Get Wazuh Docker Listener to Work
I recently set up Wazuh via Docker to monitor my server for vulnerabilities and attacks. The setup and agent installation were straightforward. I also wanted to monitor my Docker containers, which Wazuh supports but requires manual activation. I followed the official steps to enable the Docker listener, but it didn't work immediately. Although the agent logs showed the listener was enabled, it silently failed, and no Docker container data appeared in the Wazuh Dashboard.
Here are the additional steps I had to take to get it working on my Debian 10 machine.
Install Python 3.8
The Docker listener that Wazuh provides is, in the end, just a simple Python script that queries the Docker API of the host we want to monitor. This script requires at least Python 3.8. My distro (Debian 10) only ships with Python 3.7, so I had to install the required Python version manually.
I found a good guide here. After you have Python 3.8 installed, don't repeat my mistake: do not set the newly installed Python version as the default for your system. For me, it broke multiple packages, like UFW.
Create venv for docker listener
Now create a new "venv" (virtual environment) for the docker listener script.
Make sure you have "python venv" installed:
# Prints the venv module's help text if the module is available
python3.8 -m venv -h
# If venv is missing, install it
pip3.8 install virtualenv
On my remote system, the Wazuh agent runs as root. The Docker listener script is also executed as root, so the venv and its dependencies should be created and installed as the same user the agent runs as.
su root
mkdir /opt/wazuh-docker-listener
cd /opt/wazuh-docker-listener/
python3.8 -m venv venv
source venv/bin/activate
pip3.8 install --upgrade pip
pip3.8 install docker==7.1.0 urllib3==1.26.20 requests==2.32.2
After creating the new venv, we need to update the DockerListener script to use this specific environment.
# For users who use vi motions
vim /var/ossec/wodles/docker/DockerListener
# For everyone else
nano /var/ossec/wodles/docker/DockerListener
# Replace the first line from:
#!/usr/bin/env python3
# To the newly created venv:
#!/opt/wazuh-docker-listener/venv/bin/python3
Restart
Finally, restart all services and check if it worked.
# Restart daemon and agent
systemctl daemon-reload
systemctl restart wazuh-agent.service
# Service status should show the spawned subprocess for the docker listener
# with the new execution path of our venv
systemctl status wazuh-agent.service
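Because the listener fails silently when its interpreter is wrong, a preflight check on the script's shebang is useful before restarting the agent. The following is an added example, not part of the original post or of Wazuh: the function name `check_listener` and its exit codes are constructed for this example, and it assumes the module names match the packages installed into the venv above.

```shell
#!/bin/sh
# Added example: verify the interpreter named in the listener's shebang.
# Exit codes (constructed for this example): 0 ok, 1 no shebang,
# 2 interpreter not found, 3 not Python 3.8 or newer, 4 module missing.
check_listener() {
    script=$1
    first=$(head -n 1 "$script" 2>/dev/null)
    case $first in
        '#!'*) ;;
        *) echo "no shebang in $script" >&2; return 1 ;;
    esac
    # Split "#!/usr/bin/env python3" or "#!/path/to/python3" into words.
    set -- ${first#'#!'}
    interp=$1
    # For the env form, the real interpreter is whatever PATH resolves to.
    if [ "${interp##*/}" = env ]; then
        interp=$(command -v "$2" 2>/dev/null) || interp=
    fi
    if [ -z "$interp" ] || [ ! -x "$interp" ]; then
        echo "interpreter not found: ${interp:-$2}" >&2; return 2
    fi
    # The listener needs at least Python 3.8.
    if ! "$interp" -c 'import sys; sys.exit(sys.version_info < (3, 8))' 2>/dev/null; then
        echo "$interp is not Python 3.8 or newer" >&2; return 3
    fi
    # Modules installed into the venv in the steps above.
    for mod in docker urllib3 requests; do
        if ! "$interp" -c "import $mod" 2>/dev/null; then
            echo "$interp cannot import $mod" >&2; return 4
        fi
    done
    echo "ok: $script runs under $interp"
}

# Usage: sh check.sh /var/ossec/wodles/docker/DockerListener
if [ $# -gt 0 ]; then
    check_listener "$1"
fi
```

Run it as the same user the agent runs as, since the `#!/usr/bin/env python3` form resolves against that user's PATH.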