Wazuh Docker deployment
What is Wazuh?
The Wazuh Security Information and Event Management (SIEM) solution is a centralized platform for aggregating and analyzing telemetry in real time for threat detection and compliance. Wazuh collects event data from various sources like endpoints, network devices, cloud workloads, and applications for broader security coverage.
Requirements
Container memory
We recommend configuring the Docker host with at least 6 GB of memory. Depending on the deployment and usage, Wazuh indexer memory consumption varies. Therefore, allocate the recommended memory for a complete stack deployment to work properly.
Increase max_map_count
The Wazuh indexer creates many memory-mapped areas, so the kernel must be configured to allow a single process at least 262,144 memory-mapped areas.
- Update the `vm.max_map_count` setting in `/etc/sysctl.conf` to set this value permanently:

  ```
  vm.max_map_count=262144
  ```

- To apply the changes, run:

  ```
  sudo sysctl -p
  ```

- To verify, run:

  ```
  sysctl vm.max_map_count
  ```
If you don't set `max_map_count` on your host, the Wazuh indexer will NOT work properly.
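As an added example (not part of the Wazuh documentation or the wazuh-docker project), the following POSIX shell script runs a preflight check of both host requirements above before the stack is started: the 6 GB memory recommendation, read from `/proc/meminfo`, and `vm.max_map_count`, read from `/proc/sys/vm/max_map_count`. The check functions take their input as arguments so they can be exercised on constructed values; the function names, the `--run` flag and the two sample `MemTotal` excerpts are assumptions of this example, not values from the page.

```shell
#!/bin/sh
# Added example: preflight check for a Docker host before deploying Wazuh.
# Thresholds follow the requirements above: 6 GB of memory and
# vm.max_map_count >= 262144. Not part of the wazuh-docker project.

REQUIRED_MAP_COUNT=262144
# /proc/meminfo reports kB, so express 6 GiB in kB for the comparison.
REQUIRED_MEM_KB=$((6 * 1024 * 1024))

# Constructed /proc/meminfo excerpts (not captured from a real host).
SAMPLE_MEMINFO_8G='MemTotal:        8167816 kB
MemFree:         1234568 kB'
SAMPLE_MEMINFO_4G='MemTotal:        4039512 kB
MemFree:          512000 kB'

# map_count_ok VALUE -> exit 0 when VALUE satisfies the indexer requirement.
# Empty or non-numeric input (e.g. an unreadable sysctl) counts as failing.
map_count_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$REQUIRED_MAP_COUNT" ]
}

# meminfo_total_kb MEMINFO_TEXT -> print the MemTotal value in kB.
meminfo_total_kb() {
    printf '%s\n' "$1" | awk '/^MemTotal:/ { print $2; exit }'
}

# memory_ok MEMINFO_TEXT -> exit 0 when MemTotal meets the 6 GB recommendation.
memory_ok() {
    total=$(meminfo_total_kb "$1")
    case "$total" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$total" -ge "$REQUIRED_MEM_KB" ]
}

# host_preflight -> read the live host values, print one PASS/FAIL line per
# check, and exit non-zero if any check fails so it can gate a deploy script.
host_preflight() {
    status=0
    current_map=$(cat /proc/sys/vm/max_map_count 2>/dev/null)
    if map_count_ok "$current_map"; then
        echo "PASS vm.max_map_count=$current_map (>= $REQUIRED_MAP_COUNT)"
    else
        echo "FAIL vm.max_map_count=${current_map:-unknown}; set vm.max_map_count=$REQUIRED_MAP_COUNT in /etc/sysctl.conf and run 'sudo sysctl -p'"
        status=1
    fi
    meminfo=$(cat /proc/meminfo 2>/dev/null)
    if memory_ok "$meminfo"; then
        echo "PASS MemTotal=$(meminfo_total_kb "$meminfo") kB (>= $REQUIRED_MEM_KB kB)"
    else
        echo "FAIL MemTotal below the recommended 6 GB; the Wazuh indexer may not run reliably"
        status=1
    fi
    return $status
}

# Live checks run only when invoked as: sh preflight.sh --run
# (assumed flag name), so the file can also be sourced for testing.
if [ "${1:-}" = "--run" ]; then
    host_preflight
    exit $?
fi
```

Run it as `sh preflight.sh --run` on the Docker host; a non-zero exit status means at least one requirement is unmet, and the FAIL line names the setting to fix.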
Docker engine
Docker compose
Single-node Deployment
- Clone the Wazuh repository to your system:

  ```
  git clone https://github.com/wazuh/wazuh-docker.git -b v4.9.2
  ```

- Enter the single-node directory:

  ```
  cd wazuh-docker/single-node
  ```

- Generate self-signed certificates:

  ```
  docker-compose -f generate-indexer-certs.yml run --rm generator
  ```

- Start the Wazuh single-node deployment using docker-compose:

  ```
  docker-compose up -d
  ```
The default username and password for the Wazuh dashboard are `admin` and `SecretPassword`. For additional security, you can change the default password for the Wazuh indexer admin user.
Exposed ports
By default, the stack exposes the following ports:

| Name | Port |
|---|---|
| Wazuh TCP | 1514 |
| Wazuh TCP | 1515 |
| Wazuh UDP | 514 |
| Wazuh API | 55000 |
| Wazuh indexer HTTPS | 9200 |
| Wazuh dashboard HTTPS | 443 |