Docker monitoring


M G

Dec 5, 2025, 7:56:45 AM
to Wazuh | Mailing List
Hello,

I'm trying to integrate Wazuh agents with Docker.

Wazuh version (agent and manager): 4.13.1
Docker version 26.1.3,
python3 version Python 3.6.8

$ systemctl status wazuh-agent.service
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2025-12-05 12:54:21 CET; 6min ago
  Process: 3717 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 4379 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 37 (limit: 100620)
   Memory: 1.4G
   CGroup: /system.slice/wazuh-agent.service
           ├─2291 python3 wodles/docker/DockerListener
           ├─4406 /var/ossec/bin/wazuh-execd
           ├─4415 /var/ossec/bin/wazuh-agentd
           ├─4430 /var/ossec/bin/wazuh-syscheckd
           ├─4441 /var/ossec/bin/wazuh-logcollector
           ├─4449 /var/ossec/bin/wazuh-modulesd
           └─4461 python3 wodles/docker/DockerListener

Dec 05 12:54:17 host systemd[1]: Starting Wazuh agent...
Dec 05 12:54:17 host  env[4379]: Starting Wazuh v4.13.1...
Dec 05 12:54:17 host  env[4379]: Started wazuh-execd...
Dec 05 12:54:18 host  env[4379]: Started wazuh-agentd...
Dec 05 12:54:18 host  env[4379]: Started wazuh-syscheckd...
Dec 05 12:54:18 host  env[4379]: Started wazuh-logcollector...
Dec 05 12:54:19 host  env[4379]: Started wazuh-modulesd...
Dec 05 12:54:21 host  env[4379]: Completed.
Dec 05 12:54:21 host  systemd[1]: Started Wazuh agent.


 $ ps -p 4461
    PID TTY          TIME CMD
   4461 ?        00:00:00 python3


$ grep -i 'docker' /var/ossec/logs/ossec.log
2025/12/05 12:45:40 wazuh-modulesd:docker-listener: INFO: Module docker-listener started.
2025/12/05 12:45:40 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.
2025/12/05 12:50:52 wazuh-modulesd:docker-listener: INFO: Module finished.
2025/12/05 12:51:28 wazuh-modulesd:docker-listener: INFO: Module docker-listener started.
2025/12/05 12:51:28 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.
2025/12/05 12:54:18 wazuh-modulesd:docker-listener: INFO: Module docker-listener started.
2025/12/05 12:54:18 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.

$ cat /var/ossec/etc/ossec.conf
<wodle name="docker-listener">
  <interval>10m</interval>
  <attempts>5</attempts>
  <run_on_start>yes</run_on_start>
  <disabled>no</disabled>
</wodle>


<localfile>
  <log_format>syslog</log_format>
  <location>/var/lib/docker/containers/*/*-json.log</location>
</localfile>

<localfile>
  <location>/var/lib/docker/containers/87830c66600e925c65098f2e47323d5dbda8ef51c0a3e19b143b4c4d2b4cf305/87830c66600e925c65098f2e47323d5dbda8ef51c0a3e19b143b4c4d2b4cf305-json.log</location>
</localfile>


$ cat /var/lib/docker/containers/
87830c66600e925c65098f2e47323d5dbda8ef51c0a3e19b143b4c4d2b4cf305/ f53a2425e46503712b187cafe873f38ad796d667a9805351a42e4f931575c4b1/
b0a93eb822685e0613a452731d27f2f865367b4a68ed29989f6fb7dbc2971183/


$ ls -lsa
148 -rw-r-----. 1 root root 146046 Dec  5 13:47 /var/lib/docker/containers/87830c66600e925c65098f2e47323d5dbda8ef51c0a3e19b143b4c4d2b4cf305/87830c66600e925c65098f2e47323d5dbda8ef51c0a3e19b143b4c4d2b4cf305-json.log


But I don't get any events on the Wazuh manager.

Can I ask for help on what to check and what I might be doing wrong?


Regards
Mateusz





Francis Timilehin Jeremiah

Dec 5, 2025, 8:28:28 AM
to Wazuh | Mailing List
Hello, if I understand you correctly, you want to monitor the Docker host and container logs. You can see Docker runtime events right? As for the container logs, you are not seeing events because you haven't configured custom decoders and rules yet. Also, for monitoring logs, use something like the config below so that you can monitor all Docker logs and make sure the log format is correct.

<localfile>
  <log_format>json</log_format>
  <location>/var/log/docker/*</location>
</localfile>

Take a look at this blog post to have an idea - https://wazuh.com/blog/monitoring-docker-container-logs-with-wazuh/