cannot open zeek logs: Permission denied #3761

Dwijad · 2024-06-03T16:41:12Z

Dwijad
Jun 3, 2024

Hi
I am using docker compose to create a Zeek container. The docker creates a zeek container and is up/running. However, in the docker logs i can see the following errors.

zeek_1           | 1717431560.807398 error: loaded_scripts/Log::WRITER_ASCII: cannot open loaded_scripts.log: Permission denied
zeek_1           | 1717431560.807398 error: loaded_scripts/Log::WRITER_ASCII: terminating thread
zeek_1           | 1717431560.807398 error: packet_filter/Log::WRITER_ASCII: cannot open packet_filter.log: Permission denied
zeek_1           | 1717431560.807398 error: packet_filter/Log::WRITER_ASCII: terminating thread
zeek_1           | 1717431560.807398 error: stats/Log::WRITER_ASCII: cannot open stats.log: Permission denied
zeek_1           | 1717431560.807398 error: stats/Log::WRITER_ASCII: terminating thread
zeek_1           | 1717431560.810849 error: reporter/Log::WRITER_ASCII: cannot open reporter.log: Permission denied
zeek_1           | 1717431560.811250 error: reporter/Log::WRITER_ASCII: terminating thread

I looked at the similar issue described here but that solution did not worked out for me.

I am using filebeat to ship zeek logs to elasticsearch. In the filebeat container, i can see the zeek logs.

filebeat@e28a462fa141:/var/log/ids/slips/ens5_2024-06-03_11:06:03/zeek_files$ ls
analyzer.log  capture_loss.log	dhcp.log  dpd.log    http.log	      known_services.log  loaded_scripts.log  packet_filter.log  software.log  ssl.log	  weird.log
arp.log       conn.log		dns.log   files.log  known_hosts.log  ldap_search.log	  ntp.log	      reporter.log	 ssh.log       stats.log

This is my zeek configuration in the docker compose file

  zeek:
    build:
      context: ./services
      dockerfile: ./zeek/Dockerfile
    command: -i ens5
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - /var/log/zeek:/var/log/zeek:rw
      - ./services/zeek/config/local.zeek:/usr/local/zeek/share/zeek/site/local.zeek:ro
    environment:
      - TRUSTED_NET=["192.168.0.0/16","10.0.0.0/8"]
      - PGID=1000
      - PUID=1000
    network_mode: host

Dockerfile

# Use the zeekurity/zeek base image with version 5.0.10
FROM zeekurity/zeek:5.0.10

# Update package repositories and install required packages
RUN apt-get update && apt-get install -y tini gosu libcap2-bin

# Create a Zeek group and user with specific UID and GID
#RUN adduser -u 1000 -gid 1000 -d /usr/local/zeek -M -s /sbin/nologin --disabled-password zeek
RUN groupadd --gid 1000 zeek
RUN adduser --uid 1000 --gid 1000 --home /usr/local/zeek --disabled-password --gecos "" --shell /sbin/nologin zeek

# Install Zeek packages: ja3 and hassh
WORKDIR /usr/local/zeek/bin/
RUN ./zkg install --force ja3 hassh

# Create a volume for Zeek logs
VOLUME "/var/log/zeek"

# Set the ownership of the Zeek installation directory to the 'zeek' user
WORKDIR /usr/local
RUN chown -R zeek:zeek ./zeek

# Copy the entrypoint script to /usr/local/sbin
COPY ./zeek/entrypoint.sh /usr/local/sbin/entrypoint.sh

# Make the entrypoint script executable
RUN chmod +x /usr/local/sbin/entrypoint.sh

# Set the entrypoint command to run the entrypoint script with tini
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/sbin/entrypoint.sh"]

Can anyone point me the cause for the above error ?

Answered by awelzel

Jun 4, 2024

@Dwijad - it might make sense to share your entrypoint.sh and local.zeek scripts. The one guess is that VOLUME "/var/log/zeek" is used for logging and root owned, so you might need to chown that.

View full answer

awelzel · 2024-06-04T15:50:05Z

awelzel
Jun 4, 2024
Maintainer

@Dwijad - it might make sense to share your entrypoint.sh and local.zeek scripts. The one guess is that VOLUME "/var/log/zeek" is used for logging and root owned, so you might need to chown that.

0 replies

Dwijad · 2024-06-05T15:22:44Z

Dwijad
Jun 5, 2024
Author

@awelzel You are right ! That was a permission issue. I reconfigured zeek to output logs to /usr/local/zeek/logs folder which is owned by the user "zeek" and zeek logs are now accumulating in this folder.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cannot open zeek logs: Permission denied #3761

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

cannot open zeek logs: Permission denied #3761

Dwijad Jun 3, 2024

Dockerfile

Replies: 2 comments

awelzel Jun 4, 2024 Maintainer

Dwijad Jun 5, 2024 Author

Dwijad
Jun 3, 2024

awelzel
Jun 4, 2024
Maintainer

Dwijad
Jun 5, 2024
Author