Hello,
I am trying to run Graylog together with Wazuh under Docker Compose, so I merged the Graylog and Wazuh services into the same docker-compose config.
Everything starts up, but Graylog is having a hard time connecting to Elasticsearch; I guess it is because the connection uses HTTPS with a username and password.
I need help getting Graylog to trust the Elasticsearch certificate: how do I add it in the docker-compose file?
Below you will find the docker-compose config and the error I got from the Graylog container.
Please advise.
Thanks
docker-compose config
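# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
#
# Combined stack: Wazuh manager / indexer / dashboard plus Graylog and MongoDB,
# with Graylog using the Wazuh indexer (HTTPS + basic auth) as its search
# backend.
#
# NOTE(review): the indexer/API passwords and the Graylog password secret are
# written inline below. Anyone who can read this file (or a paste of it) holds
# them; prefer an env file or Docker secrets kept out of version control, and
# rotate any value that has been shared. If these are sample values from an
# upstream example, change them before publishing any port.
version: '3.7'

services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.3.10
    hostname: wazuh.manager
    restart: always
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      # Filebeat verifies the indexer certificate chain and hostname.
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      # NOTE(review): these four sources are absolute (/config/...) while the
      # other services mount from ./config/...; confirm which is intended. A
      # missing bind source is created by Docker as an empty directory, which
      # would leave the manager without its CA, certificate and key.
      - "/config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem"
      - "/config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem"
      - "/config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key"
      - "/config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf"

  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.3.10
    hostname: wazuh.indexer
    restart: always
    ports:
      # Publishes the indexer REST API on every host interface. Bind it to a
      # specific address (e.g. "127.0.0.1:9200:9200") or drop the mapping if
      # only containers in this stack need to reach it.
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1024m -Xmx1024m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml

  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.3.10
    hostname: wazuh.dashboard
    restart: always
    ports:
      # Quoted so the mapping is always read as a string.
      - "443:5601"
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://wazuh.manager
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      # NOTE(review): absolute source path, unlike the ./config/... mounts
      # around it; confirm which is intended.
      - /config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
    depends_on:
      - wazuh.indexer
    links:
      - wazuh.indexer:wazuh.indexer
      - wazuh.manager:wazuh.manager

  mongodb:
    image: mongo:6.0.3
    # networks:
    #   - graylog
    # DB in share for persistence
    volumes:
      - ./mongo_data:/data/db

  graylog:
    image: graylog/graylog:4.3-jre11
    # journal and config directories in local NFS share for persistence
    # NOTE(review): the container tries to chown this directory at startup;
    # the "Operation not permitted" message reported with this config
    # suggests the share refuses it. Make the host directory writable by the
    # container's user on the host side.
    volumes:
      - ./graylog_journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME (must be at least 16 characters)!
      - GRAYLOG_PASSWORD_SECRET=OQGWOEcM6R027M8rUnoZ
      # Password: admin
      # NOTE(review): this digest does not appear to be SHA-256("admin");
      # confirm which password it actually encodes.
      - GRAYLOG_ROOT_PASSWORD_SHA2=cc98fd7aec95a055a76fd10c8d0cfa6e314b1a1fc5d6141544d29a0c1ba64945
      # NOTE(review): this should be the URL browsers use to reach Graylog;
      # 0.0.0.0 is a bind address and plain http sends logins in clear text.
      # Confirm the intended external address.
      - GRAYLOG_HTTP_EXTERNAL_URI=http://0.0.0.0:9000/
      # In list-form KEY=value entries everything after "=" is the value, so
      # double quotes placed around the URL are passed to Graylog literally
      # and its URI parser fails with "Illegal character in scheme name at
      # index 0". Quote the whole entry instead.
      # Credentials embedded in this URI are echoed in startup errors, so
      # treat Graylog's logs as sensitive.
      - "GRAYLOG_ELASTICSEARCH_HOSTS=https://admin:SecretPassword@wazuh.indexer:9200"
      # TLS trust: the indexer certificate is issued by the private root CA
      # mounted into the other services (root-ca.pem), which the JVM in the
      # Graylog image does not trust by default. Import that CA into a Java
      # truststore, mount the truststore read-only into this service, and
      # point the JVM at it. Paths and password below are placeholders:
      #   volumes:
      #     - ./PLACEHOLDER/graylog-truststore.jks:/PLACEHOLDER/truststore.jks:ro
      #   environment:
      #     - "GRAYLOG_SERVER_JAVA_OPTS=-Djavax.net.ssl.trustStore=/PLACEHOLDER/truststore.jks -Djavax.net.ssl.trustStorePassword=PLACEHOLDER"
      # Setting GRAYLOG_SERVER_JAVA_OPTS presumably replaces the image's
      # default JVM options (verify and re-add heap settings if so). The
      # certificate must also be valid for the hostname wazuh.indexer. Keep
      # certificate verification enabled; trusting the CA is the fix.
    # wait-for-it expects host:port, not a URL; given
    # "https://wazuh.indexer:9200" it waited on "https://wazuh.indexer" and
    # timed out after 15 seconds.
    entrypoint: /usr/bin/tini -- wait-for-it wazuh.indexer:9200 -- /docker-entrypoint.sh
    # networks:
    #   - graylog
    links:
      - mongodb:mongo
      - wazuh.indexer
    restart: always
    depends_on:
      - mongodb
      - wazuh.indexer
    ports:
      # Graylog web interface and REST API
      - "9000:9000"
      # Syslog TCP
      - "1516:1514"
      # Syslog UDP
      - "1516:1514/udp"
      # GELF TCP
      - "12201:12201"
      # GELF UDP
      - "12201:12201/udp"

volumes:
  wazuh_api_configuration:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:
  wazuh-indexer-data:
  # NOTE(review): mongo_data, es_data and graylog_journal are declared here
  # but no service references them; mongodb and graylog use the bind mounts
  # ./mongo_data and ./graylog_journal instead.
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local

networks:
  # Only referenced from commented-out lines in the services above.
  graylog:
    driver: bridge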
error
Warning can not change owner to graylog:graylog
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
2022-11-26 21:08:50,768 INFO : org.graylog2.featureflag.ImmutableFeatureFlagsCollector - Following feature flags are used: {}
2022-11-26 21:08:51,115 ERROR: org.graylog2.bootstrap.CmdLineTool - Invalid configuration
com.github.joschi.jadconfig.ParameterException: Couldn't convert value for parameter "elasticsearch_hosts"
at com.github.joschi.jadconfig.JadConfig.processClassFields(JadConfig.java:141) ~[graylog.jar:?]
at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:99) ~[graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.processConfiguration(CmdLineTool.java:465) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:271) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:45) [graylog.jar:?]
Caused by: com.github.joschi.jadconfig.ParameterException: Illegal character in scheme name at index 0: "https://admin:SecretPassword@wazuh.indexer:9200"
at org.graylog2.configuration.converters.URIListConverter.constructURIFromString(URIListConverter.java:66) ~[graylog.jar:?]
at java.util.stream.ReferencePipeline$3$1.accept(Unknown Source) ~[?:?]
at java.util.Iterator.forEachRemaining(Unknown Source) ~[?:?]
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Unknown Source) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(Unknown Source) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source) ~[?:?]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(Unknown Source) ~[?:?]
at java.util.stream.ReferencePipeline.collect(Unknown Source) ~[?:?]
at org.graylog2.configuration.converters.URIListConverter.convertFrom(URIListConverter.java:48) ~[graylog.jar:?]
at org.graylog2.configuration.converters.URIListConverter.convertFrom(URIListConverter.java:32) ~[graylog.jar:?]
at com.github.joschi.jadconfig.JadConfig.convertStringValue(JadConfig.java:167) ~[graylog.jar:?]
at com.github.joschi.jadconfig.JadConfig.processClassFields(JadConfig.java:139) ~[graylog.jar:?]
... 4 more
Caused by: java.net.URISyntaxException: Illegal character in scheme name at index 0: "https://admin:SecretPassword@wazuh.indexer:9200"
at java.net.URI$Parser.fail(Unknown Source) ~[?:?]
at java.net.URI$Parser.checkChars(Unknown Source) ~[?:?]
at java.net.URI$Parser.checkChar(Unknown Source) ~[?:?]
at java.net.URI$Parser.parse(Unknown Source) ~[?:?]
at java.net.URI.<init>(Unknown Source) ~[?:?]
at org.graylog2.configuration.converters.URIListConverter.constructURIFromString(URIListConverter.java:64) ~[graylog.jar:?]
at java.util.stream.ReferencePipeline$3$1.accept(Unknown Source) ~[?:?]
at java.util.Iterator.forEachRemaining(Unknown Source) ~[?:?]
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Unknown Source) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(Unknown Source) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source) ~[?:?]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(Unknown Source) ~[?:?]
at java.util.stream.ReferencePipeline.collect(Unknown Source) ~[?:?]
at org.graylog2.configuration.converters.URIListConverter.convertFrom(URIListConverter.java:48) ~[graylog.jar:?]
at org.graylog2.configuration.converters.URIListConverter.convertFrom(URIListConverter.java:32) ~[graylog.jar:?]
at com.github.joschi.jadconfig.JadConfig.convertStringValue(JadConfig.java:167) ~[graylog.jar:?]
at com.github.joschi.jadconfig.JadConfig.processClassFields(JadConfig.java:139) ~[graylog.jar:?]
... 4 more
wait-for-it: waiting 15 seconds for https://wazuh.indexer
wait-for-it: timeout occurred after waiting 15 seconds for https://wazuh.indexer
chown: changing ownership of '/usr/share/graylog/data/journal': Operation not permitted