DockerListener not connecting


BlueAz

Jul 18, 2024, 5:57:46 AM7/18/24
to Wazuh | Mailing List
Hi team,
I have some difficulties connecting the DockerListener to my Wazuh manager, and also troubleshooting it.

Wazuh Manager is on a VM1 on VLAN1
A Wazuh Agent is on another VM2 on VLAN2
The FW is configured to let VM1 and VM2 communicate on ports 1514 and 1515.

On the host (client):
I have installed the docker Python package with:
pip3 install docker --break-system-packages
Because otherwise, without --break-system-packages, I get the message about the Python venv.
-- Maybe the documentation is not up to date?
-- Or maybe it is not the right thing to do?

Then, I added the wodle to ossec.conf:
  <wodle name="docker-listener">
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>

Then, I restarted the wazuh-agent...

But when I try to see the comm logs, here is the message:
$ sudo /var/ossec/wodles/docker/DockerListener
{"integration": "docker", "docker": {"Wodle event": "Started"}}
Docker service is not running.
{"integration": "docker", "docker": {"Wodle event": "Docker service is not running"}}
Reconnecting...


I of course followed your PoC and some other guides, without any success.
I do not see how I can troubleshoot further and I am blocked.
Could you please help me?

Many thanks in advance

Diego Mendez Sakugawa

Jul 18, 2024, 7:21:27 AM7/18/24
to Wazuh | Mailing List
Hello BlueAz,

What version of Wazuh are you using?

I would like to verify Docker is running on your Wazuh Agent environment. Could you please share with me the output of the following commands from the Wazuh Agent CLI?

systemctl status docker 
sudo apt list --installed | grep -i docker
sudo yum list installed | grep -i docker

Let me know if you have any questions.
Looking forward to your response!

BlueAz

Jul 18, 2024, 7:56:11 AM7/18/24
to Wazuh | Mailing List
Oh sorry, yes, I am running Wazuh 4.8.

Here are the outputs:
# systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-07-18 11:20:58 CEST; 2h 31min ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 816 (dockerd)
      Tasks: 124
     Memory: 135.2M (peak: 138.4M)
        CPU: 14.565s
     CGroup: /system.slice/docker.service
             ├─ 816 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
             ├─1268 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8082 -container-ip IP.2 -container-port 8080
             ├─1276 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 8082 -container-ip IP.2 -container-port 8080
             ├─1295 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 2375 -container-ip IP.254 -container-port 2375
             ├─1350 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 9000 -container-ip IP.3 -container-port 9000
             ├─1362 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 9000 -container-ip IP.3 -container-port 9000
             ├─1403 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip IP.4 -container-port 80
             ├─1409 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 80 -container-ip IP.4 -container-port 80
             ├─1419 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 81 -container-ip IP.4 -container-port 81
             ├─1426 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 81 -container-ip IP.4 -container-port 81
             ├─1435 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 443 -container-ip IP.4 -container-port 443
             ├─1443 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 443 -container-ip IP.4 -container-port 443
             ├─1450 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 444 -container-ip IP.4 -container-port 444
             └─1459 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 444 -container-ip IP.4 -container-port 444

Jul 18 11:20:56 pxy-01 dockerd[816]: time="2024-07-18T11:20:56.646495159+02:00" level=warning msg="Security options with `:` as a separator are deprecated and will be completely unsupported>
Jul 18 11:20:56 pxy-01 dockerd[816]: time="2024-07-18T11:20:56.676615582+02:00" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers"
Jul 18 11:20:56 pxy-01 dockerd[816]: time="2024-07-18T11:20:56.902919734+02:00" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers"
Jul 18 11:20:57 pxy-01 dockerd[816]: time="2024-07-18T11:20:57.024505167+02:00" level=warning msg="Security options with `:` as a separator are deprecated and will be completely unsupported>
Jul 18 11:20:57 pxy-01 dockerd[816]: time="2024-07-18T11:20:57.190174379+02:00" level=warning msg="Security options with `:` as a separator are deprecated and will be completely unsupported>
Jul 18 11:20:57 pxy-01 dockerd[816]: time="2024-07-18T11:20:57.865133290+02:00" level=info msg="Loading containers: done."
Jul 18 11:20:58 pxy-01 dockerd[816]: time="2024-07-18T11:20:58.397802405+02:00" level=info msg="Docker daemon" commit=662f78c containerd-snapshotter=false storage-driver=overlay2 version=27>
Jul 18 11:20:58 pxy-01 dockerd[816]: time="2024-07-18T11:20:58.398726653+02:00" level=info msg="Daemon has completed initialization"
Jul 18 11:20:58 pxy-01 dockerd[816]: time="2024-07-18T11:20:58.519061819+02:00" level=info msg="API listen on /run/docker.sock"
Jul 18 11:20:58 pxy-01 systemd[1]: Started docker.service - Docker Application Container Engine.

---
# apt list --installed | grep -i docker

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

docker-buildx-plugin/noble,now 0.15.1-1~ubuntu.24.04~noble amd64 [installed]
docker-ce-cli/noble,now 5:27.0.3-1~ubuntu.24.04~noble amd64 [installed]
docker-ce-rootless-extras/noble,now 5:27.0.3-1~ubuntu.24.04~noble amd64 [installed,automatic]
docker-ce/noble,now 5:27.0.3-1~ubuntu.24.04~noble amd64 [installed]
docker-compose-plugin/noble,now 2.28.1-1~ubuntu.24.04~noble amd64 [installed]

Let me know if there is something strange... But everything is (as far as I know!!) working well for Docker.

BlueAz

Jul 19, 2024, 4:29:03 AM7/19/24
to Wazuh | Mailing List
I forgot to mention the versions used (or tested):
Python 3.12 tested packages:
- docker==7.1.0 (current), docker==6.0.0 (tested, not working)
- urllib3==2.0.7 (current), urllib3==1.26.18 (tested, not working)

I tested with a venv (in root or user home), and without a venv... nothing is working.

Note that in the documentation (container security page), it seems not to be applicable to Python 3.12:


What is really weird is that I have another VM, with exactly the same apps, and it is working well, with docker 7.1.0 and urllib3 2.0.7!
I do not really understand why?!

How can I troubleshoot, or where are some logs I can retrieve to analyse the situation?

PA

Jul 24, 2024, 5:13:47 AM7/24/24
to Wazuh | Mailing List
OK, I figured out why it was not working.

I installed the Python package as user, instead of root!
In case somebody has some issues with DockerListener, packages should be installed as ROOT.
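A small diagnostic, added here as an example (not from the thread or from Wazuh's own DockerListener code), that separates the cases the wodle's single "Docker service is not running" message lumped together in this thread: the docker SDK being invisible to root versus the Docker socket being absent or unreadable. It assumes the default socket path /var/run/docker.sock; the verdict strings are my own. Run it with sudo to see root's view, which is what the wodle sees.

```python
import importlib.util
import os
import stat

# Default Docker API socket path (assumption: a stock dockerd install).
DOCKER_SOCK = "/var/run/docker.sock"


def sdk_importable() -> bool:
    """True if the 'docker' SDK is importable by *this* interpreter.

    DockerListener runs as root, so a package installed with a user-level
    pip (as in this thread) can import fine for that user and still be
    missing for root. Run with sudo to test root's view.
    """
    return importlib.util.find_spec("docker") is not None


def socket_status(path: str = DOCKER_SOCK) -> str:
    """Classify the API socket: 'missing', 'not_a_socket', 'no_access' or 'ok'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not_a_socket"
    if not os.access(path, os.R_OK | os.W_OK):
        return "no_access"
    return "ok"


def diagnose(sdk_ok: bool, sock: str) -> str:
    """Turn the two independent checks into one actionable verdict.

    In this thread dockerd was healthy and only the SDK was missing for
    root, so the SDK check comes first.
    """
    if not sdk_ok:
        return "sdk_missing: install the docker package as root (sudo pip3 install docker)"
    if sock == "missing":
        return "socket_missing: dockerd not running, or listening on another path"
    if sock == "no_access":
        return "socket_no_access: run as root or fix the socket's group/mode"
    if sock == "not_a_socket":
        return "not_a_socket: the path exists but is not a unix socket"
    return "ok: SDK and socket fine; run /var/ossec/wodles/docker/DockerListener by hand"


if __name__ == "__main__":
    print(diagnose(sdk_importable(), socket_status()))
```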