Wazuh agent is not working is wazuh

[samba1112]

HI,
Can you please provide wazuh-agent daemonset &other wazuh resources manifest file need to be applied with wazuh agent

When i test pods of wazuh agent getting this error

/entrypoint.sh: line 4: /var/ossec/bin/ossec-control: No such file or directory
Failed to start agent: 127

My Dockerfile

FROM debian:11.5-slim

LABEL maintainer "Noenv"
LABEL version "4.2.7"
LABEL description "Wazuh Agent"

COPY entrypoint.sh ossec.conf /

RUN apt-get update && apt-get install -y \
  procps curl apt-transport-https gnupg2 inotify-tools python3-docker && \
  curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
  echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
  apt-get update && \
  apt-get install -y wazuh-agent=4.2.7-1 && \
  mv /ossec.conf /var/ossec/etc/ && \
  rm -rf /var/lib/apt/lists/*

ENTRYPOINT ["/entrypoint.sh"]

Ossec.conf i have given wazuh manager service

<ossec_config>
  <client>
    <server>
      <address>wazuh-workers.wazuh.svc.cluster.local</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>wazuh-workers.wazuh.svc.cluster.local</manager_address>
      <groups>default</groups>
    </enrollment>
    <notify_time>60</notify_time>
    <time-reconnect>120</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>
</ossec_config>

[zyclonite]

what is the docker command you are using to run the agent?

[samba1112]

@zyclonite i am using it in Kubernetes pod

[zyclonite]

then what's the arguments you are running the pod with and what files do you mount and how...

[samba1112]

@zyclonite Can you pls provide manifest file of daemonset of wazuh-agent if any with specific mount paths

[zyclonite]

i did never run it on k8s sorry

[samba1112]

@zyclonite somehow i have given volume mounts(mentioned below) getting this error.Can you suggest if any required

2022/11/01 05:28:10 ossec-execd: CRITICAL: (1226): Error reading XML file '/var/ossec/etc/ossec.conf':  (line 0).
ossec-execd: Configuration error. Exiting
Failed to start agent: 1

        volumeMounts:
        - mountPath: /var/run/docker.sock
          name: docker-socket-mount
        - mountPath: /etc/os-release
          name: etc-os-rel  
        - mountPath: /var/ossec/etc
          name: ossec-conf

      volumes:
      - name: docker-socket-mount
        hostPath:
          path: /var/run/docker.sock
      - name: etc-os-rel
        hostPath:
          path: /etc/os-release
      - name: ossec-conf
        hostPath:
          path: /var/ossec

  ossec.conf

<ossec_config>
 <client>
   <server>
     <address>wazuh-workers.wazuh.svc.cluster.local</address>
     <port>1514</port>
     <protocol>tcp</protocol>
   </server>
   <enrollment>
     <enabled>yes</enabled>
     <manager_address>wazuh.wazuh.svc.cluster.local</manager_address>
     <groups>default</groups>
   </enrollment>
   <notify_time>60</notify_time>
   <time-reconnect>120</time-reconnect>
   <auto_restart>yes</auto_restart>
   <crypto_method>aes</crypto_method>
 </client>
</ossec_config>

[zyclonite]

seems that section

      - name: ossec-conf
        hostPath:
          path: /var/ossec

should be

      - name: ossec-conf
        hostPath:
          path: /var/ossec/etc

or at least be consistent with the volumeMounts section...
the error could be related to an empty file