Docker Integration - Wazuh Dashboard Plugins

The Docker integration enables monitoring of Docker container activities, providing visibility into container lifecycle events and operations in your containerized infrastructure.

Overview

The Docker integration monitors and collects activity from Docker containers, tracking creation, running, starting, stopping, pausing events, and other container operations. All events are tagged with wazuh.integration.name: docker for filtering and analysis. Reference: plugins/main/common/wazuh-modules.ts:128

Key Features

Real-time container lifecycle monitoring
Container creation and destruction tracking
Image usage monitoring
Container state change detection
Network activity logging
Volume mount tracking
Docker daemon event collection
Resource usage monitoring

Data Source Configuration

The Docker data source uses the following configuration:

const DOCKER_GROUP_KEY = 'wazuh.integration.name';
const DOCKER_GROUP_VALUE = 'docker';

Reference: plugins/main/public/components/common/data-source/pattern/events/docker/docker-data-source.ts:5

Monitored Events

The Docker integration collects various container and image events:

Container Lifecycle Events

create - Container created
start - Container started
stop - Container stopped
restart - Container restarted
pause - Container paused
unpause - Container unpaused
die - Container stopped (exit code captured)
kill - Container killed
destroy - Container removed

Container Operations

attach - Attached to container
commit - Container committed to image
copy - Files copied to/from container
exec - Command executed in container
export - Container filesystem exported
resize - Container terminal resized
top - Container processes listed
update - Container configuration updated

Image Events

pull - Image pulled from registry
push - Image pushed to registry
tag - Image tagged
untag - Image tag removed
delete - Image deleted
import - Image imported
load - Image loaded from archive
save - Image saved to archive

Network Events

connect - Container connected to network
disconnect - Container disconnected from network
create - Network created
destroy - Network removed

Volume Events

create - Volume created
mount - Volume mounted
unmount - Volume unmounted
destroy - Volume removed

Event Fields

Docker events include the following key fields:

data.docker.Type - Event type (container, image, network, volume)
data.docker.Action - Action performed (start, stop, create, etc.)
data.docker.Actor.ID - Container or object ID
data.docker.Actor.Attributes.image - Container image name
data.docker.Actor.Attributes.name - Container name
data.docker.from - Parent image
data.docker.time - Event timestamp
data.docker.timeNano - High-precision timestamp

Reference: plugins/main/public/components/overview/docker/dashboards/dashboard-panels.ts:53

Setup and Configuration

Prerequisites

Docker Engine installed and running
Wazuh agent installed on Docker host
Access to Docker socket (/var/run/docker.sock)
Appropriate permissions for Wazuh agent

Configuration Steps

Configure Docker Socket Access Add Wazuh user to Docker group:
```
sudo usermod -aG docker wazuh
```
Or configure Docker socket permissions:
```
sudo chmod 666 /var/run/docker.sock
```

Configure Wazuh Agent Edit /var/ossec/etc/ossec.conf on the agent:

<wodle name="docker-listener">
  <disabled>no</disabled>
  <attempts>5</attempts>
  <run_on_start>yes</run_on_start>
  <interval>10m</interval>
</wodle>

Alternative: Remote Docker API For remote Docker daemon monitoring:

<wodle name="docker-listener">
  <disabled>no</disabled>
  <attempts>5</attempts>
  <run_on_start>yes</run_on_start>
  <interval>10m</interval>
  <url>tcp://remote-docker-host:2375</url>
</wodle>

Note: Ensure Docker API is secured with TLS in production.

TLS Configuration (Recommended) For secure remote monitoring:

<wodle name="docker-listener">
  <disabled>no</disabled>
  <url>tcp://remote-docker-host:2376</url>
  <ssl_verify_certificate>yes</ssl_verify_certificate>
  <ssl_ca_cert>/path/to/ca.pem</ssl_ca_cert>
  <ssl_cert>/path/to/cert.pem</ssl_cert>
  <ssl_key>/path/to/key.pem</ssl_key>
</wodle>

Verify Configuration
- Restart Wazuh agent: systemctl restart wazuh-agent
- Check agent logs: tail -f /var/ossec/logs/ossec.log
- Verify Docker events are being collected
- Check dashboard for Docker events

Dashboard Visualizations

The Docker integration includes pre-built visualizations:

Overview Dashboard

Top 5 Images - Most used container images
Top 5 Events - Most frequent Docker events
Events Over Time - Timeline of Docker activities
Container Actions - Distribution of container operations
Image Actions - Image-related operations

References:

plugins/main/public/components/overview/docker/dashboards/dashboard-panels.ts:4
plugins/main/public/components/overview/docker/dashboards/dashboard-panels.ts:68

Filtering Events

Filter Docker events in the dashboard:

wazuh.integration.name: "docker"

Additional filters:

By action: data.docker.Action: "start"
By image: data.docker.Actor.Attributes.image: "nginx:latest"
By container: data.docker.Actor.Attributes.name: "my-container"
By type: data.docker.Type: "container"

Use Cases

Container Security Monitoring

Runtime Security
- Detect unauthorized container creation
- Monitor privilege escalation attempts
- Track suspicious exec commands
- Identify unusual container behavior
Image Security
- Track image pull sources
- Monitor unauthorized image usage
- Detect unknown or unapproved images
- Identify outdated or vulnerable images
Access Control
- Monitor Docker socket access
- Track API authentication events
- Identify unauthorized operations
- Detect credential misuse

Compliance and Auditing

Change Management
- Container lifecycle audit trail
- Configuration change tracking
- Image version control
- Deployment verification
Regulatory Compliance
- PCI DSS container isolation requirements
- HIPAA container security monitoring
- SOC 2 change management controls
- NIST container security guidelines

Operational Monitoring

Availability Tracking
- Container crash detection
- Restart loop identification
- Failed container starts
- Service availability monitoring
Resource Management
- Container resource usage tracking
- Image storage consumption
- Volume usage monitoring
- Network usage analysis

DevOps and CI/CD

Deployment Monitoring
- Track container deployments
- Monitor rollout progress
- Identify deployment failures
- Verify configuration updates
Build Pipeline Security
- Monitor image builds
- Track registry pushes
- Verify image signatures
- Audit build artifacts

Common Security Scenarios

Detecting Cryptocurrency Mining

Monitor for:

Unexpected container creation
High CPU usage containers
Unknown base images
Containers with suspicious names

Identifying Container Escapes

Watch for:

Privileged container creation
Host namespace access
Unusual volume mounts
Docker socket mounting

Supply Chain Attacks

Track:

Image pull sources
Unknown registry usage
Image tag changes
Unverified image pulls

Insider Threats

Monitor:

After-hours container operations
Mass container creation/deletion
Sensitive data volume mounts
Unauthorized image exports

Troubleshooting

No Events Appearing

Permission Issues
- Check Wazuh user Docker group membership
- Verify Docker socket permissions
- Review SELinux/AppArmor policies
Configuration Issues
- Verify wodle is enabled
- Check Docker daemon is running
- Ensure Docker socket path is correct
- Review Wazuh agent logs

Connection Errors

Local Socket

# Test Docker socket access
sudo -u wazuh docker ps

# Check socket permissions
ls -l /var/run/docker.sock

Remote API

# Test API connectivity
curl https://remote-docker-host:2376/version

# Verify TLS certificates
openssl s_client -connect remote-docker-host:2376

Missing Specific Events

Verify Docker daemon is logging events
Check Docker daemon configuration
Ensure event types are not filtered
Review Docker version compatibility

Performance Issues

Adjust polling interval based on container activity
Implement event filtering at source
Monitor Wazuh agent resource usage
Consider dedicated monitoring agent for large deployments

Security Best Practices

Docker Daemon Security
- Use TLS for remote API access
- Implement authentication and authorization
- Limit Docker socket exposure
- Use rootless Docker when possible
Image Security
- Use trusted registries only
- Implement image scanning
- Enforce image signing
- Regular vulnerability assessments
Container Hardening
- Run containers as non-root
- Use read-only filesystems
- Limit container capabilities
- Implement resource constraints
Network Security
- Isolate container networks
- Use overlay networks for multi-host
- Implement network policies
- Monitor inter-container communication
Monitoring Strategy
- Alert on critical events (privileged containers, etc.)
- Regular audit log reviews
- Baseline normal behavior
- Implement anomaly detection

Advanced Configuration

Event Filtering

Filter specific event types:

<wodle name="docker-listener">
  <disabled>no</disabled>
  <run_on_start>yes</run_on_start>
  <interval>10m</interval>
  <filter_events>
    <container>create,start,stop,die,kill,destroy</container>
    <image>pull,delete</image>
  </filter_events>
</wodle>

High-Volume Environments

Optimize for large container deployments:

<wodle name="docker-listener">
  <disabled>no</disabled>
  <interval>5m</interval>
  <attempts>3</attempts>
  <run_on_start>no</run_on_start>
  <buffer_size>8192</buffer_size>
</wodle>

Multiple Docker Hosts

Deploy Wazuh agent on each Docker host:

Centralized event collection
Per-host event tagging
Aggregated dashboard views
Cross-host correlation

Integration with Orchestration

Kubernetes

For Kubernetes environments:

Deploy Wazuh agent as DaemonSet
Monitor Docker events on each node
Correlate with Kubernetes events
Track pod lifecycle events

Docker Swarm

For Docker Swarm clusters:

Monitor manager nodes
Track service deployments
Monitor stack operations
Audit secret usage

Docker Compose

For Docker Compose deployments:

Track compose stack operations
Monitor service dependencies
Audit configuration changes
Verify service health

Get Started

Core Concepts

Security Modules

Compliance

Cloud Integrations

Agent Management

Configuration

Development

​Overview

​Key Features

​Data Source Configuration

​Monitored Events

​Container Lifecycle Events

​Container Operations

​Image Events

​Network Events

​Volume Events

​Event Fields

​Setup and Configuration

​Prerequisites

​Configuration Steps

​Dashboard Visualizations

​Overview Dashboard

​Filtering Events

​Use Cases

​Container Security Monitoring

​Compliance and Auditing

​Operational Monitoring

​DevOps and CI/CD

​Common Security Scenarios

​Detecting Cryptocurrency Mining

​Identifying Container Escapes

​Supply Chain Attacks

​Insider Threats

​Troubleshooting

​No Events Appearing

​Connection Errors

​Missing Specific Events

​Performance Issues

​Security Best Practices

​Advanced Configuration

​Event Filtering

​High-Volume Environments

​Multiple Docker Hosts

​Integration with Orchestration

​Kubernetes

​Docker Swarm

​Docker Compose

​Related Resources

Build docs developers (and LLMs) love