Docker Listener Rule Help


Andrew A

Oct 13, 2022, 10:53:20 AM
to Wazuh mailing list
Hello,

I have the Docker listener configured and I want to trigger an alert specifically for containers that die with an error.

From what I can tell, when a container dies with an error the JSON contains this:

data.docker.Actor.Attributes.exitCode 1

When it dies without an error it gives exit code 0.

So, I made the following rule: 

<group name="gdpr_IV_32.2,">
  <rule id="100201" level="7">
    <if_sid>87900</if_sid>
    <field name="docker.status">^kill$|^die$</field>
    <field name="data.docker.Actor.Attributes.exitCode">^1$</field>
    <description>Docker: Container $(docker.Actor.Attributes.name) received the action: $(docker.status) with an error.</description>
    <options>no_full_log</options>
  </rule>
</group>

I have tried with both fields, and I have tried with just the data.docker.Actor field. It refuses to trigger an alert based on my field configuration. 

Any ideas? 

Thanks, 

Andrew

Andrew A

Oct 13, 2022, 12:48:16 PM
to Wazuh mailing list
Figured this one out --- even remove the data portion of your field names even if it's listed as such in the JSON.

Andrew A

Oct 13, 2022, 12:55:04 PM
to Wazuh mailing list
remove the data portion** Sorry, I had a seizure there.
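The corrected rule, written out as an added example (not the XML posted in the thread), applies the fix Andrew describes: Wazuh's <field> matcher sees the decoded field names (docker.status, docker.Actor.Attributes.exitCode), and the data. prefix only appears when the alert is written out. The second rule is an assumption of mine that goes beyond the thread: it catches containers that die with exit code 137, which Docker reports when the process was killed by SIGKILL (for example by the kernel OOM killer or a docker kill), so the two patterns never match the same event. Rule ids 100201 and 100202 are placeholders in the local-rule range.

```xml
<!-- Constructed example: child rules of the Wazuh Docker integration rule 87900.
     Field names are the decoded names with no "data." prefix. -->
<group name="docker,">

  <!-- The case from the thread: container stopped (die/kill) with exit code 1 -->
  <rule id="100201" level="7">
    <if_sid>87900</if_sid>
    <field name="docker.status">^kill$|^die$</field>
    <field name="docker.Actor.Attributes.exitCode">^1$</field>
    <description>Docker: Container $(docker.Actor.Attributes.name) received the action: $(docker.status) with an error (exit code $(docker.Actor.Attributes.exitCode)).</description>
    <options>no_full_log</options>
  </rule>

  <!-- Assumed extension, not from the thread: exit code 137 means the container's
       process was killed by SIGKILL (128 + 9), typically the OOM killer or docker kill. -->
  <rule id="100202" level="10">
    <if_sid>87900</if_sid>
    <field name="docker.status">^die$</field>
    <field name="docker.Actor.Attributes.exitCode">^137$</field>
    <description>Docker: Container $(docker.Actor.Attributes.name) was killed (SIGKILL, exit code 137).</description>
    <options>no_full_log</options>
  </rule>

</group>
```

Both <field> elements inside a rule must match for the rule to fire, so keeping the exit-code patterns disjoint avoids two sibling rules competing for the same event. After adding the rules to local_rules.xml, the quickest check is to feed a captured die event through /var/ossec/bin/wazuh-logtest and confirm that the expected rule id is reported.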