wazuh / wazuh-dashboard

Wazuh dashboard, the Wazuh UI platform
https://wazuh.com
Apache License 2.0

Docker listener setting is not available in 4.8.0 in Server Management > Settings #206

Closed pro-akim closed 4 months ago

pro-akim commented 4 months ago

Describe the bug

Docker listener setting is not available in 4.8.0 in Server Management > Settings in the Manager Dashboard

To Reproduce

Following the instructions at https://documentation.wazuh.com/current/user-manual/capabilities/container-security/monitoring-docker.html. Connecting an agent with Docker, with the referred dependencies, and activating the Docker listener.

Expected behavior

You should allow Docker listener activation from Server Management > Settings, or the option should not appear directly.

Screenshots

image

Additional context

Events raised on the agent by manipulating docker following this documentation https://documentation.wazuh.com/current/user-manual/capabilities/container-security/use-cases.html do not work

Querying the API with GET /agents//config/wmodules/wmodules

The following result could be obtained:

```json
{
  "data": {
    "wmodules": [
      { "agent-upgrade": { "enabled": "yes", "ca_verification": "yes", "ca_store": [ "etc/wpk_root.pem" ] } },
      { "docker-listener": { "interval": 60, "disabled": "no", "run_on_start": "no", "attempts": 5 } },
      { "cis-cat": { "disabled": "yes", "scan-on-start": "yes", "interval": 86400, "java_path": "wodles/java", "ciscat_path": "wodles/ciscat", "ciscat_binary": "CIS-CAT.sh", "timeout": 1800 } },
      { "osquery": { "disabled": "yes", "run_daemon": "yes", "add_labels": "yes", "log_path": "/var/log/osquery/osqueryd.results.log", "config_path": "/etc/osquery/osquery.conf" } },
      { "syscollector": { "disabled": "no", "scan-on-start": "yes", "interval": 3600, "network": "yes", "os": "yes", "hardware": "yes", "packages": "yes", "ports": "yes", "ports_all": "no", "processes": "yes", "sync_max_eps": 10 } },
      { "sca": { "interval": 43200, "enabled": "yes", "scan_on_start": "yes", "skip_nfs": "yes", "policies": [ "/var/ossec/ruleset/sca/cis_ubuntu20-04.yml" ] } },
      { "wazuh_control": { "enabled": "yes" } }
    ]
  },
  "error": 0
}
```

In the agent you can also observe the activation:

```console
root@mediumubuntu:/home/vagrant# cat /var/ossec/logs/ossec.log | grep docker
2024/06/20 11:40:16 wazuh-modulesd:docker-listener: INFO: Module docker-listener started.
2024/06/20 11:41:16 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.
```

However, in the manager the result of the use case replication was:

```console
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.json | grep container
{"timestamp":"2024-06-20T12:37:38.774+0000","rule":{"level":3,"description":"CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0: Ensure nftables base chains exist.","id":"19009","firedtimes":7,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["3.4.2.5"],"cis_csc_v8":["4.4","4.5"],"cis_csc_v7":["9.4"],"iso_27001-2013":["A.13.1.1"],"mitre_tactics":["TA0005"],"mitre_techniques":["T1562","T1562.004"],"nist_sp_800-53":["SC-7(5)"],"soc_2":["CC6.6"]},"agent":{"id":"002","name":"ubunt","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1718887058.326785","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"797803356","policy":"CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0","check":{"id":"19088","title":"Ensure nftables base chains exist.","description":"Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization.","rationale":"If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables.","remediation":"Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }.","compliance":{"cis":"3.4.2.5","cis_csc_v8":"4.4,4.5","cis_csc_v7":"9.4","cmmc_v2":{"0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6"},"iso_27001-2013":"A.13.1.1","mitre_tactics":"TA0005","mitre_techniques":"T1562,T1562.004","nist_sp_800-53":"SC-7(5)","pci_dss_v3":{"2":{"1":"1.1.4,1.3.1,1.4"}},"pci_dss_v4":{"0":"1.2.1,1.4.1"},"soc_2":"CC6.6"},"command":["nft list ruleset"],"result":"not applicable","reason":"Invalid path or wrong permissions to run command 'nft list ruleset'"}}},"location":"sca"}
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.json | grep docker
[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.json | grep httpd
```

Desvelao commented 4 months ago

The Settings application displays the configuration of the Wazuh servers.

You commented you configured a Wazuh agent enabling the Docker listener module and you installed the required dependencies.

If you intended to see the configuration of the Docker listener for the agent, this is accessible from the Endpoints summary application, selecting an agent from the overview table and then going to Configuration in the top right side of the agent view.

The view of the shared screenshot only displays the configuration for the Wazuh server or Wazuh agent. The modules can not be enabled/disabled from this view.

You can edit the configuration from the Wazuh server or agent group configuration from UI, editing the configuration file.

If you configured the Docker listener correctly for a Wazuh agent and you cannot get alerts on the Wazuh server, this could indicate a problem in the monitoring of Docker on the Wazuh agent side, or that the analyzed logs related to Docker from the Wazuh agent are not matching any rule on the Wazuh server.

Desvelao commented 4 months ago

Research

I deployed 4.8.0 and I configured a Wazuh agent, enabling the Docker listener and installing the required dependencies.

Regarding the configuration of Docker listener for the agent, this is visible on the specific configuration view of the agent accessible through the Endpoints Summary: image

I enabled the logall_json option of the Wazuh server, and I am getting some events related to the Wazuh agent with Docker listener enabled, but the level of the rules is lower than the threshold, and this prevents the alert from being generated. I guess if you are not getting alerts on the Wazuh server, it is related to the actions done in Docker not matching any rule defined in the ruleset. I was testing some things with Docker, and I could not get some of the built-in rules to work, but I am not sure if I am doing the expected action that matches the rule.

Getting events (archives) related to Docker of the configured Wazuh agent:

```console
root@server:/home/vagrant# cat /var/ossec/logs/archives/archives.json | grep 001 | grep '\["docker"' | head -n5
{"timestamp":"2024-06-21T14:50:16.511+0000","rule":{"level":1,"description":"Docker: Information message","id":"86001","firedtimes":1,"mail":false,"groups":["docker","docker-info"]},"agent":{"id":"001","name":"ubuntu_2204","ip":"192.168.56.10"},"manager":{"name":"server"},"id":"1718981416.1337203","full_log":"Jun 21 14:50:14 machine2 containerd[10656]: time=\"2024-06-21T14:50:14.509512289Z\" level=info msg=\"loading plugin \\\"io.containerd.event.v1.publisher\\\"...\" runtime=io.containerd.runc.v2 type=io.containerd.event.v1","predecoder":{"program_name":"containerd","timestamp":"Jun 21 14:50:14","hostname":"machine2"},"decoder":{"name":"docker"},"data":{"docker":{"level":"info","message":"loading plugin \\"}},"location":"/var/log/syslog"}
{"timestamp":"2024-06-21T14:50:16.511+0000","rule":{"level":1,"description":"Docker: Information message","id":"86001","firedtimes":2,"mail":false,"groups":["docker","docker-info"]},"agent":{"id":"001","name":"ubuntu_2204","ip":"192.168.56.10"},"manager":{"name":"server"},"id":"1718981416.1337203","full_log":"Jun 21 14:50:14 machine2 containerd[10656]: time=\"2024-06-21T14:50:14.510837104Z\" level=info msg=\"loading plugin \\\"io.containerd.internal.v1.shutdown\\\"...\" runtime=io.containerd.runc.v2 type=io.containerd.internal.v1","predecoder":{"program_name":"containerd","timestamp":"Jun 21 14:50:14","hostname":"machine2"},"decoder":{"name":"docker"},"data":{"docker":{"level":"info","message":"loading plugin \\"}},"location":"/var/log/syslog"}
{"timestamp":"2024-06-21T14:50:16.513+0000","rule":{"level":1,"description":"Docker: Information message","id":"86001","firedtimes":3,"mail":false,"groups":["docker","docker-info"]},"agent":{"id":"001","name":"ubuntu_2204","ip":"192.168.56.10"},"manager":{"name":"server"},"id":"1718981416.1337203","full_log":"Jun 21 14:50:14 machine2 containerd[10656]: time=\"2024-06-21T14:50:14.510848435Z\" level=info msg=\"loading plugin \\\"io.containerd.ttrpc.v1.task\\\"...\" runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1","predecoder":{"program_name":"containerd","timestamp":"Jun 21 14:50:14","hostname":"machine2"},"decoder":{"name":"docker"},"data":{"docker":{"level":"info","message":"loading plugin \\"}},"location":"/var/log/syslog"}
{"timestamp":"2024-06-21T14:50:16.515+0000","rule":{"level":1,"description":"Docker: Information message","id":"86001","firedtimes":4,"mail":false,"groups":["docker","docker-info"]},"agent":{"id":"001","name":"ubuntu_2204","ip":"192.168.56.10"},"manager":{"name":"server"},"id":"1718981416.1337203","full_log":"Jun 21 14:50:14 machine2 containerd[10656]: time=\"2024-06-21T14:50:14.511098875Z\" level=info msg=\"starting signal loop\" namespace=moby path=/run/containerd/io.containerd.runtime.v2.task/moby/168619107aa8dba095f30413e89cdccb2a093ba35be21027462c3defd09c4f69 pid=20505 runtime=io.containerd.runc.v2","predecoder":{"program_name":"containerd","timestamp":"Jun 21 14:50:14","hostname":"machine2"},"decoder":{"name":"docker"},"data":{"docker":{"level":"info","message":"starting signal loop"}},"location":"/var/log/syslog"}
{"timestamp":"2024-06-21T14:50:16.534+0000","rule":{"level":1,"description":"Docker: Warning message","id":"86002","firedtimes":1,"mail":false,"groups":["docker","docker-warning"]},"agent":{"id":"001","name":"ubuntu_2204","ip":"192.168.56.10"},"manager":{"name":"server"},"id":"1718981416.1337203","full_log":"Jun 21 14:50:14 machine2 containerd[10656]: time=\"2024-06-21T14:50:14.711296214Z\" level=warning msg=\"error from *cgroupsv2.Manager.EventChan\" error=\"failed to add inotify watch for \\\"/sys/fs/cgroup/system.slice/docker-168619107aa8dba095f30413e89cdccb2a093ba35be21027462c3defd09c4f69.scope/memory.events\\\": no such file or directory\"","predecoder":{"program_name":"containerd","timestamp":"Jun 21 14:50:14","hostname":"machine2"},"decoder":{"name":"docker"},"data":{"docker":{"level":"warning","message":"error from *cgroupsv2.Manager.EventChan"}},"location":"/var/log/syslog"}
```

In the logs, I see an event that matches the rule with ID `86001`, but its level is 1, so the alert is not generated.

![image](https://github.com/wazuh/wazuh-dashboard/assets/34042064/54edfaf2-3f74-4f61-953b-f89d7021cee9)

pro-akim commented 4 months ago

Update

Thank you very much @Desvelao for the information, I found that with the change of screens in version 4.8.0 and the update of the documentation, it is difficult to understand that there is a docker listener for the manager and another for the agent quickly.

On the other hand, by repeating the use-case attached in the official documentation, I cannot reproduce the same alerts, so some change will probably have to be made.

I will be checking if the absence of events that reach the alert level is due to some change or failure. Taking this into account, I will inform you if any documentation changes will have to be made or this situation will have to be addressed with a fix.

gdiazlo commented 4 months ago

@pro-akim we will close this issue, as there is no action to take. Re-open it if there is further information.

chirill commented 4 months ago

Hi, I installed Ubuntu 22.04 LTS with Wazuh 4.8.0, this is the server, another Ubuntu 22.04 LTS with Docker, in Linux with Docker I installed the Wazuh agent and linked it to the server, in /var/ossec/etc/ossec.conf I added:

```xml
<wodle name="docker-listener">
  <disabled>no</disabled>
</wodle>
```

and restarted the agent. In the Wazuh server I don't have any events from Docker. Does anything else need to be enabled anywhere else? thank you

badcat1215 commented 1 month ago

> Hi, I installed Ubuntu 22.04 LTS with Wazuh 4.8.0, this is the server, another Ubuntu 22.04 LTS with Docker, in Linux with Docker I installed the Wazuh agent and linked it to the server, in /var/ossec/etc/ossec.conf I added: `<wodle name="docker-listener"> <disabled>no</disabled> </wodle>` and restarted the agent. In the Wazuh server I don't have any events from Docker. Does anything else need to be enabled anywhere else? thank you

I met the same problem.