Closed dverbeek84 closed 6 years ago
Hi @dverbeek84 which OS are you using to mount the folder?
CentOS Linux release 7.4.1708 (Core), running on AWS with a mounted EFS (NFSv4)
Hello @dverbeek84, sorry for the late response. We just released a new version with Wazuh 2.1.1, could you try again? Is the EFS an AWS volume as well?
It is working 👍
Hello @jlruizmlg !
I'm running Wazuh 3.6.1 in Kubernetes and I'm trying to mount an AWS EFS to the Wazuh Master manager, so Kubernetes can schedule the pod on any node.
My diff:
--- a/wazuh-master-sts.yaml
+++ b/wazuh-master-sts.yaml
@@ -30,6 +30,10 @@ spec:
filebeat_conf_cm_version: '@(filebeat_conf_cm_version)'
spec:
volumes:
+ - name: wazuh-master-efs
+ nfs:
+ path: /
+ server: {{ undef "<computed>" .efs_dns_name }}
- name: ossec-conf
secret:
secretName: wazuh-master-conf
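Review bot: the new `wazuh-master-efs` volume exports the root of the file system (`path: /`) to the pod, so everything the entrypoint copies into `/var/ossec/data` (including `etc/authd.pass`) is reachable by any other client allowed to mount that EFS target; consider pointing `path:` at a dedicated subdirectory for the master and restricting the mount target's security group to the Kubernetes nodes. A plain `nfs:` volume also has nowhere to set mount options, so the share is mounted as ordinary NFSv4 rather than through the EFS mount helper with TLS. Finally, make sure the template fails to render when `.efs_dns_name` is unset instead of emitting the `<computed>` placeholder as the `server:` value.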
@@ -87,9 +91,9 @@ spec:
mountPath: /etc/filebeat/filebeat.yml
subPath: filebeat.yml
readOnly: true
- - name: data
+ - name: wazuh-master-efs
mountPath: /var/ossec/data
- - name: data
+ - name: wazuh-master-efs
mountPath: /etc/postfix
ports:
- containerPort: 1515
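Review bot: both container mounts reference the same volume without a `subPath`, so `/var/ossec/data` and `/etc/postfix` now resolve to the root of the EFS share and see each other's files (this was already true of the old `data` claim, but the new volume is shared more widely). If Postfix state is meant to be separate, give the second mount `subPath: postfix` or its own volume.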
@@ -98,14 +102,3 @@ spec:
name: cluster
- containerPort: {{ .api_port }}
name: api
- volumeClaimTemplates:
- - metadata:
- name: data
- namespace: '@(namespace)'
- spec:
- accessModes:
- - ReadWriteOnce
- storageClassName: gp2-encrypted-retained
- resources:
- requests:
- storage: 50Gi
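Review bot: removing the `volumeClaimTemplates` also drops the `gp2-encrypted-retained` storage class, which encoded two guarantees (encryption at rest and retention after pod deletion) that the new `nfs:` volume does not express anywhere in the manifest. Note in the change, or in a comment next to the volume, that the EFS file system is created with encryption at rest and that retention and backup are handled outside Kubernetes, so a later reader does not miss that the posture now depends on the AWS side. Since every replica of the StatefulSet would now mount the same EFS root, also confirm that the master is meant to stay at a single replica.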
On boot, I get the following logs:
(wazuh_env) wks-000671:wazuh_manager jplachance$ kubectl logs wazuh-master-0 -f
rm: cannot remove '/var/ossec/queue/db/.template.db': No such file or directory
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/authd.pass' -> '/var/ossec/data/etc/authd.pass'
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/data/etc/ossec.conf'
'/wazuh-config-mount/etc/rules/local_rules.xml' -> '/var/ossec/data/etc/rules/local_rules.xml'
'/wazuh-config-mount/etc/shared/default/agent.conf' -> '/var/ossec/data/etc/shared/default/agent.conf'
Performing Wazuh API port and credentials setup
### Wazuh API Configuration ###
Using 55000 port.
Adding password for user wazuh-manager.
Configuration changed.
Restarting API.
### [Configuration changed] ###
sed: cannot rename /etc/filebeat/sed5XD4r4: Device or resource busy
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/my_init.d/10_syslog-ng.init...
May 29 01:45:10 wazuh-master-0 syslog-ng[62]: syslog-ng starting up; version='3.13.2'
*** Booting runit daemon...
*** Runit started as PID 71
WAZUH-API is already running.
Starting Wazuh v3.6.1 (maintained by Wazuh Inc.)...
WazuhAPI 2019-05-29 01:32:38 : [::ffff:100.97.72.192] GET /cluster/config? - 200 - error: '0'.
2019-05-29T01:45:11.083Z INFO instance/beat.go:611 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2019-05-29T01:45:11.094Z INFO instance/beat.go:618 Beat UUID: 01c8840b-7480-4011-b424-a7a5ce2fe505
2019-05-29T01:45:11.094Z INFO [beat] instance/beat.go:931 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "01c8840b-7480-4011-b424-a7a5ce2fe505"}}}
2019-05-29T01:45:11.094Z INFO [beat] instance/beat.go:940 Build info {"system_info": {"build": {"commit": "1d55b4bd9dbf106a4ad4bc34fe9ee425d922363b", "libbeat": "6.7.1", "time": "2019-04-02T15:01:15.000Z", "version": "6.7.1"}}}
2019-05-29T01:45:11.094Z INFO [beat] instance/beat.go:943 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":16,"version":"go1.10.8"}}}
May 29 01:45:11 wazuh-master-0 cron[77]: (CRON) INFO (pidfile fd = 3)
2019-05-29T01:45:11.095Z INFO [beat] instance/beat.go:947 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-05-28T14:06:27Z","containerized":true,"name":"wazuh-master-0","ip":["127.0.0.1/8","::1/128","100.96.206.27/32","fe80::b043:96ff:fef8:2c7f/64"],"kernel_version":"4.15.0-1035-aws","mac":["b2:43:96:f8:2c:7f"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.2 LTS (Bionic Beaver)","major":18,"minor":4,"patch":2,"codename":"bionic"},"timezone":"UTC","timezone_offset_sec":0}}}
May 29 01:45:11 wazuh-master-0 cron[77]: (CRON) INFO (Running @reboot jobs)
2019-05-29T01:45:11.096Z INFO [beat] instance/beat.go:976 Process info {"system_info": {"process": {"capabilities": {"inheritable":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 108, "ppid": 102, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2019-05-29T01:45:10.070Z"}}}
2019-05-29T01:45:11.096Z INFO instance/beat.go:280 Setup Beat: filebeat; Version: 6.7.1
2019-05-29T01:45:11.097Z INFO [publisher] pipeline/module.go:110 Beat name: wazuh-master-0
Config OK
tail: cannot open '/var/log/filebeat/filebeat' for reading: No such file or directory
tail: no files remaining
2019-05-29T01:45:12.127Z INFO instance/beat.go:611 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2019-05-29T01:45:12.127Z INFO instance/beat.go:618 Beat UUID: 01c8840b-7480-4011-b424-a7a5ce2fe505
2019-05-29T01:45:12.127Z INFO [beat] instance/beat.go:931 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "01c8840b-7480-4011-b424-a7a5ce2fe505"}}}
2019-05-29T01:45:12.127Z INFO [beat] instance/beat.go:940 Build info {"system_info": {"build": {"commit": "1d55b4bd9dbf106a4ad4bc34fe9ee425d922363b", "libbeat": "6.7.1", "time": "2019-04-02T15:01:15.000Z", "version": "6.7.1"}}}
2019-05-29T01:45:12.127Z INFO [beat] instance/beat.go:943 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":16,"version":"go1.10.8"}}}
2019-05-29T01:45:12.129Z INFO [beat] instance/beat.go:947 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-05-28T14:06:27Z","containerized":true,"name":"wazuh-master-0","ip":["127.0.0.1/8","::1/128","100.96.206.27/32","fe80::b043:96ff:fef8:2c7f/64"],"kernel_version":"4.15.0-1035-aws","mac":["b2:43:96:f8:2c:7f"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.2 LTS (Bionic Beaver)","major":18,"minor":4,"patch":2,"codename":"bionic"},"timezone":"UTC","timezone_offset_sec":0}}}
2019-05-29T01:45:12.129Z INFO [beat] instance/beat.go:976 Process info {"system_info": {"process": {"capabilities": {"inheritable":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 146, "ppid": 145, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2019-05-29T01:45:11.120Z"}}}
2019-05-29T01:45:12.129Z INFO instance/beat.go:280 Setup Beat: filebeat; Version: 6.7.1
2019-05-29T01:45:12.130Z INFO [publisher] pipeline/module.go:110 Beat name: wazuh-master-0
Config OK
/usr/share/filebeat/bin/filebeat-god already running.
2019-05-29T01:45:11.122Z INFO [publisher] pipeline/module.go:110 Beat name: wazuh-master-0
2019-05-29T01:45:11.122Z INFO instance/beat.go:402 filebeat start running.
2019-05-29T01:45:11.122Z INFO registrar/registrar.go:97 No registry file found under: /var/lib/filebeat/registry. Creating a new registry file.
2019-05-29T01:45:11.126Z INFO registrar/registrar.go:134 Loading registrar data from /var/lib/filebeat/registry
2019-05-29T01:45:11.126Z INFO registrar/registrar.go:141 States Loaded from registrar: 0
2019-05-29T01:45:11.126Z WARN beater/filebeat.go:367 Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2019-05-29T01:45:11.126Z INFO crawler/crawler.go:72 Loading Inputs: 1
2019-05-29T01:45:11.126Z INFO log/input.go:138 Configured paths: [/var/ossec/logs/alerts/alerts.json]
2019-05-29T01:45:11.126Z INFO input/input.go:114 Starting input of type: log; ID: 13571056894027297000
2019-05-29T01:45:11.126Z INFO crawler/crawler.go:106 Loading and starting Inputs completed. Enabled inputs: 1
WazuhAPI 2019-05-29 01:45:13 : Listening on: https://:::55000
Started ossec-authd...
wazuh-db: Process 2717 not used by ossec, removing...
Started wazuh-db...
ossec-execd: Process 2731 not used by ossec, removing...
Started ossec-execd...
ossec-analysisd: Process 2737 not used by ossec, removing...
Started ossec-analysisd...
ossec-syscheckd: Process 2742 not used by ossec, removing...
Started ossec-syscheckd...
ossec-remoted: Process 2748 not used by ossec, removing...
Started ossec-remoted...
ossec-logcollector: Process 2767 not used by ossec, removing...
Started ossec-logcollector...
ossec-monitord: Process 2771 not used by ossec, removing...
Started ossec-monitord...
wazuh-modulesd: Process 2775 not used by ossec, removing...
Started wazuh-modulesd...
Started wazuh-clusterd...
Completed.
2019/05/29 01:45:17 rootcheck: CRITICAL: (1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2019/05/29 01:45:17 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0085-pam_rules.xml'
2019/05/29 01:45:17 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0090-telnetd_rules.xml'
2019/05/29 01:45:17 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0095-sshd_rules.xml'
2019/05/29 01:45:17 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0100-solaris_bsm_rules.xml'
2019/05/29 01:45:17 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0105-asterisk_rules.xml'
2019/05/29 01:45:17 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0110-ms_dhcp_rules.xml'
2019/05/29 01:45:17 wazuh-modulesd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/29 01:45:17 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0115-arpwatch_rules.xml'
2019/05/29 01:45:17 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0120-symantec-av_rules.xml'
2019/05/29 01:45:17 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0125-symantec-ws_rules.xml'
2019/05/29 01:45:17 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0130-trend-osce_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0135-hordeimp_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0140-roundcube_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0145-wordpress_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0150-cimserver_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0155-dovecot_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0160-vmpop3d_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0165-vpopmail_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0170-ftpd_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0175-proftpd_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0180-pure-ftpd_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0185-vsftpd_rules.xml'
2019/05/29 01:45:18 ossec-remoted: ERROR: (1210): Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0190-ms_ftpd_rules.xml'
2019/05/29 01:45:18 ossec-remoted: CRITICAL: (1211): Unable to access queue: '/queue/ossec/queue'. Giving up..
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0195-named_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0200-smbd_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0205-racoon_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0210-vpn_concentrator_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0220-msauth_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0225-mcafee_av_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0230-ms-se_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0235-vmware_rules.xml'
2019/05/29 01:45:18 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0240-ids_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0245-web_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0250-apache_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0255-zeus_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0260-nginx_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0265-php_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0270-web_appsec_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0275-squid_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0280-attack_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0285-systemd_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0290-firewalld_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0295-mysql_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0300-postgresql_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0305-dropbear_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0310-openbsd_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0315-apparmor_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0320-clam_av_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0325-opensmtpd_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0330-sysmon_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0335-unbound_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0340-puppet_rules.xml'
2019/05/29 01:45:19 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0345-netscaler_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0350-amazon_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0360-serv-u_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0365-auditd_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0375-usb_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0380-redis_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0385-oscap_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0390-fortigate_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0395-hp_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0400-openvpn_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0405-rsa-auth-manager_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0410-imperva_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0415-sophos_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0420-freeipa_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0425-cisco-estreamer_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0430-ms_wdefender_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0435-ms_logs_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0440-ms_sqlserver_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0445-identity_guard_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0450-mongodb_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0455-docker_rules.xml'
2019/05/29 01:45:20 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0460-jenkins_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0470-vshell_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0475-suricata_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0480-qualysguard_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0485-cylance_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0490-virustotal_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0495-proxmox-ve_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0500-owncloud_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0505-vuls_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0510-ciscat_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0515-exim_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0520-vulnerability-detector.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0525-openvas_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0530-mysql_audit_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0535-mariadb_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0540-pfsense_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0545-osquery_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0550-kaspersky_rules.xml'
2019/05/29 01:45:21 ossec-analysisd: INFO: Reading rules file: 'etc/rules/local_rules.xml'
2019/05/29 01:45:21 wazuh-modulesd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/29 01:45:21 ossec-analysisd: INFO: Total rules enabled: '2178'
2019/05/29 01:45:21 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2019/05/29 01:45:21 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2019/05/29 01:45:21 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2019/05/29 01:45:21 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2019/05/29 01:45:21 ossec-analysisd: INFO: Ignoring file: '/etc/random.seed'
2019/05/29 01:45:21 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2019/05/29 01:45:22 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2019/05/29 01:45:22 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2019/05/29 01:45:22 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2019/05/29 01:45:22 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2019/05/29 01:45:22 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2019/05/29 01:45:22 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2019/05/29 01:45:22 ossec-analysisd: INFO: Ignoring file: '/sys/kernel/security'
2019/05/29 01:45:22 ossec-analysisd: INFO: Ignoring file: '/sys/kernel/debug'
2019/05/29 01:45:22 ossec-analysisd: INFO: Started (pid: 205).
2019/05/29 01:45:22 wazuh-modulesd:syscollector: INFO: Module started.
2019/05/29 01:45:23 ossec-logcollector: INFO: Monitoring output of command(360): df -P
2019/05/29 01:45:23 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2019/05/29 01:45:23 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 20
2019/05/29 01:45:23 ossec-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2019/05/29 01:45:23 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
2019/05/29 01:45:23 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2019/05/29 01:45:23 ossec-logcollector: INFO: Started (pid: 227).
2019/05/29 01:45:23 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/05/29 01:45:26 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019-05-29T01:45:31.180Z INFO log/harvester.go:255 Harvester started for file: /var/ossec/logs/alerts/alerts.json
2019-05-29T01:45:32.184Z INFO pipeline/output.go:95 Connecting to backoff(async(tcp://wazuh-logstash-1.wazuh-logstash.csec.svc.cluster.local:5000))
2019-05-29T01:45:32.184Z INFO pipeline/output.go:95 Connecting to backoff(async(tcp://wazuh-logstash-0.wazuh-logstash.csec.svc.cluster.local:5000))
2019-05-29T01:45:32.185Z INFO pipeline/output.go:95 Connecting to backoff(async(tcp://wazuh-logstash-0.wazuh-logstash.csec.svc.cluster.local:5000))
2019-05-29T01:45:32.185Z INFO pipeline/output.go:95 Connecting to backoff(async(tcp://wazuh-logstash-1.wazuh-logstash.csec.svc.cluster.local:5000))
2019-05-29T01:45:32.187Z INFO pipeline/output.go:105 Connection to backoff(async(tcp://wazuh-logstash-0.wazuh-logstash.csec.svc.cluster.local:5000)) established
2019-05-29T01:45:32.187Z INFO pipeline/output.go:105 Connection to backoff(async(tcp://wazuh-logstash-0.wazuh-logstash.csec.svc.cluster.local:5000)) established
2019-05-29T01:45:32.188Z INFO pipeline/output.go:105 Connection to backoff(async(tcp://wazuh-logstash-1.wazuh-logstash.csec.svc.cluster.local:5000)) established
2019-05-29T01:45:32.188Z INFO pipeline/output.go:105 Connection to backoff(async(tcp://wazuh-logstash-1.wazuh-logstash.csec.svc.cluster.local:5000)) established
I feel like, because of the EFS slowness, some services are not starting as fast as they do when using an EBS, and Queue '/queue/ossec/queue' is not accessible at the moment it should be.
If I exec on the wazuh master pod and call /var/ossec/bin/ossec-control start, ossec-remoted starts as expected.
How can I make it work? :) Adding a second /var/ossec/bin/ossec-control start in the entrypoint would do the trick, but it doesn't look super clean :)
Thanks in advance for your help!
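A guarded entrypoint helper, added here as an example (it is not code from this issue or from the wazuh-docker image): instead of running ossec-control start twice unconditionally, it starts the manager, polls for the analysisd queue socket that the logs above report as unreachable, and performs a single restart only if the socket never appears. The paths in OSSEC_CONTROL and QUEUE_SOCKET and the 30 s timeouts are assumptions.

```shell
#!/bin/sh
# Example entrypoint helper (assumed paths, not the image's own script).
OSSEC_CONTROL="${OSSEC_CONTROL:-/var/ossec/bin/ossec-control}"
QUEUE_SOCKET="${QUEUE_SOCKET:-/var/ossec/queue/ossec/queue}"

# wait_for TEST PATH TIMEOUT
# Polls once per second until "test TEST PATH" succeeds, e.g. -S for a
# Unix domain socket or -d for a directory that a slow NFS mount has to
# expose first. Returns 0 once the check passes, 1 after TIMEOUT seconds.
wait_for() {
  op="$1"; path="$2"; timeout="${3:-60}"
  elapsed=0
  while ! test "$op" "$path"; do
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "wait_for: $path (test $op) not ready after ${timeout}s" >&2
      return 1
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 0
}

# start_manager: start the manager, then verify that the queue socket
# appears. On a network-backed /var/ossec (EFS in this issue) daemons such
# as ossec-remoted can give up before analysisd has created the socket;
# in that case the manager is restarted exactly once, and the exit status
# of the final check tells the caller whether startup really succeeded.
start_manager() {
  "$OSSEC_CONTROL" start
  if wait_for -S "$QUEUE_SOCKET" 30; then
    return 0
  fi
  echo "queue socket still missing, restarting manager once" >&2
  "$OSSEC_CONTROL" restart
  wait_for -S "$QUEUE_SOCKET" 30
}
# In the real entrypoint, call start_manager in place of the bare
# "ossec-control start" and fail the container if it returns non-zero.
```

Because the function returns non-zero on timeout, the pod goes into a crash loop that is visible in kubectl instead of running a manager whose remoted silently gave up.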
When I mount the /var/ossec/data folder I get the following issue:
When I change
to
in the /tmp/run.sh, I don't have the issue. Yes, I start it twice.