Wazuh single-node deployment with Docker

The easiest stack runs Docker containers on a single node in a VM: the Wazuh manager ingests logs, Elasticsearch is the storage backend that logs and alerts are written to, and Kibana is the web UI for the Elastic stack views, for building dashboards, and for browsing all the alerts. Single node, running locally, with self-signed certs.


A local QEMU/KVM guest with 8 GB RAM, 50 GB of disk and Ubuntu Server 22.04.3 without any additional packages.


Use the Docker install script to install Docker (alternatively, install it manually; Docker is available for all platforms):

curl -sSL https://get.docker.com/ | sh

[Screenshot: get docker]

This takes a while.

[Screenshot: get docker, finished]

Start Docker:

systemctl start docker

Check it works:

systemctl status docker

Enable the service so it runs at boot time:

systemctl enable docker

Docker Compose

Docker Compose runs Wazuh, Elasticsearch, Kibana, Filebeat, and Nginx with one command within the same environment, so that all the applications can talk to one another. The install script above already ships the Compose plugin (the docker compose command used later); the standalone binary below also provides the docker-compose command (choose a release version):

sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m)" -o /usr/local/bin/docker-compose

[Screenshot: get compose]

Make it executable and create a symlink:

sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

Check it works:

[Screenshot: version check on compose]

Preparing the VM

Configure the VM host preferences to give at least 6 GB of memory to the host that creates the containers (this does not necessarily mean all of it is used, but Elasticsearch requires it to work), and raise the kernel's vm.max_map_count, which Elasticsearch also requires:

sudo sysctl -w vm.max_map_count=262144

[Screenshot: set memory]

To make this value permanent, add the vm.max_map_count setting to /etc/sysctl.conf. Scroll down to the bottom and add it there:

sudo nano /etc/sysctl.conf

[Screenshot: set memory in /etc/sysctl.conf]
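A pre-flight check for the two settings above, written as an added example that is not part of the original guide: it compares the live vm.max_map_count against the required value, persists the setting through a drop-in file under /etc/sysctl.d/ (the file name 99-wazuh-indexer.conf is this example's own choice, an alternative to hand-editing /etc/sysctl.conf) without duplicating the line on re-runs, and confirms that docker and a Compose command are present for the steps that follow.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for the
# single-node Wazuh Docker host. It verifies that vm.max_map_count meets
# the value Elasticsearch needs and persists it through a sysctl drop-in
# file. The drop-in file name is this example's assumption; /etc/sysctl.d
# is read at boot on Ubuntu, but nothing in the guide names the file.

REQUIRED_MAX_MAP_COUNT=262144

# Return 0 when the given value satisfies the requirement, 1 otherwise.
# Takes the value as an argument so it can be checked without root.
max_map_count_ok() {
    value="$1"
    case "$value" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a number (sysctl failed)
    esac
    [ "$value" -ge "$REQUIRED_MAX_MAP_COUNT" ]
}

# Read the live kernel value (no root needed).
current_max_map_count() {
    sysctl -n vm.max_map_count 2>/dev/null || cat /proc/sys/vm/max_map_count
}

# Append the setting to a drop-in file once; re-running does not duplicate it.
persist_max_map_count() {
    conf="${1:-/etc/sysctl.d/99-wazuh-indexer.conf}"   # assumed file name
    line="vm.max_map_count=$REQUIRED_MAX_MAP_COUNT"
    if [ -f "$conf" ] && grep -qx "$line" "$conf"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$conf"
}

# The later steps use 'docker compose' (plugin); accept the standalone
# docker-compose binary as well.
docker_stack_ready() {
    command -v docker >/dev/null 2>&1 || { echo "docker not installed"; return 1; }
    docker compose version >/dev/null 2>&1 || docker-compose --version >/dev/null 2>&1 \
        || { echo "neither 'docker compose' nor docker-compose found"; return 1; }
}

main() {
    if max_map_count_ok "$(current_max_map_count)"; then
        echo "vm.max_map_count OK"
    else
        echo "vm.max_map_count too low; run: sudo sysctl -w vm.max_map_count=$REQUIRED_MAX_MAP_COUNT"
    fi
    docker_stack_ready && echo "docker + compose OK"
}

# Run the checks only when executed as preflight.sh, not when sourced.
[ "${0##*/}" = "preflight.sh" ] && main
```

Save it as preflight.sh and run it with sh before cloning the repo; persist_max_map_count needs root only when writing under /etc/sysctl.d, and a subsequent sudo sysctl --system applies the drop-in without a reboot.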

Cloning the Wazuh repo

The Wazuh team provide YAML files and scripts in the wazuh-docker repo that can be used to quickly deploy a SIEM stack. Clone it (choose a release version):

git clone https://github.com/wazuh/wazuh-docker.git -b v4.5.2 --depth=1

[Screenshot: clone the wazuh-docker repo]

Generate certs

Generate SSL certs to secure Elasticsearch, Kibana, and Nginx traffic.


In the wazuh-docker/single-node directory:

sudo docker compose -f generate-indexer-certs.yml run --rm generator

[Screenshot: certs generation]
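A check of what the generator wrote, as an added example that is not part of the original guide or the Wazuh project: it verifies that each service certificate chains to the generated root CA and is not about to expire, and prints each subject so a mix-up between the indexer, dashboard and manager certificates is caught before the services refuse each other's connections. The directory config/wazuh_indexer_ssl_certs and the file names root-ca.pem, wazuh.indexer.pem, wazuh.dashboard.pem, wazuh.manager.pem and admin.pem are this example's assumptions about the single-node generator's output; adjust them if your tree differs.

```shell
#!/bin/sh
# Added example (not from the Wazuh project): sanity-check the certificates
# the generator wrote before bringing the stack up. The directory and file
# names are assumptions about the single-node generator's output.

CERT_DIR="${CERT_DIR:-config/wazuh_indexer_ssl_certs}"   # assumed location

# Return 0 if CERT chains to CA (signature and validity period are checked).
cert_signed_by() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Return 0 if CERT stays valid for at least DAYS more days.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Print the subject so each file can be matched to the service it is for.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Check every service certificate against the root CA; return 1 on any problem.
check_stack_certs() {
    ca="$CERT_DIR/root-ca.pem"
    rc=0
    for name in wazuh.indexer wazuh.dashboard wazuh.manager admin; do
        cert="$CERT_DIR/$name.pem"
        if [ ! -f "$cert" ]; then echo "missing: $cert"; rc=1; continue; fi
        cert_signed_by "$ca" "$cert" || { echo "not signed by root CA: $cert"; rc=1; }
        cert_valid_for_days "$cert" 30 || { echo "expires within 30 days: $cert"; rc=1; }
        echo "$name: $(cert_subject "$cert")"
    done
    return $rc
}

# Run the check only when executed as check-certs.sh, not when sourced.
[ "${0##*/}" = "check-certs.sh" ] && check_stack_certs
```

Run it from the wazuh-docker/single-node directory after the generator has finished; a non-zero exit means at least one certificate is missing, unsigned by the root CA, or close to expiry.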


Bring the stack up (add -d to run it in the background):

sudo docker compose up


Once the JobSweeper starts (by default it keeps running), pointing a browser at the IP of the server VM gives:


Next up: a multi-node installation and agent enrollment.