BLACKSHIELD

Public guide

Deploy the VM and Host Scanner

Ingest OSSEC and Wazuh host intrusion detection alerts into the platform for correlation with cloud and container findings. Works with Docker Compose, systemd, or ECS Fargate. Target audience: security operations teams, infrastructure engineers. Typical setup time: 3 minutes.

Before you begin

  • Confirm OSSEC or Wazuh is running and writing alerts to a JSON file (alerts.json).
  • Default alert path: /var/ossec/logs/alerts/alerts.json
  • Create an ingestion API key in Settings → API Keys with Ingestion scope.

Step by step

Step 1

Quick start with Docker Compose

Mount the OSSEC alerts file and start the scanner container in under a minute.

  • Add the docker-compose.yml snippet from the Developer Guide next to your Wazuh or OSSEC installation.
  • Set SECPLATFORM_API_URL, SECPLATFORM_API_KEY, and OSSEC_ALERTS_FILE in the environment section.
  • Mount /var/ossec/logs/alerts as read-only into the container.
  • Run: docker compose up -d && curl http://localhost:8080/health

Step 2

Production: systemd sidecar or ECS

For production fleets, run as a systemd service with a secure env file, or as an ECS Fargate task.

  • systemd: create /etc/secplatform/env (mode 600), copy the unit file from the Developer Guide, run: systemctl enable --now secplatform-vms-scanner
  • ECS Fargate: register the task definition from the Developer Guide, pass SECPLATFORM_API_KEY from Secrets Manager via the secrets array.
  • GCP: deploy as a Cloud Run service with --min-instances 1 to keep it always running.
  • The scanner tracks its file offset across restarts — no duplicate alerts on container restart.
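As an added example (not the BlackShield scanner's own code) of the offset tracking described above: a small reader that persists its byte offset in a state file, re-reads from the start when alerts.json is rotated or truncated, and leaves a half-written trailing line for the next pass. The state file path and the sample alerts are constructed for this illustration.

```python
# Added example (not the BlackShield scanner's own code): an offset-tracking
# reader for an OSSEC/Wazuh alerts.json (one JSON object per line), showing how
# a restart does not re-ingest alerts. State file path and sample alerts are
# constructed for this example.
import json
import os
import tempfile

def read_new_alerts(alerts_path, state_path):
    """Return alerts appended since the last call and persist the new offset.
    Rotated/truncated file (size < saved offset): re-read from byte 0.
    Partial trailing line (no newline yet): left for the next call."""
    try:
        with open(state_path) as f:
            offset = int(f.read() or 0)
    except FileNotFoundError:              # first run: no state yet
        offset = 0
    if os.path.getsize(alerts_path) < offset:
        offset = 0                         # file was rotated or truncated
    alerts = []
    with open(alerts_path, "rb") as f:
        f.seek(offset)
        for line in iter(f.readline, b""):
            if not line.endswith(b"\n"):
                break                      # partial line: wait for the writer
            offset += len(line)
            if line.strip():
                alerts.append(json.loads(line))
    tmp = state_path + ".tmp"              # write-then-rename keeps state atomic
    with open(tmp, "w") as f:
        f.write(str(offset))
    os.replace(tmp, state_path)
    return alerts

def demo():
    """Constructed Wazuh-style alerts: read, 'restart', then append one more."""
    d = tempfile.mkdtemp()
    alerts, state = os.path.join(d, "alerts.json"), os.path.join(d, "offset")
    with open(alerts, "w") as f:
        f.write('{"rule":{"id":"5710","level":5},"agent":{"name":"web-01"}}\n')
        f.write('{"rule":{"id":"5712","level":10},"agent":{"name":"web-01"}}\n')
    first = len(read_new_alerts(alerts, state))
    second = len(read_new_alerts(alerts, state))  # nothing new after restart
    with open(alerts, "a") as f:
        f.write('{"rule":{"id":"5715","level":3},"agent":{"name":"web-01"}}\n')
    third = len(read_new_alerts(alerts, state))   # only the appended alert
    return first, second, third
```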

Step 3

Verify alert ingestion

Confirm alerts are flowing into the platform and correlating with cloud findings.

  • Check health: curl http://localhost:8080/health — look for findings_ingested_total > 0
  • Open the platform Findings view and filter by scanner=vms.
  • Trigger a test OSSEC alert and confirm it appears within the SCAN_INTERVAL_SECONDS window.
  • Review correlated findings — the platform links host alerts to related cloud and container findings.

Run

Docker Compose quick start

```yaml
services:
  secplatform-vms-scanner:
    image: ghcr.io/your-org/secplatform-vms-scanner:latest
    restart: unless-stopped
    environment:
      SECPLATFORM_API_URL: "https://api.yourdomain.com"
      SECPLATFORM_API_KEY: "sp_xxxx"          # ingestion-scoped key from Settings → API Keys
      OSSEC_ALERTS_FILE: /alerts/alerts.json  # path inside the container (see volume below)
      SCAN_INTERVAL_SECONDS: "60"
      LOG_LEVEL: INFO
    volumes:
      - /var/ossec/logs/alerts:/alerts:ro     # read-only mount of the OSSEC alerts directory
    ports:
      - "8080:8080"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 5s
      retries: 3
```

systemd sidecar install

```bash
# Create secure env file (root-only, mode 600)
install -d -m 750 /etc/secplatform
install -m 600 /dev/null /etc/secplatform/env
cat > /etc/secplatform/env << 'EOF'
SECPLATFORM_API_URL=https://api.yourdomain.com
SECPLATFORM_API_KEY=sp_xxxx
OSSEC_ALERTS_FILE=/var/ossec/logs/alerts/alerts.json
SCAN_INTERVAL_SECONDS=60
EOF

# Create and enable service (the container reads the same env file; the
# alerts directory is mounted read-only at the same path as on the host)
cat > /etc/systemd/system/secplatform-vms-scanner.service << 'EOF'
[Unit]
Description=SecPlatform VM Scanner
After=docker.service
Requires=docker.service

[Service]
Restart=always
EnvironmentFile=/etc/secplatform/env
ExecStartPre=-/usr/bin/docker rm -f secplatform-vms-scanner
ExecStart=/usr/bin/docker run --rm --name secplatform-vms-scanner \
  --env-file /etc/secplatform/env \
  -v /var/ossec/logs/alerts:/var/ossec/logs/alerts:ro \
  -p 8080:8080 \
  ghcr.io/your-org/secplatform-vms-scanner:latest

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now secplatform-vms-scanner
```

Success checks

  • curl http://localhost:8080/health returns status: healthy.
  • findings_ingested_total increases after OSSEC/Wazuh generates an alert.
  • Findings appear in the platform Findings view with scanner=vms.