Wazuh manager fails in case some directories do not exist or are not accessible #16315

Open
zbalkan opened this issue Mar 2, 2023 · 2 comments · May be fixed by #22515

Comments

@zbalkan
Contributor

zbalkan commented Mar 2, 2023

Wazuh version | Component     | Install type | Install method | Platform
4.3.10        | Wazuh manager | Manager      | N/A            | Linux / RHEL8

Summary

When default log directories (/var/ossec/logs/alerts or /var/ossec/logs/archives, and subdirectories) are removed or directory permissions are changed, Wazuh manager fails.

Expected behavior

  • When those directories are removed, instead of creating a CRITICAL severity log, the wazuh-manager can create the folders if they do not exist, then create a log with ERROR severity, so that it can continue running reliably.
  • If the permissions are incorrect, wazuh-manager can fix the ownership and file permissions, then create a log with ERROR severity, so that it can continue running reliably.

Note

Wazuh components can run preflight checks for integrity on start such as:

  • Existence of important directories and files
  • Permissions of important directories and files

This was discussed in #15741 before.
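The preflight check the report asks for (existence and permissions of the log directories, repair where possible, ERROR when repaired, CRITICAL only when unrepairable) can be sketched as a small POSIX shell script. This is an added example, not Wazuh's own startup code: the directory list, the `750` mode, the `wazuh:wazuh` owner and the use of GNU `stat -c` are assumptions modelled on the paths in the report, and the real manager's layout and defaults may differ.

```shell
#!/bin/sh
# Added example, not part of Wazuh: preflight integrity check for log directories.
# Assumptions: GNU coreutils (stat -c), directories expected at mode 750,
# owner wazuh:wazuh. Adjust to the real deployment before use.

# log LEVEL MESSAGE: write one severity-tagged line to stderr.
log() { printf '%s %s\n' "$1" "$2" >&2; }

# preflight_dir DIR MODE OWNER
# Make sure DIR exists with octal MODE and OWNER (user:group).
# Returns 0 when healthy (possibly after a logged repair),
# 1 when the state cannot be repaired (CRITICAL).
preflight_dir() {
    dir=$1; mode=$2; owner=$3
    if [ ! -d "$dir" ]; then
        # Recreate instead of aborting; ERROR so operators still notice.
        if mkdir -p "$dir" 2>/dev/null; then
            log ERROR "$dir was missing; recreated"
        else
            log CRITICAL "$dir is missing and cannot be created"
            return 1
        fi
    fi
    actual_mode=$(stat -c '%a' "$dir")
    if [ "$actual_mode" != "$mode" ]; then
        if chmod "$mode" "$dir" 2>/dev/null; then
            log ERROR "$dir had mode $actual_mode; reset to $mode"
        else
            log CRITICAL "$dir has mode $actual_mode and cannot be fixed"
            return 1
        fi
    fi
    actual_owner=$(stat -c '%U:%G' "$dir")
    if [ "$actual_owner" != "$owner" ]; then
        if chown "$owner" "$dir" 2>/dev/null; then
            log ERROR "$dir was owned by $actual_owner; reset to $owner"
        else
            log CRITICAL "$dir is owned by $actual_owner and cannot be fixed"
            return 1
        fi
    fi
    return 0
}

# preflight_all BASE OWNER: check the log tree under BASE.
# The directory list is an assumption based on the paths in the report.
# Returns 1 if any directory is left in an unrepairable (CRITICAL) state.
preflight_all() {
    base=$1; want_owner=$2; status=0
    for d in logs/alerts logs/archives; do
        preflight_dir "$base/$d" 750 "$want_owner" || status=1
    done
    return $status
}

# Usage: sh preflight.sh /var/ossec wazuh:wazuh
# (only runs when a base directory is given, so sourcing the file is safe)
if [ -n "$1" ]; then
    preflight_all "$1" "${2:-wazuh:wazuh}"
fi
```

A non-zero exit from `preflight_all` is the signal to refuse startup (the CRITICAL case); a zero exit with ERROR lines in the log is the "repaired, keep running" case the report proposes.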

@zbalkan
Contributor Author

zbalkan commented Mar 2, 2023

As a side note, locking the directories would highly improve the integrity:

# for /var/ossec/logs/archives
touch /var/ossec/logs/archives/.lock
chattr +i /var/ossec/logs/archives/.lock

# for /var/ossec/logs/alerts
touch /var/ossec/logs/alerts/.lock
chattr +i /var/ossec/logs/alerts/.lock

@zbalkan
Contributor Author

zbalkan commented Mar 2, 2023

In case of CRITICAL errors, it is probably better to crash instead of running in an unreliable state. This is an issue with other problems such as running under a system with no free space (#15493).
