Monitoring Docker events on Wazuh 4.14


ACH. MUQODDAM

Feb 10, 2026, 3:59:43 AM
to Wazuh | Mailing List
Hi everyone,

I have several servers running multiple Docker containers (as shown in the attached image). Currently, my Wazuh setup is not detecting any activity or security events from these containers. What are the necessary configurations on both the Wazuh Manager and the Wazuh Agent to enable full monitoring and threat detection for all Docker containers across my infrastructure?
WhatsApp Image 2026-02-10 at 13.52.25.jpeg
my server configure wazuh-agent:
node7:~# cat /var/ossec/etc/ossec.conf
<!--
  Wazuh - Agent - Default configuration for ubuntu 22.04
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <client>
    <server>
      <address>x.x.x.x</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>ubuntu, ubuntu22, ubuntu22.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
    <enrollment>
      <enabled>yes</enabled>
      <agent_name>node7</agent_name>
      <groups>default</groups>
      <authorization_pass_path>etc/authd.pass</authorization_pass_path>
    </enrollment>
  </client>

  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>

    <ignore>/var/lib/containerd</ignore>
    <ignore>/var/lib/docker/overlay2</ignore>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- Monitoring Docker events -->
  <wodle name="docker-listener">
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>etc/wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>journald</log_format>
    <location>journald</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

</ossec_config>

I am securing a Microservices ecosystem consisting of ReactJS (Frontend), PHP (Backend APIs), various Databases, Nginx (Web Servers), NPM (Proxy-Manager), and a CI/CD pipeline. All services are containerized in Docker.

Stuti Gupta

Feb 10, 2026, 4:50:32 AM
to Wazuh | Mailing List
Hi MUQODDAM,

To monitor the containers' activity you need to install the agent on the host. Then enable the Wazuh Docker listener. The Docker listener runs on the endpoint, collects and forwards Docker-related logs to the Wazuh server.

For that, please refer to https://documentation.wazuh.com/current/user-manual/capabilities/container-security/monitoring-docker.html#enable-the-wazuh-docker-listener and follow all the steps carefully.

If, after enabling it, you are still unable to see the events related to Docker, then please share the following:
Wazuh agent version
wazuh agent logs /var/ossec/logs/ossec.log

Stuti Gupta

Feb 10, 2026, 9:37:48 PM
to Wazuh | Mailing List
Sorry for noticing it late, but I have noticed that you have already enabled Docker monitoring. Please check the archives.log, along with the agent logs and the agent version. 
Also, please make sure the manager version is equal to or higher than the wazuh-agent version for compatibility. 

To enable the archives, you can refer to https://documentation.wazuh.com/current/user-manual/manager/event-logging.html
Note that enabling this is not advisable in the production environment, as it consumes lots of disk space. Make sure to disable it once you have got the logs.

After that, run the following command:
cat /var/ossec/logs/archives/archives.json | grep docker

Check if you have any related Docker monitoring logs present there.
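A structured version of the `grep docker` check above, as an added example that is not part of this thread: it reads archives.json line by line, keeps only events the docker-listener wodle produced, and counts Docker actions per agent and container, which is quicker to scan than raw grep output. The sample lines are constructed; the `data.integration` / `data.docker` field layout mirrors the Docker Engine events API as the listener forwards it and should be treated as an assumption, not as something confirmed in this thread.

```python
"""Summarise Docker listener events found in Wazuh archives.json (added example)."""
import json
from collections import Counter

# Constructed sample of archives.json lines (one JSON object per line).
# Line 2 is a non-Docker journald event and line 4 is deliberately not JSON,
# so the filter has to cope with both.
SAMPLE_ARCHIVE = """\
{"timestamp":"2026-02-11T06:00:01.000+0000","agent":{"id":"007","name":"be-node1"},"location":"Wazuh-Docker","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"Type":"container","Action":"start","Actor":{"ID":"abc123","Attributes":{"image":"nginx:1.25","name":"web"}}}}}
{"timestamp":"2026-02-11T06:00:05.000+0000","agent":{"id":"007","name":"be-node1"},"location":"journald","decoder":{"name":"systemd"},"full_log":"Feb 11 06:00:05 be-node1 systemd[1]: Started Daily apt upgrade and clean activities."}
{"timestamp":"2026-02-11T06:01:10.000+0000","agent":{"id":"007","name":"be-node1"},"location":"Wazuh-Docker","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"Type":"container","Action":"exec_create: chown www-data /var/www/html","Actor":{"ID":"abc123","Attributes":{"image":"nginx:1.25","name":"web"}}}}}
not valid json
"""


def iter_docker_events(text):
    """Yield (agent, container, image, action) for every Docker event line.

    Lines that are not JSON, or that did not come from the Docker
    integration, are skipped silently.
    """
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        data = event.get("data") or {}
        if data.get("integration") != "docker":
            continue
        docker = data.get("docker") or {}
        actor = docker.get("Actor") or {}
        attrs = actor.get("Attributes") or {}
        yield (
            (event.get("agent") or {}).get("name", "?"),
            attrs.get("name", actor.get("ID", "?")),
            attrs.get("image", "?"),
            docker.get("Action", "?"),
        )


def summarize(text):
    """Count Docker actions per (agent, container, verb) triple."""
    counts = Counter()
    for agent, container, _image, action in iter_docker_events(text):
        # exec_create / exec_start carry the executed command after a colon;
        # keep only the verb so the same command run twice is counted once each.
        verb = action.split(":", 1)[0].strip()
        counts[(agent, container, verb)] += 1
    return counts


if __name__ == "__main__":
    # On a manager with archives enabled:
    #   python3 docker_events.py < /var/ossec/logs/archives/archives.json
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARCHIVE
    for (agent, container, verb), n in sorted(summarize(source).items()):
        print(f"{agent:12} {container:14} {verb:14} {n}")
```

Run it against the real archives.json on the manager by piping the file in; with no input it falls back to the constructed sample, which yields one `start` and one `exec_create` for the container `web`.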

ACH. MUQODDAM

Feb 11, 2026, 6:57:48 AM
to Wazuh | Mailing List
Hello,

Screenshot from 2026-02-11 13-06-52.png

Screenshot from 2026-02-11 13-18-58.png



<!-- Docker listener module -->
<wodle name="docker-listener">
  <disabled>no</disabled>

  <interval>10m</interval>
  <attempts>5</attempts>
  <run_on_start>yes</run_on_start>
</wodle>

I have successfully enabled the docker-listener module on my Wazuh agent(be-node1), and I can see system-level events such as command executions (chmod, chown) inside my containers (see attached screenshot).

However, I need to detect application-layer attacks such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and Shellshock targeting my microservices (ReactJS frontend, PHP backend, and Nginx).

My current configuration only shows Docker engine events. What additional steps or decoders do I need to implement to analyze the actual application logs (Nginx access logs, PHP-FPM logs) from within these containers to detect these specific security threats?

Stuti Gupta

Feb 11, 2026, 10:47:53 PM
to Wazuh | Mailing List

Your current Docker-listener configuration is working correctly, as it only collects Docker engine events such as container start, stop, restart, and command execution. It does not read or analyze logs generated by applications running inside the container. That is why you only see container activity and not SQL Injection, XSS, or Shellshock attacks.

If Apache is running in a Docker container, the container's logs are not visible on the host machine. The Wazuh agent can only monitor files that exist on the host.

Docker must be configured so that Apache logs are available outside the container. This can be done using bind mounts, Docker volumes, or logging drivers. You can refer to:
https://docs.docker.com/storage/bind-mounts/
https://docs.docker.com/storage/volumes/
https://docs.docker.com/config/containers/logging/configure/

To detect SQLi or XSS, Wazuh must read Apache access logs.

Apache logs every HTTP request in files such as:

/var/log/apache2/access.log
or
/var/log/httpd/access_log

For configuring log collection, you can refer to: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html

For example, once the Apache access log is accessible on the host, edit: /var/ossec/etc/ossec.conf, and add:

<localfile>
 <log_format>apache</log_format>
 <location>/var/log/apache2/access.log</location>
</localfile> 

Restart the agent: systemctl restart wazuh-agent

You can refer to:
https://wazuh.com/blog/detecting-web-attacks-with-wazuh/
https://documentation.wazuh.com/current/proof-of-concept-guide/detect-web-attack-sql-injection.html

Wazuh already includes built-in decoders and rules for common web attacks. The files are located on the manager:
/var/ossec/ruleset/decoders/
/var/ossec/ruleset/rules/

If logs are not parsed correctly, you can test them on the manager using:
/var/ossec/bin/wazuh-logtest

Paste a sample Apache log line and check which decoder and rule match it.

If it is not giving satisfactory results, you need to create custom rules and decoders. You can refer to:
https://documentation.wazuh.com/current/user-manual/ruleset/index.html

For analyzing ModSecurity events, you can refer to:
https://wazuh.com/blog/analyzing-modsecurity-events-with-wazuh/

If ModSecurity is enabled, you can add another localfile entry:

<localfile>
 <log_format>syslog</log_format>
 <location>/var/log/modsec_audit.log</location>
</localfile>

Restart the agent again: systemctl restart wazuh-agent

If no alerts appear and you want to confirm whether logs are reaching the manager, you can enable archive logging. Do not enable it for long in production because it consumes a large amount of disk space. You can refer to:

https://documentation.wazuh.com/current/user-manual/manager/event-logging.html

Wazuh detects SQLi, XSS, and similar attacks by analyzing Apache and security logs. The main requirement is that those logs must be accessible on the host and properly configured in <localfile> so the Wazuh agent can read them.

Let me know if you need any help with this.
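To make concrete what the manager does with an Apache or Nginx access log once the agent can read it, here is an added example (not part of this thread and not Wazuh's own decoder or ruleset): it parses combined-format access log lines and applies simplified SQLi, XSS and Shellshock signatures to the decoded request, then raises the level when the server answered 200, the same idea the built-in web rules follow. The log lines are constructed test inputs, and the regexes are the example's own approximations, so use `wazuh-logtest` as Stuti suggests to see what the real ruleset matches.

```python
"""Flag web-attack patterns in combined-format access log lines (added example)."""
import re
from urllib.parse import unquote

# Apache/Nginx "combined" log format; referer and user-agent are optional
# so the plain "common" format parses as well.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Simplified signatures written for this example; they are NOT the regexes
# from the Wazuh web rules, only the same kind of check.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1|\bsleep\s*\()"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|onerror\s*=|onload\s*=)"),
    "shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;"),
}

# Constructed sample: one benign request, one SQLi that got a 200, one XSS
# blocked with 403, one Shellshock probe in the User-Agent, one garbage line.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Feb/2026:13:18:58 +0700] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Feb/2026:13:19:01 +0700] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Feb/2026:13:19:05 +0700] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 153 "-" "curl/8.0"
203.0.113.9 - - [11/Feb/2026:13:19:09 +0700] "GET /cgi-bin/status HTTP/1.1" 404 0 "-" "() { :; }; echo test"
garbage line
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not an access log."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %27, %3C etc. first; signatures are matched on the decoded URL.
    rec["url"] = unquote(rec["url"])
    return rec


def classify(line):
    """Return a finding dict for an attack-looking line, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    # Referer and User-Agent are attacker-controlled too (Shellshock lives there).
    haystack = " ".join([rec["url"], rec["referer"] or "", rec["ua"] or ""])
    for name, rx in SIGNATURES.items():
        if rx.search(haystack):
            # A 200 means the request was served, so weight it higher than
            # a blocked or missing resource.
            level = "high" if rec["status"] == 200 else "medium"
            return {"type": name, "level": level, "src": rec["src"],
                    "status": rec["status"], "url": rec["url"]}
    return None


def scan(text):
    """Classify every line of an access log and return the findings in order."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['level']:6} {f['type']:10} {f['src']:14} {f['status']} {f['url']}")
```

The point of decoding the URL before matching is that `%27%20OR%20` would otherwise slip past a literal quote check; the real decoders do the equivalent, which is why a sample line pasted into `wazuh-logtest` should show the decoded request fields before any rule fires.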
