Wazuh Google Cloud integration error #886

Closed
kanwalpreetd opened this issue Nov 5, 2024 · 7 comments

kanwalpreetd commented Nov 5, 2024

I have deployed Wazuh based on the Kubernetes manifests in this repo (using v4.7.5). I have made some adjustments to the manifests, and everything works as expected. I have been able to integrate Wazuh agents and integrate AWS CloudWatch logs, but am running into an issue with the Google Cloud integration.

I am trying to integrate Wazuh with Google Cloud Pub/Sub messaging and ingestion service using the Wazuh module for Google Cloud Pub/Sub. I set up everything on Google Cloud and Wazuh's side using the steps mentioned at: pubsub.html.

While looking at the logs (after enabling debug logging), I saw the following log messages:

Nov 4, 2024 @ 16:38:50.000 wazuh-modulesd:gcp-pubsub DEBUG  Starting fetching of logs.
Nov 4, 2024 @ 16:38:50.000 wazuh-modulesd:gcp-pubsub DEBUG  Create argument list
Nov 4, 2024 @ 16:38:50.000 wazuh-modulesd:gcp-pubsub DEBUG  Launching command: wodles/gcloud/gcloud --integration_type pubsub --project wazuhproject-139305 --subscription_id gcpfindings --credentials_file /var/ossec/wodles/gcloud/credentials.json --max_messages 100 --num_threads 1 --log_level 2
Nov 4, 2024 @ 16:38:51.000 wazuh-modulesd:gcp-pubsub WARNING  Command returned exit code 1
Nov 4, 2024 @ 16:38:51.000 wazuh-modulesd:gcp-pubsub DEBUG  Fetching logs finished.
Nov 4, 2024 @ 16:38:51.000 wazuh-modulesd:gcp-pubsub DEBUG  Sleeping until: 2024/11/05 00:39:50

Since this log didn't show a useful error message, I attached to the running container for wazuh-manager, and ran the following command:

root@wazuh-manager-master-0:/var/ossec# wodles/gcloud/gcloud --integration_type pubsub --project wazuhproject-439604 --subscription_id gcpfindings-sub --credentials_file /var/ossec/wodles/gcloud/credentials.json --max_messages 100 --num_threads 1 --log_level 2
Traceback (most recent call last):
  File "/var/ossec/wodles/gcloud/gcloud.py", line 12, in <module>
    import exceptions
ModuleNotFoundError: No module named 'exceptions'
root@wazuh-manager-master-0:/var/ossec#

As you can see, it seems that the Google Cloud module script doesn't have the necessary Python dependencies installed in the wazuh-manager container. Does that seem correct, or am I missing something?

Note: I have also tried with Kubernetes manifest versions v4.7.0 and v4.5.0, and gotten the same results.

dptaf commented Dec 16, 2024

We're seeing a similar issue with our setup. Running the latest version in a GKE cluster. Here's our issue, would love some help.

Image

MarijnMB commented Jan 16, 2025

Are you running Kubernetes perhaps?

I ran into this error as well. For me the fix was the location of the credentials file: the guide tells you to put the credentials file in /var/ossec/wodles/gcloud/credentials.json, which is actually a directory. When the credentials file is mounted in that directory, the modules aren't installed properly for some reason (I'm seeing the same behaviour with custom rules mounted in /var/ossec/etc/rules/gcp_posture.xml).

Mount your credentials file in /creds.json or some other location outside of the /var/ossec dir to fix this/have a workaround.

Side note: mounting the rules after an initial startup / filling of the storage works too. Not sure if the same can be said for the credentials file.

Member

vcerenu commented Jan 23, 2025

Regarding the errors related to Python scripts used by the Gcloud integration, we had a bug in the v4.10.0 release, which was fixed in v4.10.1 and the error should no longer be generated:

If you cannot update to v4.10.1, you can apply this change to the wazuh-docker repository in v4.10.0, generate your own images and test it.

Regarding the mounting of the credentials.json file, inside the Wazuh manager image we have the /wazuh-config-mount/ directory, which copies all the directories and files that are mounted at startup into the /var/ossec/ directory. An example of this is how we mount the /var/ossec/etc/ossec.conf file in Docker:

- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

Mounting the credentials.json file in /wazuh-config-mount/wodles/gcloud/credentials.json will generate the corresponding permissions within the directory they need.

vcerenu self-assigned this Jan 23, 2025
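
The mount described in the maintainer's comment above, written as a strategic-merge patch (for example with Kustomize) for the Kubernetes deployment. This is an added example, not taken from the thread or from the project's manifests; the namespace, Secret name, volume name and container name are assumptions.

```yaml
# Added example, not from the thread. Assumed names: namespace "wazuh",
# Secret "gcp-pubsub-credentials", volume "gcp-credentials", container
# "wazuh-manager". Create the Secret out of band so the service-account key
# never lands in Git:
#   kubectl -n wazuh create secret generic gcp-pubsub-credentials \
#     --from-file=credentials.json=./credentials.json
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: wazuh-manager-master   # the pod in the report is wazuh-manager-master-0
  namespace: wazuh
spec:
  template:
    spec:
      volumes:
        - name: gcp-credentials
          secret:
            secretName: gcp-pubsub-credentials
      containers:
        - name: wazuh-manager
          volumeMounts:
            # Staging path: per the maintainer's comment, files under
            # /wazuh-config-mount/ are copied into /var/ossec/ at startup,
            # so the module's credentials_file setting stays
            # /var/ossec/wodles/gcloud/credentials.json.
            - name: gcp-credentials
              mountPath: /wazuh-config-mount/wodles/gcloud/credentials.json
              subPath: credentials.json
              readOnly: true
            # Avoid mounting straight into the wodle directory; a commenter
            # in the thread reports the gcloud modules not being installed
            # properly with this target:
            #   mountPath: /var/ossec/wodles/gcloud/credentials.json
```

Because the file is copied at startup and `subPath` mounts do not receive Secret updates, restart the manager pod after rotating the service-account key.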
@MarijnMB

> Mounting the credentials.json file in /wazuh-config-mount/wodles/gcloud/credentials.json will generate the corresponding permissions within the directory they need.

Thank you for this piece of information. Did I miss something in the docs, or is this not documented?

dptaf commented Jan 23, 2025

This bug feels like it predates 4.10.0. I'm on 4.9.0 and have the same issue.

Member

vcerenu commented Jan 23, 2025

@MarijnMB

> Mounting the credentials.json file in /wazuh-config-mount/wodles/gcloud/credentials.json will generate the corresponding permissions within the directory they need.
>
> Thank you for this piece of information. Did I miss something in the docs, or is this not documented?

We don't have any information specifically regarding deployment customization except for information related to communication between Wazuh components, but we are working on that.

@dptaf

> This bug feels like it predates 4.10.0. I'm on 4.9.0 and have the same issue.

You have the same problem, so the solution regarding modifying the build of the images and creating your own images may also be useful for you.

@kanwalpreetd
Author

Thank you, the issue was fixed by updating to v4.10.1. This can be closed.
