docker.recipes

Security Monitoring Stack (SIEM)

advanced

Wazuh SIEM with Elasticsearch for log analysis, threat detection, and compliance monitoring

Overview

Wazuh is an open-source security monitoring platform that evolved from OSSEC, providing comprehensive threat detection, incident response, and compliance monitoring capabilities. The Wazuh manager serves as the central component that collects, analyzes, and correlates security events from agents deployed across your infrastructure, while also performing vulnerability assessments, configuration assessments, and file integrity monitoring. This stack combines the Wazuh manager with Wazuh indexer (based on OpenSearch) for scalable log storage and analysis, plus the Wazuh dashboard for visualization and management of security events, creating a complete SIEM solution. The integration enables real-time threat detection through rule-based analysis, machine learning algorithms, and threat intelligence feeds, while automatically correlating events across multiple sources to identify complex attack patterns. This configuration is ideal for security teams, compliance officers, and system administrators who need enterprise-grade security monitoring without the licensing costs of commercial SIEM solutions, offering capabilities comparable to tools like Splunk or QRadar while maintaining full control over sensitive security data.

Key Features

  • Real-time log analysis and correlation using Wazuh's rule engine with over 3,000 pre-built detection rules
  • Host-based intrusion detection with rootkit detection, file integrity monitoring, and system call analysis
  • Vulnerability assessment scanning with integration to CVE databases and OVAL definitions
  • Compliance monitoring for PCI DSS, GDPR, HIPAA, NIST 800-53, and SOC 2 frameworks
  • Active response capabilities allowing automated threat mitigation through custom scripts
  • Threat intelligence integration with feeds from VirusTotal, AlienVault OTX, and custom IoC sources
  • OpenSearch-based indexing providing fast search capabilities across terabytes of security logs
  • Multi-tenant architecture supporting agent groups and role-based access control

Common Use Cases

  1. Security operations center (SOC) deployment for centralized threat monitoring and incident response
  2. Compliance auditing and reporting for organizations requiring regulatory adherence documentation
  3. Cloud security monitoring for AWS, Azure, and GCP environments with API-based log collection
  4. Network security monitoring through integration with firewalls, IDS/IPS, and network devices
  5. Endpoint detection and response (EDR) for workstations and servers across hybrid infrastructures
  6. DevSecOps integration providing security monitoring for containerized applications and CI/CD pipelines
  7. Managed security service provider (MSSP) deployments supporting multiple client environments

Prerequisites

  • Minimum 8GB RAM allocated to Docker (4GB for indexer, 2GB for manager, 2GB for dashboard)
  • At least 50GB available disk space for log storage and indexer data retention
  • Ports 1514/TCP, 1515/TCP, 514/UDP, 55000/TCP, and 5601/TCP available for agent communication and web access
  • Basic understanding of security event analysis, log parsing, and SIEM concepts
  • Network connectivity from monitored hosts to the Wazuh manager for agent enrollment and communication
  • SSL certificate management knowledge for production deployments requiring encrypted communication

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  wazuh-indexer:
    image: wazuh/wazuh-indexer:latest
    container_name: wazuh-indexer
    restart: unless-stopped
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
      - "discovery.type=single-node"
      - "plugins.security.ssl.http.enabled=false"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh_indexer_data:/var/lib/wazuh-indexer

  wazuh-manager:
    image: wazuh/wazuh-manager:latest
    container_name: wazuh-manager
    restart: unless-stopped
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - FILEBEAT_SSL_VERIFICATION_MODE=none
    volumes:
      - wazuh_api_config:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
    depends_on:
      - wazuh-indexer

  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:latest
    container_name: wazuh-dashboard
    restart: unless-stopped
    ports:
      - "${DASHBOARD_PORT:-5601}:5601"
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - WAZUH_API_URL=https://wazuh-manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD}
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=${API_PASSWORD}
    depends_on:
      - wazuh-indexer
      - wazuh-manager

volumes:
  wazuh_indexer_data:
  wazuh_api_config:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:

.env Template

.env
# Wazuh SIEM Stack
DASHBOARD_PORT=5601

# Passwords (change these!)
INDEXER_PASSWORD=SecretPassword
DASHBOARD_PASSWORD=SecretPassword
API_PASSWORD=SecretPassword

Usage Notes

  1. Wazuh Dashboard at http://localhost:5601
  2. Default login: admin / SecretPassword
  3. Install Wazuh agents on hosts to monitor
  4. Agents connect to port 1514 (TCP) or 1515 (TCP)
  5. Syslog collection on port 514 (UDP)
  6. API accessible at port 55000
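The note above asks you to change the default credentials before going further; the script below is an added pre-flight check, not part of the recipe, that reads the .env template and the compose `environment:` entries with plain string handling (no PyYAML needed) and flags the template passwords, the disabled indexer REST TLS, the skipped certificate verification, and the https:// INDEXER_URL that points at an indexer whose REST TLS is switched off. The compose excerpt and the .env text are copied from this page; `hardened_env` generates random replacement passwords so you can see which findings remain.

```python
import re
import secrets

# Environment entries excerpted from the recipe's compose file (YAML indentation kept).
COMPOSE_EXCERPT = """
      - "plugins.security.ssl.http.enabled=false"
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - FILEBEAT_SSL_VERIFICATION_MODE=none
"""
# The .env template from the page, comments dropped, values unchanged.
ENV_TEMPLATE = """# Wazuh SIEM Stack
DASHBOARD_PORT=5601
INDEXER_PASSWORD=SecretPassword
DASHBOARD_PASSWORD=SecretPassword
API_PASSWORD=SecretPassword
"""
PASSWORD_KEYS = ("INDEXER_PASSWORD", "DASHBOARD_PASSWORD", "API_PASSWORD")

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping blank lines and comments."""
    lines = [l.strip() for l in text.splitlines()]
    return dict(l.split("=", 1) for l in lines if l and not l.startswith("#") and "=" in l)

def compose_env_settings(text):
    """Collect `- KEY=VALUE` and `- "KEY=VALUE"` items from compose environment lists."""
    pattern = re.compile(r'^\s*-\s*"?([A-Za-z0-9_.]+)=([^"\n]*)"?\s*$', re.M)
    return {m.group(1): m.group(2) for m in pattern.finditer(text)}

def audit(compose_text, env_text):
    """Return the list of weak-default findings; an empty list means nothing was flagged."""
    env, cfg = parse_env(env_text), compose_env_settings(compose_text)
    findings = []
    for key in PASSWORD_KEYS:  # missing, short, or still the template value
        if len(env.get(key, "")) < 12 or env[key] == "SecretPassword":
            findings.append(f"{key}: template default, empty, or shorter than 12 characters")
    tls_off = cfg.get("plugins.security.ssl.http.enabled") == "false"
    if tls_off:
        findings.append("indexer REST TLS disabled: credentials cross port 9200 in clear text")
    if cfg.get("FILEBEAT_SSL_VERIFICATION_MODE") == "none":
        findings.append("manager skips indexer certificate verification")
    if tls_off and cfg.get("INDEXER_URL", "").startswith("https://"):
        findings.append("INDEXER_URL is https:// but indexer REST TLS is off: scheme mismatch")
    return findings

def hardened_env(env_text):
    """Copy of the .env text with every template password replaced by a random secret."""
    env = parse_env(env_text)
    env.update({k: secrets.token_urlsafe(24) for k in PASSWORD_KEYS})  # 24 bytes -> 32 chars
    return "".join(f"{k}={v}\n" for k, v in env.items())
```

Running `audit(COMPOSE_EXCERPT, ENV_TEMPLATE)` reports six findings; after `hardened_env` only the three TLS-related ones remain, which need certificates rather than a password change.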

Individual Services (3 services)

Copy individual services to mix and match with your existing compose files.

wazuh-indexer
wazuh-indexer:
  image: wazuh/wazuh-indexer:latest
  container_name: wazuh-indexer
  restart: unless-stopped
  environment:
    - OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g
    - bootstrap.memory_lock=true
    - discovery.type=single-node
    - plugins.security.ssl.http.enabled=false
  ulimits:
    memlock:
      soft: -1
      hard: -1
    nofile:
      soft: 65536
      hard: 65536
  volumes:
    - wazuh_indexer_data:/var/lib/wazuh-indexer

wazuh-manager
wazuh-manager:
  image: wazuh/wazuh-manager:latest
  container_name: wazuh-manager
  restart: unless-stopped
  ports:
    - "1514:1514"
    - "1515:1515"
    - "514:514/udp"
    - "55000:55000"
  environment:
    - INDEXER_URL=https://wazuh-indexer:9200
    - INDEXER_USERNAME=admin
    - INDEXER_PASSWORD=${INDEXER_PASSWORD}
    - FILEBEAT_SSL_VERIFICATION_MODE=none
  volumes:
    - wazuh_api_config:/var/ossec/api/configuration
    - wazuh_etc:/var/ossec/etc
    - wazuh_logs:/var/ossec/logs
    - wazuh_queue:/var/ossec/queue
    - wazuh_var_multigroups:/var/ossec/var/multigroups
    - wazuh_integrations:/var/ossec/integrations
    - wazuh_active_response:/var/ossec/active-response/bin
    - wazuh_agentless:/var/ossec/agentless
    - wazuh_wodles:/var/ossec/wodles
    - filebeat_etc:/etc/filebeat
    - filebeat_var:/var/lib/filebeat
  depends_on:
    - wazuh-indexer

wazuh-dashboard
wazuh-dashboard:
  image: wazuh/wazuh-dashboard:latest
  container_name: wazuh-dashboard
  restart: unless-stopped
  ports:
    - "${DASHBOARD_PORT:-5601}:5601"
  environment:
    - INDEXER_USERNAME=admin
    - INDEXER_PASSWORD=${INDEXER_PASSWORD}
    - WAZUH_API_URL=https://wazuh-manager
    - DASHBOARD_USERNAME=kibanaserver
    - DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD}
    - API_USERNAME=wazuh-wui
    - API_PASSWORD=${API_PASSWORD}
  depends_on:
    - wazuh-indexer
    - wazuh-manager

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  wazuh-indexer:
    image: wazuh/wazuh-indexer:latest
    container_name: wazuh-indexer
    restart: unless-stopped
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
      - "discovery.type=single-node"
      - "plugins.security.ssl.http.enabled=false"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh_indexer_data:/var/lib/wazuh-indexer

  wazuh-manager:
    image: wazuh/wazuh-manager:latest
    container_name: wazuh-manager
    restart: unless-stopped
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - FILEBEAT_SSL_VERIFICATION_MODE=none
    volumes:
      - wazuh_api_config:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
    depends_on:
      - wazuh-indexer

  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:latest
    container_name: wazuh-dashboard
    restart: unless-stopped
    ports:
      - "${DASHBOARD_PORT:-5601}:5601"
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - WAZUH_API_URL=https://wazuh-manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD}
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=${API_PASSWORD}
    depends_on:
      - wazuh-indexer
      - wazuh-manager

volumes:
  wazuh_indexer_data:
  wazuh_api_config:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Wazuh SIEM Stack
DASHBOARD_PORT=5601

# Passwords (change these!)
INDEXER_PASSWORD=SecretPassword
DASHBOARD_PASSWORD=SecretPassword
API_PASSWORD=SecretPassword
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/security-siem-stack/run | bash

Troubleshooting

  • Wazuh indexer failing to start with memory errors: Increase Docker memory allocation or reduce OPENSEARCH_JAVA_OPTS heap size from 1g to 512m
  • Agents showing as disconnected in dashboard: Verify firewall rules allow connections to ports 1514/1515 and check agent configuration file for correct manager IP
  • Dashboard login failing with authentication errors: Reset passwords using docker exec wazuh-manager /var/ossec/bin/wazuh-keystore and restart containers
  • High CPU usage on wazuh-manager: Review active rules in /var/ossec/etc/rules and disable unnecessary decoders or reduce log verbosity
  • Indexer running out of disk space: Configure index lifecycle policies in dashboard under Management > Index Management to automatically rotate old indices
  • Missing security events in dashboard: Check filebeat configuration and verify log parsing by examining /var/ossec/logs/alerts/alerts.log for raw events
