Configure and Deploy Wazuh SIEM with Docker Compose Container
Posted October 11, 2023
Do you want to configure and deploy Wazuh with Docker Compose? This guide walks through installing the Wazuh SIEM with a Docker Compose container. It uses an example installation of Wazuh in Docker, with all the code samples needed for the Wazuh SIEM security configuration.
What you Will Learn:
In this Wazuh Docker setup, you will learn:
- How to deploy a single-node Wazuh SIEM app to Docker using Docker Compose. This deployment uses a docker-compose.yml file with one Wazuh manager container, one Wazuh indexer container, and one Wazuh dashboard container.
- How to use the Wazuh SIEM Docker Compose container to deploy a live agent to Wazuh.
- How to manage Wazuh alerts and notifications.
- Create a Multi-node Wazuh SIEM with Docker deployment. This allows you to run multiple SIEM instances with multiple manager nodes. In this case, you will have a master and a worker node. You will use Docker Compose to deploy three Wazuh indexers and access your Wazuh Docker setup using the Wazuh dashboard.
What is Wazuh and Why you Need a Wazuh Docker Container
Wazuh is an open-source Security Information and Event Management (SIEM) application. You need a SIEM to detect and respond to security threats and incidents within your containers. Wazuh is a go-to monitor: it provides intrusion detection, vulnerability detection, log analysis, and threat intelligence.
For DevSecOps, a SIEM is critical, and Wazuh is an awesome tool to have at your disposal to enhance the security of your Docker infrastructure.
Docker is a good choice for managing your infrastructure: it gives you easier deployment and management. That makes it an ideal container strategy for getting a Wazuh Docker container up and running.
Let’s dive into this guide, install and deploy Wazuh with Docker Compose Containers.
What You Need to Run Wazuh SIEM with Docker
To run Wazuh with Docker, ensure:
- You have a running server; a remote one is better. I use an AWS ECS instance in this guide. However, you are not limited to a remote server; a local machine also works.
- Ensure you have Docker installed and running on your server/machine.
- You are deploying Wazuh with Docker Compose, so make sure you have it ready. Once Docker is installed, run the following command to download it:
curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
Then grant Docker Compose execution permissions (both steps write to /usr/local/bin, so run them as root or with sudo):
chmod +x /usr/local/bin/docker-compose
If everything is set, docker-compose --version should print the version without errors.
- Remember to increase max_map_count on your Docker host so the Wazuh indexer can work as expected:
sysctl -w vm.max_map_count=262144
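The following preflight script, added here and not part of the original post or the wazuh-docker project, checks the three prerequisites above on the Docker host. It also warns when vm.max_map_count is only set at runtime, since sysctl -w does not survive a reboot and the indexer would then fail to start; /etc/sysctl.d/99-wazuh.conf is an assumed file name for persisting it.

```shell
#!/usr/bin/env bash
# Preflight check for a Wazuh Docker host. Added example, not from the
# wazuh-docker project. Verifies the prerequisites above: Docker and Docker
# Compose are installed and vm.max_map_count meets the indexer requirement.
set -u

REQUIRED_MAP_COUNT=262144   # the value the guide sets with sysctl -w

# Return 0 when the given max_map_count value satisfies the indexer requirement.
map_count_ok() {
  [ "$1" -ge "$REQUIRED_MAP_COUNT" ] 2>/dev/null
}

# Return 0 when a sysctl config file persists a high enough value.
# "sysctl -w" alone is lost on reboot, so the indexer would fail to start later.
map_count_persisted() {
  local val
  val=$(sed -nE 's/^[[:space:]]*vm\.max_map_count[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$1" 2>/dev/null | tail -n 1)
  [ -n "$val" ] && map_count_ok "$val"
}

# Live checks against this host; /etc/sysctl.d/99-wazuh.conf is an assumed file name.
preflight() {
  local rc=0 current
  if command -v docker >/dev/null 2>&1; then echo "ok: docker found"; else echo "missing: docker"; rc=1; fi
  if command -v docker-compose >/dev/null 2>&1 || docker compose version >/dev/null 2>&1; then
    echo "ok: docker compose found"
  else
    echo "missing: docker compose"; rc=1
  fi
  current=$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)
  if map_count_ok "$current"; then
    echo "ok: vm.max_map_count=$current"
  else
    echo "low: vm.max_map_count=$current (need $REQUIRED_MAP_COUNT)"; rc=1
  fi
  if map_count_persisted /etc/sysctl.conf || map_count_persisted /etc/sysctl.d/99-wazuh.conf; then
    echo "ok: vm.max_map_count is persisted"
  else
    echo "warn: add 'vm.max_map_count=$REQUIRED_MAP_COUNT' to /etc/sysctl.d/99-wazuh.conf"
  fi
  return "$rc"
}

# Run the live checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then preflight; fi
```

Save it as wazuh-preflight.sh and run `bash wazuh-preflight.sh --check`; a non-zero exit means at least one prerequisite is missing.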
Installing Wazuh
First, you need the Wazuh installation templates. You don't have to create them from scratch; clone the wazuh-docker repository with the following command:
git clone https://github.com/wazuh/wazuh-docker.git -b stable --single-branch
This creates a wazuh-docker directory with all the starter code you need.
Deploy Wazuh Docker in Single Node Configuration
The cloned template contains every configuration file you need to run your Wazuh Docker container.
Here is an overview of the wazuh-docker directory in a text editor:
The goal is to spin up a single node, so change into the single-node directory:
cd wazuh-docker/single-node
Wazuh is a security platform, so access to it is secured: it uses certificates to serve Wazuh over SSL/TLS. This configuration is saved in generate-indexer-certs.yml as follows:
version: '3'
services:
  generator:
    image: wazuh/wazuh-certs-generator:0.0.1
    hostname: wazuh-certs-generator
    volumes:
      - ./config/wazuh_indexer_ssl_certs/:/certificates/
      - ./config/certs.yml:/config/certs.yml
This lets Docker generate self-signed certificates for your node. If your host reaches the internet through a proxy, you must add the following to the generator service in your generate-indexer-certs.yml file:
    environment:
      - HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS
If you are using nano, run:
nano generate-indexer-certs.yml
Your file should be updated as follows:
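The complete file after that change, written out here as an added example rather than a screenshot from the original post. YOUR_PROXY_ADDRESS_OR_DNS is the page's own placeholder; replace it with your proxy URL, and leave the environment block out entirely if you have no proxy.

```yaml
version: '3'
services:
  generator:
    image: wazuh/wazuh-certs-generator:0.0.1
    hostname: wazuh-certs-generator
    environment:
      # Only needed when the host reaches the internet through a proxy.
      # Placeholder value; a real entry looks like http://proxy.example.internal:3128
      - HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS
    volumes:
      # The generated self-signed certificates land here and are later
      # mounted into the indexer, manager and dashboard containers.
      - ./config/wazuh_indexer_ssl_certs/:/certificates/
      - ./config/certs.yml:/config/certs.yml
```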
Then run the following command to apply the changes:
docker-compose -f generate-indexer-certs.yml run --rm generator
Provision Wazuh with Docker Compose
Now make sure you are in your wazuh-docker/single-node directory and run the following Docker Compose command to get your Wazuh SIEM single node up and running:
docker-compose up -d
Docker will download all the images Wazuh needs and create your containers:
You can confirm if your services are running using either of the following commands:
docker-compose ps
docker ps
You should have a Wazuh SIEM manager, an indexer, and a dashboard running as Docker containers.
Running Wazuh Docker Container
You have now deployed Wazuh to Docker using Docker Compose. To access it, browse to your server's IP address, or your domain name if you have one, using the https scheme. The dashboard is served with the self-signed certificate generated earlier, so expect a browser certificate warning on first access:
The following should be the first screen of a successfully deployed Wazuh container:
This serves you a login dashboard as follows:
Use admin as the username and SecretPassword as the password.
And there you have your first Wazuh Docker container up and running:
Before proceeding, change your login details to credentials of your own as an additional security measure. Here is a complete guide to changing the Wazuh password and user; alternatively, you can use the Docker-deployed Wazuh dashboard to do so:
Deploying an Agent to Wazuh SIEM Docker Container
Wazuh only keeps security records for, and monitors, deployed agents, so you need one.
This step enrolls a Wazuh agent as an authorized host that needs security monitoring. Wazuh encrypts communication with your agents and assigns each new agent a unique key so you can validate and manage it individually.
At the moment you don't have any agents. To deploy one, click Add agent:
You will add a new agent as follows:
- Choose your operating system and add the address the agent will connect to; in this case, add the IP address of the server you are running:
Then add your agent name as follows:
This generates the commands shown above, which you need to copy and run on the agent host:
Remember to enable, start, and reload your Agents:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
For Wazuh to detect your agent, make sure the ports it uses are forwarded and reachable from the agent host. Wazuh uses the following ports:
They must be configured accordingly. If you are using AWS ECS, you need to create a security group that allows the port range 1514 to 1515, as follows:
Now refresh your Wazuh agent:
And there you have it. You should be able to get the same on your home Wazuh dashboard:
Checking Your Agents
Now that your agent is running, you can manage it and access all of its security monitoring.
Navigate to your agent (click the agent's name):
Check the agent's vulnerability scans:
Check any security events as follows:
These are just a few of the things you can check. Be sure to explore your Docker-deployed Wazuh and find out more.
Managing Your Agents
Wazuh allows you to create custom configurations to enhance your security experience. For example, you can create:
- Notification channels.
- Alert rules, to create and remove triggers.
- Indexes.
- Reports, etc.
For example, you can add any notification channel of your choice:
If you choose Slack, you only need to add your channel name and the Slack webhook URL:
This way, Wazuh sends security and vulnerability alerts on time. You can also set the minimum severity level at which alerts are sent.
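The post configures the channel through the dashboard. The same result can be reached on the manager side with an integration block in the manager's ossec.conf, which in the single-node wazuh-docker layout is mounted from config/wazuh_cluster/wazuh_manager.conf (assumed path). This is an added example, not from the post; the webhook URL is a placeholder, and the level value is the minimum rule severity that triggers a message.

```xml
<ossec_config>
  <!-- Forward alerts to Slack. Added example, not part of the original post. -->
  <integration>
    <name>slack</name>
    <!-- Placeholder: paste the incoming-webhook URL Slack gives you.
         Treat it as a secret; anyone holding it can post into the channel. -->
    <hook_url>https://hooks.slack.com/services/REPLACE/WITH/YOURS</hook_url>
    <!-- Minimum severity: only alerts with rule level 10 or higher are sent. -->
    <level>10</level>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
```

Restart the manager container afterwards for the change to take effect (in the single-node docker-compose.yml the service is named wazuh.manager, an assumption to verify in your copy).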
Conclusion
In this Wazuh SIEM Docker setup, you learned:
- How to deploy a single-node Wazuh app to Docker using Docker Compose. This deployment uses a docker-compose.yml file with one Wazuh manager container, one Wazuh indexer container, and one Wazuh dashboard container.
- How to deploy a live agent to Wazuh.
- How to manage Wazuh alerts and notifications.
I hope you found this helpful!