Monitoring Docker Containers on Amazon ECS

John Doe

Oct 17, 2023, 3:44:06 PM
to Wazuh | Mailing List
Hello,

We are running our Wazuh Manager on a separate VPS (Linode) and we would like to know how we can deploy the agents to monitor the Docker containers deployed in Amazon ECS.

Thank you,

Jose Camargo

Oct 17, 2023, 8:07:02 PM
to Wazuh | Mailing List
Hi,

For more information on how to monitor Docker, you can check the following documents:


First of all, you need to check whether the Docker listener module is active. Go to Wazuh > Settings and under the “Threat Detection and Response” tab, there is “Docker listener”. Enable it.

Now, install the Wazuh Agent on the container and then enable the Wazuh Docker listener by adding this config to the agent's /var/ossec/etc/ossec.conf file:
<ossec_config>
    ...
    <wodle name="docker-listener">
        <interval>10m</interval>
        <attempts>5</attempts>
        <run_on_start>yes</run_on_start>
        <disabled>no</disabled>
    </wodle>
    ...
</ossec_config>


After making that change in the config file, save it and then restart the Wazuh agent:
systemctl restart wazuh-agent

The Python docker library is required by the wodle; you have to deploy it to the test device for monitoring:
pip install docker

Now, you'll be able to see the agent on the Dashboard.


Please let me know if you run into any issues; I'll be glad to help.


Regards,
Jose Camargo

John Doe

Oct 18, 2023, 2:00:28 PM
to Wazuh | Mailing List
Hi Jose,

Two questions:
Will I need to identify the OS types inside those containers?
Does "pip install docker" need to be run on the separate Wazuh manager or on each monitored container?

Thank you,

Jose Camargo

Oct 19, 2023, 4:08:25 PM
to Wazuh | Mailing List
Hi,

Sorry for the delay. You must install the Wazuh agent on the host where the containers are located. It is not necessary to do it on each container. The docker-listener module will get the logs generated by the containers and ingest them. Once you do, you can send the docker-listener module to all agents using centralized configuration as explained here: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

I'll be awaiting your comments.

Regards,
Jose Camargo
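
Added example, not part of the thread and not Wazuh's own code: a preflight check to run on the container host that confirms the two agent-side prerequisites named above, an enabled docker-listener wodle in ossec.conf and an importable Python docker library. The sample config is constructed; treating a missing `<disabled>` tag as "no" and treating any disabled block as disabling the module are assumptions.

```python
import importlib.util
import re
import xml.etree.ElementTree as ET

# Constructed sample. ossec.conf may hold several <ossec_config> blocks,
# so it is not a single-root XML document and cannot be parsed directly.
SAMPLE_CONF = """
<ossec_config>
  <client><server><address>manager.example.org</address></server></client>
</ossec_config>
<ossec_config>
  <wodle name="docker-listener">
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>
</ossec_config>
"""

def docker_listener_enabled(conf_text):
    """True if a docker-listener wodle exists and no block disables it."""
    # Strip XML comments, then wrap everything in one root element so a
    # multi-block file parses.
    body = re.sub(r"<!--.*?-->", "", conf_text, flags=re.S)
    root = ET.fromstring("<root>" + body + "</root>")
    states = [
        # Assumption: a missing <disabled> tag means the wodle is enabled.
        (w.findtext("disabled") or "no").strip().lower()
        for w in root.iter("wodle")
        if w.get("name") == "docker-listener"
    ]
    # Conservative choice (assumption): any disabled block counts as off.
    return bool(states) and "yes" not in states

def preflight(conf_path="/var/ossec/etc/ossec.conf"):
    """Check the agent-side prerequisites mentioned in the thread."""
    try:
        with open(conf_path) as fh:
            wodle_ok = docker_listener_enabled(fh.read())
    except OSError:
        wodle_ok = False  # file missing or unreadable (run as root)
    return {
        "wodle_enabled": wodle_ok,
        # Only reports on the interpreter running this script.
        "python_docker_lib": importlib.util.find_spec("docker") is not None,
    }

if __name__ == "__main__":
    print(preflight())
```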

Julio Cesar Biset

Oct 19, 2023, 4:19:13 PM
to Wazuh | Mailing List
Hi John.
I recommend following the strategy that José proposes: if the host of your containers can be accessed, install the agent there.
If this is not possible, reading the features of AWS ECS (https://aws.amazon.com/es/ecs/features/?pg=ln&sec=gs), it may be useful to use AWS service-based monitoring as a strategy, perhaps using CloudTrail (https://documentation.wazuh.com/current/cloud-security/amazon/services/supported-services/cloudtrail.html#amazon-cloudtrail) or CloudWatch (https://documentation.wazuh.com/current/cloud-security/amazon/services/supported-services/cloudwatchlogs.html#aws-cloudwatchlogs) depending on what you want to monitor.

Regards!
