paulmataruso/wazuh-docker-orginal
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-docker.git synced 2025-11-01 12:33:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Revert "BACKPORT: Agent Docker images code"

Browse Source
This commit is contained in:
Victor Ereñú
2025-05-21 00:40:56 +10:00
committed by GitHub
parent ee23975bd7
commit 34679bc91b
12 changed files with 21 additions and 469 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/.goss.yaml vendored
View File

@@ -56,7 +56,7 @@ package:
wazuh-manager:
installed: true
versions:
- 4.10.2
- 4.10.2-1
port:
tcp:1514:
listening: true

4
.github/workflows/Procedure_push_docker_images.yml vendored
View File

@@ -14,7 +14,7 @@ on:
required: false
products:
description: 'Comma-separated list of the image names to build and push'
default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer,wazuh-agent'
default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer'
required: true
filebeat_module_version:
description: 'Filebeat module version'
@@ -52,7 +52,7 @@ on:
type: string
products:
description: 'Comma-separated list of the image names to build and push'
default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer,wazuh-agent'
default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer'
required: true
type: string
filebeat_module_version:

78
.github/workflows/push.yml vendored
View File

@@ -8,7 +8,7 @@ jobs:
steps:
- name: Check out code
uses: actions/checkout@v4
uses: actions/checkout@v3
- name: Install docker-compose
run: |
@@ -27,36 +27,28 @@ jobs:
docker save wazuh/wazuh-manager:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-manager.tar
docker save wazuh/wazuh-indexer:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-indexer.tar
docker save wazuh/wazuh-dashboard:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-dashboard.tar
docker save wazuh/wazuh-agent:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-agent.tar
- name: Temporarily save Wazuh manager Docker image
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v3
with:
name: docker-artifact-manager
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-manager.tar
retention-days: 1
- name: Temporarily save Wazuh indexer Docker image
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v3
with:
name: docker-artifact-indexer
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-indexer.tar
retention-days: 1
- name: Temporarily save Wazuh dashboard Docker image
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v3
with:
name: docker-artifact-dashboard
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-dashboard.tar
retention-days: 1
- name: Temporarily save Wazuh agent Docker image
uses: actions/upload-artifact@v4
with:
name: docker-artifact-agent
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-agent.tar
retention-days: 1
- name: Install Goss
uses: e1himself/goss-installation-action@v1.0.3
with:
@@ -74,7 +66,7 @@ jobs:
steps:
- name: Check out code
uses: actions/checkout@v4
uses: actions/checkout@v3
- name: Install docker-compose
run: |
@@ -85,31 +77,26 @@ jobs:
run: cat .env > $GITHUB_ENV
- name: Retrieve saved Wazuh indexer Docker image
uses: actions/download-artifact@v4
uses: actions/download-artifact@v3
with:
name: docker-artifact-indexer
- name: Retrieve saved Wazuh manager Docker image
uses: actions/download-artifact@v4
uses: actions/download-artifact@v3
with:
name: docker-artifact-manager
- name: Retrieve saved Wazuh dashboard Docker image
uses: actions/download-artifact@v4
uses: actions/download-artifact@v3
with:
name: docker-artifact-dashboard
- name: Retrieve saved Wazuh agent Docker image
uses: actions/download-artifact@v4
with:
name: docker-artifact-agent
- name: Docker load
run: |
docker load --input ./wazuh-indexer.tar
docker load --input ./wazuh-dashboard.tar
docker load --input ./wazuh-manager.tar
docker load --input ./wazuh-agent.tar
- name: Create single node certficates
run: docker-compose -f single-node/generate-indexer-certs.yml run --rm generator
@@ -198,20 +185,7 @@ jobs:
exit 1
fi
- name: Modify Docker endpoint into Wazuh agent docker-compose.yml file
run: sed -i "s/<WAZUH_MANAGER_IP>/$(ip addr show docker0 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)/g" wazuh-agent/docker-compose.yml
- name: Start Wazuh agent
run: docker-compose -f wazuh-agent/docker-compose.yml up -d
- name: Check Wazuh agent enrollment
run: |
sleep 20
curl -k -s -X GET "https://localhost:55000/agents?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}"
env:
TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
- name: Check errors in ossec.log for Wazuh manager
- name: Check errors in ossec.log
run: ./.github/single-node-log-check.sh
check-multi-node:
@@ -220,7 +194,7 @@ jobs:
steps:
- name: Check out code
uses: actions/checkout@v4
uses: actions/checkout@v3
- name: Install docker-compose
run: |
@@ -235,35 +209,30 @@ jobs:
sudo swapoff -a
sudo rm -f /swapfile
sudo apt clean
docker rmi $(docker image ls -aq)
df -h
- name: Retrieve saved Wazuh dashboard Docker image
uses: actions/download-artifact@v4
uses: actions/download-artifact@v3
with:
name: docker-artifact-dashboard
- name: Retrieve saved Wazuh manager Docker image
uses: actions/download-artifact@v4
uses: actions/download-artifact@v3
with:
name: docker-artifact-manager
- name: Retrieve saved Wazuh indexer Docker image
uses: actions/download-artifact@v4
uses: actions/download-artifact@v3
with:
name: docker-artifact-indexer
- name: Retrieve saved Wazuh agent Docker image
uses: actions/download-artifact@v4
with:
name: docker-artifact-agent
- name: Docker load
run: |
docker load --input ./wazuh-manager.tar
docker load --input ./wazuh-indexer.tar
docker load --input ./wazuh-dashboard.tar
docker load --input ./wazuh-agent.tar
rm -rf wazuh-manager.tar wazuh-indexer.tar wazuh-dashboard.tar wazuh-agent.tar
rm -rf wazuh-manager.tar wazuh-indexer.tar wazuh-dashboard.tar
- name: Create multi node certficates
run: docker-compose -f multi-node/generate-indexer-certs.yml run --rm generator
@@ -370,18 +339,5 @@ jobs:
exit 1
fi
- name: Modify Docker endpoint into Wazuh agent docker-compose.yml file
run: sed -i "s/<WAZUH_MANAGER_IP>/$(ip addr show docker0 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)/g" wazuh-agent/docker-compose.yml
- name: Start Wazuh agent
run: docker-compose -f wazuh-agent/docker-compose.yml up -d
- name: Check Wazuh agent enrollment
run: |
sleep 20
curl -k -s -X GET "https://localhost:55000/agents?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}"
env:
TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
- name: Check errors in ossec.log for Wazuh manager
- name: Check errors in ossec.log
run: ./.github/multi-node-log-check.sh

2
CHANGELOG.md
View File

@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
### Added
- BACKPORT: Agent Docker images code ([#1807](https://github.com/wazuh/wazuh-docker/pull/1807))
- None
### Changed

10
build-docker-images/build-images.yml
View File

@@ -36,16 +36,6 @@ services:
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
wazuh.agent:
build:
context: wazuh-agent/
args:
WAZUH_VERSION: ${WAZUH_VERSION}
WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
image: wazuh/wazuh-agent:${WAZUH_IMAGE_VERSION}
hostname: wazuh.manager
restart: always
wazuh.indexer:
build:
context: wazuh-indexer/

36
build-docker-images/wazuh-agent/Dockerfile
View File

@@ -1,36 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM amazonlinux:2023
RUN rm /bin/sh && ln -s /bin/bash /bin/sh
ARG WAZUH_VERSION
ARG WAZUH_TAG_REVISION
ARG S6_VERSION="v2.2.0.3"
ARG WAZUH_MANAGER='CHANGE_MANAGER_IP'
ARG WAZUH_MANAGER_PORT='CHANGE_MANAGER_PORT'
ARG WAZUH_REGISTRATION_SERVER='CHANGE_ENROLL_IP'
ARG WAZUH_REGISTRATION_PORT='CHANGE_ENROLL_PORT'
ARG WAZUH_AGENT_NAME='CHANGEE_AGENT_NAME'
COPY config/check_repository.sh /
RUN yum install curl-minimal tar gzip procps -y &&\
yum clean all
RUN chmod 775 /check_repository.sh
RUN source /check_repository.sh
RUN yum install wazuh-agent-${WAZUH_VERSION}-${WAZUH_TAG_REVISION} -y && \
yum clean all && \
sed -i '/<authorization_pass_path>/d' /var/ossec/etc/ossec.conf && \
curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
-o /tmp/s6-overlay-amd64.tar.gz && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
rm /tmp/s6-overlay-amd64.tar.gz
COPY config/etc/ /etc/
RUN rm /etc/yum.repos.d/wazuh.repo
ENTRYPOINT [ "/init" ]

15
build-docker-images/wazuh-agent/config/check_repository.sh
View File

@@ -1,15 +0,0 @@
## variables
APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1"
WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags | grep '["]ref["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 11- | grep ^v${WAZUH_VERSION}$)
## check tag to use the correct repository
if [[ -n "${WAZUH_TAG}" ]]; then
APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1"
fi
rpm --import "${APT_KEY}"
echo -e "${REPOSITORY}" | tee /etc/yum.repos.d/wazuh.repo

90
build-docker-images/wazuh-agent/config/etc/cont-init.d/0-wazuh-init
View File

@@ -1,90 +0,0 @@
#!/usr/bin/with-contenv bash
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
WAZUH_INSTALL_PATH=/var/ossec
WAZUH_CONFIG_MOUNT=/wazuh-config-mount
WAZUH_MANAGER_SERVER=$WAZUH_MANAGER_SERVER
WAZUH_MANAGER_PORT=${WAZUH_MANAGER_PORT:-"1514"}
WAZUH_REGISTRATION_SERVER=${WAZUH_REGISTRATION_SERVER:-$WAZUH_MANAGER_SERVER}
WAZUH_REGISTRATION_PORT=${WAZUH_REGISTRATION_PORT:-"1515"}
WAZUH_REGISTRATION_PASSWORD=$WAZUH_REGISTRATION_PASSWORD
WAZUH_AGENT_NAME=${WAZUH_AGENT_NAME:-"wazuh-agent-$HOSTNAME"}
##############################################################################
# Aux functions
##############################################################################
print() {
echo -e $1
}
error_and_exit() {
echo "Error executing command: '$1'."
echo 'Exiting.'
exit 1
}
exec_cmd() {
eval $1 > /dev/null 2>&1 || error_and_exit "$1"
}
exec_cmd_stdout() {
eval $1 2>&1 || error_and_exit "$1"
}
##############################################################################
# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
# destination files permissions
#
# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
# replace the ossec.conf file in /var/ossec/data/etc with yours.
##############################################################################
mount_files() {
if [ -e "$WAZUH_CONFIG_MOUNT" ]
then
print "Identified Wazuh configuration files to mount..."
exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH"
else
print "No Wazuh configuration files to mount..."
fi
}
##############################################################################
# Allow users to set the manager ip and port, enrollment ip and port and
# enroll dynamically on container start.
#
# To use this:
# 1. Create your own ossec.conf file
# 2. In your ossec.conf file, use the <agent> configuration
# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
##############################################################################
set_manager_conn() {
echo "ossec.conf configuration"
sed -i "s#<address>CHANGE_MANAGER_IP</address>#<address>$WAZUH_MANAGER_SERVER</address>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
sed -i "s#<port>CHANGE_MANAGER_PORT</port>#<port>$WAZUH_MANAGER_PORT</port>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
sed -i "s#<manager_address>CHANGE_ENROLL_IP</manager_address>#<manager_address>$WAZUH_REGISTRATION_SERVER</manager_address>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
sed -i "s#<port>CHANGE_ENROLL_PORT</port>#<port>$WAZUH_REGISTRATION_PORT</port>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
sed -i "s#<agent_name>CHANGEE_AGENT_NAME</agent_name>#<agent_name>$WAZUH_AGENT_NAME</agent_name>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
[ -n "$WAZUH_REGISTRATION_PASSWORD" ] && \
echo "$WAZUH_REGISTRATION_PASSWORD" > ${WAZUH_INSTALL_PATH}/etc/authd.pass && \
chown root:wazuh ${WAZUH_INSTALL_PATH}/etc/authd.pass && \
chmod 640 ${WAZUH_INSTALL_PATH}/etc/authd.pass
}
##############################################################################
# Main function
##############################################################################
main() {
# Mount selected files (WAZUH_CONFIG_MOUNT) to container
mount_files
# Configure agent variables
set_manager_conn
}
main

44
build-docker-images/wazuh-agent/config/etc/cont-init.d/1-agent
View File

@@ -1,44 +0,0 @@
#!/usr/bin/with-contenv bash
##############################################################################
# Migration sequence
# Detect if there is a mounted volume on /wazuh-migration and copy the data
# to /var/ossec, finally it will create a flag ".migration-completed" inside
# the mounted volume
##############################################################################
function __colortext()
{
echo -e " \e[1;$2m$1\e[0m"
}
function echogreen()
{
echo $(__colortext "$1" "32")
}
function echoyellow()
{
echo $(__colortext "$1" "33")
}
function echored()
{
echo $(__colortext "$1" "31")
}
function_entrypoint_scripts() {
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
if [ -d "/entrypoint-scripts/" ]
then
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done
fi
}
# run entrypoint scripts
function_entrypoint_scripts
# Start Wazuh
/var/ossec/bin/wazuh-control start

4
build-docker-images/wazuh-agent/config/etc/services.d/ossec-logs/run
View File

@@ -1,4 +0,0 @@
#!/usr/bin/with-contenv sh
# dumping ossec.log to standard output
exec tail -F /var/ossec/logs/ossec.log

194
wazuh-agent/config/wazuh-agent-conf
View File

@@ -1,194 +0,0 @@
<!--
Wazuh - Agent - Default configuration for amzn 2023
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
<client>
<server>
<address>CHANGE_MANAGER_IP</address>
<port>CHANGE_MANAGER_PORT</port>
<protocol>tcp</protocol>
</server>
<config-profile>amzn, amzn2023</config-profile>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
<enrollment>
<enabled>yes</enabled>
<manager_address>CHANGE_ENROLL_IP</manager_address>
<port>CHANGE_ENROLL_PORT</port>
<agent_name>CHANGEE_AGENT_NAME</agent_name>
<authorization_pass_path>etc/authd.pass</authorization_pass_path>
</enrollment>
</client>
<client_buffer>
<!-- Agent buffer options -->
<disabled>no</disabled>
<queue_size>5000</queue_size>
<events_per_second>500</events_per_second>
</client_buffer>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
<ignore>/var/lib/containerd</ignore>
<ignore>/var/lib/docker/overlay2</ignore>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>50</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<!-- Active response -->
<active-response>
<disabled>no</disabled>
<ca_store>etc/wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

11
wazuh-agent/docker-compose.yml
View File

@@ -1,11 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.agent:
image: wazuh/wazuh-agent:4.10.2
restart: always
environment:
- WAZUH_MANAGER_SERVER=172.17.0.1
volumes:
- ./config/wazuh-agent-conf:/wazuh-config-mount/etc/ossec.conf