Unable to monitor Docker containers


Krishna Prasad Bhandary

Oct 14, 2025, 10:56:00 AM (5 days ago) Oct 14
to Wazuh | Mailing List
Hi all,

I am running a very basic setup, a single node installation of Wazuh 4.11.2 and a single agent (Ubuntu 22.04) running a containerised version of Greenbone OpenVAS. I have added the docker listener with the following code below

<wodle name="docker-listener">
  <interval>5m</interval>
  <attempts>5</attempts>
  <run_on_start>yes</run_on_start>
  <disabled>no</disabled>
</wodle>

I have also added the docker container paths to monitor for logs

<localfile>
  <log_format>syslog</log_format>
  <location>/var/lib/docker/containers/*/*-json.log</location>
</localfile>


And on the server's decoder I have added the provided decoders from the documentation
<decoder name="web-accesslog-docker">
  <parent>json</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^log":"\S+ \S+ \S+ \.*[\S+ \S\d+] \.*"\w+ \S+ HTTP\S+" \d+</prematch>
  <regex offset="after_parent">^log":"(\S+) \S+ \S+ \.*[\S+ \S\d+] \.*"(\w+) (\S+) HTTP\S+" (\d+)</regex>
  <order>srcip,protocol,url,id</order>
</decoder>

<decoder name="json">
  <parent>json</parent>
  <use_own_name>true</use_own_name>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

However, I was unable to monitor my OpenVAS deployment. Thinking it to be an OpenVAS issue, I followed the steps in the Wazuh docs with a test container (linked here) and still was unable to see any logs, let alone those with the docker rule group.

(Note: I have also installed Python and all the requisite packages for Docker monitoring as well and Docker is added to the sudo group of users)

I have restarted the agents, the server, and the agent and server machines as well, to no avail. I probably have missed a step or don't have something configured, I just don't know what. Would appreciate help in tackling this issue.

Bony V John

Oct 14, 2025, 11:41:52 PM (4 days ago) Oct 14
to Wazuh | Mailing List

Hi,

Please allow me some time — I’m currently working on this and will get back to you with an update as soon as possible.

Bony V John

Oct 15, 2025, 1:07:21 AM (4 days ago) Oct 15
to Wazuh | Mailing List

Hi,

Based on your input, I have tested the Docker container monitor on my end, and it is working fine.
If you have followed the steps from the Wazuh documentation with a test container and still cannot see any Docker-related alerts on the Wazuh dashboard, the issue might be related to the Docker listener setup.

First, ensure that the required Python Docker libraries are properly installed:

1. Verify Python and pip installation
python3 --version
pip3 --version

If pip is not installed, run the following command:
apt install python3-pip

2. Install the required Docker libraries
pip3 install --break-system-packages docker==7.1.0 requests==2.32.2

Make sure the installation completes successfully without any errors.

3. Configure the Docker listener in the Wazuh agent

Edit the /var/ossec/etc/ossec.conf file on the Wazuh agent and add the following configuration:

<wodle name="docker-listener">
  <interval>1m</interval>
  <attempts>5</attempts>
  <run_on_start>yes</run_on_start>
  <disabled>no</disabled>
</wodle>

You can adjust the configuration parameters (such as interval and attempts) based on your requirements.
For more details, refer to the Wazuh documentation on Docker listener configuration.

4. Restart the Wazuh agent
systemctl restart wazuh-agent

After a few minutes, perform the test again on your server and check whether Docker alerts appear on the Wazuh dashboard.
You can refer to the Wazuh guide for Docker monitoring tests for detailed testing steps.

I have attached a screenshot of my testing for your reference.


If the issue persists, please share the Wazuh agent log file: /var/ossec/logs/ossec.log
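A pre-flight check covering the same prerequisites as the steps above, added here as an example (it is not Wazuh's code nor the poster's). It reports whether the Python libraries are importable and whether a given account could open the Docker socket and the container log files, walking the parent directories too, since /var/lib/docker is normally root-only. Assumed: the default socket path, the log glob from the thread's <localfile> entry, and "wazuh" as the agent's service account.

```python
import glob
import grp
import importlib.util
import os
import pwd
import stat

# Assumptions: default Docker socket, the json-file log glob from the thread's
# <localfile> entry, and "wazuh" as the account the agent's modules run under.
DOCKER_SOCKET = "/var/run/docker.sock"
CONTAINER_LOGS = "/var/lib/docker/containers/*/*-json.log"


def python_module_available(name):
    """True if `import name` would succeed (docker and requests for the listener)."""
    return importlib.util.find_spec(name) is not None


def _bit(pw, groups, st, usr, grp_, oth):
    """Return the owner, group or other permission bit that applies to `pw`."""
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & usr)
    if st.st_gid in groups:
        return bool(st.st_mode & grp_)
    return bool(st.st_mode & oth)


def can_user_read(user, path):
    """True if `user` could open `path` for reading: search (x) on every parent
    directory plus read (r) on the file itself. None if the user or the path
    does not exist. Classic mode bits only; POSIX ACLs are not consulted."""
    try:
        pw, st = pwd.getpwnam(user), os.stat(path)
    except (KeyError, OSError):
        return None
    if pw.pw_uid == 0:
        return True  # root bypasses mode bits: the thread's workaround, not the goal
    groups = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem} | {pw.pw_gid}
    parts = os.path.abspath(path).split(os.sep)[1:-1]
    for i in range(len(parts) + 1):  # "/", "/var", "/var/lib", ... down to the parent
        d = os.sep + os.sep.join(parts[:i])
        if not _bit(pw, groups, os.stat(d), stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    return _bit(pw, groups, st, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def preflight(user="wazuh"):
    """Map each prerequisite to True/False/None. Connecting to the socket also
    needs write permission, which on a standard install the docker group has."""
    report = {"python_docker": python_module_available("docker"),
              "python_requests": python_module_available("requests"),
              DOCKER_SOCKET: can_user_read(user, DOCKER_SOCKET)}
    report.update({p: can_user_read(user, p) for p in glob.glob(CONTAINER_LOGS)})
    return report
```

Run `preflight()` on the agent host; a False for the socket or a log file points at the group membership or file permissions of the wazuh account rather than at the wodle configuration.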

Krishna Prasad Bhandary

Oct 16, 2025, 2:53:32 AM (3 days ago) Oct 16
to Wazuh | Mailing List
Hi,

I have already checked my Python and pip versions and followed the steps to create the listener (modified the interval to be 1 min now) and have also performed the steps in the Docker monitoring tests part of the Wazuh docs but I am still unable to see any Docker events.

I am attaching my ossec.log, but I can't seem to find what is causing the issue.

ossec.log
2025/10/16 00:00:10 wazuh-agentd: INFO: Starting new log after rotation.
2025/10/16 00:46:55 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/10/16 00:47:10 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/10/16 01:47:11 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/10/16 01:47:22 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/10/16 02:47:23 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/10/16 02:47:34 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/10/16 03:47:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/10/16 03:47:46 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/10/16 04:47:47 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/10/16 04:47:58 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/10/16 05:24:36 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2025/10/16 05:24:36 wazuh-modulesd:syscollector: INFO: Module finished.
2025/10/16 05:24:36 wazuh-modulesd:docker-listener: INFO: Module finished.
2025/10/16 05:24:36 wazuh-modulesd:docker-listener: WARNING: Docker-listener finished unexpectedly (code 0). Retrying to run in next scheduled time...
2025/10/16 05:24:36 wazuh-modulesd:docker-listener: WARNING: Interval overtaken.
2025/10/16 05:24:36 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.
2025/10/16 05:24:36 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/10/16 05:24:37 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources.
2025/10/16 05:24:37 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/10/16 05:24:37 wazuh-agentd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/10/16 05:24:37 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2025/10/16 05:24:37 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/10/16 05:24:37 wazuh-execd: INFO: Started (pid: 966181).
2025/10/16 05:24:38 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2025/10/16 05:24:38 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2025/10/16 05:24:38 wazuh-agentd: INFO: Version detected -> Linux |system2 |5.15.0-157-generic |#167-Ubuntu SMP Wed Sep 17 21:35:53 UTC 2025 |x86_64 [Ubuntu|ubuntu: 22.04.5 LTS (Jammy Jellyfish)] - Wazuh v4.11.2
2025/10/16 05:24:38 wazuh-agentd: INFO: Started (pid: 966195).
2025/10/16 05:24:38 wazuh-agentd: INFO: Using AES as encryption method.
2025/10/16 05:24:38 wazuh-agentd: INFO: Trying to connect to server ([10.75.37.187]:1514/tcp).
2025/10/16 05:24:38 wazuh-agentd: INFO: (4102): Connected to the server ([10.75.37.187]:1514/tcp).
2025/10/16 05:24:40 wazuh-syscheckd: INFO: Started (pid: 966209).
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6000): Starting daemon...
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2025/10/16 05:24:40 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2025/10/16 05:24:40 rootcheck: INFO: Starting rootcheck scan.
2025/10/16 05:24:42 wazuh-modulesd: INFO: Started (pid: 966234).
2025/10/16 05:24:42 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2025/10/16 05:24:42 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2025/10/16 05:24:42 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2025/10/16 05:24:42 wazuh-modulesd:control: INFO: Starting control thread.
2025/10/16 05:24:42 wazuh-modulesd:docker-listener: INFO: Module docker-listener started.
2025/10/16 05:24:42 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.
2025/10/16 05:24:42 sca: INFO: Module started.
2025/10/16 05:24:42 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2025/10/16 05:24:42 sca: INFO: Starting Security Configuration Assessment scan.
2025/10/16 05:24:42 wazuh-modulesd:syscollector: INFO: Module started.
2025/10/16 05:24:42 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/10/16 05:24:42 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2025/10/16 05:24:42 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/10/16 05:24:49 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2025/10/16 05:24:49 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
2025/10/16 05:24:55 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2025/10/16 05:24:55 wazuh-syscheckd: INFO: FIM sync module started.
2025/10/16 05:25:43 rootcheck: INFO: Ending rootcheck scan.
2025/10/16 05:25:56 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2025/10/16 05:25:56 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2025/10/16 05:25:56 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2025/10/16 05:25:56 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/10/16 05:25:56 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2025/10/16 05:25:56 wazuh-logcollector: INFO: Started (pid: 966224).
2025/10/16 05:25:58 wazuh-logcollector: INFO: (9203): Monitoring journal entries.

Logs grepped for Docker/docker
2025/10/16 05:24:36 wazuh-modulesd:docker-listener: INFO: Module finished.
2025/10/16 05:24:36 wazuh-modulesd:docker-listener: WARNING: Docker-listener finished unexpectedly (code 0). Retrying to run in next scheduled time...
2025/10/16 05:24:36 wazuh-modulesd:docker-listener: WARNING: Interval overtaken.
2025/10/16 05:24:36 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.
2025/10/16 05:24:42 wazuh-modulesd:docker-listener: INFO: Module docker-listener started.
2025/10/16 05:24:42 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.

Krishna Prasad Bhandary

Oct 16, 2025, 7:59:50 AM (3 days ago) Oct 16
to Wazuh | Mailing List
Hi,

I was able to solve the issue by prompting with Claude. I realized the main issue was that I had not given the wazuh user permission to docker. I ended up giving the wazuh user docker access and also root access, since my docker logs are restricted. This can pose security risks, as it is giving the wazuh user more access than required, but I found this easier to do than to give the Wazuh user access to the files.

Will be changing this in the future; this was a proof of concept and will be changed. But, if possible, I would like to suggest a change to the docs to ensure that there is a mention of these permissions, because while it is obvious, it's a step that can be overlooked.

I also changed the logs to read as a json format and changed the localfile config to look like this.

<localfile>
  <log_format>json</log_format>
  <location>/var/lib/docker/containers/*/*.log</location>
</localfile>
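To show what the json <log_format> and the documented decoders actually operate on, here is an added example (not code from the thread or from Wazuh) that parses constructed lines in Docker's json-file format and applies a PCRE-style equivalent of the web-accesslog-docker regex to the `log` field. The sample lines are made up; the regex is an equivalent for the Apache-style access line, not a byte-for-byte port of the OS_Regex dialect.

```python
import json
import re

# Constructed sample lines in the json-file format Docker writes to
# /var/lib/docker/containers/<id>/<id>-json.log (not taken from the thread).
SAMPLE_LINES = [
    '{"log":"172.17.0.1 - - [16/Oct/2025:05:24:42 +0000] \\"GET /index.html HTTP/1.1\\" 200 612\\n",'
    '"stream":"stdout","time":"2025-10-16T05:24:42.123456789Z"}',
    '{"log":"172.17.0.1 - - [16/Oct/2025:05:24:43 +0000] \\"POST /login HTTP/1.1\\" 401 0\\n",'
    '"stream":"stdout","time":"2025-10-16T05:24:43.000000000Z"}',
    '{"log":"gvmd: INFO: scan started\\n","stream":"stderr","time":"2025-10-16T05:24:44.000000000Z"}',
    "plain text line that is not JSON",
]

# PCRE-style rendering of the documented web-accesslog-docker regex. Wazuh's
# OS_Regex dialect differs (for example "\." there matches any character), so
# this is an equivalent for the Apache-style access line, not a direct port.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP\S+" (\d+)')
ORDER = ("srcip", "protocol", "url", "id")   # the decoder's <order> list


def decode_docker_line(line):
    """Mimic the two decoder stages: JSON_Decoder on the whole line, then the
    child decoder on the `log` field. Returns None for non-JSON input, the
    JSON fields alone when `log` is not an access-log line, and the extra
    srcip/protocol/url/id fields when it is."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "log" not in event:
        return None
    fields = {"stream": event.get("stream"), "time": event.get("time")}
    match = ACCESS_RE.match(event["log"].rstrip("\n"))
    if match:
        fields.update(zip(ORDER, match.groups()))
    return fields


def decode_file_lines(lines):
    """Decode every line, dropping the ones the JSON stage would reject."""
    return [d for d in map(decode_docker_line, lines) if d is not None]
```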

