Monitoring containers activity
The Docker wodle collects events from Docker containers, such as a container being started, stopped, or paused.
Configuration
Note
In the following examples, the configuration is done on the Docker host that collects the events sent by the Docker containers. This host may be a server with either a Wazuh agent or a Wazuh manager installed.
To use the Docker listener module, it is only necessary to enable the wodle in the /var/ossec/etc/ossec.conf file of the server running Docker; this can also be done through Centralized Configuration. Once enabled, it starts a new thread that listens for Docker events.
<wodle name="docker-listener">
<!-- Setting disabled to "no" enables the Docker listener, which starts a thread on this host that listens for Docker events. -->
<disabled>no</disabled>
</wodle>
Then, restart the Wazuh service on the host where the listener will be running.
Use cases
Below, you can see some examples of alerts caused by container activity. In each alert, the raw event is kept in full_log and the decoded fields are under data.docker; note that the decoded time and timeNano values are strings, and the decoded timeNano appears to differ in its last digits from the value in full_log, so rely on full_log when the exact nanosecond timestamp matters (for example, when correlating events during an investigation).
Start a Docker container
The command docker start apache, which starts a container called apache, generates the following alert:
{
"timestamp": "2018-10-05T17:15:33.892+0200",
"rule": {
"level": 3,
"description": "Container apache started",
"id": "87903",
"mail": false,
"groups": [
"docker"
]
},
"agent": {
"id": "002",
"name": "agent001",
"ip": "192.168.122.19"
},
"manager": {
"name": "localhost.localdomain"
},
"id": "1538752533.76076",
"cluster": {
"name": "wazuh",
"node": "master"
},
"full_log": "{\"integration\": \"docker\", \"docker\": {\"status\": \"start\", \"id\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"from\": \"httpd\", \"Type\": \"container\", \"Action\": \"start\", \"Actor\": {\"ID\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"Attributes\": {\"image\": \"httpd\", \"name\": \"apache\"}}, \"time\": 1538752533, \"timeNano\": 1538752533877226210}}",
"decoder": {
"name": "json"
},
"data": {
"integration": "docker",
"docker": {
"status": "start",
"id": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
"from": "httpd",
"Type": "container",
"Action": "start",
"Actor": {
"ID": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
"Attributes": {
"image": "httpd",
"name": "apache"
}
},
"time": "1538752533",
"timeNano": "1538752533877226240.000000"
}
},
"location": "Wazuh-Docker"
}
Stop a Docker container
This alert is generated by the command docker stop apache:
{
"timestamp": "2018-10-05T17:16:53.412+0200",
"rule": {
"level": 3,
"description": "Container apache stopped",
"id": "87904",
"mail": false,
"groups": [
"docker"
]
},
"agent": {
"id": "002",
"name": "agent001",
"ip": "192.168.122.19"
},
"manager": {
"name": "localhost.localdomain"
},
"id": "1538752613.100231",
"cluster": {
"name": "wazuh",
"node": "master"
},
"full_log": "{\"integration\": \"docker\", \"docker\": {\"status\": \"stop\", \"id\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"from\": \"httpd\", \"Type\": \"container\", \"Action\": \"stop\", \"Actor\": {\"ID\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"Attributes\": {\"image\": \"httpd\", \"name\": \"apache\"}}, \"time\": 1538752613, \"timeNano\": 1538752613407075872}}",
"decoder": {
"name": "json"
},
"data": {
"integration": "docker",
"docker": {
"status": "stop",
"id": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
"from": "httpd",
"Type": "container",
"Action": "stop",
"Actor": {
"ID": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
"Attributes": {
"image": "httpd",
"name": "apache"
}
},
"time": "1538752613",
"timeNano": "1538752613407075840.000000"
}
},
"location": "Wazuh-Docker"
}
Pause a Docker container
The command docker pause apache generates the following alert:
{
"timestamp": "2018-10-05T17:17:54.988+0200",
"rule": {
"level": 3,
"description": "Container apache paused",
"id": "87905",
"mail": false,
"groups": [
"docker"
]
},
"agent": {
"id": "002",
"name": "agent001",
"ip": "192.168.122.19"
},
"manager": {
"name": "localhost.localdomain"
},
"id": "1538752674.104889",
"cluster": {
"name": "wazuh",
"node": "master"
},
"full_log": "{\"integration\": \"docker\", \"docker\": {\"status\": \"pause\", \"id\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"from\": \"httpd\", \"Type\": \"container\", \"Action\": \"pause\", \"Actor\": {\"ID\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"Attributes\": {\"image\": \"httpd\", \"name\": \"apache\"}}, \"time\": 1538752674, \"timeNano\": 1538752674984734790}}",
"decoder": {
"name": "json"
},
"data": {
"integration": "docker",
"docker": {
"status": "pause",
"id": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
"from": "httpd",
"Type": "container",
"Action": "pause",
"Actor": {
"ID": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
"Attributes": {
"image": "httpd",
"name": "apache"
}
},
"time": "1538752674",
"timeNano": "1538752674984734720.000000"
}
},
"location": "Wazuh-Docker"
}
Unpause a Docker container
This is the alert generated by the docker unpause apache command:
{
"timestamp": "2018-10-05T17:18:35.373+0200",
"rule": {
"level": 3,
"description": "Container apache unpaused",
"id": "87906",
"mail": false,
"groups": [
"docker"
]
},
"agent": {
"id": "002",
"name": "agent001",
"ip": "192.168.122.19"
},
"manager": {
"name": "localhost.localdomain"
},
"id": "1538752715.105822",
"cluster": {
"name": "wazuh",
"node": "master"
},
"full_log": "{\"integration\": \"docker\", \"docker\": {\"status\": \"unpause\", \"id\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"from\": \"httpd\", \"Type\": \"container\", \"Action\": \"unpause\", \"Actor\": {\"ID\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"Attributes\": {\"image\": \"httpd\", \"name\": \"apache\"}}, \"time\": 1538752715, \"timeNano\": 1538752715369717277}}",
"decoder": {
"name": "json"
},
"data": {
"integration": "docker",
"docker": {
"status": "unpause",
"id": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
"from": "httpd",
"Type": "container",
"Action": "unpause",
"Actor": {
"ID": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
"Attributes": {
"image": "httpd",
"name": "apache"
}
},
"time": "1538752715",
"timeNano": "1538752715369717248.000000"
}
},
"location": "Wazuh-Docker"
}