Open Source Security Blogs

Monitor Docker Containers Resources using Wazuh

Use case:

Monitor CPU and memory usage of docker containers using Wazuh.

Wazuh Configuration:

Within the Wazuh UI, Navigate to Management -> Groups then edit the group configuration to add:

<localfile>
  <command>docker stats --format "{{.Container}} {{.Name}} {{.CPUPerc}} {{.MemUsage}}" --no-stream</command>
  <frequency>60</frequency>
  <log_format>command</log_format>
  <out_format>$(timestamp) $(hostname) docker: $(log)</out_format>
 </localfile>

The above command will be executed every minute to send an update about the resources to the Wazuh manager.

Then add the decoders and rules to parse and convey the needed information.

Decoders:

<decoder name="dockerR">
    <program_name>docker</program_name>
</decoder>

<decoder name="docker-resouces">
  <parent>dockerR</parent>
  <prematch>ossec: output: 'docker stats --format "{{.Container}} {{.Name}} {{.CPUPerc}} {{.MemUsage}}" --no-stream':</prematch>
  <regex offset="after_prematch"> (\S+) (\S+) (\S+) (\S+) / (\S+)</regex>
  <order>ContainerID, ContainerName, ContainerCPU, ContainerMemoryUsage, ContainerMemroyAvailable </order>
</decoder>

Rule:

<group name="docker">
<rule id="100005" level="5">
    <decoded_as>dockerR</decoded_as>
    <description>alert docker ressources</description> 
  </rule>
</group>

Result:

DEMO:

I hope you find it useful 🙂

EL WALI KARKOUB

,
, , , ,

12 responses to “Monitor Docker Containers Resources using Wazuh”

  1. An interesting discussion is price comment. I think that you must write more on this topic, it may not be a taboo topic but usually individuals are not enough to talk on such topics. To the next. Cheers

Leave a Reply

Your email address will not be published. Required fields are marked *