossec/active-response/bin/ipfw
Updating /var/ossec/active-response/bin/kaspersky.py
Updating /var/ossec/active-response/bin/kaspersky
Updating /var/ossec/active-response/bin/npf
Updating /var/ossec/active-response/bin/wazuh-slack
Updating /var/ossec/active-response/bin/pf
Updating /var/ossec/active-response/bin/restart-wazuh
Updating /var/ossec/active-response/bin/restart.sh
Updating /var/ossec/active-response/bin/route-null
Updating /var/ossec/agentless/sshlogin.exp
Updating /var/ossec/agentless/ssh_pixconfig_diff
Updating /var/ossec/agentless/ssh_asa-fwsmconfig_diff
Updating /var/ossec/agentless/ssh_integrity_check_bsd
Updating /var/ossec/agentless/main.exp
Updating /var/ossec/agentless/su.exp
Updating /var/ossec/agentless/ssh_integrity_check_linux
Updating /var/ossec/agentless/register_host.sh
Updating /var/ossec/agentless/ssh_generic_diff
Updating /var/ossec/agentless/ssh_foundry_diff
Updating /var/ossec/agentless/ssh_nopass.exp
Updating /var/ossec/agentless/ssh.exp
Updating /var/ossec/wodles/utils.py
Updating /var/ossec/wodles/aws/aws-s3
Updating /var/ossec/wodles/aws/aws-s3.py
Updating /var/ossec/wodles/aws/__init__.py
Updating /var/ossec/wodles/aws/aws_tools.py
Updating /var/ossec/wodles/aws/wazuh_integration.py
Updating /var/ossec/wodles/aws/buckets_s3/__init__.py
Updating /var/ossec/wodles/aws/buckets_s3/aws_bucket.py
Updating /var/ossec/wodles/aws/buckets_s3/cloudtrail.py
Updating /var/ossec/wodles/aws/buckets_s3/config.py
Updating /var/ossec/wodles/aws/buckets_s3/guardduty.py
Updating /var/ossec/wodles/aws/buckets_s3/load_balancers.py
Updating /var/ossec/wodles/aws/buckets_s3/server_access.py
Updating /var/ossec/wodles/aws/buckets_s3/umbrella.py
Updating /var/ossec/wodles/aws/buckets_s3/vpcflow.py
Updating /var/ossec/wodles/aws/buckets_s3/waf.py
Updating /var/ossec/wodles/aws/services/__init__.py
Updating /var/ossec/wodles/aws/services/aws_service.py
Updating /var/ossec/wodles/aws/services/cloudwatchlogs.py
Updating /var/ossec/wodles/aws/services/inspector.py
Updating /var/ossec/wodles/aws/subscribers/__init__.py
Updating /var/ossec/wodles/aws/subscribers/s3_log_handler.py
Updating /var/ossec/wodles/aws/subscribers/sqs_message_processor.py
Updating /var/ossec/wodles/aws/subscribers/sqs_queue.py
Updating /var/ossec/wodles/azure/azure-logs
Updating /var/ossec/wodles/azure/azure-logs.py
Updating /var/ossec/wodles/azure/db/orm.py
Updating /var/ossec/wodles/azure/db/utils.py
Updating /var/ossec/wodles/azure/db/__init__.py
Updating /var/ossec/wodles/docker/DockerListener
Updating /var/ossec/wodles/docker/DockerListener.py
Updating /var/ossec/wodles/gcloud/gcloud
Updating /var/ossec/wodles/gcloud/gcloud.py
Updating /var/ossec/wodles/gcloud/integration.py
Updating /var/ossec/wodles/gcloud/tools.py
Updating /var/ossec/wodles/gcloud/exceptions.py
find: '/proc/396/task/396/fd/5': No such file or directory
find: '/proc/396/task/396/fdinfo/5': No such file or directory
find: '/proc/396/fd/6': No such file or directory
find: '/proc/396/fdinfo/6': No such file or directory
find: '/proc/397/task/397/fd/5': No such file or directory
find: '/proc/397/task/397/fdinfo/5': No such file or directory
find: '/proc/397/fd/6': No such file or directory
find: '/proc/397/fdinfo/6': No such file or directory
find: '/proc/398/task/398/fd/5': No such file or directory
find: '/proc/398/task/398/fdinfo/5': No such file or directory
find: '/proc/398/fd/6': No such file or directory
find: '/proc/398/fdinfo/6': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing... 
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing... 
Configuring password.
2024/09/13 16:42:43 wazuh-modulesd:router: INFO: Loaded router module.
2024/09/13 16:42:43 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.9.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/09/13 16:42:46 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/09/13 16:42:52 wazuh-modulesd:router: INFO: Loaded router module.
2024/09/13 16:42:52 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
starting Filebeat
2024/09/13 16:42:52 sca: INFO: Module started.
2024/09/13 16:42:52 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/09/13 16:42:52 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/09/13 16:42:52 sca: INFO: Starting Security Configuration Assessment scan.
2024/09/13 16:42:53 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/09/13 16:42:53 wazuh-modulesd:syscollector: INFO: Module started.
2024/09/13 16:42:53 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/09/13 16:42:53 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/09/13 16:42:53 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh.manager', retrying until the connection is successful.
2024/09/13 16:42:53 wazuh-modulesd:vulnerability-scanner: INFO: Starting database file decompression.
2024-09-13T16:42:55.840Z    INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-09-13T16:42:55.862Z    INFO    instance/beat.go:653    Beat ID: c106c95b-9c26-4c9f-ae50-5af484e34270
2024-09-13T16:42:55.869Z    INFO    [seccomp]   seccomp/seccomp.go:124  Syscall filter successfully installed
2024-09-13T16:42:55.876Z    INFO    [beat]  instance/beat.go:981    Beat info   {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "c106c95b-9c26-4c9f-ae50-5af484e34270"}}}
2024-09-13T16:42:55.876Z    INFO    [beat]  instance/beat.go:990    Build info  {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-09-13T16:42:55.876Z    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2024-09-13T16:42:55.914Z    INFO    [beat]  instance/beat.go:997    Host info   {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-09-13T14:39:27Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","172.18.0.2/16"],"kernel_version":"6.8.0-40-generic","mac":["02:42:ac:12:00:02"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2023","major":2023,"minor":5,"patch":20240903},"timezone":"UTC","timezone_offset_sec":0}}}
2024-09-13T16:42:55.914Z    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 1238, "ppid": 1234, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-09-13T16:42:54.630Z"}}}
2024-09-13T16:42:55.915Z    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2024-09-13T16:42:55.941Z    INFO    eslegclient/connection.go:99    elasticsearch url: https://wazuh.indexer:9200
2024-09-13T16:42:55.942Z    INFO    [publisher] pipeline/module.go:113  Beat name: wazuh.manager
2024-09-13T16:42:55.957Z    INFO    beater/filebeat.go:117  Enabled modules/filesets: wazuh (alerts),  ()
2024-09-13T16:42:55.959Z    INFO    instance/beat.go:455    filebeat start running.
2024-09-13T16:42:56.010Z    INFO    memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2024-09-13T16:42:56.030Z    INFO    memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0
2024-09-13T16:42:56.038Z    INFO    [registrar] registrar/registrar.go:109  States Loaded from registrar: 0
2024-09-13T16:42:56.047Z    INFO    [crawler]   beater/crawler.go:71    Loading Inputs: 1
2024-09-13T16:42:56.062Z    INFO    log/input.go:157    Configured paths: [/var/ossec/logs/alerts/alerts.json]
2024-09-13T16:42:56.100Z    INFO    [crawler]   beater/crawler.go:141   Starting input (ID: 9132358592892857476)
2024-09-13T16:42:56.100Z    INFO    [crawler]   beater/crawler.go:108   Loading and starting Inputs completed. Enabled inputs: 1
2024-09-13T16:42:56.108Z    INFO    log/harvester.go:302    Harvester started for file: /var/ossec/logs/alerts/alerts.json
2024/09/13 16:43:02 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/09/13 16:43:02 sca: INFO: Security Configuration Assessment scan finished. Duration: 10 seconds.
2024-09-13T16:43:04.161Z    INFO    [publisher_pipeline_output] pipeline/output.go:143  Connecting to backoff(elasticsearch(https://wazuh.indexer:9200))
2024-09-13T16:43:04.161Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:43:04.161Z    INFO    [publisher] pipeline/retry.go:223     done
2024-09-13T16:43:05.257Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.3:9200: connect: connection refused
2024-09-13T16:43:05.257Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 1 reconnect attempt(s)
2024-09-13T16:43:05.257Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:43:05.258Z    INFO    [publisher] pipeline/retry.go:223     done

Bring the stack down and start it:

$ docker-compose down
Stopping single-node_wazuh.dashboard_1 ... done
Stopping single-node_wazuh.indexer_1   ... done
Stopping single-node_wazuh.manager_1   ... done
Removing single-node_wazuh.dashboard_1 ... done
Removing single-node_wazuh.indexer_1   ... done
Removing single-node_wazuh.manager_1   ... done
Removing network single-node_default
$ docker-compose up -d
Creating network "single-node_default" with the default driver
Creating single-node_wazuh.manager_1 ... done
Creating single-node_wazuh.indexer_1 ... done
Creating single-node_wazuh.dashboard_1 ... done
$ docker logs single-node_wazuh.manager_1 -f
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing... 
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
The path /var/ossec/api/configuration is already mounted
/var/ossec/data_tmp/permanent/var/ossec/etc/
The path /var/ossec/etc is already mounted
/var/ossec/data_tmp/permanent/var/ossec/logs/
The path /var/ossec/logs is already mounted
/var/ossec/data_tmp/permanent/var/ossec/queue/
The path /var/ossec/queue is already mounted
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is already mounted
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is already mounted
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is already mounted
/var/ossec/data_tmp/permanent/var/ossec/wodles/
The path /var/ossec/wodles is already mounted
/var/ossec/data_tmp/permanent/etc/filebeat/
The path /etc/filebeat is already mounted
Updating /var/ossec/etc/internal_options.conf
Updating /var/ossec/integrations/slack
Updating /var/ossec/integrations/slack.py
Updating /var/ossec/integrations/virustotal
Updating /var/ossec/integrations/virustotal.py
Updating /var/ossec/integrations/shuffle
Updating /var/ossec/integrations/shuffle.py
Updating /var/ossec/integrations/pagerduty
Updating /var/ossec/integrations/pagerduty.py
Updating /var/ossec/integrations/maltiverse
Updating /var/ossec/integrations/maltiverse.py
Updating /var/ossec/active-response/bin/default-firewall-drop
Updating /var/ossec/active-response/bin/disable-account
Updating /var/ossec/active-response/bin/firewalld-drop
Updating /var/ossec/active-response/bin/firewall-drop
Updating /var/ossec/active-response/bin/host-deny
Updating /var/ossec/active-response/bin/ip-customblock
Updating /var/ossec/active-response/bin/ipfw
Updating /var/ossec/active-response/bin/kaspersky.py
Updating /var/ossec/active-response/bin/kaspersky
Updating /var/ossec/active-response/bin/npf
Updating /var/ossec/active-response/bin/wazuh-slack
Updating /var/ossec/active-response/bin/pf
Updating /var/ossec/active-response/bin/restart-wazuh
Updating /var/ossec/active-response/bin/restart.sh
Updating /var/ossec/active-response/bin/route-null
Updating /var/ossec/agentless/sshlogin.exp
Updating /var/ossec/agentless/ssh_pixconfig_diff
Updating /var/ossec/agentless/ssh_asa-fwsmconfig_diff
Updating /var/ossec/agentless/ssh_integrity_check_bsd
Updating /var/ossec/agentless/main.exp
Updating /var/ossec/agentless/su.exp
Updating /var/ossec/agentless/ssh_integrity_check_linux
Updating /var/ossec/agentless/register_host.sh
Updating /var/ossec/agentless/ssh_generic_diff
Updating /var/ossec/agentless/ssh_foundry_diff
Updating /var/ossec/agentless/ssh_nopass.exp
Updating /var/ossec/agentless/ssh.exp
Updating /var/ossec/wodles/utils.py
Updating /var/ossec/wodles/aws/aws-s3
Updating /var/ossec/wodles/aws/aws-s3.py
Updating /var/ossec/wodles/aws/__init__.py
Updating /var/ossec/wodles/aws/aws_tools.py
Updating /var/ossec/wodles/aws/wazuh_integration.py
Updating /var/ossec/wodles/aws/buckets_s3/__init__.py
Updating /var/ossec/wodles/aws/buckets_s3/aws_bucket.py
Updating /var/ossec/wodles/aws/buckets_s3/cloudtrail.py
Updating /var/ossec/wodles/aws/buckets_s3/config.py
Updating /var/ossec/wodles/aws/buckets_s3/guardduty.py
Updating /var/ossec/wodles/aws/buckets_s3/load_balancers.py
Updating /var/ossec/wodles/aws/buckets_s3/server_access.py
Updating /var/ossec/wodles/aws/buckets_s3/umbrella.py
Updating /var/ossec/wodles/aws/buckets_s3/vpcflow.py
Updating /var/ossec/wodles/aws/buckets_s3/waf.py
Updating /var/ossec/wodles/aws/services/__init__.py
Updating /var/ossec/wodles/aws/services/aws_service.py
Updating /var/ossec/wodles/aws/services/cloudwatchlogs.py
Updating /var/ossec/wodles/aws/services/inspector.py
Updating /var/ossec/wodles/aws/subscribers/__init__.py
Updating /var/ossec/wodles/aws/subscribers/s3_log_handler.py
Updating /var/ossec/wodles/aws/subscribers/sqs_message_processor.py
Updating /var/ossec/wodles/aws/subscribers/sqs_queue.py
Updating /var/ossec/wodles/azure/azure-logs
Updating /var/ossec/wodles/azure/azure-logs.py
Updating /var/ossec/wodles/azure/db/orm.py
Updating /var/ossec/wodles/azure/db/utils.py
Updating /var/ossec/wodles/azure/db/__init__.py
Updating /var/ossec/wodles/docker/DockerListener
Updating /var/ossec/wodles/docker/DockerListener.py
Updating /var/ossec/wodles/gcloud/gcloud
Updating /var/ossec/wodles/gcloud/gcloud.py
Updating /var/ossec/wodles/gcloud/integration.py
Updating /var/ossec/wodles/gcloud/tools.py
Updating /var/ossec/wodles/gcloud/exceptions.py
find: '/proc/372/task/372/fd/5': No such file or directory
find: '/proc/372/task/372/fdinfo/5': No such file or directory
find: '/proc/372/fd/6': No such file or directory
find: '/proc/372/fdinfo/6': No such file or directory
find: '/proc/373/task/373/fd/5': No such file or directory
find: '/proc/373/task/373/fdinfo/5': No such file or directory
find: '/proc/373/fd/6': No such file or directory
find: '/proc/373/fdinfo/6': No such file or directory
find: '/proc/374/task/374/fd/5': No such file or directory
find: '/proc/374/task/374/fdinfo/5': No such file or directory
find: '/proc/374/fd/6': No such file or directory
find: '/proc/374/fdinfo/6': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing... 
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing... 
Configuring password.
2024/09/13 16:43:45 wazuh-modulesd:router: INFO: Loaded router module.
2024/09/13 16:43:45 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.9.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/09/13 16:43:49 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/09/13 16:43:55 wazuh-modulesd:router: INFO: Loaded router module.
2024/09/13 16:43:55 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
starting Filebeat
2024/09/13 16:43:55 wazuh-modulesd:content_manager: INFO: Starting content_manager module.
2024/09/13 16:43:55 wazuh-modulesd:download: INFO: Module started.
2024/09/13 16:43:55 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/09/13 16:43:55 sca: INFO: Starting Security Configuration Assessment scan.
2024/09/13 16:43:55 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/09/13 16:43:55 wazuh-modulesd:syscollector: INFO: Module started.
2024/09/13 16:43:55 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/09/13 16:43:56 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/09/13 16:43:56 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh.manager', retrying until the connection is successful.
2024/09/13 16:43:56 wazuh-modulesd:vulnerability-scanner: INFO: Starting database file decompression.
[services.d] done.
2024-09-13T16:44:00.090Z    INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-09-13T16:44:00.090Z    INFO    instance/beat.go:653    Beat ID: c106c95b-9c26-4c9f-ae50-5af484e34270
2024-09-13T16:44:00.093Z    INFO    [seccomp]   seccomp/seccomp.go:124  Syscall filter successfully installed
2024-09-13T16:44:00.093Z    INFO    [beat]  instance/beat.go:981    Beat info   {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "c106c95b-9c26-4c9f-ae50-5af484e34270"}}}
2024-09-13T16:44:00.093Z    INFO    [beat]  instance/beat.go:990    Build info  {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-09-13T16:44:00.093Z    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2024-09-13T16:44:00.094Z    INFO    [beat]  instance/beat.go:997    Host info   {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-09-13T14:39:27Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","172.18.0.3/16"],"kernel_version":"6.8.0-40-generic","mac":["02:42:ac:12:00:03"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2023","major":2023,"minor":5,"patch":20240903},"timezone":"UTC","timezone_offset_sec":0}}}
2024-09-13T16:44:00.096Z    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 1369, "ppid": 1367, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-09-13T16:43:59.290Z"}}}
2024-09-13T16:44:00.097Z    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2024-09-13T16:44:00.105Z    INFO    eslegclient/connection.go:99    elasticsearch url: https://wazuh.indexer:9200
2024-09-13T16:44:00.110Z    INFO    [publisher] pipeline/module.go:113  Beat name: wazuh.manager
2024-09-13T16:44:00.118Z    INFO    beater/filebeat.go:117  Enabled modules/filesets: wazuh (alerts),  ()
2024-09-13T16:44:00.119Z    INFO    instance/beat.go:455    filebeat start running.
2024-09-13T16:44:00.119Z    INFO    memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2024-09-13T16:44:00.119Z    INFO    memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=2
2024-09-13T16:44:00.120Z    INFO    [registrar] registrar/registrar.go:109  States Loaded from registrar: 1
2024-09-13T16:44:00.120Z    INFO    [crawler]   beater/crawler.go:71    Loading Inputs: 1
2024-09-13T16:44:00.120Z    INFO    log/input.go:157    Configured paths: [/var/ossec/logs/alerts/alerts.json]
2024-09-13T16:44:00.120Z    INFO    [crawler]   beater/crawler.go:141   Starting input (ID: 9132358592892857476)
2024-09-13T16:44:00.120Z    INFO    [crawler]   beater/crawler.go:108   Loading and starting Inputs completed. Enabled inputs: 1
2024-09-13T16:44:00.123Z    INFO    log/harvester.go:302    Harvester started for file: /var/ossec/logs/alerts/alerts.json
2024-09-13T16:44:01.306Z    INFO    [publisher_pipeline_output] pipeline/output.go:143  Connecting to backoff(elasticsearch(https://wazuh.indexer:9200))
2024-09-13T16:44:01.309Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:44:01.311Z    INFO    [publisher] pipeline/retry.go:223     done
2024-09-13T16:44:02.398Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-09-13T16:44:02.399Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 1 reconnect attempt(s)
2024-09-13T16:44:02.400Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:44:02.400Z    INFO    [publisher] pipeline/retry.go:223     done
2024/09/13 16:44:05 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/09/13 16:44:05 sca: INFO: Security Configuration Assessment scan finished. Duration: 10 seconds.
2024-09-13T16:44:06.072Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-09-13T16:44:06.072Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 2 reconnect attempt(s)
2024-09-13T16:44:06.073Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:44:06.073Z    INFO    [publisher] pipeline/retry.go:223     done
2024-09-13T16:44:13.337Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-09-13T16:44:13.343Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 3 reconnect attempt(s)
2024-09-13T16:44:13.350Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:44:13.351Z    INFO    [publisher] pipeline/retry.go:223     done
2024/09/13 16:44:23 rootcheck: INFO: Ending rootcheck scan.
2024-09-13T16:44:25.772Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): 503 Service Unavailable: OpenSearch Security not initialized.
2024-09-13T16:44:25.786Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 4 reconnect attempt(s)
2024-09-13T16:44:25.788Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:44:25.789Z    INFO    [publisher] pipeline/retry.go:223     done
2024-09-13T16:44:26.212Z    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.2
2024-09-13T16:44:26.228Z    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.2
2024-09-13T16:44:26.490Z    INFO    fileset/pipelines.go:143    Elasticsearch pipeline with ID 'filebeat-7.10.2-wazuh-alerts-pipeline' loaded
2024-09-13T16:44:26.500Z    INFO    template/load.go:183    Existing template will be overwritten, as overwrite is enabled.
2024-09-13T16:44:26.511Z    INFO    template/load.go:117    Try loading template wazuh to Elasticsearch
2024-09-13T16:44:26.832Z    INFO    template/load.go:109    template with name 'wazuh' loaded.
2024-09-13T16:44:26.832Z    INFO    [index-management]  idxmgmt/std.go:298  Loaded index template.
2024-09-13T16:44:26.832Z    INFO    [publisher_pipeline_output] pipeline/output.go:151  Connection to backoff(elasticsearch(https://wazuh.indexer:9200)) established
2024/09/13 16:44:28 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh.manager.

Restart the Wazuh manager container:

$ docker restart single-node_wazuh.manager_1 
single-node_wazuh.manager_1
$ docker logs single-node_wazuh.manager_1 -f
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing... 
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
The path /var/ossec/api/configuration is already mounted
/var/ossec/data_tmp/permanent/var/ossec/etc/
The path /var/ossec/etc is already mounted
/var/ossec/data_tmp/permanent/var/ossec/logs/
The path /var/ossec/logs is already mounted
/var/ossec/data_tmp/permanent/var/ossec/queue/
The path /var/ossec/queue is already mounted
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is already mounted
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is already mounted
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is already mounted
/var/ossec/data_tmp/permanent/var/ossec/wodles/
The path /var/ossec/wodles is already mounted
/var/ossec/data_tmp/permanent/etc/filebeat/
The path /etc/filebeat is already mounted
Updating /var/ossec/etc/internal_options.conf
Updating /var/ossec/integrations/slack
Updating /var/ossec/integrations/slack.py
Updating /var/ossec/integrations/virustotal
Updating /var/ossec/integrations/virustotal.py
Updating /var/ossec/integrations/shuffle
Updating /var/ossec/integrations/shuffle.py
Updating /var/ossec/integrations/pagerduty
Updating /var/ossec/integrations/pagerduty.py
Updating /var/ossec/integrations/maltiverse
Updating /var/ossec/integrations/maltiverse.py
Updating /var/ossec/active-response/bin/default-firewall-drop
Updating /var/ossec/active-response/bin/disable-account
Updating /var/ossec/active-response/bin/firewalld-drop
Updating /var/ossec/active-response/bin/firewall-drop
Updating /var/ossec/active-response/bin/host-deny
Updating /var/ossec/active-response/bin/ip-customblock
Updating /var/ossec/active-response/bin/ipfw
Updating /var/ossec/active-response/bin/kaspersky.py
Updating /var/ossec/active-response/bin/kaspersky
Updating /var/ossec/active-response/bin/npf
Updating /var/ossec/active-response/bin/wazuh-slack
Updating /var/ossec/active-response/bin/pf
Updating /var/ossec/active-response/bin/restart-wazuh
Updating /var/ossec/active-response/bin/restart.sh
Updating /var/ossec/active-response/bin/route-null
Updating /var/ossec/agentless/sshlogin.exp
Updating /var/ossec/agentless/ssh_pixconfig_diff
Updating /var/ossec/agentless/ssh_asa-fwsmconfig_diff
Updating /var/ossec/agentless/ssh_integrity_check_bsd
Updating /var/ossec/agentless/main.exp
Updating /var/ossec/agentless/su.exp
Updating /var/ossec/agentless/ssh_integrity_check_linux
Updating /var/ossec/agentless/register_host.sh
Updating /var/ossec/agentless/ssh_generic_diff
Updating /var/ossec/agentless/ssh_foundry_diff
Updating /var/ossec/agentless/ssh_nopass.exp
Updating /var/ossec/agentless/ssh.exp
Updating /var/ossec/wodles/utils.py
Updating /var/ossec/wodles/aws/aws-s3
Updating /var/ossec/wodles/aws/aws-s3.py
Updating /var/ossec/wodles/aws/__init__.py
Updating /var/ossec/wodles/aws/aws_tools.py
Updating /var/ossec/wodles/aws/wazuh_integration.py
Updating /var/ossec/wodles/aws/buckets_s3/__init__.py
Updating /var/ossec/wodles/aws/buckets_s3/aws_bucket.py
Updating /var/ossec/wodles/aws/buckets_s3/cloudtrail.py
Updating /var/ossec/wodles/aws/buckets_s3/config.py
Updating /var/ossec/wodles/aws/buckets_s3/guardduty.py
Updating /var/ossec/wodles/aws/buckets_s3/load_balancers.py
Updating /var/ossec/wodles/aws/buckets_s3/server_access.py
Updating /var/ossec/wodles/aws/buckets_s3/umbrella.py
Updating /var/ossec/wodles/aws/buckets_s3/vpcflow.py
Updating /var/ossec/wodles/aws/buckets_s3/waf.py
Updating /var/ossec/wodles/aws/services/__init__.py
Updating /var/ossec/wodles/aws/services/aws_service.py
Updating /var/ossec/wodles/aws/services/cloudwatchlogs.py
Updating /var/ossec/wodles/aws/services/inspector.py
Updating /var/ossec/wodles/aws/subscribers/__init__.py
Updating /var/ossec/wodles/aws/subscribers/s3_log_handler.py
Updating /var/ossec/wodles/aws/subscribers/sqs_message_processor.py
Updating /var/ossec/wodles/aws/subscribers/sqs_queue.py
Updating /var/ossec/wodles/azure/azure-logs
Updating /var/ossec/wodles/azure/azure-logs.py
Updating /var/ossec/wodles/azure/db/orm.py
Updating /var/ossec/wodles/azure/db/utils.py
Updating /var/ossec/wodles/azure/db/__init__.py
Updating /var/ossec/wodles/docker/DockerListener
Updating /var/ossec/wodles/docker/DockerListener.py
Updating /var/ossec/wodles/gcloud/gcloud
Updating /var/ossec/wodles/gcloud/gcloud.py
Updating /var/ossec/wodles/gcloud/integration.py
Updating /var/ossec/wodles/gcloud/tools.py
Updating /var/ossec/wodles/gcloud/exceptions.py
find: '/proc/372/task/372/fd/5': No such file or directory
find: '/proc/372/task/372/fdinfo/5': No such file or directory
find: '/proc/372/fd/6': No such file or directory
find: '/proc/372/fdinfo/6': No such file or directory
find: '/proc/373/task/373/fd/5': No such file or directory
find: '/proc/373/task/373/fdinfo/5': No such file or directory
find: '/proc/373/fd/6': No such file or directory
find: '/proc/373/fdinfo/6': No such file or directory
find: '/proc/374/task/374/fd/5': No such file or directory
find: '/proc/374/task/374/fdinfo/5': No such file or directory
find: '/proc/374/fd/6': No such file or directory
find: '/proc/374/fdinfo/6': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing... 
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing... 
Configuring password.
2024/09/13 16:43:45 wazuh-modulesd:router: INFO: Loaded router module.
2024/09/13 16:43:45 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.9.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/09/13 16:43:49 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/09/13 16:43:55 wazuh-modulesd:router: INFO: Loaded router module.
2024/09/13 16:43:55 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
starting Filebeat
2024/09/13 16:43:55 wazuh-modulesd:content_manager: INFO: Starting content_manager module.
2024/09/13 16:43:55 wazuh-modulesd:download: INFO: Module started.
2024/09/13 16:43:55 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/09/13 16:43:55 sca: INFO: Starting Security Configuration Assessment scan.
2024/09/13 16:43:55 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/09/13 16:43:55 wazuh-modulesd:syscollector: INFO: Module started.
2024/09/13 16:43:55 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/09/13 16:43:56 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/09/13 16:43:56 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh.manager', retrying until the connection is successful.
2024/09/13 16:43:56 wazuh-modulesd:vulnerability-scanner: INFO: Starting database file decompression.
[services.d] done.
2024-09-13T16:44:00.090Z    INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-09-13T16:44:00.090Z    INFO    instance/beat.go:653    Beat ID: c106c95b-9c26-4c9f-ae50-5af484e34270
2024-09-13T16:44:00.093Z    INFO    [seccomp]   seccomp/seccomp.go:124  Syscall filter successfully installed
2024-09-13T16:44:00.093Z    INFO    [beat]  instance/beat.go:981    Beat info   {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "c106c95b-9c26-4c9f-ae50-5af484e34270"}}}
2024-09-13T16:44:00.093Z    INFO    [beat]  instance/beat.go:990    Build info  {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-09-13T16:44:00.093Z    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2024-09-13T16:44:00.094Z    INFO    [beat]  instance/beat.go:997    Host info   {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-09-13T14:39:27Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","172.18.0.3/16"],"kernel_version":"6.8.0-40-generic","mac":["02:42:ac:12:00:03"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2023","major":2023,"minor":5,"patch":20240903},"timezone":"UTC","timezone_offset_sec":0}}}
2024-09-13T16:44:00.096Z    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 1369, "ppid": 1367, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-09-13T16:43:59.290Z"}}}
2024-09-13T16:44:00.097Z    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2024-09-13T16:44:00.105Z    INFO    eslegclient/connection.go:99    elasticsearch url: https://wazuh.indexer:9200
2024-09-13T16:44:00.110Z    INFO    [publisher] pipeline/module.go:113  Beat name: wazuh.manager
2024-09-13T16:44:00.118Z    INFO    beater/filebeat.go:117  Enabled modules/filesets: wazuh (alerts),  ()
2024-09-13T16:44:00.119Z    INFO    instance/beat.go:455    filebeat start running.
2024-09-13T16:44:00.119Z    INFO    memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2024-09-13T16:44:00.119Z    INFO    memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=2
2024-09-13T16:44:00.120Z    INFO    [registrar] registrar/registrar.go:109  States Loaded from registrar: 1
2024-09-13T16:44:00.120Z    INFO    [crawler]   beater/crawler.go:71    Loading Inputs: 1
2024-09-13T16:44:00.120Z    INFO    log/input.go:157    Configured paths: [/var/ossec/logs/alerts/alerts.json]
2024-09-13T16:44:00.120Z    INFO    [crawler]   beater/crawler.go:141   Starting input (ID: 9132358592892857476)
2024-09-13T16:44:00.120Z    INFO    [crawler]   beater/crawler.go:108   Loading and starting Inputs completed. Enabled inputs: 1
2024-09-13T16:44:00.123Z    INFO    log/harvester.go:302    Harvester started for file: /var/ossec/logs/alerts/alerts.json
2024-09-13T16:44:01.306Z    INFO    [publisher_pipeline_output] pipeline/output.go:143  Connecting to backoff(elasticsearch(https://wazuh.indexer:9200))
2024-09-13T16:44:01.309Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:44:01.311Z    INFO    [publisher] pipeline/retry.go:223     done
2024-09-13T16:44:02.398Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-09-13T16:44:02.399Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 1 reconnect attempt(s)
2024-09-13T16:44:02.400Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:44:02.400Z    INFO    [publisher] pipeline/retry.go:223     done
2024/09/13 16:44:05 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/09/13 16:44:05 sca: INFO: Security Configuration Assessment scan finished. Duration: 10 seconds.
2024-09-13T16:44:06.072Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-09-13T16:44:06.072Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 2 reconnect attempt(s)
2024-09-13T16:44:06.073Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:44:06.073Z    INFO    [publisher] pipeline/retry.go:223     done
2024-09-13T16:44:13.337Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-09-13T16:44:13.343Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 3 reconnect attempt(s)
2024-09-13T16:44:13.350Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:44:13.351Z    INFO    [publisher] pipeline/retry.go:223     done
2024/09/13 16:44:23 rootcheck: INFO: Ending rootcheck scan.
2024-09-13T16:44:25.772Z    ERROR   [publisher_pipeline_output] pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): 503 Service Unavailable: OpenSearch Security not initialized.
2024-09-13T16:44:25.786Z    INFO    [publisher_pipeline_output] pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 4 reconnect attempt(s)
2024-09-13T16:44:25.788Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:44:25.789Z    INFO    [publisher] pipeline/retry.go:223     done
2024-09-13T16:44:26.212Z    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.2
2024-09-13T16:44:26.228Z    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.2
2024-09-13T16:44:26.490Z    INFO    fileset/pipelines.go:143    Elasticsearch pipeline with ID 'filebeat-7.10.2-wazuh-alerts-pipeline' loaded
2024-09-13T16:44:26.500Z    INFO    template/load.go:183    Existing template will be overwritten, as overwrite is enabled.
2024-09-13T16:44:26.511Z    INFO    template/load.go:117    Try loading template wazuh to Elasticsearch
2024-09-13T16:44:26.832Z    INFO    template/load.go:109    template with name 'wazuh' loaded.
2024-09-13T16:44:26.832Z    INFO    [index-management]  idxmgmt/std.go:298  Loaded index template.
2024-09-13T16:44:26.832Z    INFO    [publisher_pipeline_output] pipeline/output.go:151  Connection to backoff(elasticsearch(https://wazuh.indexer:9200)) established
2024/09/13 16:44:28 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh.manager.
2024-09-13T16:44:51.352Z    INFO    beater/filebeat.go:515  Stopping filebeat
2024-09-13T16:44:51.352Z    INFO    beater/crawler.go:148   Stopping Crawler
2024-09-13T16:44:51.352Z    INFO    beater/crawler.go:158   Stopping 1 inputs
2024-09-13T16:44:51.352Z    INFO    [crawler]   beater/crawler.go:163   Stopping input: 9132358592892857476
2024-09-13T16:44:51.352Z    INFO    input/input.go:136  input ticker stopped
2024-09-13T16:44:51.352Z    INFO    log/harvester.go:329    Reader was closed: /var/ossec/logs/alerts/alerts.json. Closing.
2024-09-13T16:44:51.352Z    INFO    beater/crawler.go:178   Crawler stopped
2024-09-13T16:44:51.352Z    INFO    [registrar] registrar/registrar.go:132  Stopping Registrar
2024-09-13T16:44:51.352Z    INFO    [registrar] registrar/registrar.go:166  Ending Registrar
2024-09-13T16:44:51.352Z    INFO    [registrar] registrar/registrar.go:137  Registrar stopped
2024-09-13T16:44:51.360Z    INFO    instance/beat.go:461    filebeat stopped.
Filebeat exited. code=0
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing... 
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
The path /var/ossec/api/configuration is already mounted
/var/ossec/data_tmp/permanent/var/ossec/etc/
The path /var/ossec/etc is already mounted
/var/ossec/data_tmp/permanent/var/ossec/logs/
The path /var/ossec/logs is already mounted
/var/ossec/data_tmp/permanent/var/ossec/queue/
The path /var/ossec/queue is already mounted
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is already mounted
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
find: '/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/': No such file or directory
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is already mounted
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is already mounted
/var/ossec/data_tmp/permanent/var/ossec/wodles/
The path /var/ossec/wodles is already mounted
/var/ossec/data_tmp/permanent/etc/filebeat/
The path /etc/filebeat is already mounted
find: '/proc/227/task/227/fd/5': No such file or directory
find: '/proc/227/task/227/fdinfo/5': No such file or directory
find: '/proc/227/fd/6': No such file or directory
find: '/proc/227/fdinfo/6': No such file or directory
find: '/proc/228/task/228/fd/5': No such file or directory
find: '/proc/228/task/228/fdinfo/5': No such file or directory
find: '/proc/228/fd/6': No such file or directory
find: '/proc/228/fdinfo/6': No such file or directory
find: '/proc/229/task/229/fd/5': No such file or directory
find: '/proc/229/task/229/fdinfo/5': No such file or directory
find: '/proc/229/fd/6': No such file or directory
find: '/proc/229/fdinfo/6': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing... 
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing... 
Configuring password.
2024/09/13 16:45:04 wazuh-modulesd:router: INFO: Loaded router module.
2024/09/13 16:45:04 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.9.0...
wazuh-apid: Process 542 not used by Wazuh, removing...
wazuh-apid: Non existent process 546, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 549, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 543, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 546, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 549, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 543, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 546, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 549, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 543, removing from /var/ossec/var/run...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/09/13 16:45:07 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
wazuh-modulesd: Process 813 not used by Wazuh, removing...
2024/09/13 16:45:12 wazuh-modulesd:router: INFO: Loaded router module.
2024/09/13 16:45:12 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
starting Filebeat
2024/09/13 16:45:12 wazuh-modulesd:content_manager: INFO: Starting content_manager module.
2024/09/13 16:45:12 wazuh-modulesd:database: INFO: Module started.
2024/09/13 16:45:12 wazuh-modulesd:control: INFO: Starting control thread.
2024/09/13 16:45:12 sca: INFO: Starting Security Configuration Assessment scan.
2024/09/13 16:45:12 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/09/13 16:45:12 wazuh-modulesd:syscollector: INFO: Module started.
2024/09/13 16:45:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/09/13 16:45:12 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh.manager.
2024/09/13 16:45:12 wazuh-modulesd:vulnerability-scanner: INFO: Starting database file decompression.
2024/09/13 16:45:12 wazuh-modulesd:syscollector: INFO: Evaluation finished.
[services.d] done.
2024-09-13T16:45:15.980Z    INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-09-13T16:45:15.987Z    INFO    instance/beat.go:653    Beat ID: c106c95b-9c26-4c9f-ae50-5af484e34270
2024-09-13T16:45:15.988Z    INFO    [seccomp]   seccomp/seccomp.go:124  Syscall filter successfully installed
2024-09-13T16:45:15.988Z    INFO    [beat]  instance/beat.go:981    Beat info   {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "c106c95b-9c26-4c9f-ae50-5af484e34270"}}}
2024-09-13T16:45:15.988Z    INFO    [beat]  instance/beat.go:990    Build info  {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-09-13T16:45:15.988Z    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2024-09-13T16:45:15.989Z    INFO    [beat]  instance/beat.go:997    Host info   {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-09-13T14:39:27Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","172.18.0.3/16"],"kernel_version":"6.8.0-40-generic","mac":["02:42:ac:12:00:03"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2023","major":2023,"minor":5,"patch":20240903},"timezone":"UTC","timezone_offset_sec":0}}}
2024-09-13T16:45:15.989Z    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 1256, "ppid": 1251, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-09-13T16:45:15.330Z"}}}
2024-09-13T16:45:15.989Z    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2024-09-13T16:45:15.990Z    INFO    eslegclient/connection.go:99    elasticsearch url: https://wazuh.indexer:9200
2024-09-13T16:45:15.990Z    INFO    [publisher] pipeline/module.go:113  Beat name: wazuh.manager
2024-09-13T16:45:15.997Z    INFO    beater/filebeat.go:117  Enabled modules/filesets: wazuh (alerts),  ()
2024-09-13T16:45:16.003Z    INFO    instance/beat.go:455    filebeat start running.
2024-09-13T16:45:16.006Z    INFO    memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2024-09-13T16:45:16.007Z    INFO    memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=7
2024-09-13T16:45:16.007Z    INFO    [registrar] registrar/registrar.go:109  States Loaded from registrar: 1
2024-09-13T16:45:16.007Z    INFO    [crawler]   beater/crawler.go:71    Loading Inputs: 1
2024-09-13T16:45:16.008Z    INFO    log/input.go:157    Configured paths: [/var/ossec/logs/alerts/alerts.json]
2024-09-13T16:45:16.008Z    INFO    [crawler]   beater/crawler.go:141   Starting input (ID: 9132358592892857476)
2024-09-13T16:45:16.008Z    INFO    [crawler]   beater/crawler.go:108   Loading and starting Inputs completed. Enabled inputs: 1
2024/09/13 16:45:19 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/09/13 16:45:19 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
2024-09-13T16:45:26.017Z    INFO    log/harvester.go:302    Harvester started for file: /var/ossec/logs/alerts/alerts.json
2024-09-13T16:45:27.018Z    INFO    [publisher_pipeline_output] pipeline/output.go:143  Connecting to backoff(elasticsearch(https://wazuh.indexer:9200))
2024-09-13T16:45:27.018Z    INFO    [publisher] pipeline/retry.go:219   retryer: send unwait signal to consumer
2024-09-13T16:45:27.019Z    INFO    [publisher] pipeline/retry.go:223     done
2024-09-13T16:45:27.095Z    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.2
2024-09-13T16:45:27.114Z    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.2
2024-09-13T16:45:27.152Z    INFO    template/load.go:183    Existing template will be overwritten, as overwrite is enabled.
2024-09-13T16:45:27.154Z    INFO    template/load.go:117    Try loading template wazuh to Elasticsearch
2024-09-13T16:45:27.350Z    INFO    template/load.go:109    template with name 'wazuh' loaded.
2024-09-13T16:45:27.351Z    INFO    [index-management]  idxmgmt/std.go:298  Loaded index template.
2024-09-13T16:45:27.375Z    INFO    [publisher_pipeline_output] pipeline/output.go:151  Connection to backoff(elasticsearch(https://wazuh.indexer:9200)) established
2024/09/13 16:45:35 rootcheck: INFO: Ending rootcheck scan.
vcerenu commented 1 month ago

@hpoettker @enekux @ToXinE A new Docker image was pushed with the same tag. Please pull the wazuh/wazuh-manager image again and the error will be resolved.

hpoettker commented 1 month ago

@vcerenu Thanks! Works as expected.

enekux commented 1 month ago

Hi, sorry for my late response, but even though I am pulling the wazuh/wazuh-manager:4.9.0 again, the error persists and the docker is restarting... I see this error:

s6-svscanctl: fatal: unable to control /var/run/s6/services: supervisor not listening
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Any ideas? Thanks.

PS: the same is happening with the image wazuh/wazuh-manager:4.9.1-rc1

enekux commented 1 month ago

Anyone, please?

enekux commented 3 weeks ago

What is the fix for this error? The wazuh-manager container is restarting constantly, even with the image from 4.9.1-rc3.