Docker events only generate network bridge connect/disconnect alerts – missing container action alerts (eg. pause/unpause/start)
Robby Hunters
Hello Wazuh Team,
I am currently testing Docker monitoring using Wazuh Agent with docker-listener enabled, and I would like to confirm whether there has been a change in Docker event field mapping or rules behavior in recent versions.
Environment-
Wazuh version: 4.14.1
-
Docker version: Docker 29.1.3
-
Deployment: Centralized agent configuration (agent.conf via manager)
-
docker-listener: enabled and running successfully
The docker listener starts correctly:
-
In Wazuh Alerts, I only receive alerts related to Docker network events, such as:
-
Docker: Network bridge connected
-
Docker: Network bridge disconnected
-
-
Container lifecycle events (pause, unpause, start, stop, delete) do NOT generate alerts, even though:
-
Docker events are visible using:
docker eventsExample:
container pause container unpause -
The raw Docker events are present in Wazuh logs, for example:
{ "integration": "docker", "docker": { "Type": "container", "Action": "unpause", "Actor": { "Attributes": { "image": "httpd", "name": "test-container" } } } }
-
-
When testing with wazuh-logtest, I noticed:
-
The event is decoded correctly
-
It matches the base rule:
rule id: 87900 description: Docker alerts: container level: 0 -
However, child rules that rely on docker.status (e.g. pause, unpause, delete) are not triggered automatically.
-
I checked the default ruleset and found rules like:
But the incoming events contain:
-
docker.Action
-
NOT docker.status
This suggests a field mismatch between docker-listener output and the existing ruleset.
Question
Could you please clarify:
-
Has there been a change in recent Wazuh or Docker versions where docker.status is no longer populated and replaced by docker.Action?
-
Is this expected behavior with newer Docker versions (e.g. Docker 29.x)?
-
Should users update or create custom rules to match docker.Action instead of docker.status?
-
Are there plans to update the default Docker ruleset to align with the current Docker event format?
-
When manually crafting a log with docker.status=delete, the corresponding rule (e.g. rule ID 87921) triggers correctly in wazuh-logtest.
-
This indicates the rules themselves work, but the runtime Docker events no longer match the expected field names.
Thank you for your support.
Looking forward to your clarification.
Best regards,
Robby
hasitha.u...@wazuh.com
Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.
hasitha.u...@wazuh.com
Yes, you are correct. I will create a GitHub issue regarding this.
However, as a workaround, I suggest you overwrite the default Docker rules with the expected rule triggering for your case.
Navigate to the Server management -> Rules -> Custom rules -> Add new rules file -> Copy below rules to the file -> Provide the file name (ex: local_docker_rules) -> Save -> Reload
- <group name="docker,">
- <rule id="87905" level="3" overwrite="yes">
- <if_sid>87900</if_sid>
- <field name="docker.Action">^pause$</field>
- <options>no_full_log</options>
- </rule>
- <rule id="87906" level="3" overwrite="yes">
- <if_sid>87900</if_sid>
- <field name="docker.Action">^unpause$</field>
- <options>no_full_log</options>
- </rule>
- <rule id="87903" level="3" overwrite="yes">
- <if_sid>87900</if_sid>
- <field name="docker.Action">^start$</field>
- <options>no_full_log</options>
- </rule>
- <rule id="87904" level="3" overwrite="yes">
- <if_sid>87900</if_sid>
- <field name="docker.Action">^stop$</field>
- <options>no_full_log</options>
- </rule>
- </group>
For more details regarding overwriting existing default rules, please check this guide.
Let me know if you need further assistance on this.