Monitoring Docker

Docker automates the deployment of different applications inside software containers. The Wazuh module for Docker is a subscriber to the Docker Engine API that identifies security incidents across containers and alerts in real time.

See the Monitoring container activity section of the documentation to learn more about monitoring Docker and the Docker wodle.


Configure your environment as follows to test the PoC.

  1. Configure the Docker listener in the /var/ossec/etc/ossec.conf configuration file at the Ubuntu 20 endpoint.

        <wodle name="docker-listener">
  2. Restart the Wazuh agent to apply the changes.

    # systemctl restart wazuh-agent

Steps to generate the alerts

  1. Pull a Docker image, start the container, run a Docker command and delete the container.

    # docker stop `docker ps -a -q` && docker rm `docker ps -a -q`
    # docker pull nginx
    # docker run -d -P --name nginx_container nginx
    # docker exec -ti nginx_container cat /etc/passwd
    # docker exec -ti nginx_container /bin/bash
    # exit
    # docker stop nginx_container
    # docker rm nginx_container

Query the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

  • rule.groups: "docker"

  • Additionally, the data.docker.Action field states which action was performed.


  • Error in the agent log file /var/ossec/logs/ossec.log:

    wazuh-modulesd:docker-listener: ERROR: /usr/bin/env: ‘python’: No such file or directory

This can be solved by creating a symbolic link.

# ln -s /usr/bin/python3 /usr/bin/python
  • Error in the agent log file /var/ossec/logs/ossec.log:

    wazuh-modulesd:docker-listener: ERROR: 'docker' module needs to be installed. Execute 'pip install docker' to do it.

This can be solved by running the following command.

# pip3 install docker