mirror of https://github.com/wazuh/wazuh-docker.git (synced 2025-10-24 08:33:46 +00:00)
Reference Manual - Glossary
This glossary defines key terms and concepts related to Wazuh, Docker, and their use together in the Wazuh-Docker project (version 5.0.0).
A
- Active Response: A Wazuh capability that allows automatic actions to be taken on an agent or manager in response to specific triggers or alerts (e.g., blocking an IP address, stopping a process).
- Agent (Wazuh Agent): Software installed on monitored endpoints (servers, workstations, cloud instances) that collects security data (logs, file integrity, configuration assessments, etc.) and forwards it to the Wazuh Manager.
- Alert: A notification generated by the Wazuh Manager when an event or a series of events matches a predefined rule, indicating a potential security issue, misconfiguration, or policy violation.
- API (Wazuh API): An application programming interface provided by the Wazuh Manager that allows for programmatic interaction with the Wazuh system, such as managing agents, retrieving alerts, updating rulesets, and checking system health.
C
- CDB List (Constant DataBase List): Key-value pair files used by Wazuh rules for fast lookups. Useful for whitelisting, blacklisting, or correlating events with known indicators.
- Cluster:
  - Wazuh Indexer Cluster (OpenSearch/Elasticsearch Cluster): A group of interconnected Wazuh Indexer nodes that work together to store, index, and search data, providing scalability and high availability.
  - Wazuh Manager Cluster: A group of Wazuh managers working together to provide load balancing and high availability for agent connections and event processing.
- Container (Docker Container): A lightweight, standalone, executable package of software that includes everything needed to run it: code, runtime, system tools, system libraries, and settings. Wazuh-Docker runs each Wazuh component (manager, indexer, dashboard) in its own container.
- Containerization: The process of packaging an application and its dependencies into a container.
D
- Dashboard (Wazuh Dashboard / OpenSearch Dashboards / Kibana): A web-based visualization tool used to explore, analyze, and visualize data stored in the Wazuh Indexer. It provides dashboards, visualizations, and a query interface for security events and alerts. For Wazuh 5.0.0, this is typically OpenSearch Dashboards.
- Decoder: A component in the Wazuh Manager that parses and extracts relevant information (fields) from raw log messages or event data.
- Docker: An open platform for developing, shipping, and running applications inside containers.
- Docker Compose: A tool for defining and running multi-container Docker applications. It uses a YAML file (docker-compose.yml) to configure the application's services, networks, and volumes.
- Dockerfile: A text document that contains all the commands a user could call on the command line to assemble an image. Docker can build images automatically by reading the instructions from a Dockerfile.
- Docker Hub: A cloud-based registry service that lets you link to code repositories, build and test your images, store manually pushed images, and connect to Docker Cloud so you can deploy images to your hosts. Wazuh Docker images are often hosted here.
- Docker Image: A read-only template with instructions for creating a Docker container. Images are used to instantiate containers.
- Docker Volume: A mechanism for persisting data generated by and used by Docker containers. Volumes are managed by Docker and are stored on the host filesystem, separate from the container's lifecycle. Essential for storing Wazuh data, configurations, and logs.
E
- Endpoint: Any device (server, desktop, laptop, virtual machine, cloud instance) that is monitored by a Wazuh agent.
- Environment Variable: A variable whose value is set outside the program, typically by the operating system or a container runtime, and can be accessed by the program to modify its behavior. Used extensively in Wazuh-Docker for configuration.
F
- File Integrity Monitoring (FIM): A Wazuh capability that monitors files and directories for changes, additions, or deletions, helping to detect unauthorized modifications.
I
- Indexer (Wazuh Indexer / OpenSearch / Elasticsearch): The component responsible for storing, indexing, and making searchable the alerts and event data generated by the Wazuh Manager. For Wazuh 5.0.0, this is typically OpenSearch.
L
- Log Analysis: A core function of the Wazuh Manager, involving the collection, normalization, parsing, and analysis of log data from various sources.
M
- Manager (Wazuh Manager): The central component of the Wazuh platform. It collects data from agents, analyzes it using rules and decoders, generates alerts, and manages agents.
N
- Node:
  - Wazuh Indexer Node: A single instance of a Wazuh Indexer (OpenSearch/Elasticsearch) process, typically running in a container. Multiple nodes can form a cluster.
  - Wazuh Manager Node: A single instance of a Wazuh manager, which can operate standalone or as part of a manager cluster.
O
- ossec.conf: The main configuration file for the Wazuh Manager and Wazuh Agent.
R
- Rule: A set of conditions defined in the Wazuh Manager that, when met by an event or a sequence of events, triggers an alert.
- Ruleset: The collection of all rules and decoders used by the Wazuh Manager.
S
- Scalability: The ability of the system to handle a growing amount of work by adding resources. In Wazuh-Docker, this can refer to scaling the number of agents, or the capacity of the indexer/manager cluster.
- Security Information and Event Management (SIEM): A field of computer security that combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware. Wazuh is a SIEM solution.
- Service (Docker Compose Service): A definition of a container within a docker-compose.yml file, including its image, ports, volumes, environment variables, etc.
V
- Volume (Docker Volume): See Docker Volume.
W
- Wazuh: An open-source security platform that provides threat prevention, detection, and response.
- Wazuh API: See API.
- Wazuh Dashboard: See Dashboard.
- Wazuh Indexer: See Indexer.
- Wazuh Manager: See Manager.
This glossary provides a starting point. For more detailed definitions or terms not listed here, please refer to the official Wazuh and Docker documentation.