Get Wazuh Docker Listener to Work

Linux Docker security
📌
This guide assumes that you already have set up the Docker listener based on the official documentation and updated the configurations on both the manager and the agent to use the listener.

I recently set up Wazuh via Docker to monitor my server for vulnerabilities and attacks. The setup and agent installation were straightforward. I also wanted to monitor my Docker containers, which Wazuh supports but requires manual activation. I followed the official steps to enable the Docker listener, but it didn't work immediately. Although the agent logs showed the listener was enabled, it silently failed, and no Docker container data appeared in the Wazuh Dashboard.

Here are the additional steps I had to take to get it working on my Debian 10 machine.

Install Python 3.8 🐍

The Docker listener that Wazuh provides is in the end just a simple Python script that hits the Docker API of the host we want to monitor. This script requires at least Python 3.8. My distro (Debian 10) only ships with Python 3.7, so I had to manually install the required Python version for Wazuh.

I found a good guide here. After you have Python 3.8 installed, don't repeat my mistake: do not set the newly installed Python version as the default for your system. For me, it broke multiple packages, like UFW.

Create venv for docker listener

Now create a new "venv" (virtual environment) for the Docker listener script.
Make sure you have the Python "venv" module installed:

# Prints the venv usage text if the module is available
python3.8 -m venv -h

# If venv is missing, install it
pip3.8 install virtualenv

On my remote system, the Wazuh agent runs as root. The Docker listener script is also executed as root, so the "venv" should be created, and its dependencies installed, as the user the agent runs as.

su root

mkdir /opt/wazuh-docker-listener
cd /opt/wazuh-docker-listener/

python3.8 -m venv venv
source venv/bin/activate

pip3.8 install --upgrade pip

pip3.8 install docker==7.1.0 urllib3==1.26.20 requests==2.32.2

After creating the new venv, we need to update the DockerListener script to use this specific environment.

# For users who use vi motions
vim /var/ossec/wodles/docker/DockerListener

# For everyone else
nano /var/ossec/wodles/docker/DockerListener

# Replace the first line from:
#!/usr/bin/env python3

# To the newly created venv:
#!/opt/wazuh-docker-listener/venv/bin/python3

Restart

Finally, restart all services and check if it worked. 🚀

# Restart daemon and agent
systemctl daemon-reload
systemctl restart wazuh-agent.service

# Service status should show a spawned subprocess for the Docker listener
# with the new execution path of our venv
systemctl status wazuh-agent.service
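
Since the listener fails silently when its interpreter is wrong, it helps to check the shebang, the Python version, the docker module and the permissions of the interpreter directory in one go. The script below is an added example, not part of the original post or of Wazuh; the function names shebang_interpreter and check_listener are made up for it.

```shell
#!/bin/sh
# Added example (not Wazuh code): check which interpreter a listener script
# will run under and whether that interpreter can actually start it.

# Print the interpreter named on the shebang line of the file in $1.
# "#!/usr/bin/env NAME" is resolved through PATH, the way env would do it.
shebang_interpreter() {
    line=$(head -n 1 "$1" 2>/dev/null) || return 1
    case $line in '#!'*) ;; *) return 1 ;; esac
    set -- ${line#'#!'}                 # split into: interpreter [argument]
    [ -n "${1:-}" ] || return 1
    if [ "${1##*/}" = env ] && [ -n "${2:-}" ]; then
        command -v "$2" || echo "$2"    # bare name if it is not on PATH
    else
        echo "$1"
    fi
}

# Return 0 only if the script in $1 has a usable interpreter for the listener.
check_listener() {
    py=$(shebang_interpreter "$1") || { echo "FAIL: no shebang in $1"; return 1; }
    [ -x "$py" ] || { echo "FAIL: $py cannot be executed"; return 1; }
    "$py" -c 'import sys; sys.exit(0 if sys.version_info >= (3, 8) else 1)' ||
        { echo "FAIL: $py is older than Python 3.8"; return 1; }
    "$py" -c 'import docker' 2>/dev/null ||
        { echo "FAIL: $py cannot import the docker module"; return 1; }
    # The listener runs as root, so the interpreter's directory must not be
    # writable by every user on the host.
    dir=$(dirname "$py")
    if [ -n "$(find "$dir" -prune -perm -002 2>/dev/null)" ]; then
        echo "FAIL: $dir is world-writable"; return 1
    fi
    echo "OK: $1 runs under $py"
}

# Run the check only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_listener "$1"
fi
```

Run it as root with the listener path from this guide as its only argument: /var/ossec/wodles/docker/DockerListener.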

🔖 Resources