Docker Ossec Server

OSSEC server docker image
Alternatives To Docker Ossec Server
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
7 hours ago5August 18, 20223,503otherTypeScript
The communications platform that puts data protection first.
8 hours ago49September 14, 2022655bsd-3-clauseTypeScript
Secure Backend Server for Web, Mobile & Flutter Developers 🚀 AKA the 100% open-source Firebase alternative.
Hydra13,87283 days ago1May 08, 201973apache-2.0Go
OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.
7 days ago100otherTypeScript
Scalable PaaS (automated Docker+nginx) - aka Heroku on Steroids
Rap2 Delos7,400
5 months ago73mitTypeScript
Jupyterhub7,10525511514 hours ago66June 06, 2022182otherPython
Multi-user server for Jupyter notebooks
Nakama6,936110 hours ago72November 28, 2020102apache-2.0Go
Distributed server for social and realtime games and apps.
2 years agoJuly 12, 202218apache-2.0Lua
Docker + Minecraft = Dockercraft
12 days ago23mitPHP
An Application dashboard and launcher
Docker Ipsec Vpn Server5,316
22 days ago2otherShell
Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
Alternatives To Docker Ossec Server
Select To Compare

Alternative Project Comparisons


An ossec-server image with the ability to separate the ossec configuration/data from the container, meaning easy container replacements. This image is designed to be as turn key as possible, supporting out of the box:

  1. Automatic enrollment for agents, using ossec-authd
  2. Remote syslog forwarding for the ossec server messages
  3. SMTP notifications (requires no-auth SMTP server)

The following directories are externalized under /var/ossec/data which allow the container to be replaced without configuration or data loss: logs, etc, stats,rules, and queue. In addition to those directories, the bin/.process_list file is symlink'ed to process_list in the data volume.

Quick Start

To get an up and running ossec server that supports auto-enrollment and sends HIDS notifications a syslog server, use.

 docker run --name ossec-server -d -p 1514:1514/udp -p 1515:1515\
  -v /somepath/ossec_mnt:/var/ossec/data xetusoss/ossec-server

Once the system starts up, you can execute the standard ossec commands using docker. For example, to list active agents.

docker exec -ti ossec-server /var/ossec/bin/list_agents -a

Available Configuration Parameters

  • AUTO_ENROLLMENT_ENABLED: Specifies whether or not to enable auto-enrollment via ossec-authd. Defaults to true;
  • AUTHD_OPTIONS: Options to passed ossec-authd, other than -p and -g. Defaults to empty;
  • SMTP_ENABLED: Whether or not to enable SMTP notifications. Defaults to true if ALERTS_TO_EMAIL is specified, otherwise false
  • SMTP_RELAY_HOST: The relay host for SMTP messages, required for SMTP notifications. This host must support non-authenticated SMTP (see this thread). No default.
  • ALERTS_FROM_EMAIL: The email address the alerts should come from. Defaults to [email protected]$HOSTNAME.
  • ALERTS_TO_EMAIL: The destination email address for SMTP notifications, required for SMTP notifications. No default.
  • SYSLOG_FORWADING_ENABLED: Specify whether syslog forwarding is enabled or not. Defaults to false.
  • SYSLOG_FORWARDING_SERVER_IP: The IP for the syslog server to send messagse to, required for syslog fowarding. No default.
  • SYSLOG_FORWARDING_SERVER_PORT: The destination port for syslog messages. Default is 514.
  • SYSLOG_FORWARDING_FORMAT: The syslog message format to use. Default is default.

Please note: All the SMTP and SYSLOG configuration variables are only applicable to the first time setup. Once the container's data volume has been initialized, all the configuration options for OSSEC can be changed.

Known Issues / Warnings

ossec-execd is not enabled

Since this is a docker container, ossec-execd really isn't a great idea anyway. Having a log server, such as graylog, react based on log entries is the recommended approach.

A default localhost agent is added

On first launch, the ossec server will not start up properly and bind to port 1514, unless at least one agent to be present in the client.keys file. To avoid that issue, a local agent is setup by default. See this bug with OSSEC.

Running on OS X using Docker For Mac

The osxfs integration used for volume binding on Mac OS X causes an issue resolving symlinks in the container. To work around this issue, just don't bind /var/ossec/data to a host directory. Instead, use a regular docker volume and execute a shell in the container to inspect the data. All the typical docker volume management tricks apply, of course.

# To start the container on OS X
docker run --name ossec-server -d -p 1514:1514/udp -p 1515:1515\
  -v /var/ossec/data xetusoss/ossec-server

Issues / Pull Requests

Since this image has become the de-facto standard for OSSEC on docker hub, I wanted to be very clear that we intend to maintain this image with the interest of the community in mind. If you have issues, please file them. If you have made changes you'd like to see included, pull requests are welcome!

Popular Docker Projects
Popular Server Projects
Popular Virtualization Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Security Tools