Docker listener is unable to connect to docker daemon #20372

Closed
4 tasks done
santipadilla opened this issue Nov 22, 2023 · 2 comments · Fixed by wazuh/wazuh-documentation#6824
Labels: level/task, type/bug (Something isn't working)

santipadilla commented Nov 22, 2023

Wazuh version: 4.6.0-40603
Component: Docker listener

Description

Hi, I'm trying to follow this guide, but I can't get Docker events to appear. I can only see this event in the archives.log:

2023 Nov 17 12:57:02 (linux-agent) 172.16.1.10->Wazuh-Docker {"integration": "docker", "docker": {"Wodle event": "Started"}}
2023 Nov 17 12:57:02 (linux-agent) 172.16.1.10->Wazuh-Docker {"integration": "docker", "docker": {"Wodle event": "Docker service is not running"}}

I can do a pull and I get this message, but I get nothing in the archives.log.

Using default tag: latest
latest: Pulling from library/nginx
Digest: sha256:86e53c4c16a6a276b204b0fd3a8143d86547c967dc8258b3d47c3a21bb68d3c6
Status: Image is up to date for nginx:latest
docker.io/library/nginx:latest

The status of the docker daemon is green running, and the user is root with the following permissions.

root@wazuh-dashboard:/home/vagrant# groups
root
root@wazuh-dashboard:/home/vagrant# ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Nov 20 10:55 /var/run/docker.sock
root@wazuh-dashboard:/home/vagrant#

Running the Docker-listener module, adding a print() in the exception of the check_docker_service() method I get the following:

root@wazuh-dashboard:/home/vagrant# 
root@wazuh-dashboard:/home/vagrant# /var/ossec/wodles/docker/DockerListener
{"integration": "docker", "docker": {"Wodle event": "Started"}}
Error checking Docker service: HTTPConnection.request() got an unexpected keyword argument 'chunked'
Docker service is not running.
{"integration": "docker", "docker": {"Wodle event": "Docker service is not running"}}
Error checking Docker service: HTTPConnection.request() got an unexpected keyword argument 'chunked'
Reconnecting...
Error checking Docker service: HTTPConnection.request() got an unexpected keyword argument 'chunked'
Reconnecting...
Error checking Docker service: HTTPConnection.request() got an unexpected keyword argument 'chunked'
Reconnecting...
Error checking Docker service: HTTPConnection.request() got an unexpected keyword argument 'chunked'
Reconnecting...
Error checking Docker service: HTTPConnection.request() got an unexpected keyword argument 'chunked'
Reconnecting...

The environment I am using and the versions of everything are the following. The package manager is updated.
Agent box: Ubuntu Jammy - generic/ubuntu2204
docker==4.2.0
urllib3==2.1.0
requests==2.31.0
python==3.10.12

Checks

The following elements have been updated or reviewed (should also be checked if no modification is required):

  • Tests (unit tests, API integration tests).
  • Changelog.
  • Documentation.
  • Integration test mapping (using api/test/integration/mapping/_test_mapping.py).
santipadilla added the team/framework and type/bug labels on Nov 22, 2023
GGP1 self-assigned this on Dec 1, 2023
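
The two "Wodle event" lines in the report above are the only trace a failed listener leaves in archives.log, so a monitored host can stay blind to Docker activity without any alert. The following is an added example, not Wazuh code and not part of the original issue: it scans archives.log-style lines and flags sources whose docker-listener started but never connected. The function names `listener_health` and `blind_sources` are hypothetical, and the sample lines are constructed from the log format quoted in this issue.

```python
import json
import re

# archives.log line: "<YYYY Mon DD HH:MM:SS> <source>->Wazuh-Docker <json>"
# <source> is "(agent-name) ip" for an agent or the hostname for the manager.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<source>.+?)->Wazuh-Docker (?P<payload>\{.*\})\s*$"
)

# Constructed sample, modelled on the lines quoted in this issue.
SAMPLE = """\
2023 Nov 17 12:57:02 (linux-agent) 172.16.1.10->Wazuh-Docker {"integration": "docker", "docker": {"Wodle event": "Started"}}
2023 Nov 17 12:57:02 (linux-agent) 172.16.1.10->Wazuh-Docker {"integration": "docker", "docker": {"Wodle event": "Docker service is not running"}}
2023 Dec 01 14:58:56 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"Wodle event": "Started"}}
2023 Dec 01 14:58:57 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"Wodle event": "Connected to Docker service"}}
2023 Dec 01 15:03:48 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"status": "pull", "id": "nginx:latest", "Type": "image", "Action": "pull"}}
2023 Dec 01 15:04:57 be499c120b52->df -P ossec: output: 'df -P': tmpfs 65536 0 65536 0% /dev
2023 Dec 01 15:05:00 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {truncated}
"""


def listener_health(lines):
    """Track the docker-listener state per log source.

    Returns {source: {"state": ..., "events": n, "last_seen": timestamp}} where
    state is one of "started", "not_running" or "connected".
    """
    status = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other locations (df -P, rootcheck, ...) are ignored
        try:
            docker = json.loads(m["payload"]).get("docker")
        except json.JSONDecodeError:
            continue  # truncated or corrupted payload: skip, do not crash
        if not isinstance(docker, dict):
            continue
        entry = status.setdefault(
            m["source"], {"state": "unknown", "events": 0, "last_seen": None}
        )
        entry["last_seen"] = m["ts"]
        wodle = docker.get("Wodle event")
        if wodle == "Started":
            # A new run of the wodle: forget what the previous run achieved.
            entry["state"], entry["events"] = "started", 0
        elif wodle == "Docker service is not running":
            entry["state"] = "not_running"
        elif wodle == "Connected to Docker service":
            entry["state"] = "connected"
        elif "Action" in docker:
            # A real Docker event implies the listener is attached to the daemon.
            entry["events"] += 1
            entry["state"] = "connected"
    return status


def blind_sources(status):
    """Sources whose listener is running but not receiving Docker events."""
    return sorted(s for s, e in status.items() if e["state"] != "connected")


if __name__ == "__main__":
    health = listener_health(SAMPLE.splitlines())
    for source in blind_sources(health):
        print(f"docker-listener blind on {source}: {health[source]}")
```
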
GGP1 commented Dec 1, 2023

Update

The issue was caused by an incompatibility between urllib3 and docker. I could reproduce the error in an agent but not in a manager.

The urllib3 version installed in the manager is 1.26.5 while the agent used 2.1.0 when installing docker==4.2.0. After changing the version on the agent to 1.26.5, the wodle worked as expected.

Another option is to install docker==6.1.1 which is compatible with urllib3==2.1.0.

I opened a pull request to force installing urllib3==1.26.5 in the documentation.

Related issue: docker/docker-py#3113

Manager

OS
root@be499c120b52:/# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
UBUNTU_CODENAME=jammy
root@be499c120b52:/# docker --version
Docker version 24.0.7, build afdd53b
root@be499c120b52:/# python3 --version
Python 3.10.12

Configuration

Enabled integrator.debug=2.

<ossec_config>
  <global>
  	...
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    ...
  </global>

  <wodle name="docker-listener">
    <interval>1m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>

  ...
</ossec_config>

ossec.log
root@be499c120b52:/# cat /var/ossec/logs/ossec.log | grep docker
2023/12/01 14:58:56 wazuh-modulesd:docker-listener: INFO: Module docker-listener started.
2023/12/01 14:58:56 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.

docker commands
root@be499c120b52:/# docker pull nginx 
Using default tag: latest
latest: Pulling from library/nginx
1f7ce2fa46ab: Pull complete 
9b16c94bb686: Pull complete 
9a59d19f9c5b: Pull complete 
9ea27b074f71: Pull complete 
c6edf33e2524: Pull complete 
84b1ff10387b: Pull complete 
517357831967: Pull complete 
Digest: sha256:10d1f5b58f74683ad34eb29287e07dab1e90f10af243f151bb50aa5dbb4d62ee
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
root@be499c120b52:/# docker run -d -P --name nginx_container nginx
26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560
root@be499c120b52:/# docker exec -it nginx_container cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
nginx:x:101:101:nginx user:/nonexistent:/bin/false
root@be499c120b52:/# docker exec -it nginx_container /bin/bash
root@26d33a28c653:/# exit
exit

archives.log
2023 Dec 01 14:59:05 be499c120b52->wazuh-monitord ossec: Manager started.
2023 Dec 01 14:59:09 be499c120b52->rootcheck Ending rootcheck scan.
2023 Dec 01 15:03:48 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"status": "pull", "id": "nginx:latest", "Type": "image", "Action": "pull", "Actor": {"ID": "nginx:latest", "Attributes": {"maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx"}}, "scope": "local", "time": 1701443028, "timeNano": 1701443028588266402}}
2023 Dec 01 15:04:51 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"status": "create", "id": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "from": "nginx", "Type": "container", "Action": "create", "Actor": {"ID": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "Attributes": {"image": "nginx", "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx_container"}}, "scope": "local", "time": 1701443091, "timeNano": 1701443091184612150}}
2023 Dec 01 15:04:51 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"Type": "network", "Action": "connect", "Actor": {"ID": "226b2e6255690299858b2d634824c0ce6d7a0a3f4d87f30e9da6b6ecc54e999a", "Attributes": {"container": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "name": "bridge", "type": "bridge"}}, "scope": "local", "time": 1701443091, "timeNano": 1701443091219464151}}
2023 Dec 01 15:04:51 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"status": "start", "id": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "from": "nginx", "Type": "container", "Action": "start", "Actor": {"ID": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "Attributes": {"image": "nginx", "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx_container"}}, "scope": "local", "time": 1701443091, "timeNano": 1701443091380856246}}
2023 Dec 01 15:04:57 be499c120b52->df -P ossec: output: 'df -P': overlay                 121183936 92824268  22157712      81% /
2023 Dec 01 15:04:57 be499c120b52->df -P ossec: output: 'df -P': shm                         65536       80     65456       1% /dev/shm
2023 Dec 01 15:04:57 be499c120b52->df -P ossec: output: 'df -P': tmpfs                       65536        0     65536       0% /dev
2023 Dec 01 15:04:57 be499c120b52->df -P ossec: output: 'df -P': Filesystem            1024-blocks     Used Available Capacity Mounted on
2023 Dec 01 15:04:57 be499c120b52->df -P ossec: output: 'df -P': overlay                 121183936 92824268  22157712      81% /var/lib/docker/overlay2/ccc3cfb47c8f8ce7c3ee1451467793e0670a2e33b73f55f31a568f4ff8bf1f0f/merged
2023 Dec 01 15:04:57 be499c120b52->df -P ossec: output: 'df -P': /dev/mapper/data-root   121183936 92824268  22157712      81% /etc/hosts
2023 Dec 01 15:04:57 be499c120b52->last -n 20 ossec: output: 'last -n 20':
wtmp begins Thu Nov 30 14:24:04 2023
2023 Dec 01 15:04:59 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"status": "exec_create: cat /etc/passwd", "id": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "from": "nginx", "Type": "container", "Action": "exec_create: cat /etc/passwd", "Actor": {"ID": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "Attributes": {"execID": "f696b3418de1a97948184f81afe07d2a3cb34dabdb5fe1aecd3973444a05c121", "image": "nginx", "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx_container"}}, "scope": "local", "time": 1701443099, "timeNano": 1701443099998974295}}
2023 Dec 01 15:04:59 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"status": "exec_start: cat /etc/passwd", "id": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "from": "nginx", "Type": "container", "Action": "exec_start: cat /etc/passwd", "Actor": {"ID": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "Attributes": {"execID": "f696b3418de1a97948184f81afe07d2a3cb34dabdb5fe1aecd3973444a05c121", "image": "nginx", "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx_container"}}, "scope": "local", "time": 1701443099, "timeNano": 1701443099999324098}}
2023 Dec 01 15:05:00 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"status": "exec_die", "id": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "from": "nginx", "Type": "container", "Action": "exec_die", "Actor": {"ID": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "Attributes": {"execID": "f696b3418de1a97948184f81afe07d2a3cb34dabdb5fe1aecd3973444a05c121", "exitCode": "0", "image": "nginx", "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx_container"}}, "scope": "local", "time": 1701443100, "timeNano": 1701443100085532742}}
2023 Dec 01 15:05:09 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"status": "exec_create: /bin/bash ", "id": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "from": "nginx", "Type": "container", "Action": "exec_create: /bin/bash ", "Actor": {"ID": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "Attributes": {"execID": "ac26194c17e472fd4923248bf5bee6db69d22162986e2f8aef7b2d51138f0f0b", "image": "nginx", "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx_container"}}, "scope": "local", "time": 1701443109, "timeNano": 1701443109148978938}}
2023 Dec 01 15:05:09 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"status": "exec_start: /bin/bash ", "id": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "from": "nginx", "Type": "container", "Action": "exec_start: /bin/bash ", "Actor": {"ID": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "Attributes": {"execID": "ac26194c17e472fd4923248bf5bee6db69d22162986e2f8aef7b2d51138f0f0b", "image": "nginx", "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx_container"}}, "scope": "local", "time": 1701443109, "timeNano": 1701443109149257941}}
2023 Dec 01 15:05:13 be499c120b52->Wazuh-Docker {"integration": "docker", "docker": {"status": "exec_die", "id": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "from": "nginx", "Type": "container", "Action": "exec_die", "Actor": {"ID": "26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560", "Attributes": {"execID": "ac26194c17e472fd4923248bf5bee6db69d22162986e2f8aef7b2d51138f0f0b", "exitCode": "0", "image": "nginx", "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx_container"}}, "scope": "local", "time": 1701443113, "timeNano": 1701443113829975076}}

archives.json
root@be499c120b52:/# cat /var/ossec/logs/archives/archives.json
{"timestamp":"2023-12-01T14:58:54.251+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442734.0","full_log":"Starting rootcheck scan.","decoder":{"name":"rootcheck"},"data":{"title":"Starting rootcheck scan."},"location":"rootcheck"}
{"timestamp":"2023-12-01T14:58:54.293+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442734.675424","full_log":"Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/bin/diff"},"location":"rootcheck"}
{"timestamp":"2023-12-01T14:58:54.304+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442734.675805","full_log":"Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/diff"},"location":"rootcheck"}
{"timestamp":"2023-12-01T14:58:56.995+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442736.675805","full_log":"{\"integration\": \"docker\", \"docker\": {\"Wodle event\": \"Started\"}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"Wodle event":"Started"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T14:58:57.002+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442737.675805","full_log":"{\"integration\": \"docker\", \"docker\": {\"Wodle event\": \"Connected to Docker service\"}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"Wodle event":"Connected to Docker service"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T14:58:57.812+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442737.675805","full_log":"ossec: output: 'df -P': Filesystem            1024-blocks     Used Available Capacity Mounted on","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T14:58:57.812+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442737.675805","full_log":"ossec: output: 'df -P': tmpfs                       65536        0     65536       0% /dev","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T14:58:57.812+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442737.675805","full_log":"ossec: output: 'df -P': shm                         65536       80     65456       1% /dev/shm","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T14:58:57.812+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442737.675805","full_log":"ossec: output: 'df -P': overlay                 121183936 92626476  22355504      81% /","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T14:58:57.812+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442737.675805","full_log":"ossec: output: 'last -n 20':\nwtmp begins Thu Nov 30 14:24:04 2023","decoder":{"name":"ossec"},"location":"last -n 20"}
{"timestamp":"2023-12-01T14:58:57.812+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442737.675805","full_log":"ossec: output: 'df -P': /dev/mapper/data-root   121183936 92626476  22355504      81% /etc/hosts","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T14:59:00.990+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442740.675805","full_log":"{\"type\":\"summary\",\"scan_id\":557981783,\"name\":\"CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.\",\"policy_id\":\"cis_ubuntu22-04\",\"file\":\"cis_ubuntu22-04.yml\",\"description\":\"This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.\",\"references\":\"https://www.cisecurity.org/cis-benchmarks/\",\"passed\":50,\"failed\":82,\"invalid\":50,\"total_checks\":182,\"score\":37.878787994384766,\"start_time\":1701442736,\"end_time\":1701442737,\"hash\":\"06ad51e6d9ece5444a3ee9a6946639965c2d1bdf6f4936c60068f02cbf028fa4\",\"hash_file\":\"c556e25dbf15870af8df9f42fae47a269c545d7baf0f4bc87049074521061442\",\"first_scan\":1}","decoder":{"name":"sca"},"location":"sca"}
{"timestamp":"2023-12-01T14:59:01.000+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442741.675805","full_log":"{\"type\":\"policies\",\"policies\":[\"cis_ubuntu22-04\"]}","decoder":{"name":"sca"},"location":"sca"}
{"timestamp":"2023-12-01T14:59:05.808+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442745.676194","full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2023-12-01T14:59:09.441+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701442749.676194","full_log":"Ending rootcheck scan.","decoder":{"name":"rootcheck"},"data":{"title":"Ending rootcheck scan."},"location":"rootcheck"}
{"timestamp":"2023-12-01T15:03:48.588+0000","rule":{"level":3,"description":"Docker: Image or repository nginx pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"],"hipaa":["164.312.b"],"nist_800_53":["AU.14"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443028.676194","full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"pull\", \"id\": \"nginx:latest\", \"Type\": \"image\", \"Action\": \"pull\", \"Actor\": {\"ID\": \"nginx:latest\", \"Attributes\": {\"maintainer\": \"NGINX Docker Maintainers <docker-maint@nginx.com>\", \"name\": \"nginx\"}}, \"scope\": \"local\", \"time\": 1701443028, \"timeNano\": 1701443028588266402}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"pull","id":"nginx:latest","Type":"image","Action":"pull","Actor":{"ID":"nginx:latest","Attributes":{"maintainer":"NGINX Docker Maintainers <docker-maint@nginx.com>","name":"nginx"}},"scope":"local","time":"1701443028","timeNano":"1701443028588266496.000000"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T15:04:51.185+0000","rule":{"level":3,"description":"Docker: Container nginx_container created","id":"87901","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"],"hipaa":["164.312.b"],"nist_800_53":["AU.14"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443091.677341","full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"create\", \"id\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"from\": \"nginx\", \"Type\": \"container\", \"Action\": \"create\", \"Actor\": {\"ID\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"Attributes\": {\"image\": \"nginx\", \"maintainer\": \"NGINX Docker Maintainers <docker-maint@nginx.com>\", \"name\": \"nginx_container\"}}, \"scope\": \"local\", \"time\": 1701443091, \"timeNano\": 1701443091184612150}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"create","id":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","from":"nginx","Type":"container","Action":"create","Actor":{"ID":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","Attributes":{"image":"nginx","maintainer":"NGINX Docker Maintainers <docker-maint@nginx.com>","name":"nginx_container"}},"scope":"local","time":"1701443091","timeNano":"1701443091184612096.000000"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T15:04:51.219+0000","rule":{"level":3,"description":"Docker: Network bridge connected","id":"87928","firedtimes":1,"mail":false,"groups":["docker"]},"agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443091.678571","full_log":"{\"integration\": \"docker\", \"docker\": {\"Type\": \"network\", \"Action\": \"connect\", \"Actor\": {\"ID\": \"226b2e6255690299858b2d634824c0ce6d7a0a3f4d87f30e9da6b6ecc54e999a\", \"Attributes\": {\"container\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"name\": \"bridge\", \"type\": \"bridge\"}}, \"scope\": \"local\", \"time\": 1701443091, \"timeNano\": 1701443091219464151}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"Type":"network","Action":"connect","Actor":{"ID":"226b2e6255690299858b2d634824c0ce6d7a0a3f4d87f30e9da6b6ecc54e999a","Attributes":{"container":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","name":"bridge","type":"bridge"}},"scope":"local","time":"1701443091","timeNano":"1701443091219464192.000000"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T15:04:51.381+0000","rule":{"level":3,"description":"Docker: Container nginx_container started","id":"87903","firedtimes":1,"mail":false,"groups":["docker"]},"agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443091.679493","full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"start\", \"id\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"from\": \"nginx\", \"Type\": \"container\", \"Action\": \"start\", \"Actor\": {\"ID\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"Attributes\": {\"image\": \"nginx\", \"maintainer\": \"NGINX Docker Maintainers <docker-maint@nginx.com>\", \"name\": \"nginx_container\"}}, \"scope\": \"local\", \"time\": 1701443091, \"timeNano\": 1701443091380856246}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"start","id":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","from":"nginx","Type":"container","Action":"start","Actor":{"ID":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","Attributes":{"image":"nginx","maintainer":"NGINX Docker Maintainers <docker-maint@nginx.com>","name":"nginx_container"}},"scope":"local","time":"1701443091","timeNano":"1701443091380856320.000000"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T15:04:57.217+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443097.679493","full_log":"ossec: output: 'df -P': overlay                 121183936 92824268  22157712      81% /","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T15:04:57.217+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443097.679493","full_log":"ossec: output: 'df -P': shm                         65536       80     65456       1% /dev/shm","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T15:04:57.217+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443097.679493","full_log":"ossec: output: 'df -P': tmpfs                       65536        0     65536       0% /dev","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T15:04:57.217+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443097.679493","full_log":"ossec: output: 'df -P': Filesystem            1024-blocks     Used Available Capacity Mounted on","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T15:04:57.217+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443097.679493","full_log":"ossec: output: 'df -P': overlay                 121183936 92824268  22157712      81% /var/lib/docker/overlay2/ccc3cfb47c8f8ce7c3ee1451467793e0670a2e33b73f55f31a568f4ff8bf1f0f/merged","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T15:04:57.217+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443097.679493","full_log":"ossec: output: 'df -P': /dev/mapper/data-root   121183936 92824268  22157712      81% /etc/hosts","decoder":{"name":"ossec"},"location":"df -P"}
{"timestamp":"2023-12-01T15:04:57.219+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443097.679493","full_log":"ossec: output: 'last -n 20':\nwtmp begins Thu Nov 30 14:24:04 2023","decoder":{"name":"ossec"},"location":"last -n 20"}
{"timestamp":"2023-12-01T15:04:59.999+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443099.679493","full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"exec_create: cat /etc/passwd\", \"id\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"from\": \"nginx\", \"Type\": \"container\", \"Action\": \"exec_create: cat /etc/passwd\", \"Actor\": {\"ID\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"Attributes\": {\"execID\": \"f696b3418de1a97948184f81afe07d2a3cb34dabdb5fe1aecd3973444a05c121\", \"image\": \"nginx\", \"maintainer\": \"NGINX Docker Maintainers <docker-maint@nginx.com>\", \"name\": \"nginx_container\"}}, \"scope\": \"local\", \"time\": 1701443099, \"timeNano\": 1701443099998974295}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"exec_create: cat /etc/passwd","id":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","from":"nginx","Type":"container","Action":"exec_create: cat /etc/passwd","Actor":{"ID":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","Attributes":{"execID":"f696b3418de1a97948184f81afe07d2a3cb34dabdb5fe1aecd3973444a05c121","image":"nginx","maintainer":"NGINX Docker Maintainers <docker-maint@nginx.com>","name":"nginx_container"}},"scope":"local","time":"1701443099","timeNano":"1701443099998974208.000000"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T15:04:59.999+0000","rule":{"level":3,"description":"Docker: Command launched in container nginx_container. Action: \"exec_start: cat /etc/passwd\"","id":"87907","firedtimes":1,"mail":false,"groups":["docker"],"gdpr":["IV_32.2"]},"agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443099.680640","full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"exec_start: cat /etc/passwd\", \"id\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"from\": \"nginx\", \"Type\": \"container\", \"Action\": \"exec_start: cat /etc/passwd\", \"Actor\": {\"ID\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"Attributes\": {\"execID\": \"f696b3418de1a97948184f81afe07d2a3cb34dabdb5fe1aecd3973444a05c121\", \"image\": \"nginx\", \"maintainer\": \"NGINX Docker Maintainers <docker-maint@nginx.com>\", \"name\": \"nginx_container\"}}, \"scope\": \"local\", \"time\": 1701443099, \"timeNano\": 1701443099999324098}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"exec_start: cat /etc/passwd","id":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","from":"nginx","Type":"container","Action":"exec_start: cat /etc/passwd","Actor":{"ID":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","Attributes":{"execID":"f696b3418de1a97948184f81afe07d2a3cb34dabdb5fe1aecd3973444a05c121","image":"nginx","maintainer":"NGINX Docker Maintainers <docker-maint@nginx.com>","name":"nginx_container"}},"scope":"local","time":"1701443099","timeNano":"1701443099999324160.000000"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T15:05:00.085+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443100.680640","full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"exec_die\", \"id\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"from\": \"nginx\", \"Type\": \"container\", \"Action\": \"exec_die\", \"Actor\": {\"ID\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"Attributes\": {\"execID\": \"f696b3418de1a97948184f81afe07d2a3cb34dabdb5fe1aecd3973444a05c121\", \"exitCode\": \"0\", \"image\": \"nginx\", \"maintainer\": \"NGINX Docker Maintainers <docker-maint@nginx.com>\", \"name\": \"nginx_container\"}}, \"scope\": \"local\", \"time\": 1701443100, \"timeNano\": 1701443100085532742}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"exec_die","id":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","from":"nginx","Type":"container","Action":"exec_die","Actor":{"ID":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","Attributes":{"execID":"f696b3418de1a97948184f81afe07d2a3cb34dabdb5fe1aecd3973444a05c121","exitCode":"0","image":"nginx","maintainer":"NGINX Docker Maintainers <docker-maint@nginx.com>","name":"nginx_container"}},"scope":"local","time":"1701443100","timeNano":"1701443100085532672.000000"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T15:05:09.149+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443109.680640","full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"exec_create: /bin/bash \", \"id\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"from\": \"nginx\", \"Type\": \"container\", \"Action\": \"exec_create: /bin/bash \", \"Actor\": {\"ID\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"Attributes\": {\"execID\": \"ac26194c17e472fd4923248bf5bee6db69d22162986e2f8aef7b2d51138f0f0b\", \"image\": \"nginx\", \"maintainer\": \"NGINX Docker Maintainers <docker-maint@nginx.com>\", \"name\": \"nginx_container\"}}, \"scope\": \"local\", \"time\": 1701443109, \"timeNano\": 1701443109148978938}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"exec_create: /bin/bash ","id":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","from":"nginx","Type":"container","Action":"exec_create: /bin/bash ","Actor":{"ID":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","Attributes":{"execID":"ac26194c17e472fd4923248bf5bee6db69d22162986e2f8aef7b2d51138f0f0b","image":"nginx","maintainer":"NGINX Docker Maintainers <docker-maint@nginx.com>","name":"nginx_container"}},"scope":"local","time":"1701443109","timeNano":"1701443109148978944.000000"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T15:05:09.149+0000","rule":{"level":5,"description":"Docker: Started shell session in container nginx_container","id":"87908","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443109.682114","full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"exec_start: /bin/bash \", \"id\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"from\": \"nginx\", \"Type\": \"container\", \"Action\": \"exec_start: /bin/bash \", \"Actor\": {\"ID\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"Attributes\": {\"execID\": \"ac26194c17e472fd4923248bf5bee6db69d22162986e2f8aef7b2d51138f0f0b\", \"image\": \"nginx\", \"maintainer\": \"NGINX Docker Maintainers <docker-maint@nginx.com>\", \"name\": \"nginx_container\"}}, \"scope\": \"local\", \"time\": 1701443109, \"timeNano\": 1701443109149257941}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"exec_start: /bin/bash ","id":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","from":"nginx","Type":"container","Action":"exec_start: /bin/bash ","Actor":{"ID":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","Attributes":{"execID":"ac26194c17e472fd4923248bf5bee6db69d22162986e2f8aef7b2d51138f0f0b","image":"nginx","maintainer":"NGINX Docker Maintainers <docker-maint@nginx.com>","name":"nginx_container"}},"scope":"local","time":"1701443109","timeNano":"1701443109149257984.000000"}},"location":"Wazuh-Docker"}
{"timestamp":"2023-12-01T15:05:13.830+0000","agent":{"id":"000","name":"be499c120b52"},"manager":{"name":"be499c120b52"},"id":"1701443113.682114","full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"exec_die\", \"id\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"from\": \"nginx\", \"Type\": \"container\", \"Action\": \"exec_die\", \"Actor\": {\"ID\": \"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560\", \"Attributes\": {\"execID\": \"ac26194c17e472fd4923248bf5bee6db69d22162986e2f8aef7b2d51138f0f0b\", \"exitCode\": \"0\", \"image\": \"nginx\", \"maintainer\": \"NGINX Docker Maintainers <docker-maint@nginx.com>\", \"name\": \"nginx_container\"}}, \"scope\": \"local\", \"time\": 1701443113, \"timeNano\": 1701443113829975076}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"exec_die","id":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","from":"nginx","Type":"container","Action":"exec_die","Actor":{"ID":"26d33a28c65307e8d251df562d8116c2c69878cfcfde42526c594d5d38093560","Attributes":{"execID":"ac26194c17e472fd4923248bf5bee6db69d22162986e2f8aef7b2d51138f0f0b","exitCode":"0","image":"nginx","maintainer":"NGINX Docker Maintainers <docker-maint@nginx.com>","name":"nginx_container"}},"scope":"local","time":"1701443113","timeNano":"1701443113829975040.000000"}},"location":"Wazuh-Docker"}
DockerListener execution
root@be499c120b52:/# /var/ossec/wodles/docker/DockerListener
{"integration": "docker", "docker": {"Wodle event": "Started"}}
Docker service was started.
{"integration": "docker", "docker": {"Wodle event": "Connected to Docker service"}}

Agent

OS
root@c82e021a91e7:/# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
UBUNTU_CODENAME=jammy
root@c82e021a91e7:/# docker --version
Docker version 24.0.7, build afdd53b
root@c82e021a91e7:/# python3 --version
Python 3.10.12
Configuration
  <wodle name="docker-listener">
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>
docker 4.2.0 installation

docker==4.2.0 forces the installation of urllib3==2.1.0 which is not compatible and this causes the wodle to fail.

root@41c7beae5a36:/# pip3 install docker==4.2.0
Collecting docker==4.2.0
  Downloading docker-4.2.0-py2.py3-none-any.whl (143 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 143.9/143.9 kB 3.5 MB/s eta 0:00:00
Collecting six>=1.4.0 (from docker==4.2.0)
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting websocket-client>=0.32.0 (from docker==4.2.0)
  Downloading websocket_client-1.6.4-py3-none-any.whl.metadata (7.7 kB)
Collecting requests!=2.18.0,>=2.14.2 (from docker==4.2.0)
  Downloading requests-2.31.0-py3-none-any.whl.metadata (4.6 kB)
Collecting charset-normalizer<4,>=2 (from requests!=2.18.0,>=2.14.2->docker==4.2.0)
  Downloading charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (33 kB)
Collecting idna<4,>=2.5 (from requests!=2.18.0,>=2.14.2->docker==4.2.0)
  Downloading idna-3.6-py3-none-any.whl.metadata (9.9 kB)
Collecting urllib3<3,>=1.21.1 (from requests!=2.18.0,>=2.14.2->docker==4.2.0)
  Downloading urllib3-2.1.0-py3-none-any.whl.metadata (6.4 kB)
Collecting certifi>=2017.4.17 (from requests!=2.18.0,>=2.14.2->docker==4.2.0)
  Downloading certifi-2023.11.17-py3-none-any.whl.metadata (2.2 kB)
Downloading requests-2.31.0-py3-none-any.whl (62 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.6/62.6 kB 4.0 MB/s eta 0:00:00
Downloading websocket_client-1.6.4-py3-none-any.whl (57 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 57.3/57.3 kB 3.9 MB/s eta 0:00:00
Downloading certifi-2023.11.17-py3-none-any.whl (162 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 162.5/162.5 kB 5.1 MB/s eta 0:00:00
Downloading charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (142 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 142.1/142.1 kB 5.2 MB/s eta 0:00:00
Downloading idna-3.6-py3-none-any.whl (61 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 61.6/61.6 kB 3.8 MB/s eta 0:00:00
Downloading urllib3-2.1.0-py3-none-any.whl (104 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 104.6/104.6 kB 4.3 MB/s eta 0:00:00
Installing collected packages: websocket-client, urllib3, six, idna, charset-normalizer, certifi, requests, docker
Successfully installed certifi-2023.11.17 charset-normalizer-3.3.2 docker-4.2.0 idna-3.6 requests-2.31.0 six-1.16.0 urllib3-2.1.0 websocket-client-1.6.4
root@c82e021a91e7:/# pip3 freeze
certifi==2023.11.17
charset-normalizer==3.3.2
docker==4.2.0
idna==3.6
requests==2.31.0
six==1.16.0
supervisor==4.2.1
urllib3==2.1.0
websocket-client==1.6.4
DockerListener execution
root@c82e021a91e7:/# /var/ossec/wodles/docker/DockerListener
{"integration": "docker", "docker": {"Wodle event": "Started"}}
Docker service is not running.
{"integration": "docker", "docker": {"Wodle event": "Docker service is not running"}}
Reconnecting...
Reconnecting...
Reconnecting...
Reconnecting...
Downgrading urllib3 from 2.1.0 to 1.26.5
root@c82e021a91e7:/# pip3 install urllib3==1.26.5
Collecting urllib3==1.26.5
  Downloading urllib3-1.26.5-py2.py3-none-any.whl (138 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 138.1/138.1 kB 3.1 MB/s eta 0:00:00
Installing collected packages: urllib3
  Attempting uninstall: urllib3
    Found existing installation: urllib3 2.1.0
    Uninstalling urllib3-2.1.0:
      Successfully uninstalled urllib3-2.1.0
Successfully installed urllib3-1.26.5
root@c82e021a91e7:/# pip3 freeze
certifi==2023.11.17
charset-normalizer==3.3.2
docker==4.2.0
idna==3.6
packaging==23.2
requests==2.31.0
six==1.16.0
supervisor==4.2.1
urllib3==1.26.5
websocket-client==1.6.4
DockerListener execution

First window

root@c82e021a91e7:/# /var/ossec/wodles/docker/DockerListener
{"integration": "docker", "docker": {"Wodle event": "Started"}}
Docker service was started.
{"integration": "docker", "docker": {"Wodle event": "Connected to Docker service"}}
{"integration": "docker", "docker": {"status": "pull", "id": "nginx:latest", "Type": "image", "Action": "pull", "Actor": {"ID": "nginx:latest", "Attributes": {"maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx"}}, "scope": "local", "time": 1701445999, "timeNano": 1701445999256520368}}

Second window

root@c82e021a91e7:/# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
Digest: sha256:10d1f5b58f74683ad34eb29287e07dab1e90f10af243f151bb50aa5dbb4d62ee
Status: Image is up to date for nginx:latest
docker.io/library/nginx:latest
Upgrading docker to 6.1.1
root@c82e021a91e7:/# pip3 install docker==6.1.1
Requirement already satisfied: urllib3==2.1.0 in /usr/local/lib/python3.10/dist-packages (2.1.0)
Collecting docker==6.1.1
  Using cached docker-6.1.1-py3-none-any.whl (147 kB)
Installing collected packages: docker
  Attempting uninstall: docker
    Found existing installation: docker 4.2.0
    Uninstalling docker-4.2.0:
      Successfully uninstalled docker-4.2.0
Successfully installed docker-6.1.1
root@c82e021a91e7:/# pip3 freeze
certifi==2023.11.17
charset-normalizer==3.3.2
docker==6.1.1
idna==3.6
packaging==23.2
requests==2.31.0
six==1.16.0
supervisor==4.2.1
urllib3==2.1.0
websocket-client==1.6.4
DockerListener execution

First window

root@c82e021a91e7:/# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Process wazuh-modulesd couldn't be terminated. It will be killed.
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.9.0 Stopped
Starting Wazuh v4.9.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@c82e021a91e7:/# /var/ossec/wodles/docker/DockerListener
{"integration": "docker", "docker": {"Wodle event": "Started"}}
Docker service was started.
{"integration": "docker", "docker": {"Wodle event": "Connected to Docker service"}}
{"integration": "docker", "docker": {"status": "pull", "id": "alpine:latest", "Type": "image", "Action": "pull", "Actor": {"ID": "alpine:latest", "Attributes": {"name": "alpine"}}, "scope": "local", "time": 1701447259, "timeNano": 1701447259513098487}}
{"integration": "docker", "docker": {"status": "pull", "id": "debian:latest", "Type": "image", "Action": "pull", "Actor": {"ID": "debian:latest", "Attributes": {"name": "debian"}}, "scope": "local", "time": 1701447282, "timeNano": 1701447282875843647}}

Second window

root@c82e021a91e7:/# docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
Digest: sha256:34871e7290500828b39e22294660bee86d966bc0017544e848dd9a255cdf59e0
Status: Image is up to date for alpine:latest
docker.io/library/alpine:latest
root@c82e021a91e7:/# docker pull debian
Using default tag: latest
latest: Pulling from library/debian
90e5e7d8b87a: Pull complete 
Digest: sha256:133a1f2aa9e55d1c93d0ae1aaa7b94fb141265d0ee3ea677175cdb96f5f990e5
Status: Downloaded newer image for debian:latest
docker.io/library/debian:latest

GGP1 linked a pull request Dec 1, 2023 that will close this issue

GGP1 commented Dec 4, 2023

Update

Changed the urllib3 library version to the one we are upgrading to in #20001 and created the issue #20617 to upgrade the docker library version.

Tests

Using urllib3==1.26.18
root@47cef3479dcb:/# pip3 install urllib3==1.26.18
Collecting urllib3==1.26.18
  Downloading urllib3-1.26.18-py2.py3-none-any.whl (143 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 143.4/143.4 kB 3.1 MB/s eta 0:00:00
Installing collected packages: urllib3
  Attempting uninstall: urllib3
    Found existing installation: urllib3 2.1.0
    Uninstalling urllib3-2.1.0:
      Successfully uninstalled urllib3-2.1.0
Successfully installed urllib3-1.26.18
root@47cef3479dcb:/# pip3 freeze
certifi==2023.11.17
charset-normalizer==3.3.2
docker==4.2.0
idna==3.6
packaging==23.2
requests==2.31.0
six==1.16.0
supervisor==4.2.1
urllib3==1.26.18
websocket-client==1.6.4
DockerListener execution

First window

root@47cef3479dcb:/# /var/ossec/wodles/docker/DockerListener
{"integration": "docker", "docker": {"Wodle event": "Started"}}
Docker service was started.
{"integration": "docker", "docker": {"Wodle event": "Connected to Docker service"}}
{"integration": "docker", "docker": {"status": "pull", "id": "nginx:latest", "Type": "image", "Action": "pull", "Actor": {"ID": "nginx:latest", "Attributes": {"maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "nginx"}}, "scope": "local", "time": 1701697978, "timeNano": 1701697978416520251}}

Second window

root@47cef3479dcb:/# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
1f7ce2fa46ab: Pull complete 
9b16c94bb686: Pull complete 
9a59d19f9c5b: Pull complete 
9ea27b074f71: Pull complete 
c6edf33e2524: Pull complete 
84b1ff10387b: Pull complete 
517357831967: Pull complete 
Digest: sha256:10d1f5b58f74683ad34eb29287e07dab1e90f10af243f151bb50aa5dbb4d62ee
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
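
A check for the failure this thread tracks down, as an added example rather than Wazuh's own code: it reads `pip3 freeze` output and DockerListener stdout and reports whether the listener is blind because of the docker/urllib3 pair. The version thresholds come only from the combinations tested above, and all function names are hypothetical.

```python
import json
import re

# Thresholds come from the combinations tested in this thread.
# Assumption: untested versions behave like the nearest tested one.
URLLIB3_BREAKING_MAJOR = 2          # urllib3 2.1.0 broke docker 4.2.0
DOCKER_FIRST_TESTED_OK = (6, 1, 1)  # docker 6.1.1 worked with urllib3 2.1.0

def parse_freeze(text):
    """Return {package: version_tuple} for the `name==x.y.z` lines of pip freeze."""
    pins = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)\s*", line)
        if m:  # anything else (comments, URLs, pre-releases) is skipped
            pins[m.group(1).lower()] = tuple(int(p) for p in m.group(2).split("."))
    return pins

def deps_status(freeze_text):
    """Return 'ok', 'incompatible' or 'missing' for the docker/urllib3 pair."""
    pins = parse_freeze(freeze_text)
    docker, urllib3 = pins.get("docker"), pins.get("urllib3")
    if docker is None or urllib3 is None:
        return "missing"
    if urllib3[0] >= URLLIB3_BREAKING_MAJOR and docker < DOCKER_FIRST_TESTED_OK:
        return "incompatible"
    return "ok"

def last_wodle_event(listener_output):
    """Return the last 'Wodle event' value in DockerListener stdout, or None."""
    last = None
    for line in listener_output.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue  # plain-text lines such as 'Reconnecting...'
        inner = event.get("docker") if isinstance(event, dict) else None
        if isinstance(inner, dict) and "Wodle event" in inner:
            last = inner["Wodle event"]
    return last

def diagnose(listener_output, freeze_text):
    """Return (last wodle event, dependency status) for one agent."""
    return last_wodle_event(listener_output), deps_status(freeze_text)

if __name__ == "__main__":  # values below are the failing run from this thread
    out = '{"integration": "docker", "docker": {"Wodle event": "Docker service is not running"}}'
    print(diagnose(out, "docker==4.2.0\nurllib3==2.1.0"))
```

A result of `("Docker service is not running", "incompatible")` means no container events are reaching the manager from that agent until the pins are corrected.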
