Hi Vinod.
After doing some research, there are two ways to monitor a docker environment.
The first approach involves using Docker Listener to monitor Docker events on an endpoint hosting Docker containers. This method provides alerts related to various Docker engine activities, such as container creation, container removal, and network attachments. These alerts are generated based on how the endpoint manages the containers. In this case, audit or system logs are not necessary, but the information is about the Docker engine, not about what you run inside the container. You can find more information in the use case "Monitoring Docker Events" (https://documentation.wazuh.com/current/proof-of-concept-guide/monitoring-docker.html).
The second approach involves sharing a volume where applications, such as Apache or any other installed software, write their logs (from the container to the endpoint).
This setup allows the Wazuh agent to analyze these logs from any specified endpoint path. However, it is crucial to ensure that logs are being generated and made available so that Wazuh can receive them and apply its rules to trigger alerts. You can find a similar use case in "Monitoring Docker container logs with Wazuh" (https://wazuh.com/blog/monitoring-docker-container-logs-with-wazuh/).
To recap, as mentioned, Wazuh operates by reading incoming logs and triggering alerts based on predefined rules. Therefore, if you are seeking specific information, it is essential to ensure that this information is being logged in a file. Without these logs, Wazuh cannot process the data or generate the corresponding alerts.
Best regards,
EJ
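The two approaches described in the reply above, shown side by side as Wazuh agent `ossec.conf` fragments. This is an added example, not configuration from the original reply or from the Wazuh documentation pages it links to. The `docker-listener` wodle and `localfile` blocks are standard Wazuh agent configuration; the host path `/var/log/containers/web`, the in-container path `/var/log/app`, the container name `web` and the image `myapp:latest` are assumptions chosen for illustration.

```xml
<!-- Added example (not from the original reply): Wazuh agent ossec.conf
     fragments for the two Docker monitoring approaches. -->
<ossec_config>

  <!-- Approach 1: Docker listener. The wodle reads events from the Docker
       engine (container create/start/stop/remove, network attach/detach)
       and forwards them to the manager, which alerts on them with its
       built-in Docker rules. This covers engine activity only, not what
       runs inside the containers. The endpoint needs Python 3 and the
       "docker" Python module installed for the listener to work. -->
  <wodle name="docker-listener">
    <disabled>no</disabled>
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
  </wodle>

  <!-- Approach 2: application logs written into a shared volume.
       Assumed (hypothetical) container start, with a bind mount from the
       host into the container:
         docker run -d --name web \
           -v /var/log/containers/web:/var/log/app \
           myapp:latest
       The application inside the container must be configured to write
       its log files to /var/log/app (not only to stdout); the agent then
       reads the same files from the host-side path below. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/containers/web/access.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/containers/web/error.log</location>
  </localfile>

</ossec_config>
```

After editing the configuration, restart the agent so the new wodle and localfile entries are loaded. The check that matters most for the second approach is the one the reply emphasizes: tail the host-side file (for example `/var/log/containers/web/access.log`) while sending a request to the container; if no lines appear there, the application is not writing to the mounted path and Wazuh has nothing to read, regardless of which rules exist on the manager.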