公开指南

Deploy the VM and Host Scanner

Ingest OSSEC and Wazuh host intrusion detection alerts into the platform for correlation with cloud and container findings. Works with Docker Compose, systemd, or ECS Fargate. 受众: Security operations teams, infrastructure engineers. 典型配置时长: 3 minutes.

开始之前

Confirm OSSEC or Wazuh is running and writing alerts to a JSON file (alerts.json).
Default alert path: /var/ossec/logs/alerts/alerts.json
Create an ingestion API key in Settings → API Keys with Ingestion scope.

分步说明

步骤 1

Quick start with Docker Compose

Mount the OSSEC alerts file and start the scanner container in under a minute.

Add the docker-compose.yml snippet from the Developer Guide next to your Wazuh or OSSEC installation.
Set SECPLATFORM_API_URL, SECPLATFORM_API_KEY, and OSSEC_ALERTS_FILE in the environment section.
Mount /var/ossec/logs/alerts as read-only into the container.
Run: docker compose up -d && curl http://localhost:8080/health

步骤 2

Production: systemd sidecar or ECS

For production fleets, run as a systemd service with a secure env file, or as an ECS Fargate task.

systemd: create /etc/secplatform/env (mode 600), copy the unit file from the Developer Guide, run: systemctl enable --now secplatform-vms-scanner
ECS Fargate: register the task definition from the Developer Guide, pass SECPLATFORM_API_KEY from Secrets Manager via the secrets array.
GCP: deploy as a Cloud Run service with --min-instances 1 to keep it always running.
The scanner tracks its file offset across restarts — no duplicate alerts on container restart.

步骤 3

Verify alert ingestion

Confirm alerts are flowing into the platform and correlating with cloud findings.

Check health: curl http://localhost:8080/health — look for findings_ingested_total > 0
Open the platform Findings view and filter by scanner=vms.
Trigger a test OSSEC alert and confirm it appears within the SCAN_INTERVAL_SECONDS window.
Review correlated findings — the platform links host alerts to related cloud and container findings.

运行命令

Docker Compose quick start

yaml

services:
  secplatform-vms-scanner:
    image: ghcr.io/your-org/secplatform-vms-scanner:latest
    restart: unless-stopped
    environment:
      SECPLATFORM_API_URL: "https://api.yourdomain.com"
      SECPLATFORM_API_KEY: "sp_xxxx"
      OSSEC_ALERTS_FILE: /alerts/alerts.json
      SCAN_INTERVAL_SECONDS: "60"
      LOG_LEVEL: INFO
    volumes:
      - /var/ossec/logs/alerts:/alerts:ro
    ports:
      - "8080:8080"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 5s
      retries: 3

systemd sidecar install

bash

# Create secure env file (root-only)
install -d -m 750 /etc/secplatform
install -m 600 /dev/null /etc/secplatform/env
cat > /etc/secplatform/env << 'EOF'
SECPLATFORM_API_URL=https://api.yourdomain.com
SECPLATFORM_API_KEY=sp_xxxx
OSSEC_ALERTS_FILE=/var/ossec/logs/alerts/alerts.json
SCAN_INTERVAL_SECONDS=60
EOF

# Create and enable service
cat > /etc/systemd/system/secplatform-vms-scanner.service << 'EOF'
[Unit]
Description=SecPlatform VM Scanner
After=docker.service
Requires=docker.service

[Service]
Restart=always
EnvironmentFile=/etc/secplatform/env
ExecStartPre=-/usr/bin/docker rm -f secplatform-vms-scanner
ExecStart=/usr/bin/docker run --rm --name secplatform-vms-scanner \
  --env-file /etc/secplatform/env \
  -v /var/ossec/logs/alerts:/var/ossec/logs/alerts:ro \
  -p 8080:8080 \
  ghcr.io/your-org/secplatform-vms-scanner:latest

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now secplatform-vms-scanner

成功检查

curl http://localhost:8080/health returns status: healthy.
findings_ingested_total increases after OSSEC/Wazuh generates an alert.
Findings appear in the platform Findings view with scanner=vms.

后续操作

Open API Keys View Findings All Deployment Guides