module should work correctly if you configure it as in the documentation. Please let us know which Wazuh release you are using to verify it works as expected.
In addition to that, try the following:

Enable debug mode and look for error messages

First of all, please enable debug mode for the modules to see if there are any error or warning messages. You can easily enable it by adding the following line to the "{wazuh-path}/etc/local_internal_options.conf" file:

wazuh_modules.debug=2

After that, restart the wazuh service and look for Docker related messages in the "{wazuh-path}/logs/ossec.log" log file. Please, run the following command for a few minutes after restarting and paste here the output, removing any sensitive information if needed:

tail -f {wazuh-path}/logs/ossec.log | grep docker

Don't forget to replace "{wazuh-path}" with the path you have Wazuh installed on. By default, it is "/var/ossec/".

Enable logall option and check the events

It is possible to check if the module is generating the expected events but for some reason these events are not triggering any alert. Let me clarify this topic.

When a log is processed it is sent to "Analysisd" as an "event". If any given event is matched with any available rule, an "alert" will be raised and it will appear in the Wazuh UI.

Using the logall option it is possible to check every event sent to analysisd (which means, every processed log regardless of whether it triggered a rule or not) by looking at the "{wazuh-path}/logs/archives/archives.log" log file. Don't forget to restart the Wazuh manager once you enable this option.

This will allow you to check if the module is working (it sends events) but no alerts are being raised.

Finally, I'm assuming you are trying to monitor the container activity, as explained in the documentation. If that's the case, try to run the following command to check if any event or alert is raised:

docker start apache

With this information we will be able to help you further.
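
The checks described in the reply above can be combined into one triage step that tells you whether the module reports errors, sends no events, or sends events that match no rule. This is an added example, not part of the original reply or Wazuh's own tooling: the function names are hypothetical, matching on the string "docker" is a simplification, and the third argument assumes alerts are written to a file such as "{wazuh-path}/logs/alerts/alerts.log".

```shell
#!/bin/sh
# Added example: where do Docker events stop in the Wazuh pipeline?
# Matching on the string "docker" is a simplification (assumption).

count_docker() {
    # Number of lines mentioning docker; 0 if the file is unreadable.
    if [ -r "$1" ]; then grep -ci 'docker' "$1" || true; else echo 0; fi
}

docker_triage() {
    # $1 = ossec.log, $2 = archives.log, $3 = alerts.log
    errors=$(grep -i 'docker' "$1" 2>/dev/null | grep -ciE 'error|warning' || true)
    events=$(count_docker "$2")
    alerts=$(count_docker "$3")
    if [ "$errors" -gt 0 ]; then
        echo "module-errors"          # fix what ossec.log reports first
    elif [ "$events" -eq 0 ]; then
        echo "no-events"              # module is not sending anything
    elif [ "$alerts" -eq 0 ]; then
        echo "events-without-alerts"  # events arrive, no rule matches
    else
        echo "alerts-raised"
    fi
}

demo_triage() {
    # Constructed sample lines, not real Wazuh output.
    d=$(mktemp -d)
    echo '2024/01/01 10:00:00 modulesd:docker DEBUG: listener started' > "$d/ossec.log"
    echo '2024 Jan 01 10:00:05 host->docker {"action":"start","name":"apache"}' > "$d/archives.log"
    : > "$d/alerts.log"
    docker_triage "$d/ossec.log" "$d/archives.log" "$d/alerts.log"
    rm -rf "$d"
}

demo_triage   # prints: events-without-alerts
```

Run docker_triage against the real files after enabling debug mode and logall, restarting, and starting a container.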