Description
📌 Request Details
Required Information
- Target version: 4.x
- Request type
- Product update
- Fixes or corrections
- Improvement
- Other:
- Affected Documentation
- Documentation section(s): Modify default decoders
- Specific page URLs: https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html#modify-default-decoders
Description
The current documentation outlines steps for copying a default decoder file (e.g., /var/ossec/ruleset/decoders/0310-ssh_decoders.xml) to the user directory (/var/ossec/etc/decoders/), editing it, excluding the original from loading, and restarting the Wazuh manager. However, it does not mention that files created or copied under the root user will default to root:root ownership. This can prevent the Wazuh manager service (which runs as the wazuh user) from reading the file, leading to a failed restart.
To address this, add a new numbered step after step 1 (copying the file) and before step 2 (editing ossec.conf). This ensures users set the correct ownership before proceeding, avoiding common troubleshooting issues.
i.e.:
1. Copy the decoder file /var/ossec/ruleset/decoders/0310-ssh_decoders.xml to the user directory /var/ossec/etc/decoders/. This ensures that your changes are saved when upgrading to a newer version.
2. Change the ownership and permissions of the copied file to wazuh:wazuh to ensure the Wazuh manager service can read it:
   # chown wazuh:wazuh /var/ossec/etc/decoders/0310-ssh_decoders.xml
   # chmod 660 /var/ossec/etc/decoders/0310-ssh_decoders.xml
Additional examples/references (screenshots, code samples, links)
🛠 Additional Details
Reference: #9106
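As an added example (not code from the Wazuh project or from the issue above), a POSIX shell script that performs the proposed copy-and-fix step and a check that lists any custom decoder the manager user would not be able to read. The paths, the wazuh:wazuh default and the function names are assumptions taken from the issue text.

```shell
#!/bin/sh
# Added example, not code from the Wazuh project or the issue above.
# Assumptions: the manager runs as wazuh:wazuh (as the issue states), custom
# decoders live in /var/ossec/etc/decoders/, and find supports -maxdepth.

# Copy a default decoder into the custom decoder directory and give it the
# ownership and mode the issue proposes, so the manager can read it on restart.
# Usage: copy_decoder SRC DSTDIR [USER] [GROUP]
copy_decoder() {
    src=$1; dstdir=$2; user=${3:-wazuh}; group=${4:-wazuh}
    dst="$dstdir/$(basename "$src")"
    cp "$src" "$dst" || return 1
    # Without this step a file copied by root stays owned by root:root.
    chown "$user:$group" "$dst" && chmod 660 "$dst"
}

# List every custom decoder the manager user could not read: wrong owner,
# wrong group, or a mode other than 660. Returns 1 if any file is listed.
# Usage: check_decoder_perms DIR [USER] [GROUP]
check_decoder_perms() {
    dir=$1; user=${2:-wazuh}; group=${3:-wazuh}
    bad=$(find "$dir" -maxdepth 1 -type f -name '*.xml' \
          \( ! -user "$user" -o ! -group "$group" -o ! -perm 660 \) -print)
    if [ -n "$bad" ]; then
        echo "$bad" | while IFS= read -r f; do
            echo "not readable by $user: $f"
        done
        return 1
    fi
    return 0
}

# Stand-alone use as root, before excluding the default file in ossec.conf:
#   copy_decoder /var/ossec/ruleset/decoders/0310-ssh_decoders.xml /var/ossec/etc/decoders
#   check_decoder_perms /var/ossec/etc/decoders
```

Running check_decoder_perms after every copy is a quick way to catch the root:root case before restarting the manager.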