Enabling Docker Listener in Wazuh
To Enable Docker Listener in Wazuh
1. Install the dependencies on the Docker server (run each line separately):
sudo apt-get update && sudo apt-get install python3
sudo apt-get install python3-pip -y
pip3 install docker==4.2.0 urllib3==1.26.18
2. Edit the agent configuration file with sudo nano /var/ossec/etc/ossec.conf and add the following:
<!-- Docker Container Runtime configuration -->
<wodle name="docker-listener">
  <interval>10m</interval>
  <attempts>5</attempts>
  <run_on_start>yes</run_on_start>
  <disabled>no</disabled>
</wodle>
3. To monitor the logs of the containers, add the text below to the "<!-- Log analysis -->" section of the same file:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/lib/docker/containers/*/*-json.log</location>
</localfile>
4. Restart the wazuh-agent service:
sudo systemctl restart wazuh-agent
5. Edit the decoder file /var/ossec/etc/decoders/local_decoder.xml on the Wazuh server and add:
<decoder name="web-accesslog-docker">
  <parent>json</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^log":"\S+ \S+ \S+ \.*[\S+ \S\d+] \.*"\w+ \S+ HTTP\S+" \d+</prematch>
  <regex offset="after_parent">^log":"(\S+) \S+ \S+ \.*[\S+ \S\d+] \.*"(\w+) (\S+) HTTP\S+" (\d+)</regex>
  <order>srcip,protocol,url,id</order>
</decoder>
<decoder name="json">
  <parent>json</parent>
  <use_own_name>true</use_own_name>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>
6. Restart the wazuh-manager service:
sudo systemctl restart wazuh-manager
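Before restarting the manager it is worth checking what the decoder in step 5 will actually extract from a container log line. The script below is an added example, not part of this guide or of Wazuh: it reads lines in the json-file format Docker writes to /var/lib/docker/containers/<id>/<id>-json.log, parses the JSON the way the parent json decoder does, and applies a Python regular expression equivalent to the decoder's <regex> to the "log" field. The field names follow the decoder's <order> (srcip, protocol, url, id), so the HTTP method lands in "protocol" and the status code in "id", exactly as the page's decoder maps them. The sample log lines are constructed for this example; the function names and the regex are this example's own, and the decoder itself runs its regex over the raw text after the parent decoder rather than over a parsed field.

```python
import json
import re

# Python equivalent of the decoder's <regex>, applied to the parsed "log" field.
# Named groups follow the decoder's <order>: srcip, protocol (HTTP method),
# url, id (HTTP status code).
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<protocol>\w+) (?P<url>\S+) HTTP\S+" (?P<id>\d+)'
)


def decode_docker_access_line(raw_line):
    """Return the fields the web-accesslog-docker decoder would extract from one
    line of a Docker json-file log, or None when the line is not JSON, has no
    "log" field, or its "log" field is not an HTTP access-log entry (for
    example an application startup message on stderr)."""
    try:
        record = json.loads(raw_line)
    except ValueError:
        # Lines that are not JSON never reach the child decoder.
        return None
    log = record.get("log")
    if not isinstance(log, str):
        return None
    match = ACCESS_LOG_RE.match(log)
    if match is None:
        return None
    fields = match.groupdict()
    # Keep the two other json-file fields: they tell you which stream the
    # container wrote to and when, which is useful when tuning rules.
    fields["stream"] = record.get("stream")
    fields["time"] = record.get("time")
    return fields


def decode_all(lines):
    """Decode every line; entries that do not match come back as None."""
    return [decode_docker_access_line(line) for line in lines]


# Constructed sample lines in Docker's json-file driver format (not real traffic).
# Docker escapes the inner quotes of the access-log entry as \" inside the JSON string.
SAMPLE_LINES = [
    '{"log":"172.17.0.1 - - [10/Oct/2023:12:00:00 +0000] \\"GET /index.html HTTP/1.1\\" 200 612 \\"-\\" \\"curl/7.88.1\\"\\n","stream":"stdout","time":"2023-10-10T12:00:00.000000000Z"}',
    '{"log":"172.17.0.1 - - [10/Oct/2023:12:00:01 +0000] \\"POST /login HTTP/1.1\\" 401 0 \\"-\\" \\"curl/7.88.1\\"\\n","stream":"stdout","time":"2023-10-10T12:00:01.000000000Z"}',
    '{"log":"Server started on port 80\\n","stream":"stderr","time":"2023-10-10T11:59:59.000000000Z"}',
    'not json at all',
]

if __name__ == "__main__":
    for line, decoded in zip(SAMPLE_LINES, decode_all(SAMPLE_LINES)):
        print(decoded)
```

Run it against a few real lines copied from one of your container log files (tail -n 5 /var/lib/docker/containers/*/*-json.log) before touching the manager: if the script returns None for lines you expect to produce alerts, the access-log format of that container differs from the one the decoder assumes and the <regex> needs adjusting, which is much quicker to find here than by reading /var/ossec/logs/alerts/alerts.json after a restart.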