wazuh-helm opennix/wazuh-agent:4.11.1 has no No analysisd binary

-rw-r----- 1 root k3os-2883 [~]$ total 20 drwxr-x--- 1 wazuh wazuh 4096 Mar 17 drwxr-x--- 1 wazuh wazuh 4096 Mar 17 drwxr-x--- 1 wazuh k3os-2883 [~]$ kubectl exec -n total 12 drwxrwx--- 1 wazuh drwxr-x--- 1 wazuh wazuh 4096 Mar 17 srw-rw---- 1 root wazuh srw-rw---- 1 root wazuh /var/ossec/queue/syscoll /var/ossec/queue/logcoll k3os-2883 [~]$ strings /var/ossec/queue " /bin/bash: line k3os-2883 [~]$ k3os-2883 [~]$ k3os-2883 [~]$ echo 'Testing real-time BEFORE=$(date +%s) touch /etc/fim_realtime_\$BEFORE.txt echo 'File created. for i in {1..10}; do tail -n 5 /var/ossec/logs/ossec.log sleep 1 done tail -n 20 /var/ossec/logs/ossec.log " Testing real-time FIM monitoring... File created. Monitoring command terminated with exit code 1 k3os-2883 [~]$ 180 <scan_on_start>yes /var/lib/rancher /run/k3s/containerd /var/lib/rancher /var/lib/rancher .< <alert_new_files>y <auto_ignore>yes&l <skip_nfs>yes</skip_nfs> <log_format>syslog /var/log/messages <log_format>syslog /var/log/dmesg <log_format>json&l /var/log/conta <log_format>syslog /var/log/k3s.log <log_format>syslog /var/log/k3s-s k3os-2883 [~]$ USER PID %CPU %MEM root 1 root 45 0.0 0.0 root 46 0.0 0.0 root 53 0.0 0.0 wazuh 54 0.0 0.0 root 66 0.0 0.0 root 67 0.0 0.0 root 76 0.0 0.0 root 79 0.0 0.0 root 93 0.0 0.0 root 94 0.0 0.0 root 101 0.0 0.0 root 312 0.0 0.0 root 413 0.0 0.0 root 415 0.0 0.0 root 416 0.0 0.0 root 1101 0.0 0.0 root 1102 0.0 0.0 root 1109 0.0 0.0 wazuh 1110 0.0 0.0 root 1123 0.0 0.0 root 1124 0.1 0.0 root 1133 0.0 0.0 root 1134 0.0 0.0 root 1143 0.0 0.0 root 1144 0.0 0.0 root 1152 0.0 0.0 root 1951 0.0 0.0 root 1985 0.0 0.0 root 5446 0.0 0.0 root 5447 0.0 0.0 root 5457 0.0 0.0 wazuh 5458 0.0 0.0 root 5471 0.0 0.0 root 5472 0.1 0.0 root 5484 0.0 0.0 root 5485 0.0 0.0 root 5495 0.0 0.0 root 5498 0.0 0.0 root 5504 0.0 0.0 root 6188 0.0 0.0 root 6222 0.0 0.0 root 6536 0.0 0.0 root 6537 0.0 0.0 root 6547 0.0 0.0 wazuh 6548 0.0 0.0 root 6561 0.0 0.0 root 6562 0.0 0.0 root 6574 0.0 0.0 root 6575 0.0 0.0 root 6591 0.0 0.0 root 6592 0.0 0.0 root 6600 0.0 0.0 root 8027 0.0 0.0 root 8028 0.0 0.0 root 8035 0.0 0.0 wazuh 8036 0.0 0.0 root 8049 0.0 0.0 root 8050 0.3 0.0 root 8059 0.0 0.0 root 8060 0.0 0.0 root 8066 0.0 0.0 root 8067 0.0 0.0 root 8079 0.0 0.0 root 8982 0.0 0.0 root 9014 0.0 0.0 root 10812 0.0 0.0 root 10844 0.0 0.0 root 12269 0.0 0.0 root 12270 0.0 0.0 root 12280 0.0 0.0 wazuh 12281 0.0 0.0 root 12294 0.0 0.0 root 12295 0.0 0.0 root 12304 0.0 0.0 root 12305 0.0 0.0 root 12314 0.0 0.0 root 12315 0.0 0.0 root 12322 0.0 0.0 root 12556 0.0 0.0 root 12653 0.0 0.0 root 12656 0.0 0.0 root 12657 0.0 0.0 root 13600 0.0 0.0 root 15052 0.0 0.0 root 15053 0.0 0.0 root 15063 0.0 0.0 wazuh 15064 0.0 0.0 root 15077 0.0 0.0 root 15078 0.0 0.0 root 15090 0.0 0.0 root 15091 0.0 0.0 root 15100 0.0 0.0 root 15101 0.0 0.0 root 15106 0.0 0.0 root 15957 0.0 0.0 root 15989 0.0 0.0 root 16864 0.0 0.0 root 16865 0.0 0.0 root 16872 0.0 0.0 wazuh 16873 0.0 0.0 root 16886 0.0 0.0 root 16887 0.0 0.0 root 16896 0.0 0.0 root 16897 0.0 0.0 root 16913 0.0 0.0 root 16914 0.0 0.0 root 16923 0.0 0.0 root 17559 0.0 0.0 root 17591 0.0 0.0 root 19197 0.0 0.0 root 19198 0.0 0.0 root 19208 0.0 0.0 wazuh 19209 0.0 0.0 root 19222 0.0 0.0 root 19223 0.1 0.0 root 19232 0.0 0.0 root 19233 0.0 0.0 root 19242 0.0 0.0 root 19243 0.0 0.0 root 19251 0.0 0.0 root 19539 0.0 0.0 root 20093 0.0 0.0 root 20125 0.0 0.0 root 22036 0.0 0.0 root 22039 root 22047 0.0 0.0 wazuh 22048 root 22061 0.0 0.0 root 22062 root 22071 0.0 0.0 root 22072 root 22081 0.0 0.0 root 22082 root 22088 root 23867 0.0 0.0 root 23868 0.0 0.0 root 23875 0.0 0.0 wazuh 23876 0.0 0.0 root 23889 0.0 0.0 root 23890 0.0 0.0 root 23902 0.0 0.0 root 23903 0.0 0.0 root 23919 0.0 0.0 root 23920 0.0 0.0 root 23934 0.0 0.0 root 24075 5.2 0.0 root 25003 0.0 0.0 root 25035 0.0 0.0 root 26157 0.0 0.0 root 26158 0.0 0.0 root 26165 0.0 0.0 wazuh 26166 0.0 0.0 root 26179 0.0 0.0 root 26180 0.2 0.0 root 26189 0.0 0.0 root 26190 0.0 0.0 root 26196 0.0 0.0 root 26199 0.0 0.0 root 26205 0.0 0.0 root 26972 0.0 0.0 root 27006 0.0 0.0 root 27347 0.0 0.0 root 28732 0.0 0.0 root 31055 0.0 0.0 root 31056 0.0 0.0 root 31066 0.0 0.0 wazuh 31067 0.0 0.0 root 31080 0.0 0.0 root 31083 0.0 0.0 root 31093 0.0 0.0 root 31095 0.0 0.0 root 31110 0.0 0.0 root 31111 0.0 0.0 root 31123 0.0 0.0 root 31858 0.0 0.0 root 31890 0.0 0.0 k3os-2883 [~]$ k3os-2883 [~]$ Note: The defunct

ubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- find /var/ossec/queue/fim/ -type f -name ".db" -exec ls -la {} ; 2>/dev/null || echo "No FIM database files found" wazuh 6078464 Nov 24 05:25 /var/ossec/queue/fim/db/fim.db kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- ls -la /var/ossec/queue/fim/ 2025 . 2025 .. wazuh 4096 Nov 23 19:54 db kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- ls -la /var/ossec/queue/alerts/ wazuh pvy-security-wazuh-agent-92jqj -- find /var/ossec/queue/ -name ".json" -o -name ".txt" | head -10 wazuh 4096 Nov 23 19:54 . 2025 .. 0 Nov 23 19:54 cfgaq 0 Nov 23 19:54 execq ector/norm_config.json ector/file_status.json kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- /bin/bash -c " /fim/db/fim.db | grep -i 'test.conf|fim_test' | head -10 2: strings: command not found kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- ps aux | grep analysisd kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- tail -n 50 /var/ossec/logs/ossec.log | grep -i 'analysisd' kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- /bin/bash -c " FIM monitoring...' Monitoring for real-time detection (10 seconds)...' | grep -q 'fim_realtime_\$BEFORE' && echo 'REAL-TIME DETECTED!' && break | grep -i 'fim_realtime\|syscheck.debug' for real-time detection (10 seconds)... kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- grep -A 20 'syscheck' /var/ossec/etc/shared/agent.conf </scan_on_start> report_changes="yes" check_all="yes">/etc report_changes="yes" check_all="yes">/var/lib/rancher/k3s report_changes="yes" check_all="yes">/opt report_changes="yes" check_all="yes">/boot report_changes="yes" check_all="yes">/usr report_changes="yes" check_all="yes">/var/log and symlinked directories --> /k3s/data /k3s/agent/containerd /k3s/agent/etc /ignore>.log$|..tmp$|.swp$|..gz$ es</alert_new_files> t;/auto_ignore> </log_format> </log_format> t;/log_format> iners/.log </log_format> </log_format> ervice.log kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- ps aux VSZ RSS TTY STAT START TIME COMMAND 0.0 0.2 43656 38112 ? Ss Nov22 0:17 python3 ./register_agent.py 0 0 ? Zs Nov22 0:00 [wazuh-execd] 0 0 ? Z Nov22 0:00 [wazuh-execd] 0 0 ? Zs Nov22 0:00 [wazuh-agentd] 0 0 ? Z Nov22 0:00 [wazuh-agentd] 0 0 ? Zs Nov22 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov22 0:03 [wazuh-syscheckd] 0 0 ? Zs Nov22 0:00 [wazuh-logcollec] 0 0 ? Z Nov22 0:00 [wazuh-logcollec] 0 0 ? Zs Nov22 0:00 [wazuh-modulesd] 0 0 ? Z Nov22 0:00 [wazuh-modulesd] 0 0 ? Zs Nov22 0:00 [python3] 0 0 ? Z Nov22 0:00 [restart.sh] 0 0 ? Zs Nov22 0:00 [wazuh-modulesd] 0 0 ? Z Nov22 0:00 [wazuh-modulesd] 0 0 ? Z Nov22 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0 0 ? Z Nov23 0:00 [wazuh-execd] 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0 0 ? Z Nov23 0:00 [wazuh-agentd] 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov23 0:45 [wazuh-syscheckd] 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0 0 ? Z Nov23 0:12 [wazuh-logcollec] 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [python3] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0 0 ? Z Nov23 0:00 [wazuh-execd] 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0 0 ? Z Nov23 0:00 [wazuh-agentd] 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov23 0:53 [wazuh-syscheckd] 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0 0 ? Z Nov23 0:14 [wazuh-logcollec] 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [python3] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov22 0:00 [wazuh-execd] 0 0 ? Z Nov22 0:02 [wazuh-execd] 0 0 ? Zs Nov22 0:00 [wazuh-agentd] 0 0 ? Z Nov22 0:19 [wazuh-agentd] 0 0 ? Zs Nov22 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov22 1:12 [wazuh-syscheckd] 0 0 ? Zs Nov22 0:00 [wazuh-logcollec] 0 0 ? Z Nov22 0:09 [wazuh-logcollec] 0 0 ? Zs Nov22 0:00 [wazuh-modulesd] 0 0 ? Z Nov22 0:07 [wazuh-modulesd] 0 0 ? Zs Nov22 0:23 [python3] 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0 0 ? Z Nov23 0:00 [wazuh-execd] 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0 0 ? Z Nov23 0:03 [wazuh-agentd] 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov23 1:54 [wazuh-syscheckd] 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0 0 ? Z Nov23 0:14 [wazuh-logcollec] 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [python3] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0 0 ? Z Nov23 0:00 [wazuh-execd] 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0 0 ? Z Nov23 0:00 [wazuh-agentd] 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov23 0:15 [wazuh-syscheckd] 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0 0 ? Z Nov23 0:02 [wazuh-logcollec] 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [python3] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? ZNs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0 0 ? Z Nov23 0:00 [wazuh-execd] 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0 0 ? Z Nov23 0:00 [wazuh-agentd] 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov23 0:34 [wazuh-syscheckd] 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0 0 ? Z Nov23 0:09 [wazuh-logcollec] 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [python3] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0 0 ? Z Nov23 0:00 [wazuh-execd] 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0 0 ? Z Nov23 0:00 [wazuh-agentd] 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov23 0:04 [wazuh-syscheckd] 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0 0 ? Z Nov23 0:00 [wazuh-logcollec] 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [python3] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0 0 ? Z Nov23 0:00 [wazuh-execd] 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0 0 ? Z Nov23 0:00 [wazuh-agentd] 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov23 0:47 [wazuh-syscheckd] 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0 0 ? Z Nov23 0:14 [wazuh-logcollec] 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:01 [python3] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0.0 0.0 25236 3676 ? Sl Nov23 0:01 /var/ossec/bin/wazuh-execd 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0.0 0.0 312600 8584 ? Sl Nov23 0:10 /var/ossec/bin/wazuh-agentd 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 3.8 0.0 410700 14088 ? RNl Nov23 22:16 /var/ossec/bin/wazuh-syscheckd 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0.0 0.0 533312 7156 ? Sl Nov23 0:18 /var/ossec/bin/wazuh-logcollector 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0.0 0.1 1312896 17828 ? Sl Nov23 0:03 /var/ossec/bin/wazuh-modulesd 0.0 0.2 48540 42328 ? Ss Nov23 0:09 python3 wodles/docker/DockerListener 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0 0 ? Z Nov23 0:00 [wazuh-execd] 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0 0 ? Z Nov23 0:03 [wazuh-agentd] 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov23 0:06 [wazuh-syscheckd] 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0 0 ? Z Nov23 0:01 [wazuh-logcollec] 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:01 [wazuh-modulesd] 2508 892 ? Ss 05:16 0:00 tail -f /var/ossec/logs/ossec.log 8080 3940 ? Rs 05:34 0:00 ps aux 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0 0 ? Z Nov23 0:00 [wazuh-execd] 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0 0 ? Z Nov23 0:00 [wazuh-agentd] 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov23 1:35 [wazuh-syscheckd] 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0 0 ? Z Nov23 0:28 [wazuh-logcollec] 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [python3] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Zs Nov23 0:00 [wazuh-execd] 0 0 ? Z Nov23 0:00 [wazuh-execd] 0 0 ? Zs Nov23 0:00 [wazuh-agentd] 0 0 ? Z Nov23 0:00 [wazuh-agentd] 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] 0 0 ? ZN Nov23 0:14 [wazuh-syscheckd] 0 0 ? Zs Nov23 0:00 [wazuh-logcollec] 0 0 ? Z Nov23 0:00 [wazuh-logcollec] 0 0 ? Zs Nov23 0:00 [wazuh-modulesd] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] 0 0 ? Zs Nov23 0:00 [python3] 0 0 ? Z Nov23 0:00 [restart.sh] 0 0 ? Z Nov23 0:00 [wazuh-modulesd] kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- ls -la /var/ossec/bin/ | grep analysis kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- cat /var/ossec/etc/local_internal_options.conf | grep -i analysis / restart was due playing around with agent group configs.

Nov 24 '25 05:11 pvyswiss

Interesting findings, and maybe some one can advise me here:

kubectl exec -n wazuh pvy-security-wazuh-manager-master-0 -- grep -r "550|553|554" /var/ossec/etc/rules/ | head -5 Defaulted container "wazuh-manager" out of: wazuh-manager, update-index (init) command terminated with exit code 1 k3os-2883 [~]$ kubectl exec -n wazuh pvy-security-wazuh-manager-master-0 -- /var/ossec/bin/analysisd -t Defaulted container "wazuh-manager" out of: wazuh-manager, update-index (init) error: Internal error occurred: error executing command in container: failed to exec in container: failed to start exec "11d0dac9386844eeb15e9ae4fd7dde78c09a09db3ba3d8c5f2af69726d835bde": OCI runtime exec failed: exec failed: container_linux.go:380: starting container process caused: exec: "/var/ossec/bin/analysisd": stat /var/ossec/bin/analysisd: no such file or directory: unknown k3os-2883 [~]$ for agent_pod in pvy-security-wazuh-agent-92jqj pvy-security-wazuh-agent-wxc2q pvy-security-wazuh-agent-sm7fm; do echo "=== $agent_pod ===" kubectl exec -n wazuh $agent_pod -- tail -n 5 /var/ossec/logs/ossec.log | grep -i "syscheck" | tail -1 done === pvy-security-wazuh-agent-92jqj === 2025/11/24 06:06:32 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started. === pvy-security-wazuh-agent-wxc2q === 2025/11/24 06:05:26 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started. === pvy-security-wazuh-agent-sm7fm === 2025/11/24 06:04:36 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. k3os-2883 [~]$ kubectl exec -n wazuh pvy-security-wazuh-manager-master-0 -- ls -la /var/ossec/bin/ | head -10 Defaulted container "wazuh-manager" out of: wazuh-manager, update-index (init) total 15496 drwxr-x--- 2 root wazuh 4096 Nov 12 14:33 . drwxr-x--- 1 root wazuh 4096 Nov 22 11:24 .. -rwxr-x--- 1 root root 258000 Nov 8 12:01 agent_control -rwxr-x--- 1 root wazuh 1045 Nov 8 12:01 agent_groups -rwxr-x--- 1 root wazuh 1045 Nov 8 12:01 agent_upgrade -rwxr-x--- 1 root root 101376 Nov 8 12:01 clear_stats -rwxr-x--- 1 root wazuh 1045 Nov 8 12:01 cluster_control -rwxr-x--- 1 root root 270320 Nov 8 12:01 manage_agents -rwxr-x--- 1 root wazuh 1045 Nov 8 12:01 rbac_control k3os-2883 [~]$ kubectl exec -n wazuh pvy-security-wazuh-manager-master-0 -- ps aux | head -10 Defaulted container "wazuh-manager" out of: wazuh-manager, update-index (init) USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 196 4 ? Ss Nov22 0:00 s6-svscan -t0 /var/run/s6/services root 35 0.0 0.0 196 4 ? S Nov22 0:00 s6-supervise s6-fdholderd root 2220 0.0 0.0 196 4 ? S Nov22 0:00 s6-supervise ossec-logs root 2222 0.0 0.0 196 4 ? S Nov22 0:00 s6-supervise filebeat root 2224 0.0 0.0 2318804 46476 ? SLsl Nov22 0:32 /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat root 2226 0.0 0.0 4948 1364 ? Ss Nov22 0:10 /usr/bin/coreutils --coreutils-prog-shebang=tail /usr/bin/tail -F /var/ossec/logs/ossec.log wazuh 9138 0.2 0.3 1034128 150148 ? Sl Nov22 7:07 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py wazuh 9139 0.0 0.1 152224 72348 ? S Nov22 1:34 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py wazuh 9140 0.0 0.1 152244 72404 ? S Nov22 1:36 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py k3os-2883 [~]$ kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- /bin/bash -c " echo '=== Testing FIM on k3os-2883 ===' touch /etc/fim_k3os_test_$(date +%s).txt echo 'File created. Checking logs...' tail -n 10 /var/ossec/logs/ossec.log | grep -i 'syscheck' echo 'Checking queue for events...' find /var/ossec/queue/ -name '.txt' -o -name '.json' 2>/dev/null | head -5 " === Testing FIM on k3os-2883 === File created. Checking logs... 2025/11/24 05:53:58 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. 2025/11/24 05:56:59 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started. 2025/11/24 05:58:46 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. 2025/11/24 06:01:47 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started. 2025/11/24 06:03:31 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. 2025/11/24 06:06:32 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started. 2025/11/24 06:08:17 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. Checking queue for events... /var/ossec/queue/syscollector/norm_config.json /var/ossec/queue/logcollector/file_status.json k3os-2883 [~]$ kubectl exec -n wazuh pvy-security-wazuh-manager-master-0 -- tail -n 50 /var/ossec/logs/ossec.log | grep -i "agent.*connected|received" | head -10 Defaulted container "wazuh-manager" out of: wazuh-manager, update-index (init)

FIM: Recent events are being created, if we modify content INSIDE the container. So with the current agent config (attached) it is monitoring the container itself.

Means, the Agent Pod volumeMounts and Volumes you define in the chart are not taking in effect by classical /etc/ refererence I tried then to add a host prefix: /host/etc/ but then, I see no FIM Events Dedection at all:

default(k3s).yaml

Nov 24 '25 06:11 pvyswiss

k3os-2883 [/etc]$ touch fim_real_host_test.txt k3os-2883 [/etc]$ kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- ls -la /host/etc/fim_real_host_test.txt -rw-r--r-- 1 1000 1000 0 Nov 24 06:54 /host/etc/fim_real_host_test.txt k3os-2883 [/etc]$ kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- tail -n 20 /var/ossec/logs/ossec.log | grep -i "fim_real_host_test" k3os-2883 [/etc]$ kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- tail -n 20 /var/ossec/logs/ossec.log | grep -i "fim_real_host_test" k3os-2883 [/etc]$ kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- grep -A 5 "directories" /var/ossec/etc/shared/agent.conf /host/etc /host/var/lib/rancher/k3s /host/opt /host/boot /host/usr /host/var/log /host/var/lib/rancher/k3s/data /host/run/k3s/containerd /host/var/lib/rancher/k3s/agent/containerd /host/var/lib/rancher/k3s/agent/etc k3os-2883 [/etc]$ kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- tail -n 30 /var/ossec/logs/ossec.log | grep -i "scan|host" 2025/11/24 06:57:44 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/pipe_progress (2):'No such file or directory' 2025/11/24 06:57:44 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/pipe_progress' 2025/11/24 06:57:50 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/pscan (2):'No such file or directory' 2025/11/24 06:57:50 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/pscan' 2025/11/24 06:57:50 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/pstree (2):'No such file or directory' 2025/11/24 06:57:50 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/pstree' 2025/11/24 06:57:59 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/reformime (2):'No such file or directory' 2025/11/24 06:57:59 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/reformime' 2025/11/24 06:57:59 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/resize (2):'No such file or directory' 2025/11/24 06:57:59 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/resize' 2025/11/24 06:57:59 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/rev (2):'No such file or directory' 2025/11/24 06:57:59 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/rev' 2025/11/24 06:58:04 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/run-parts (2):'No such file or directory' 2025/11/24 06:58:04 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/run-parts' 2025/11/24 06:58:18 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/sed (2):'No such file or directory' 2025/11/24 06:58:18 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/sed' 2025/11/24 06:58:20 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/setkeycodes (2):'No such file or directory' 2025/11/24 06:58:20 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/setkeycodes' 2025/11/24 06:58:20 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/setpriv (2):'No such file or directory' 2025/11/24 06:58:20 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/setpriv' 2025/11/24 06:58:20 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/setserial (2):'No such file or directory' 2025/11/24 06:58:20 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/setserial' 2025/11/24 06:58:20 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/sh (2):'No such file or directory' 2025/11/24 06:58:20 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/sh' 2025/11/24 06:58:28 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/sha3sum (2):'No such file or directory' 2025/11/24 06:58:28 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/sha3sum' 2025/11/24 06:58:30 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/showkey (2):'No such file or directory' 2025/11/24 06:58:30 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/showkey' 2025/11/24 06:58:53 wazuh-syscheckd: ERROR: in w_compress_gzfile(): fopen error /host/usr/bin/strings (2):'No such file or directory' 2025/11/24 06:58:53 wazuh-syscheckd: WARNING: (6914): Cannot create a snapshot of file '/host/usr/bin/strings' k3os-2883 [/etc]$ kubectl exec -n wazuh pvy-security-wazuh-agent-92jqj -- ps aux | grep syscheck root 66 0.0 0.0 0 0 ? Zs Nov22 0:00 [wazuh-syscheckd] root 67 0.0 0.0 0 0 ? ZN Nov22 0:03 [wazuh-syscheckd] root 1123 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 1124 0.1 0.0 0 0 ? ZN Nov23 0:45 [wazuh-syscheckd] root 5471 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 5472 0.1 0.0 0 0 ? ZN Nov23 0:53 [wazuh-syscheckd] root 6561 0.0 0.0 0 0 ? Zs Nov22 0:00 [wazuh-syscheckd] root 6562 0.0 0.0 0 0 ? ZN Nov22 1:12 [wazuh-syscheckd] root 8049 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 8050 0.2 0.0 0 0 ? ZN Nov23 1:54 [wazuh-syscheckd] root 12294 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 12295 0.0 0.0 0 0 ? ZN Nov23 0:15 [wazuh-syscheckd] root 15077 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 15078 0.0 0.0 0 0 ? ZN Nov23 0:34 [wazuh-syscheckd] root 16886 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 16887 0.0 0.0 0 0 ? ZN Nov23 0:04 [wazuh-syscheckd] root 19222 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 19223 0.0 0.0 0 0 ? ZN Nov23 0:47 [wazuh-syscheckd] root 22061 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 22062 3.7 0.0 0 0 ? ZN Nov23 24:53 [wazuh-syscheckd] root 23889 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 23890 0.0 0.0 0 0 ? ZN Nov23 0:06 [wazuh-syscheckd] root 26179 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 26180 0.2 0.0 0 0 ? ZN Nov23 1:35 [wazuh-syscheckd] root 30364 0.0 0.0 0 0 ? Zs 06:52 0:00 [wazuh-syscheckd] root 30365 6.5 0.0 122216 11916 ? RNl 06:52 0:26 /var/ossec/bin/wazuh-syscheckd root 31080 0.0 0.0 0 0 ? Zs Nov23 0:00 [wazuh-syscheckd] root 31083 0.0 0.0 0 0 ? ZN Nov23 0:14 [wazuh-syscheckd] k3os-2883 [/etc]$

Nov 24 '25 06:11 pvyswiss

Another Issue: If you kill an agent pod over kubectl, to have clean one after debugging, the new one takes the config from the Chart/ ConfigMap. Not from the dedicated Agent Group Configuration. He never checks, until you push the Group Config "default" newly with an iteration! Looking after the Group Agent Config is being loaded, we see: kubectl exec -n wazuh pvy-security-wazuh-agent-mxp4p -- /bin/bash -c " echo '=== All Configuration Files ===' find /var/ossec/etc -name '*.conf' -type f | head -10 echo '=== ossec.conf content ===' grep -A 20 'syscheck' /var/ossec/etc/ossec.conf 2>/dev/null || echo 'No syscheck in ossec.conf' echo '=== merged.conf content ===' grep -A 20 'syscheck' /var/ossec/etc/merged.conf 2>/dev/null || echo 'No merged.conf' " === All Configuration Files === /var/ossec/etc/shared/agent.conf /var/ossec/etc/shared/ar.conf /var/ossec/etc/ossec.conf /var/ossec/etc/internal_options.conf /var/ossec/etc/local_internal_options.conf === ossec.conf content === syscheck <alert_format>json</alert_format>

no 1h yes yes yes yes yes yes yes yes yes 12h -- no

<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>900</frequency>

<scan_on_start>yes</scan_on_start>

<!-- Directories to check  (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<directories check_all="yes" realtime="yes">/media/user/software</directories>
<directories check_all="yes" realtime="yes">/home</directories>
<directories check_all="yes" realtime="yes">/etc</directories>

<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>

--

apache /var/log/nginx/access.log apache /var/log/nginx/error.log syslog /var/ossec/logs/active-responses.log syslog /var/log/auth.log === merged.conf content === No merged.conf k3os-2883 [~]$ kubectl exec -n wazuh pvy-security-wazuh-agent-mxp4p -- /bin/bash -c " echo '=== All Configuration Files ===' find /var/ossec/etc -name '*.conf' -type f | head -10 echo '=== ossec.conf content ===' grep -A 20 'syscheck' /var/ossec/etc/ossec.conf 2>/dev/null || echo 'No syscheck in ossec.conf' echo '=== merged.conf content ===' grep -A 20 'syscheck' /var/ossec/etc/merged.conf 2>/dev/null || echo 'No merged.conf' " === All Configuration Files === /var/ossec/etc/shared/agent.conf /var/ossec/etc/shared/ar.conf /var/ossec/etc/ossec.conf /var/ossec/etc/internal_options.conf /var/ossec/etc/local_internal_options.conf === ossec.conf content === syscheck json no 1h yes yes yes yes yes yes yes yes yes 12h -- no

<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>900</frequency>

<scan_on_start>yes</scan_on_start>

<!-- Directories to check  (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<directories check_all="yes" realtime="yes">/media/user/software</directories>
<directories check_all="yes" realtime="yes">/home</directories>
<directories check_all="yes" realtime="yes">/etc</directories>

<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>

--

apache /var/log/nginx/access.log apache /var/log/nginx/error.log syslog /var/ossec/logs/active-responses.log syslog /var/log/auth.log === merged.conf content === No merged.conf SysCheck is only set to Container internal directories, non of our agent-group.conf given paths: no

<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>900</frequency>

<scan_on_start>yes</scan_on_start>

<!-- Directories to check  (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<directories check_all="yes" realtime="yes">/media/user/software</directories>
<directories check_all="yes" realtime="yes">/home</directories>
<directories check_all="yes" realtime="yes">/etc</directories>

<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>

--

Nov 24 '25 09:11 pvyswiss

Dedection is here, but FIM Events fails: kubectl exec -n wazuh pvy-security-wazuh-agent-mxp4p -- /bin/bash -c " echo '=== FIM IS WORKING! ===' echo 'Currently monitored paths:' tail -n 100 /var/ossec/logs/ossec.log | grep 'Directory set for real time monitoring' | grep '/host' | tail -5 echo '' echo '=== TEST: Create file in /host/etc ===' touch /host/etc/fim-direct-test-$(date +%s).txt sleep 3 echo '=== CHECK FOR FIM EVENTS ===' tail -n 30 /var/ossec/logs/ossec.log | grep -E 'added.*fim-direct-test' | tail -3 " === FIM IS WORKING! === Currently monitored paths: 2025/11/24 09:47:39 wazuh-syscheckd: INFO: (6016): Directory set for real time monitoring: '/host/boot'. 2025/11/24 09:47:39 wazuh-syscheckd: INFO: (6016): Directory set for real time monitoring: '/host/etc'.

=== TEST: Create file in /host/etc === touch: cannot touch '/host/etc/fim-direct-test-1763978788.txt': Read-only file system === CHECK FOR FIM EVENTS === k3os-2883 [~]$ touch /etc/fim-real-host-test-$(date +%s).txt k3os-2883 [~]$ kubectl exec -n wazuh pvy-security-wazuh-agent-mxp4p -- /bin/bash -c " echo '=== CHECKING HOST FILE DETECTION ===' ls -la /host/etc/fim-real-host-test-*.txt 2>/dev/null || echo 'File not visible through container' echo '' echo 'FIM events:' tail -n 50 /var/ossec/logs/ossec.log | grep -E 'added.*fim-real-host-test' | tail -3 " === CHECKING HOST FILE DETECTION === -rw-r--r-- 1 1000 1000 0 Nov 24 10:06 /host/etc/fim-real-host-test-1763978819.txt

FIM events:

Nov 24 '25 10:11 pvyswiss

Update: Since K30s is an minimal - imutable OS, it does not include and officially also not support audit.d, which is the base for File Integrity / Checksum based System Audits. The only option is to configure a Sidecar Solution, means additional Pod. The rest I got working. If there is an interest, since you may want to monitor any config/key/cert changes on a critical system as kubernetes cluster, I can make an example for it:

wazuh-module-agents-003-fim-1764001578.pdf

Nov 24 '25 16:11 pvyswiss