Wazuh single-node deployment with docker

The easiest stack runs Docker containers on a single node in a VM: the Wazuh manager for ingesting logs, Elasticsearch as the storage backend that logs and alerts are written to, and Kibana as the web UI for working with the Elastic stack views, building dashboards, and browsing all the alerts. Single-node, local, with self-signed certs.

VM

A local QEMU/KVM guest with 8 GB RAM, 50 GB disk and Ubuntu Server 22.04.3 without any additional packages.

Docker

Using the Docker convenience script to install Docker (download and inspect it first if you prefer; alternatively, install it manually, it is available for all platforms):

curl -sSL https://get.docker.com/ | sh


This takes a while.

Start Docker and enable the service to run at boot time:

systemctl start docker

Check it works:

systemctl status docker


And enable it permanently, so it starts at boot:

systemctl enable docker

Docker Compose

Compose runs Wazuh, Elasticsearch, Kibana, Filebeat, and Nginx with one command within the same environment, so that all applications can talk to one another. Choose a release version; note that Compose v2 release tags carry a leading "v" and the release assets use a lowercase OS name, which the URL below accounts for:

sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m)" -o /usr/local/bin/docker-compose


Make executable and create a symlink:

sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

Check it works by printing the Compose version:

docker-compose --version

Preparing the VM

Elasticsearch needs enough memory on the host that runs the containers (at least 6 GB should be available to it; this does not necessarily mean that it is all used) and a raised vm.max_map_count, the kernel's per-process limit on memory map areas, without which it refuses to start:

sudo sysctl -w vm.max_map_count=262144


The sysctl -w change is lost at reboot. To set the value permanently, add the vm.max_map_count setting to /etc/sysctl.conf: open the file, scroll down to the bottom and add the line vm.max_map_count=262144:

sudo nano /etc/sysctl.conf

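A small pre-flight script, added here as an example (it is not part of the wazuh-docker project), that checks the host preparation done so far before moving on to the clone and deployment: the running vm.max_map_count, the persistent value in a sysctl.conf-style file (comments, spacing and a missing key are handled), total memory against the 6 GB figure above, and whether a Compose binary answers. The /proc and /etc paths are the standard Linux ones; every check takes an optional argument so it can be exercised on constructed input.

```shell
#!/bin/sh
# Pre-flight checks for the single-node Wazuh stack (added example, not wazuh-docker code).
# Every check returns 0 on success and 1 on failure; preflight runs them all.

REQUIRED_MAP_COUNT=262144            # the value set above with sysctl -w
REQUIRED_MEM_KB=$((6 * 1024 * 1024)) # 6 GB, the minimum given to the host above

# Running kernel value; $1 overrides the /proc read (used for testing).
check_map_count() {
    cur="${1:-$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)}"
    [ "$cur" -ge "$REQUIRED_MAP_COUNT" ]
}

# MemTotal in kB; $1 overrides the /proc/meminfo read.
check_memory_kb() {
    kb="${1:-$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null)}"
    [ "${kb:-0}" -ge "$REQUIRED_MEM_KB" ]
}

# Is the persistent setting in a sysctl.conf-style file ($1) high enough?
# Skips comment lines, tolerates spaces around '=', takes the last matching
# line, and fails when the key is absent (the value would revert at next boot).
check_sysctl_conf() {
    val=$(sed -n 's/^[[:space:]]*vm\.max_map_count[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    [ -n "$val" ] && [ "$val" -ge "$REQUIRED_MAP_COUNT" ]
}

# Does a Compose binary answer (plugin form first, then the standalone one)?
check_compose() {
    docker compose version >/dev/null 2>&1 || docker-compose --version >/dev/null 2>&1
}

# Run every check, print one line per check, return the number of failures.
preflight() {
    failures=0
    for c in check_map_count check_memory_kb "check_sysctl_conf /etc/sysctl.conf" check_compose; do
        if $c; then echo "OK   $c"; else echo "FAIL $c"; failures=$((failures + 1)); fi
    done
    return "$failures"
}
```

Source the file (`. ./preflight.sh`) and run `preflight`; a non-zero return means at least one check failed.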

Cloning the Wazuh repo

The Wazuh team provide a Docker repo with YAML files and scripts that can be used to quickly deploy a SIEM stack; clone it (choose a release version):

git clone https://github.com/wazuh/wazuh-docker.git -b v4.5.2 --depth=1


Generate certs

Generate SSL certificates to secure Elasticsearch, Kibana, and Nginx traffic.

Self-signed

In the wazuh-docker/single-node directory:

sudo docker compose -f generate-indexer-certs.yml run --rm generator


Deployment

sudo docker compose up


Once the log output shows the JobSweeper starting (by default the stack keeps running in the foreground), pointing a browser at the IP address of the server VM brings up the web UI.

Next up is installing a multi-node and agent enrollment.
