Running Wazuh Agents in Docker – From Traditional HIDS to Ingest Agents



Wazuh

Wazuh is an open-source security platform for monitoring systems for threats, intrusions, and anomalies. Traditionally, the Wazuh agent is installed on physical or virtual Linux servers to perform host-based intrusion detection (HIDS). It watches file integrity, log data, running processes, and system configuration on the host and reports suspicious changes or activity to the Wazuh manager.

This works well in environments where systems are treated as immutable infrastructure — where servers are expected to remain unchanged. Any deviation from the expected system state triggers an alert, which aligns perfectly with the Wazuh philosophy.

However, the landscape of modern infrastructure has evolved.


The Challenge: Pets vs. Cattle

In today’s cloud-native environments, we often treat our servers like “cattle” instead of “pets”: we spin them up and down frequently and run applications in short-lived containers or pods. This poses a challenge to the traditional Wazuh agent, which expects a consistent, long-lived system state. Each agent enrolls with the manager under its own name and key, and the manager keeps that entry until someone removes it, so a container that enrolls afresh on every start both loses the baseline that file integrity monitoring relies on and leaves a trail of stale agents behind.

As of now, Wazuh doesn’t officially provide a Docker image for the agent, which makes it awkward to integrate into containerized environments — until now.


Introducing: Dockerized Wazuh Agents

Since I run nearly all of my infrastructure in containers, I needed a Wazuh agent that could integrate seamlessly into my Docker and Kubernetes environments. So I built one.

My Dockerized Wazuh agent is designed to provision itself against the Wazuh manager automatically. This means you can drop it into any Docker Compose file or Kubernetes deployment and have it running in minutes across multiple servers or clusters.


Not Just a HIDS – Using Wazuh as an Ingest Agent

Instead of using the agent to monitor the filesystem directly (which is still possible via mounted volumes), I’ve repurposed it into an ingest agent.

What does this mean?

I’ve added a lightweight API script to the agent container, allowing it to receive logs in JSON format from external services. These logs are then forwarded to the Wazuh manager for analysis and alerting.

This setup allows you to:

  • Centralize log ingestion from any service that can send JSON logs.
  • Use Wazuh’s alerting engine without tying the agent to a specific system or container lifecycle.
  • Seamlessly integrate with Docker- or Kubernetes-based workflows.
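To make the ingest pattern concrete, here is an added example of what such an API script can look like. It is not the code from the samma-io repository; it is a stand-alone illustration that assumes the common way of feeding external data into a Wazuh agent: the endpoint appends each accepted event as one compact JSON line to a file (here assumed to be /var/log/ingest/events.log) that the agent’s log collector reads with a `<localfile>` of `<log_format>json</log_format>`, and the manager then decodes the fields for its rules. The shared token, file path, and 64 KiB body limit are assumptions for the example. The security-relevant parts are the ones a practitioner would insist on before exposing such an endpoint: an authenticated endpoint (anyone who can POST can otherwise fabricate alerts or flood the manager), a body size cap, and re-serialization of the event so that one request always becomes exactly one line, which prevents a sender from smuggling extra log records via embedded newlines.

```python
"""Minimal authenticated JSON ingest endpoint for a containerized Wazuh agent.

Added example; not the samma-io code. It assumes the agent tails INGEST_LOG
with <log_format>json</log_format>, so each accepted request must become one line.
"""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed paths/secrets: in a real deployment inject these via the container env.
INGEST_LOG = os.environ.get("INGEST_LOG", "/var/log/ingest/events.log")
INGEST_TOKEN = os.environ.get("INGEST_TOKEN", "")  # shared secret; empty = refuse all
MAX_BODY = 64 * 1024  # bytes; protects the agent and manager from oversized events

# The agent-side stanza this file layout assumes (ossec.conf), kept here for reference.
OSSEC_LOCALFILE = """<localfile>
  <log_format>json</log_format>
  <location>/var/log/ingest/events.log</location>
</localfile>"""


def authorized(auth_header, token):
    """Constant-time check of an 'Authorization: Bearer <token>' header.

    Refuses everything when no token is configured, so a misconfigured
    container fails closed instead of becoming an open log sink.
    """
    if not token or not auth_header or not auth_header.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth_header[len("Bearer "):], token)


def normalize(body):
    """Parse the body, require a JSON object, return it as one compact line.

    json.dumps escapes control characters inside strings and strips any
    pretty-printing, so a multi-line request body still yields a single log
    record and a sender cannot inject a second fake event via a newline.
    """
    obj = json.loads(body)
    if not isinstance(obj, dict):
        raise ValueError("top-level JSON object required")
    return json.dumps(obj, separators=(",", ":"), ensure_ascii=False)


def ingest(body, auth_header, token=INGEST_TOKEN, path=INGEST_LOG, max_body=MAX_BODY):
    """Validate one request and append it to the log file.

    Returns (http_status, message). Only 202 means a line was written.
    """
    if not authorized(auth_header, token):
        return 401, "unauthorized"
    if len(body) > max_body:
        return 413, "body too large"
    try:
        line = normalize(body)
    except (ValueError, UnicodeDecodeError) as exc:  # JSONDecodeError is a ValueError
        return 400, f"invalid json: {exc}"
    # Append mode plus a single write() keeps each record on its own line even
    # when several handlers write concurrently.
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return 202, "accepted"


class IngestHandler(BaseHTTPRequestHandler):
    """HTTP front end: POST a JSON object, get a plain-text status back."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        # Read at most one byte over the limit so oversized bodies are rejected
        # without buffering the whole thing.
        body = self.rfile.read(min(length, MAX_BODY + 1))
        status, msg = ingest(body, self.headers.get("Authorization"))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(msg.encode("utf-8"))


if __name__ == "__main__":
    # Bind inside the container; publish the port via Compose/Kubernetes as needed.
    HTTPServer(("0.0.0.0", 8080), IngestHandler).serve_forever()
```

A sender then posts a JSON object with an `Authorization: Bearer …` header, and the manager’s JSON decoder exposes the object’s keys as fields that rules can match on. Terminate TLS in front of this endpoint (a sidecar or ingress) so the bearer token is not sent in the clear, and mount the log directory with enough space, since a noisy sender can otherwise fill the container’s filesystem before the agent forwards the lines.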

Why This Matters

Running Wazuh in Docker opens up several possibilities:

  • Portable and repeatable deployments: Add the agent to your stack via Docker Compose or Helm charts.
  • Scalability: Deploy across nodes without manually configuring each one.
  • Flexibility: Use the agent as a log forwarder or traditional HIDS agent, depending on your needs.

Try It Yourself

The Dockerized Wazuh agent, including the ingest API, is available on GitHub:

https://github.com/samma-io/wazuh-agent

Feel free to fork it, use it, and adapt it to your infrastructure.


Final Thoughts

Using Wazuh as a containerized ingest agent is a modern, flexible way to extend your security monitoring. Whether you’re running a Kubernetes cluster or a few Docker-based services on edge nodes, this approach simplifies deployment and broadens what Wazuh can monitor.

Security should scale with your infrastructure — and now, with Wazuh in Docker, it can.