Aug 3, 2023 5 min read

How To Set Up Wazuh SIEM With Docker

Wazuh SIEM platform comes with many features such as threat intelligence, security ops, endpoint security, and cloud security. Let's dive into the steps to deploy Wazuh with Docker and connect Wazuh agents to operating systems.

How To Set Up Wazuh SIEM With Docker
Table of Contents

Wazuh is an open-source security information and event management (SIEM) solution that helps you to detect, investigate, and respond to security threats. It is a comprehensive platform that is easy to deploy and self-host in order to achieve security goals. This platform comes with many features such as threat intelligence, security ops, endpoint security, and cloud security. Let's dive into the steps to deploy Wazuh with Docker and connect Wazuh agents to operating systems.

Clone Wazuh Docker Github Repo And Generate Certificates

The first step is to clone the Wazuh Docker repository to your docker host that you want to deploy Wazuh Server to and then navigate to the single-node directory in the wazuh-docker directory.

GitHub - wazuh/wazuh-docker: Wazuh - Docker containers
Wazuh - Docker containers. Contribute to wazuh/wazuh-docker development by creating an account on GitHub.

Once in the singe-node repo run the following command to generate the certificates. docker-compose -f generate-indexer-certs.yml run --rm generator - you should see similar CLI output like the below image.

Wazuh Docker Compose Deployment

Once the certificate generation is completed successfully go ahead and run docker-compose up -d to deploy the Wazuh Server containers. The docker-compose file in the cloned repo should look similar to the below docker-compose script.

version: '3.7'

    image: wazuh/wazuh-manager:4.4.5
    hostname: wazuh.manager
    restart: always
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

    image: wazuh/wazuh-indexer:4.4.5
    hostname: wazuh.indexer
    restart: always
      - "9200:9200"
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
        soft: -1
        hard: -1
        soft: 65536
        hard: 65536
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

    image: wazuh/wazuh-dashboard:4.4.5
    hostname: wazuh.dashboard
    restart: always
      - 443:5601
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://wazuh.manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
      - wazuh.indexer
      - wazuh.indexer:wazuh.indexer
      - wazuh.manager:wazuh.manager


Once the Wazuh containers deployment is completed successfully you should see a similar output on the CLI.

docker compuse wazuh

Once you confirm that your Wazuh containers are up and running you need to create a local DNS record depending on where you deploy it. In my capacity, I am self-hosting it inside my local network and creating a DNS record called wazuh.local and pointing it to the IP address of the docker host. Navigate to the web dashboard https://wazuh.local and you should be able to access it with the following default username and password depending if you changed it in your docker-compose.yml.

Username: admin
Password: SecretPassword

Wazuh Login
Wazuh SIEM Dashboard

Deploy Wazuh Agent To An Operating System

Once logged into the admin dashboard we are going to go ahead and deploy our first by clicking on the Add agent button.

Deploy New Wazuh Agent

I am deploying an Ubuntu agent and once clicked on the Ubuntu button you will be prompted for the OS version and architecture and follow the rest of the prompts like in the example below specifying the Wazuh server address and agent name.

![[Pasted image 20230723211820.png]]

Copy the command below that you get once selecting all the above options and run it on the system you want to deploy the Wazuh agent.

Once your Wazuh agent is installed successfully run the below commands to start the agent daemon and enable automatic startup of the service at startup.

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

It will take a few minutes to sync with Wazuh and once it starts syncing you can log in to the dashboard and view your client under the agent tab. Wazuh will summarize security events, integrity monitoring, and vulnerabilities, generate steps to become more compliant and secure, and much more.


In conclusion, Wazuh is an incredible free and open-source SIEM platform utilized by even enterprise companies globally. Set up Wazuh and agents and experiment with the flexibility and rich features of the SIEM platform. If you enjoyed this article consider signing up for our newsletter and don't forget to share it with people that would find it useful. Leave a comment below with a tutorial you would like us to cover.

Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Opensource Geeks.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.