wazuh / wazuh-docker

Wazuh - Docker containers
https://wazuh.com

Wazuh server container restarting in loop #1554

Closed Rolly-M closed 1 month ago

Rolly-M commented 2 months ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.9.1-rc2 | Wazuh component | Manager | Docker | Ubuntu 22.04 |

Hello, I am working on the RC 2 - E2E UX tests - Deployment on Docker and encountered the following issue with one of the test requirements.

The requirement was to test container stop, start and restart. When doing this for the single-node deployment, I stopped the container for the Wazuh server, then restarted it, but it isn't able to restart. It enters a loop and keeps trying, but the same error persists: `There was an error configuring the API user`.

Find below the Wazuh server container log from when the service starts to when it stops:

```console
[services.d] starting services
[cont-finish.d] executing container finish scripts...
s6-svscanctl: fatal: unable to control /var/run/s6/services: supervisor not listening
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svwait: fatal: unable to subscribe to events for /var/run/s6/services/filebeat: No such file or directory
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing...
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
The path /var/ossec/api/configuration is already mounted
/var/ossec/data_tmp/permanent/var/ossec/etc/
The path /var/ossec/etc is already mounted
/var/ossec/data_tmp/permanent/var/ossec/logs/
The path /var/ossec/logs is already mounted
/var/ossec/data_tmp/permanent/var/ossec/queue/
The path /var/ossec/queue is already mounted
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is already mounted
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
find: '/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/': No such file or directory
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is already mounted
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is already mounted
/var/ossec/data_tmp/permanent/var/ossec/wodles/
The path /var/ossec/wodles is already mounted
/var/ossec/data_tmp/permanent/etc/filebeat/
The path /etc/filebeat is already mounted
find: '/proc/227/task/227/fd/6': No such file or directory
find: '/proc/227/task/227/fdinfo/6': No such file or directory
find: '/proc/227/fd/5': No such file or directory
find: '/proc/227/fdinfo/5': No such file or directory
find: '/proc/228/task/228/fd/6': No such file or directory
find: '/proc/228/task/228/fdinfo/6': No such file or directory
find: '/proc/228/fd/5': No such file or directory
find: '/proc/228/fdinfo/5': No such file or directory
find: '/proc/229/task/229/fd/6': No such file or directory
find: '/proc/229/task/229/fdinfo/6': No such file or directory
find: '/proc/229/fd/5': No such file or directory
find: '/proc/229/fdinfo/5': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing...
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing...
/var/ossec/framework/python/bin/python3: can't open file '/var/ossec/framework/scripts/create_user.py': [Errno 2] No such file or directory
There was an error configuring the API user
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svscanctl: fatal: unable to control /var/run/s6/services: supervisor not listening
s6-svwait: fatal: unable to subscribe to events for /var/run/s6/services/filebeat: No such file or directory
[s6-finish] sending all processes the TERM signal.
```

I then tried to restart the Wazuh master node in a multi-node deployment and had the same outcome.

```console
[services.d] starting services
s6-svscanctl: fatal: unable to control /var/run/s6/services: supervisor not listening
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svwait: fatal: unable to subscribe to events for /var/run/s6/services/filebeat: No such file or directory
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing...
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
The path /var/ossec/api/configuration is already mounted
/var/ossec/data_tmp/permanent/var/ossec/etc/
The path /var/ossec/etc is already mounted
/var/ossec/data_tmp/permanent/var/ossec/logs/
The path /var/ossec/logs is already mounted
/var/ossec/data_tmp/permanent/var/ossec/queue/
The path /var/ossec/queue is already mounted
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is already mounted
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
find: '/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/': No such file or directory
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is already mounted
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is already mounted
/var/ossec/data_tmp/permanent/var/ossec/wodles/
The path /var/ossec/wodles is already mounted
/var/ossec/data_tmp/permanent/etc/filebeat/
The path /etc/filebeat is already mounted
find: '/proc/227/task/227/fd/6': No such file or directory
find: '/proc/227/task/227/fdinfo/6': No such file or directory
find: '/proc/227/fd/5': No such file or directory
find: '/proc/227/fdinfo/5': No such file or directory
find: '/proc/228/task/228/fd/6': No such file or directory
find: '/proc/228/task/228/fdinfo/6': No such file or directory
find: '/proc/228/fd/5': No such file or directory
find: '/proc/228/fdinfo/5': No such file or directory
find: '/proc/229/task/229/fd/6': No such file or directory
find: '/proc/229/task/229/fdinfo/6': No such file or directory
find: '/proc/229/fd/5': No such file or directory
find: '/proc/229/fdinfo/5': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing...
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing...
/var/ossec/framework/python/bin/python3: can't open file '/var/ossec/framework/scripts/create_user.py': [Errno 2] No such file or directory
There was an error configuring the API user
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
s6-svscanctl: fatal: unable to control /var/run/s6/services: supervisor not listening
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svwait: fatal: unable to subscribe to events for /var/run/s6/services/filebeat: No such file or directory
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
```

Enaraque commented 2 months ago

Update report

The problem is related to the create_user.py script. This issue was already encountered in the following issue: https://github.com/wazuh/wazuh-docker/issues/1520. The issue was resolved, and the fix was added in 4.9.0 but was not merged into 4.9.1.

The fix has been tested at 4.9.1, and the error has been resolved successfully.

Docker stack start

```console
root@ip-172-31-44-77:/home/ubuntu/wazuh-docker/single-node# docker images
REPOSITORY              TAG     IMAGE ID       CREATED         SIZE
wazuh/wazuh-dashboard   4.9.1   870c32520641   4 minutes ago   1.11GB
wazuh/wazuh-manager     4.9.1   7322f3a81df5   6 minutes ago   1.29GB
wazuh/wazuh-indexer     4.9.1   20adcabda6d1   6 minutes ago   2.38GB
root@ip-172-31-44-77:/home/ubuntu/wazuh-docker/single-node# docker-compose -f generate-indexer-certs.yml run --rm generator
[+] Running 1/1
 ⠿ Network single-node_default  Created  0.1s
[+] Running 5/5
 ⠿ generator Pulled  3.8s
   ⠿ 17d0386c2fff Pull complete  2.3s
   ⠿ 7ce91ec7d1d3 Pull complete  3.5s
   ⠿ 5249716d429c Pull complete  3.5s
   ⠿ d7003467fd14 Pull complete  3.5s
The tool to create the certificates exists in the in Packages bucket
03/10/2024 10:55:44 INFO: Generating the root certificate.
03/10/2024 10:55:44 INFO: Generating Admin certificates.
03/10/2024 10:55:44 INFO: Admin certificates created.
03/10/2024 10:55:44 INFO: Generating Wazuh indexer certificates.
03/10/2024 10:55:44 INFO: Wazuh indexer certificates created.
03/10/2024 10:55:44 INFO: Generating Filebeat certificates.
03/10/2024 10:55:45 INFO: Wazuh Filebeat certificates created.
03/10/2024 10:55:45 INFO: Generating Wazuh dashboard certificates.
03/10/2024 10:55:45 INFO: Wazuh dashboard certificates created.
Moving created certificates to the destination directory
Changing certificate permissions
Setting UID indexer and dashboard
Setting UID for wazuh manager and worker
root@ip-172-31-44-77:/home/ubuntu/wazuh-docker/single-node# docker-compose up -d
[+] Running 3/3
 ⠿ Container single-node-wazuh.indexer-1    Started  0.6s
 ⠿ Container single-node-wazuh.manager-1    Started  0.8s
 ⠿ Container single-node-wazuh.dashboard-1  Started  1.1s
root@ip-172-31-44-77:/home/ubuntu/wazuh-docker/single-node# docker logs single-node-wazuh.manager-1 -f
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing...
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
The path /var/ossec/api/configuration is already mounted
/var/ossec/data_tmp/permanent/var/ossec/etc/
The path /var/ossec/etc is already mounted
/var/ossec/data_tmp/permanent/var/ossec/logs/
The path /var/ossec/logs is already mounted
/var/ossec/data_tmp/permanent/var/ossec/queue/
The path /var/ossec/queue is already mounted
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is already mounted
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is already mounted
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is already mounted
/var/ossec/data_tmp/permanent/var/ossec/wodles/
The path /var/ossec/wodles is already mounted
/var/ossec/data_tmp/permanent/etc/filebeat/
The path /etc/filebeat is already mounted
Updating /var/ossec/etc/internal_options.conf
Updating /var/ossec/integrations/slack
Updating /var/ossec/integrations/slack.py
Updating /var/ossec/integrations/virustotal
Updating /var/ossec/integrations/virustotal.py
Updating /var/ossec/integrations/shuffle
Updating /var/ossec/integrations/shuffle.py
Updating /var/ossec/integrations/pagerduty
Updating /var/ossec/integrations/pagerduty.py
Updating /var/ossec/integrations/maltiverse
Updating /var/ossec/integrations/maltiverse.py
Updating /var/ossec/active-response/bin/default-firewall-drop
Updating /var/ossec/active-response/bin/disable-account
Updating /var/ossec/active-response/bin/firewalld-drop
Updating /var/ossec/active-response/bin/firewall-drop
Updating /var/ossec/active-response/bin/host-deny
Updating /var/ossec/active-response/bin/ip-customblock
Updating /var/ossec/active-response/bin/ipfw
Updating /var/ossec/active-response/bin/kaspersky.py
Updating /var/ossec/active-response/bin/kaspersky
Updating /var/ossec/active-response/bin/npf
Updating /var/ossec/active-response/bin/wazuh-slack
Updating /var/ossec/active-response/bin/pf
Updating /var/ossec/active-response/bin/restart-wazuh
Updating /var/ossec/active-response/bin/restart.sh
Updating /var/ossec/active-response/bin/route-null
Updating /var/ossec/agentless/sshlogin.exp
Updating /var/ossec/agentless/ssh_pixconfig_diff
Updating /var/ossec/agentless/ssh_asa-fwsmconfig_diff
Updating /var/ossec/agentless/ssh_integrity_check_bsd
Updating /var/ossec/agentless/main.exp
Updating /var/ossec/agentless/su.exp
Updating /var/ossec/agentless/ssh_integrity_check_linux
Updating /var/ossec/agentless/register_host.sh
Updating /var/ossec/agentless/ssh_generic_diff
Updating /var/ossec/agentless/ssh_foundry_diff
Updating /var/ossec/agentless/ssh_nopass.exp
Updating /var/ossec/agentless/ssh.exp
Updating /var/ossec/wodles/utils.py
Updating /var/ossec/wodles/aws/aws-s3
Updating /var/ossec/wodles/aws/aws-s3.py
Updating /var/ossec/wodles/aws/__init__.py
Updating /var/ossec/wodles/aws/aws_tools.py
Updating /var/ossec/wodles/aws/wazuh_integration.py
Updating /var/ossec/wodles/aws/buckets_s3/__init__.py
Updating /var/ossec/wodles/aws/buckets_s3/aws_bucket.py
Updating /var/ossec/wodles/aws/buckets_s3/cloudtrail.py
Updating /var/ossec/wodles/aws/buckets_s3/config.py
Updating /var/ossec/wodles/aws/buckets_s3/guardduty.py
Updating /var/ossec/wodles/aws/buckets_s3/load_balancers.py
Updating /var/ossec/wodles/aws/buckets_s3/server_access.py
Updating /var/ossec/wodles/aws/buckets_s3/umbrella.py
Updating /var/ossec/wodles/aws/buckets_s3/vpcflow.py
Updating /var/ossec/wodles/aws/buckets_s3/waf.py
Updating /var/ossec/wodles/aws/services/__init__.py
Updating /var/ossec/wodles/aws/services/aws_service.py
Updating /var/ossec/wodles/aws/services/cloudwatchlogs.py
Updating /var/ossec/wodles/aws/services/inspector.py
Updating /var/ossec/wodles/aws/subscribers/__init__.py
Updating /var/ossec/wodles/aws/subscribers/s3_log_handler.py
Updating /var/ossec/wodles/aws/subscribers/sqs_message_processor.py
Updating /var/ossec/wodles/aws/subscribers/sqs_queue.py
Updating /var/ossec/wodles/azure/azure-logs
Updating /var/ossec/wodles/azure/azure-logs.py
Updating /var/ossec/wodles/azure/db/orm.py
Updating /var/ossec/wodles/azure/db/utils.py
Updating /var/ossec/wodles/azure/db/__init__.py
Updating /var/ossec/wodles/docker/DockerListener
Updating /var/ossec/wodles/docker/DockerListener.py
Updating /var/ossec/wodles/gcloud/gcloud
Updating /var/ossec/wodles/gcloud/gcloud.py
Updating /var/ossec/wodles/gcloud/integration.py
Updating /var/ossec/wodles/gcloud/tools.py
Updating /var/ossec/wodles/gcloud/exceptions.py
find: '/proc/372/task/372/fd/6': No such file or directory
find: '/proc/372/task/372/fdinfo/6': No such file or directory
find: '/proc/372/fd/5': No such file or directory
find: '/proc/372/fdinfo/5': No such file or directory
find: '/proc/373/task/373/fd/6': No such file or directory
find: '/proc/373/task/373/fdinfo/6': No such file or directory
find: '/proc/373/fd/5': No such file or directory
find: '/proc/373/fdinfo/5': No such file or directory
find: '/proc/374/task/374/fd/6': No such file or directory
find: '/proc/374/task/374/fdinfo/6': No such file or directory
find: '/proc/374/fd/5': No such file or directory
find: '/proc/374/fdinfo/5': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing...
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing...
Configuring password.
2024/10/03 10:56:08 wazuh-modulesd:router: INFO: Loaded router module.
2024/10/03 10:56:08 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.9.1...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/10/03 10:56:18 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/10/03 10:56:27 wazuh-modulesd:router: INFO: Loaded router module.
2024/10/03 10:56:27 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
2024/10/03 10:56:27 wazuh-modulesd:control: INFO: Starting control thread.
2024/10/03 10:56:27 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/10/03 10:56:27 sca: INFO: Starting Security Configuration Assessment scan.
2024/10/03 10:56:27 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/10/03 10:56:27 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/10/03 10:56:28 wazuh-modulesd:syscollector: INFO: Module started.
2024/10/03 10:56:28 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/10/03 10:56:28 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh.manager', retrying until the connection is successful.
2024/10/03 10:56:28 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/10/03 10:56:29 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.
starting Filebeat
[services.d] done.
2024-10-03T10:56:31.185Z INFO instance/beat.go:645 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-10-03T10:56:31.188Z INFO instance/beat.go:653 Beat ID: 27a53eee-e8b6-46c4-b31d-2786026d6ebf
2024-10-03T10:56:31.189Z INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2024-10-03T10:56:31.189Z INFO [beat] instance/beat.go:981 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "27a53eee-e8b6-46c4-b31d-2786026d6ebf"}}}
2024-10-03T10:56:31.190Z INFO [beat] instance/beat.go:990 Build info {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-10-03T10:56:31.190Z INFO [beat] instance/beat.go:993 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.14.12"}}}
2024-10-03T10:56:31.194Z INFO [beat] instance/beat.go:997 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-10-03T08:48:34Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","172.18.0.3/16"],"kernel_version":"5.19.0-1025-aws","mac":["02:42:ac:12:00:03"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2023","major":2023,"minor":5,"patch":20240916},"timezone":"UTC","timezone_offset_sec":0}}}
2024-10-03T10:56:31.195Z INFO [beat] instance/beat.go:1026 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 1307, "ppid": 1304, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-10-03T10:56:30.410Z"}}}
2024-10-03T10:56:31.195Z INFO instance/beat.go:299 Setup Beat: filebeat; Version: 7.10.2
2024-10-03T10:56:31.199Z INFO eslegclient/connection.go:99 elasticsearch url: https://wazuh.indexer:9200
2024-10-03T10:56:31.200Z INFO [publisher] pipeline/module.go:113 Beat name: wazuh.manager
2024-10-03T10:56:31.202Z INFO beater/filebeat.go:117 Enabled modules/filesets: (), wazuh (alerts)
2024-10-03T10:56:31.203Z INFO instance/beat.go:455 filebeat start running.
2024-10-03T10:56:31.204Z INFO memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2024-10-03T10:56:31.208Z INFO memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=12
2024-10-03T10:56:31.211Z INFO [registrar] registrar/registrar.go:109 States Loaded from registrar: 1
2024-10-03T10:56:31.211Z INFO [crawler] beater/crawler.go:71 Loading Inputs: 1
2024-10-03T10:56:31.213Z INFO log/input.go:157 Configured paths: [/var/ossec/logs/alerts/alerts.json]
2024-10-03T10:56:31.213Z INFO [crawler] beater/crawler.go:141 Starting input (ID: 9132358592892857476)
2024-10-03T10:56:31.213Z INFO [crawler] beater/crawler.go:108 Loading and starting Inputs completed. Enabled inputs: 1
2024-10-03T10:56:31.217Z INFO log/harvester.go:302 Harvester started for file: /var/ossec/logs/alerts/alerts.json
2024-10-03T10:56:32.219Z INFO [publisher_pipeline_output] pipeline/output.go:143 Connecting to backoff(elasticsearch(https://wazuh.indexer:9200))
2024-10-03T10:56:32.219Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T10:56:32.219Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T10:56:33.796Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-10-03T10:56:33.797Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 1 reconnect attempt(s)
2024-10-03T10:56:33.797Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T10:56:33.798Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T10:56:36.268Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-10-03T10:56:36.268Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 2 reconnect attempt(s)
2024-10-03T10:56:36.269Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T10:56:36.269Z INFO [publisher] pipeline/retry.go:223 done
2024/10/03 10:56:40 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/10/03 10:56:40 sca: INFO: Security Configuration Assessment scan finished. Duration: 13 seconds.
2024-10-03T10:56:41.030Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-10-03T10:56:41.030Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 3 reconnect attempt(s)
2024-10-03T10:56:41.031Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T10:56:41.031Z INFO [publisher] pipeline/retry.go:223 done
2024/10/03 10:56:50 rootcheck: INFO: Ending rootcheck scan.
2024-10-03T10:56:53.433Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.2:9200: connect: connection refused
2024-10-03T10:56:53.433Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 4 reconnect attempt(s)
2024-10-03T10:56:53.433Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T10:56:53.433Z INFO [publisher] pipeline/retry.go:223 done
```
Down the stack and start: ```console root@ip-172-31-44-77:/home/ubuntu/wazuh-docker/single-node# docker compose down WARN[0000] /home/ubuntu/wazuh-docker/single-node/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion [+] Running 4/4 ✔ Container single-node-wazuh.dashboard-1 Removed 10.3s ✔ Container single-node-wazuh.indexer-1 Removed 0.6s ✔ Container single-node-wazuh.manager-1 Removed 4.1s ✔ Network single-node_default Removed 0.2s root@ip-172-31-44-77:/home/ubuntu/wazuh-docker/single-node# docker-compose up -d [+] Running 4/4 ⠿ Network single-node_default Created 0.1s ⠿ Container single-node-wazuh.indexer-1 Started 0.8s ⠿ Container single-node-wazuh.manager-1 Started 0.9s ⠿ Container single-node-wazuh.dashboard-1 Started 1.4s root@ip-172-31-44-77:/home/ubuntu/wazuh-docker/single-node# docker logs single-node-wazuh.manager-1 -f [s6-init] making user provided files available at /var/run/s6/etc...exited 0. [s6-init] ensuring user provided files have correct perms...exited 0. [fix-attrs.d] applying ownership & permissions fixes... [fix-attrs.d] done. [cont-init.d] executing container initialization scripts... [cont-init.d] 0-wazuh-init: executing... 
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/ The path /var/ossec/api/configuration is already mounted /var/ossec/data_tmp/permanent/var/ossec/etc/ The path /var/ossec/etc is already mounted /var/ossec/data_tmp/permanent/var/ossec/logs/ The path /var/ossec/logs is already mounted /var/ossec/data_tmp/permanent/var/ossec/queue/ The path /var/ossec/queue is already mounted /var/ossec/data_tmp/permanent/var/ossec/agentless/ The path /var/ossec/agentless is already mounted /var/ossec/data_tmp/permanent/var/ossec/var/multigroups/ The path /var/ossec/var/multigroups is empty, skiped /var/ossec/data_tmp/permanent/var/ossec/integrations/ The path /var/ossec/integrations is already mounted /var/ossec/data_tmp/permanent/var/ossec/active-response/bin/ The path /var/ossec/active-response/bin is already mounted /var/ossec/data_tmp/permanent/var/ossec/wodles/ The path /var/ossec/wodles is already mounted /var/ossec/data_tmp/permanent/etc/filebeat/ The path /etc/filebeat is already mounted Updating /var/ossec/etc/internal_options.conf Updating /var/ossec/integrations/slack Updating /var/ossec/integrations/slack.py Updating /var/ossec/integrations/virustotal Updating /var/ossec/integrations/virustotal.py Updating /var/ossec/integrations/shuffle Updating /var/ossec/integrations/shuffle.py Updating /var/ossec/integrations/pagerduty Updating /var/ossec/integrations/pagerduty.py Updating /var/ossec/integrations/maltiverse Updating /var/ossec/integrations/maltiverse.py Updating /var/ossec/active-response/bin/default-firewall-drop Updating /var/ossec/active-response/bin/disable-account Updating /var/ossec/active-response/bin/firewalld-drop Updating /var/ossec/active-response/bin/firewall-drop Updating /var/ossec/active-response/bin/host-deny Updating /var/ossec/active-response/bin/ip-customblock Updating /var/ossec/active-response/bin/ipfw Updating /var/ossec/active-response/bin/kaspersky.py Updating /var/ossec/active-response/bin/kaspersky Updating 
/var/ossec/active-response/bin/npf
Updating /var/ossec/active-response/bin/wazuh-slack
Updating /var/ossec/active-response/bin/pf
Updating /var/ossec/active-response/bin/restart-wazuh
Updating /var/ossec/active-response/bin/restart.sh
Updating /var/ossec/active-response/bin/route-null
Updating /var/ossec/agentless/sshlogin.exp
Updating /var/ossec/agentless/ssh_pixconfig_diff
Updating /var/ossec/agentless/ssh_asa-fwsmconfig_diff
Updating /var/ossec/agentless/ssh_integrity_check_bsd
Updating /var/ossec/agentless/main.exp
Updating /var/ossec/agentless/su.exp
Updating /var/ossec/agentless/ssh_integrity_check_linux
Updating /var/ossec/agentless/register_host.sh
Updating /var/ossec/agentless/ssh_generic_diff
Updating /var/ossec/agentless/ssh_foundry_diff
Updating /var/ossec/agentless/ssh_nopass.exp
Updating /var/ossec/agentless/ssh.exp
Updating /var/ossec/wodles/utils.py
Updating /var/ossec/wodles/aws/aws-s3
Updating /var/ossec/wodles/aws/aws-s3.py
Updating /var/ossec/wodles/aws/__init__.py
Updating /var/ossec/wodles/aws/aws_tools.py
Updating /var/ossec/wodles/aws/wazuh_integration.py
Updating /var/ossec/wodles/aws/buckets_s3/__init__.py
Updating /var/ossec/wodles/aws/buckets_s3/aws_bucket.py
Updating /var/ossec/wodles/aws/buckets_s3/cloudtrail.py
Updating /var/ossec/wodles/aws/buckets_s3/config.py
Updating /var/ossec/wodles/aws/buckets_s3/guardduty.py
Updating /var/ossec/wodles/aws/buckets_s3/load_balancers.py
Updating /var/ossec/wodles/aws/buckets_s3/server_access.py
Updating /var/ossec/wodles/aws/buckets_s3/umbrella.py
Updating /var/ossec/wodles/aws/buckets_s3/vpcflow.py
Updating /var/ossec/wodles/aws/buckets_s3/waf.py
Updating /var/ossec/wodles/aws/services/__init__.py
Updating /var/ossec/wodles/aws/services/aws_service.py
Updating /var/ossec/wodles/aws/services/cloudwatchlogs.py
Updating /var/ossec/wodles/aws/services/inspector.py
Updating /var/ossec/wodles/aws/subscribers/__init__.py
Updating /var/ossec/wodles/aws/subscribers/s3_log_handler.py
Updating /var/ossec/wodles/aws/subscribers/sqs_message_processor.py
Updating /var/ossec/wodles/aws/subscribers/sqs_queue.py
Updating /var/ossec/wodles/azure/azure-logs
Updating /var/ossec/wodles/azure/azure-logs.py
Updating /var/ossec/wodles/azure/db/orm.py
Updating /var/ossec/wodles/azure/db/utils.py
Updating /var/ossec/wodles/azure/db/__init__.py
Updating /var/ossec/wodles/docker/DockerListener
Updating /var/ossec/wodles/docker/DockerListener.py
Updating /var/ossec/wodles/gcloud/gcloud
Updating /var/ossec/wodles/gcloud/gcloud.py
Updating /var/ossec/wodles/gcloud/integration.py
Updating /var/ossec/wodles/gcloud/tools.py
Updating /var/ossec/wodles/gcloud/exceptions.py
find: '/proc/372/task/372/fd/6': No such file or directory
find: '/proc/372/task/372/fdinfo/6': No such file or directory
find: '/proc/372/fd/5': No such file or directory
find: '/proc/372/fdinfo/5': No such file or directory
find: '/proc/373/task/373/fd/6': No such file or directory
find: '/proc/373/task/373/fdinfo/6': No such file or directory
find: '/proc/373/fd/5': No such file or directory
find: '/proc/373/fdinfo/5': No such file or directory
find: '/proc/374/task/374/fd/6': No such file or directory
find: '/proc/374/task/374/fdinfo/6': No such file or directory
find: '/proc/374/fd/5': No such file or directory
find: '/proc/374/fdinfo/5': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing...
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing...
Configuring password.
2024/10/03 10:59:57 wazuh-modulesd:router: INFO: Loaded router module.
2024/10/03 10:59:57 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.9.1...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/10/03 11:00:07 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/10/03 11:00:16 wazuh-modulesd:router: INFO: Loaded router module.
2024/10/03 11:00:16 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
starting Filebeat
2024/10/03 11:00:16 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/10/03 11:00:16 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/10/03 11:00:16 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/10/03 11:00:16 wazuh-modulesd:syscollector: INFO: Module started.
2024/10/03 11:00:16 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/10/03 11:00:16 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/10/03 11:00:16 wazuh-syscheckd: INFO: FIM sync module started.
2024/10/03 11:00:17 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/10/03 11:00:17 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh.manager', retrying until the connection is successful.
2024/10/03 11:00:18 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.
[services.d] done.
2024-10-03T11:00:20.191Z INFO instance/beat.go:645 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-10-03T11:00:20.192Z INFO instance/beat.go:653 Beat ID: 27a53eee-e8b6-46c4-b31d-2786026d6ebf
2024-10-03T11:00:20.193Z INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2024-10-03T11:00:20.193Z INFO [beat] instance/beat.go:981 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "27a53eee-e8b6-46c4-b31d-2786026d6ebf"}}}
2024-10-03T11:00:20.193Z INFO [beat] instance/beat.go:990 Build info {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-10-03T11:00:20.193Z INFO [beat] instance/beat.go:993 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.14.12"}}}
2024-10-03T11:00:20.195Z INFO [beat] instance/beat.go:997 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-10-03T08:48:34Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","172.18.0.2/16"],"kernel_version":"5.19.0-1025-aws","mac":["02:42:ac:12:00:02"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2023","major":2023,"minor":5,"patch":20240916},"timezone":"UTC","timezone_offset_sec":0}}}
2024-10-03T11:00:20.196Z INFO [beat] instance/beat.go:1026 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 1266, "ppid": 1262, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-10-03T11:00:19.500Z"}}}
2024-10-03T11:00:20.196Z INFO instance/beat.go:299 Setup Beat: filebeat; Version: 7.10.2
2024-10-03T11:00:20.197Z INFO eslegclient/connection.go:99 elasticsearch url: https://wazuh.indexer:9200
2024-10-03T11:00:20.258Z INFO [publisher] pipeline/module.go:113 Beat name: wazuh.manager
2024-10-03T11:00:20.260Z INFO beater/filebeat.go:117 Enabled modules/filesets: wazuh (alerts), ()
2024-10-03T11:00:20.261Z INFO instance/beat.go:455 filebeat start running.
2024-10-03T11:00:20.261Z INFO memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2024-10-03T11:00:20.262Z INFO memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=17
2024-10-03T11:00:20.264Z INFO [registrar] registrar/registrar.go:109 States Loaded from registrar: 1
2024-10-03T11:00:20.265Z INFO [crawler] beater/crawler.go:71 Loading Inputs: 1
2024-10-03T11:00:20.266Z INFO log/input.go:157 Configured paths: [/var/ossec/logs/alerts/alerts.json]
2024-10-03T11:00:20.266Z INFO [crawler] beater/crawler.go:141 Starting input (ID: 9132358592892857476)
2024-10-03T11:00:20.266Z INFO [crawler] beater/crawler.go:108 Loading and starting Inputs completed. Enabled inputs: 1
2024-10-03T11:00:30.268Z INFO log/harvester.go:302 Harvester started for file: /var/ossec/logs/alerts/alerts.json
2024/10/03 11:00:30 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/10/03 11:00:30 sca: INFO: Security Configuration Assessment scan finished. Duration: 14 seconds.
2024-10-03T11:00:31.269Z INFO [publisher_pipeline_output] pipeline/output.go:143 Connecting to backoff(elasticsearch(https://wazuh.indexer:9200))
2024-10-03T11:00:31.269Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:00:31.269Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T11:00:32.552Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.3:9200: connect: connection refused
2024-10-03T11:00:32.552Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 1 reconnect attempt(s)
2024-10-03T11:00:32.552Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:00:32.552Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T11:00:36.038Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.3:9200: connect: connection refused
2024-10-03T11:00:36.038Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 2 reconnect attempt(s)
2024-10-03T11:00:36.038Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:00:36.039Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T11:00:41.118Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.3:9200: connect: connection refused
2024-10-03T11:00:41.118Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 3 reconnect attempt(s)
2024-10-03T11:00:41.119Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:00:41.119Z INFO [publisher] pipeline/retry.go:223 done
2024/10/03 11:00:42 rootcheck: INFO: Ending rootcheck scan.
2024-10-03T11:00:54.466Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.3:9200: connect: connection refused
2024-10-03T11:00:54.466Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 4 reconnect attempt(s)
2024-10-03T11:00:54.467Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:00:54.467Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T11:00:55.056Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2024-10-03T11:00:55.061Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2024-10-03T11:00:55.075Z INFO template/load.go:183 Existing template will be overwritten, as overwrite is enabled.
2024-10-03T11:00:55.078Z INFO template/load.go:117 Try loading template wazuh to Elasticsearch
2024-10-03T11:00:55.287Z INFO template/load.go:109 template with name 'wazuh' loaded.
2024-10-03T11:00:55.287Z INFO [index-management] idxmgmt/std.go:298 Loaded index template.
2024-10-03T11:00:55.306Z INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(https://wazuh.indexer:9200)) established
2024/10/03 11:01:19 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh.manager.
```
Restart the Wazuh manager container

```console
root@ip-172-31-44-77:/home/ubuntu/wazuh-docker/single-node# docker restart single-node-wazuh.manager-1
single-node-wazuh.manager-1
root@ip-172-31-44-77:/home/ubuntu/wazuh-docker/single-node# docker logs single-node-wazuh.manager-1 -f
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing...
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
The path /var/ossec/api/configuration is already mounted
/var/ossec/data_tmp/permanent/var/ossec/etc/
The path /var/ossec/etc is already mounted
/var/ossec/data_tmp/permanent/var/ossec/logs/
The path /var/ossec/logs is already mounted
/var/ossec/data_tmp/permanent/var/ossec/queue/
The path /var/ossec/queue is already mounted
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is already mounted
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is already mounted
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is already mounted
/var/ossec/data_tmp/permanent/var/ossec/wodles/
The path /var/ossec/wodles is already mounted
/var/ossec/data_tmp/permanent/etc/filebeat/
The path /etc/filebeat is already mounted
Updating /var/ossec/etc/internal_options.conf
Updating /var/ossec/integrations/slack
Updating /var/ossec/integrations/slack.py
Updating /var/ossec/integrations/virustotal
Updating /var/ossec/integrations/virustotal.py
Updating /var/ossec/integrations/shuffle
Updating /var/ossec/integrations/shuffle.py
Updating /var/ossec/integrations/pagerduty
Updating /var/ossec/integrations/pagerduty.py
Updating /var/ossec/integrations/maltiverse
Updating /var/ossec/integrations/maltiverse.py
Updating /var/ossec/active-response/bin/default-firewall-drop
Updating /var/ossec/active-response/bin/disable-account
Updating /var/ossec/active-response/bin/firewalld-drop
Updating /var/ossec/active-response/bin/firewall-drop
Updating /var/ossec/active-response/bin/host-deny
Updating /var/ossec/active-response/bin/ip-customblock
Updating /var/ossec/active-response/bin/ipfw
Updating /var/ossec/active-response/bin/kaspersky.py
Updating /var/ossec/active-response/bin/kaspersky
Updating /var/ossec/active-response/bin/npf
Updating /var/ossec/active-response/bin/wazuh-slack
Updating /var/ossec/active-response/bin/pf
Updating /var/ossec/active-response/bin/restart-wazuh
Updating /var/ossec/active-response/bin/restart.sh
Updating /var/ossec/active-response/bin/route-null
Updating /var/ossec/agentless/sshlogin.exp
Updating /var/ossec/agentless/ssh_pixconfig_diff
Updating /var/ossec/agentless/ssh_asa-fwsmconfig_diff
Updating /var/ossec/agentless/ssh_integrity_check_bsd
Updating /var/ossec/agentless/main.exp
Updating /var/ossec/agentless/su.exp
Updating /var/ossec/agentless/ssh_integrity_check_linux
Updating /var/ossec/agentless/register_host.sh
Updating /var/ossec/agentless/ssh_generic_diff
Updating /var/ossec/agentless/ssh_foundry_diff
Updating /var/ossec/agentless/ssh_nopass.exp
Updating /var/ossec/agentless/ssh.exp
Updating /var/ossec/wodles/utils.py
Updating /var/ossec/wodles/aws/aws-s3
Updating /var/ossec/wodles/aws/aws-s3.py
Updating /var/ossec/wodles/aws/__init__.py
Updating /var/ossec/wodles/aws/aws_tools.py
Updating /var/ossec/wodles/aws/wazuh_integration.py
Updating /var/ossec/wodles/aws/buckets_s3/__init__.py
Updating /var/ossec/wodles/aws/buckets_s3/aws_bucket.py
Updating /var/ossec/wodles/aws/buckets_s3/cloudtrail.py
Updating /var/ossec/wodles/aws/buckets_s3/config.py
Updating /var/ossec/wodles/aws/buckets_s3/guardduty.py
Updating /var/ossec/wodles/aws/buckets_s3/load_balancers.py
Updating /var/ossec/wodles/aws/buckets_s3/server_access.py
Updating /var/ossec/wodles/aws/buckets_s3/umbrella.py
Updating /var/ossec/wodles/aws/buckets_s3/vpcflow.py
Updating /var/ossec/wodles/aws/buckets_s3/waf.py
Updating /var/ossec/wodles/aws/services/__init__.py
Updating /var/ossec/wodles/aws/services/aws_service.py
Updating /var/ossec/wodles/aws/services/cloudwatchlogs.py
Updating /var/ossec/wodles/aws/services/inspector.py
Updating /var/ossec/wodles/aws/subscribers/__init__.py
Updating /var/ossec/wodles/aws/subscribers/s3_log_handler.py
Updating /var/ossec/wodles/aws/subscribers/sqs_message_processor.py
Updating /var/ossec/wodles/aws/subscribers/sqs_queue.py
Updating /var/ossec/wodles/azure/azure-logs
Updating /var/ossec/wodles/azure/azure-logs.py
Updating /var/ossec/wodles/azure/db/orm.py
Updating /var/ossec/wodles/azure/db/utils.py
Updating /var/ossec/wodles/azure/db/__init__.py
Updating /var/ossec/wodles/docker/DockerListener
Updating /var/ossec/wodles/docker/DockerListener.py
Updating /var/ossec/wodles/gcloud/gcloud
Updating /var/ossec/wodles/gcloud/gcloud.py
Updating /var/ossec/wodles/gcloud/integration.py
Updating /var/ossec/wodles/gcloud/tools.py
Updating /var/ossec/wodles/gcloud/exceptions.py
find: '/proc/372/task/372/fd/6': No such file or directory
find: '/proc/372/task/372/fdinfo/6': No such file or directory
find: '/proc/372/fd/5': No such file or directory
find: '/proc/372/fdinfo/5': No such file or directory
find: '/proc/373/task/373/fd/6': No such file or directory
find: '/proc/373/task/373/fdinfo/6': No such file or directory
find: '/proc/373/fd/5': No such file or directory
find: '/proc/373/fdinfo/5': No such file or directory
find: '/proc/374/task/374/fd/6': No such file or directory
find: '/proc/374/task/374/fdinfo/6': No such file or directory
find: '/proc/374/fd/5': No such file or directory
find: '/proc/374/fdinfo/5': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing...
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing...
Configuring password.
2024/10/03 10:59:57 wazuh-modulesd:router: INFO: Loaded router module.
2024/10/03 10:59:57 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.9.1...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/10/03 11:00:07 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2024/10/03 11:00:16 wazuh-modulesd:router: INFO: Loaded router module.
2024/10/03 11:00:16 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
starting Filebeat
2024/10/03 11:00:16 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/10/03 11:00:16 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/10/03 11:00:16 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/10/03 11:00:16 wazuh-modulesd:syscollector: INFO: Module started.
2024/10/03 11:00:16 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/10/03 11:00:16 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/10/03 11:00:16 wazuh-syscheckd: INFO: FIM sync module started.
2024/10/03 11:00:17 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/10/03 11:00:17 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh.manager', retrying until the connection is successful.
2024/10/03 11:00:18 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.
[services.d] done.
2024-10-03T11:00:20.191Z INFO instance/beat.go:645 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-10-03T11:00:20.192Z INFO instance/beat.go:653 Beat ID: 27a53eee-e8b6-46c4-b31d-2786026d6ebf
2024-10-03T11:00:20.193Z INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2024-10-03T11:00:20.193Z INFO [beat] instance/beat.go:981 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "27a53eee-e8b6-46c4-b31d-2786026d6ebf"}}}
2024-10-03T11:00:20.193Z INFO [beat] instance/beat.go:990 Build info {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-10-03T11:00:20.193Z INFO [beat] instance/beat.go:993 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.14.12"}}}
2024-10-03T11:00:20.195Z INFO [beat] instance/beat.go:997 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-10-03T08:48:34Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","172.18.0.2/16"],"kernel_version":"5.19.0-1025-aws","mac":["02:42:ac:12:00:02"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2023","major":2023,"minor":5,"patch":20240916},"timezone":"UTC","timezone_offset_sec":0}}}
2024-10-03T11:00:20.196Z INFO [beat] instance/beat.go:1026 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 1266, "ppid": 1262, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-10-03T11:00:19.500Z"}}}
2024-10-03T11:00:20.196Z INFO instance/beat.go:299 Setup Beat: filebeat; Version: 7.10.2
2024-10-03T11:00:20.197Z INFO eslegclient/connection.go:99 elasticsearch url: https://wazuh.indexer:9200
2024-10-03T11:00:20.258Z INFO [publisher] pipeline/module.go:113 Beat name: wazuh.manager
2024-10-03T11:00:20.260Z INFO beater/filebeat.go:117 Enabled modules/filesets: wazuh (alerts), ()
2024-10-03T11:00:20.261Z INFO instance/beat.go:455 filebeat start running.
2024-10-03T11:00:20.261Z INFO memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2024-10-03T11:00:20.262Z INFO memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=17
2024-10-03T11:00:20.264Z INFO [registrar] registrar/registrar.go:109 States Loaded from registrar: 1
2024-10-03T11:00:20.265Z INFO [crawler] beater/crawler.go:71 Loading Inputs: 1
2024-10-03T11:00:20.266Z INFO log/input.go:157 Configured paths: [/var/ossec/logs/alerts/alerts.json]
2024-10-03T11:00:20.266Z INFO [crawler] beater/crawler.go:141 Starting input (ID: 9132358592892857476)
2024-10-03T11:00:20.266Z INFO [crawler] beater/crawler.go:108 Loading and starting Inputs completed. Enabled inputs: 1
2024-10-03T11:00:30.268Z INFO log/harvester.go:302 Harvester started for file: /var/ossec/logs/alerts/alerts.json
2024/10/03 11:00:30 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/10/03 11:00:30 sca: INFO: Security Configuration Assessment scan finished. Duration: 14 seconds.
2024-10-03T11:00:31.269Z INFO [publisher_pipeline_output] pipeline/output.go:143 Connecting to backoff(elasticsearch(https://wazuh.indexer:9200))
2024-10-03T11:00:31.269Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:00:31.269Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T11:00:32.552Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.3:9200: connect: connection refused
2024-10-03T11:00:32.552Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 1 reconnect attempt(s)
2024-10-03T11:00:32.552Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:00:32.552Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T11:00:36.038Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.3:9200: connect: connection refused
2024-10-03T11:00:36.038Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 2 reconnect attempt(s)
2024-10-03T11:00:36.038Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:00:36.039Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T11:00:41.118Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.3:9200: connect: connection refused
2024-10-03T11:00:41.118Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 3 reconnect attempt(s)
2024-10-03T11:00:41.119Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:00:41.119Z INFO [publisher] pipeline/retry.go:223 done
2024/10/03 11:00:42 rootcheck: INFO: Ending rootcheck scan.
2024-10-03T11:00:54.466Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Get "https://wazuh.indexer:9200": dial tcp 172.18.0.3:9200: connect: connection refused
2024-10-03T11:00:54.466Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 4 reconnect attempt(s)
2024-10-03T11:00:54.467Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:00:54.467Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T11:00:55.056Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2024-10-03T11:00:55.061Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2024-10-03T11:00:55.075Z INFO template/load.go:183 Existing template will be overwritten, as overwrite is enabled.
2024-10-03T11:00:55.078Z INFO template/load.go:117 Try loading template wazuh to Elasticsearch
2024-10-03T11:00:55.287Z INFO template/load.go:109 template with name 'wazuh' loaded.
2024-10-03T11:00:55.287Z INFO [index-management] idxmgmt/std.go:298 Loaded index template.
2024-10-03T11:00:55.306Z INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(https://wazuh.indexer:9200)) established
2024/10/03 11:01:19 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh.manager.
2024-10-03T11:02:43.158Z INFO beater/filebeat.go:515 Stopping filebeat
2024-10-03T11:02:43.158Z INFO beater/crawler.go:148 Stopping Crawler
2024-10-03T11:02:43.158Z INFO beater/crawler.go:158 Stopping 1 inputs
2024-10-03T11:02:43.158Z INFO [crawler] beater/crawler.go:163 Stopping input: 9132358592892857476
2024-10-03T11:02:43.158Z INFO input/input.go:136 input ticker stopped
2024-10-03T11:02:43.158Z INFO log/harvester.go:329 Reader was closed: /var/ossec/logs/alerts/alerts.json. Closing.
2024-10-03T11:02:43.158Z INFO beater/crawler.go:178 Crawler stopped
2024-10-03T11:02:43.158Z INFO [registrar] registrar/registrar.go:132 Stopping Registrar
2024-10-03T11:02:43.158Z INFO [registrar] registrar/registrar.go:166 Ending Registrar
2024-10-03T11:02:43.158Z INFO [registrar] registrar/registrar.go:137 Registrar stopped
2024-10-03T11:02:43.162Z INFO instance/beat.go:461 filebeat stopped.
Filebeat exited. code=0
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing...
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
The path /var/ossec/api/configuration is already mounted
/var/ossec/data_tmp/permanent/var/ossec/etc/
The path /var/ossec/etc is already mounted
/var/ossec/data_tmp/permanent/var/ossec/logs/
The path /var/ossec/logs is already mounted
/var/ossec/data_tmp/permanent/var/ossec/queue/
The path /var/ossec/queue is already mounted
/var/ossec/data_tmp/permanent/var/ossec/agentless/
The path /var/ossec/agentless is already mounted
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
find: '/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/': No such file or directory
The path /var/ossec/var/multigroups is empty, skiped
/var/ossec/data_tmp/permanent/var/ossec/integrations/
The path /var/ossec/integrations is already mounted
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
The path /var/ossec/active-response/bin is already mounted
/var/ossec/data_tmp/permanent/var/ossec/wodles/
The path /var/ossec/wodles is already mounted
/var/ossec/data_tmp/permanent/etc/filebeat/
The path /etc/filebeat is already mounted
find: '/proc/227/task/227/fd/6': No such file or directory
find: '/proc/227/task/227/fdinfo/6': No such file or directory
find: '/proc/227/fd/5': No such file or directory
find: '/proc/227/fdinfo/5': No such file or directory
find: '/proc/228/task/228/fd/6': No such file or directory
find: '/proc/228/task/228/fdinfo/6': No such file or directory
find: '/proc/228/fd/5': No such file or directory
find: '/proc/228/fdinfo/5': No such file or directory
find: '/proc/229/task/229/fd/6': No such file or directory
find: '/proc/229/task/229/fdinfo/6': No such file or directory
find: '/proc/229/fd/5': No such file or directory
find: '/proc/229/fdinfo/5': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing...
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing...
Configuring password.
2024/10/03 11:02:54 wazuh-modulesd:router: INFO: Loaded router module.
2024/10/03 11:02:54 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Starting Wazuh v4.9.1...
wazuh-apid: Process 542 not used by Wazuh, removing...
wazuh-apid: Non existent process 543, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 546, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 549, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 543, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 546, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 549, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 543, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 546, removing from /var/ossec/var/run...
wazuh-apid: Non existent process 549, removing from /var/ossec/var/run...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2024/10/03 11:02:59 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
wazuh-modulesd: Process 789 not used by Wazuh, removing...
2024/10/03 11:03:07 wazuh-modulesd:router: INFO: Loaded router module.
2024/10/03 11:03:07 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Started wazuh-modulesd...
Completed.
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
2024/10/03 11:03:08 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/10/03 11:03:08 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/10/03 11:03:08 sca: INFO: Starting Security Configuration Assessment scan.
2024/10/03 11:03:08 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/10/03 11:03:08 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/10/03 11:03:08 wazuh-modulesd:syscollector: INFO: Module started.
2024/10/03 11:03:08 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/10/03 11:03:08 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/10/03 11:03:08 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh.manager.
2024/10/03 11:03:09 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.
starting Filebeat
[services.d] done.
2024-10-03T11:03:11.203Z INFO instance/beat.go:645 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2024-10-03T11:03:11.204Z INFO instance/beat.go:653 Beat ID: 27a53eee-e8b6-46c4-b31d-2786026d6ebf
2024-10-03T11:03:11.206Z INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2024-10-03T11:03:11.206Z INFO [beat] instance/beat.go:981 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "27a53eee-e8b6-46c4-b31d-2786026d6ebf"}}}
2024-10-03T11:03:11.207Z INFO [beat] instance/beat.go:990 Build info {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2024-10-03T11:03:11.207Z INFO [beat] instance/beat.go:993 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.14.12"}}}
2024-10-03T11:03:11.209Z INFO [beat] instance/beat.go:997 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-10-03T08:48:34Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","172.18.0.2/16"],"kernel_version":"5.19.0-1025-aws","mac":["02:42:ac:12:00:02"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2023","major":2023,"minor":5,"patch":20240916},"timezone":"UTC","timezone_offset_sec":0}}}
2024-10-03T11:03:11.210Z INFO [beat] instance/beat.go:1026 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 1483, "ppid": 1479, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2024-10-03T11:03:10.580Z"}}}
2024-10-03T11:03:11.211Z INFO instance/beat.go:299 Setup Beat: filebeat; Version: 7.10.2
2024-10-03T11:03:11.212Z INFO eslegclient/connection.go:99 elasticsearch url: https://wazuh.indexer:9200
2024-10-03T11:03:11.213Z INFO [publisher] pipeline/module.go:113 Beat name: wazuh.manager
2024-10-03T11:03:11.215Z INFO beater/filebeat.go:117 Enabled modules/filesets: wazuh (alerts), ()
2024-10-03T11:03:11.217Z INFO instance/beat.go:455 filebeat start running.
2024-10-03T11:03:11.217Z INFO memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2024-10-03T11:03:11.219Z INFO memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=21
2024-10-03T11:03:11.219Z INFO [registrar] registrar/registrar.go:109 States Loaded from registrar: 1
2024-10-03T11:03:11.220Z INFO [crawler] beater/crawler.go:71 Loading Inputs: 1
2024-10-03T11:03:11.221Z INFO log/input.go:157 Configured paths: [/var/ossec/logs/alerts/alerts.json]
2024-10-03T11:03:11.221Z INFO [crawler] beater/crawler.go:141 Starting input (ID: 9132358592892857476)
2024-10-03T11:03:11.222Z INFO [crawler] beater/crawler.go:108 Loading and starting Inputs completed. Enabled inputs: 1
2024/10/03 11:03:14 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2024/10/03 11:03:14 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds.
2024-10-03T11:03:21.224Z INFO log/harvester.go:302 Harvester started for file: /var/ossec/logs/alerts/alerts.json
2024-10-03T11:03:22.225Z INFO [publisher_pipeline_output] pipeline/output.go:143 Connecting to backoff(elasticsearch(https://wazuh.indexer:9200))
2024-10-03T11:03:22.225Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2024-10-03T11:03:22.225Z INFO [publisher] pipeline/retry.go:223 done
2024-10-03T11:03:22.251Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2024-10-03T11:03:22.256Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2024-10-03T11:03:22.261Z INFO template/load.go:183 Existing template will be overwritten, as overwrite is enabled.
2024-10-03T11:03:22.265Z INFO template/load.go:117 Try loading template wazuh to Elasticsearch
2024-10-03T11:03:22.374Z INFO template/load.go:109 template with name 'wazuh' loaded.
2024-10-03T11:03:22.374Z INFO [index-management] idxmgmt/std.go:298 Loaded index template.
2024-10-03T11:03:22.384Z INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(https://wazuh.indexer:9200)) established
2024/10/03 11:03:24 rootcheck: INFO: Ending rootcheck scan.
```
enekux commented 1 month ago

Hi @Enaraque or @Rolly-M, I am still having the same problem in 4.9.1-rc3. How can I apply a fix? Thank you.

teddytpc1 commented 1 month ago

@enekux, you can use the 4.9.1-rc4 images.

enekux commented 1 month ago

Hi @teddytpc1, now it is working, thanks.