Agent Installation on Containers

[Dinie Rosli]

I found the official documentation for Docker installation but it's only for the Wazuh Manager (single-node or multi-node). 

https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html

If I want to install Wazuh AGENT instead on a docker host or it's containers, do I just run the basic wazuh agent installation as normal with no differences? Or do I only need to install the AGENT on the host and not the containers? 

[Dinie Rosli]

https://documentation.wazuh.com/current/container-security/docker-monitor/monitoring-containers-activity.html

This means that if I have my Manager running on an entirely separate AWS Account on an EC2 instance, I need to do the standard installation of agent on the containers, and edit the ossec.conf in the AGENT (container) to enable the wodle for docker? 

<ossec_config>
    <wodle name="docker-listener">
        <interval>10m</interval>
        <attempts>5</attempts>
        <run_on_start>yes</run_on_start>
        <disabled>no</disabled>
    </wodle>
</ossec_config>

What about the hosts of the containers? 

And for the dependencies, there is this Warning:

(Warning: The Wazuh manager includes all dependencies installed, these steps are only necessary when configuring the integration in a Wazuh agent.)
Does this mean if I follow standard agent installation on the containers, I don't have to bother with these dependencies? Or do I still need to install it? 

[Jorge Eduardo Molas]

Hi! Thanks for using Wazuh!

• As you exposed, the first link (wazuh-container)is about Wazuh stack deployment over Docker. This means getting all Wazuh components (Manager, Indexer, Dashboard) into containers.
• The second link (monitoring-containers-activity) describes the way to monitor containers that are placed into a Docker host. For example,  if you have any instance with Docker runtime installed, you be able to use the Wazuh agent in this host to monitor all containers within it.  Is not necessary to install the Wazuh agent in each Docker container to reach this goal.
• The warning indicates that if you monitor the Docker host on the same host that you installed Wazuh Docker on, you don't need to install all the dependencies because they were already installed when you followed the steps to install Wazuh Docker.
  

I hope it is useful for you.
Regards!

[Dinie Rosli]

Hi Jorge,

Thanks for the answers! Just one last thing wanted to clarify on the warning part. So if I need to install the wazuh agent on a Docker host that does NOT have Wazuh Docker on, does that mean I HAVE to install all the dependencies to make it work? Or can I simply follow the standard agent installation guide? 

[Jorge Eduardo Molas]

Hi!! sorry for the delay. If you have a fresh install with a Docker Host, in order to monitor Docker containers, you need to install all dependencies, because are necessary in order to monitor Docker.

[Dinie Rosli]

Thanks so much Jorge!! I got it working now and it's monitoring the docker container. However, if there is multiple containers in the docker host,  is there a way I can register the Host agent with multiple names for those containers? 
An example would be if 1 container is GLPI open source, and another container is a Tomcat. Is there a way to register the Host as Agent and have it display twice, with different name, one as GLPI and another as Tomcat in the Wazuh Dashboard?