
Wazuh SIEM Platform

Difficulty: advanced

Wazuh security platform with SIEM, XDR, and compliance monitoring.

Overview

Wazuh is an open-source security platform that originated as a fork of OSSEC HIDS, evolving into a comprehensive SIEM, XDR, and security monitoring solution. The Wazuh manager serves as the central analysis engine that processes security events, performs log analysis, runs integrity checks, detects rootkits, and manages security policies across distributed environments. It integrates threat intelligence feeds, provides vulnerability detection, and offers compliance monitoring for standards like PCI DSS, GDPR, and HIPAA.

This Docker stack combines three essential Wazuh components: the wazuh-indexer (based on OpenSearch) for data storage and search capabilities, the wazuh-manager for security analysis and agent coordination, and the wazuh-dashboard for visualization and management. Together, they create a unified security operations center that can monitor file integrity, detect intrusions, analyze logs in real time, and provide comprehensive security reporting. The platform excels at correlating events across multiple data sources and provides both signature-based and behavioral analysis capabilities.

Security teams, compliance officers, and system administrators benefit from this stack's ability to centralize security monitoring across hybrid infrastructure while providing detailed forensic capabilities. The combination offers enterprise-grade security intelligence with the flexibility of containerized deployment, making advanced threat detection and compliance monitoring accessible to organizations of all sizes without requiring extensive security expertise to get started.

Key Features

  • Real-time security event correlation engine with custom rule creation capabilities
  • Distributed agent architecture supporting Windows, Linux, macOS, and cloud workloads
  • Built-in compliance dashboards for PCI DSS, GDPR, HIPAA, and NIST frameworks
  • File integrity monitoring with baseline creation and change detection
  • Vulnerability assessment integration with CVE database correlation
  • Cloud security monitoring for AWS, Azure, and Google Cloud Platform
  • Active response capabilities for automated threat mitigation
  • RESTful API for integration with SOAR platforms and custom workflows

Common Use Cases

  • Enterprise SOC deployment for centralized security monitoring across multiple locations
  • Cloud security posture management and compliance reporting for regulated industries
  • Managed service provider offering security monitoring services to multiple clients
  • DevSecOps integration for container and Kubernetes security monitoring
  • Incident response team requiring detailed forensic analysis and threat hunting capabilities
  • Small to medium business SIEM implementation with limited security staff
  • Compliance audit preparation and ongoing regulatory requirement monitoring

Prerequisites

  • Minimum 4GB RAM allocated to Docker (indexer requires 1GB+ heap space)
  • Docker host with at least 20GB available storage for security event data
  • Understanding of security log formats and SIEM concepts for effective rule tuning
  • Network access planning for agent communication on ports 1514, 1515, and 55000
  • SSL certificate management knowledge for production dashboard deployment
  • Basic familiarity with OpenSearch/Elasticsearch for data retention configuration

For development and testing only. Review security settings, change the default credentials, and test thoroughly before production use.

docker-compose.yml

services:
  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.7.0
    container_name: wazuh-indexer
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - bootstrap.memory_lock=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh_indexer_data:/var/lib/wazuh-indexer
    networks:
      - wazuh-network

  wazuh-manager:
    image: wazuh/wazuh-manager:4.7.0
    container_name: wazuh-manager
    hostname: wazuh-manager
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - FILEBEAT_SSL_VERIFICATION_MODE=full
    volumes:
      - wazuh_api_config:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    depends_on:
      - wazuh-indexer
    networks:
      - wazuh-network

  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.7.0
    container_name: wazuh-dashboard
    hostname: wazuh-dashboard
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - WAZUH_API_URL=https://wazuh-manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD}
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=${API_PASSWORD}
    volumes:
      - wazuh_dashboard_config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh_dashboard_custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
    ports:
      - "443:5601"
    depends_on:
      - wazuh-manager
    networks:
      - wazuh-network

volumes:
  wazuh_indexer_data:
  wazuh_api_config:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_dashboard_config:
  wazuh_dashboard_custom:

networks:
  wazuh-network:
    driver: bridge

.env Template

# Wazuh
INDEXER_PASSWORD=SecretPassword
DASHBOARD_PASSWORD=SecretPassword
API_PASSWORD=SecretPassword

Usage Notes

  1. Dashboard at https://localhost:443
  2. Default user: admin
  3. Install agents on monitored systems
  4. Compliance modules included
  5. Use the official installer for production

Individual Services (3 services)

Copy individual services to mix and match with your existing compose files.

wazuh-indexer
wazuh-indexer:
  image: wazuh/wazuh-indexer:4.7.0
  container_name: wazuh-indexer
  environment:
    - OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g
    - bootstrap.memory_lock=true
  ulimits:
    memlock:
      soft: -1
      hard: -1
    nofile:
      soft: 65536
      hard: 65536
  volumes:
    - wazuh_indexer_data:/var/lib/wazuh-indexer
  networks:
    - wazuh-network
wazuh-manager
wazuh-manager:
  image: wazuh/wazuh-manager:4.7.0
  container_name: wazuh-manager
  hostname: wazuh-manager
  environment:
    - INDEXER_URL=https://wazuh-indexer:9200
    - INDEXER_USERNAME=admin
    - INDEXER_PASSWORD=${INDEXER_PASSWORD}
    - FILEBEAT_SSL_VERIFICATION_MODE=full
  volumes:
    - wazuh_api_config:/var/ossec/api/configuration
    - wazuh_etc:/var/ossec/etc
    - wazuh_logs:/var/ossec/logs
    - wazuh_queue:/var/ossec/queue
  ports:
    - "1514:1514"
    - "1515:1515"
    - "514:514/udp"
    - "55000:55000"
  depends_on:
    - wazuh-indexer
  networks:
    - wazuh-network
wazuh-dashboard
wazuh-dashboard:
  image: wazuh/wazuh-dashboard:4.7.0
  container_name: wazuh-dashboard
  hostname: wazuh-dashboard
  environment:
    - INDEXER_USERNAME=admin
    - INDEXER_PASSWORD=${INDEXER_PASSWORD}
    - WAZUH_API_URL=https://wazuh-manager
    - DASHBOARD_USERNAME=kibanaserver
    - DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD}
    - API_USERNAME=wazuh-wui
    - API_PASSWORD=${API_PASSWORD}
  volumes:
    - wazuh_dashboard_config:/usr/share/wazuh-dashboard/data/wazuh/config
    - wazuh_dashboard_custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
  ports:
    - "443:5601"
  depends_on:
    - wazuh-manager
  networks:
    - wazuh-network

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.7.0
    container_name: wazuh-indexer
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - bootstrap.memory_lock=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh_indexer_data:/var/lib/wazuh-indexer
    networks:
      - wazuh-network

  wazuh-manager:
    image: wazuh/wazuh-manager:4.7.0
    container_name: wazuh-manager
    hostname: wazuh-manager
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - FILEBEAT_SSL_VERIFICATION_MODE=full
    volumes:
      - wazuh_api_config:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    depends_on:
      - wazuh-indexer
    networks:
      - wazuh-network

  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.7.0
    container_name: wazuh-dashboard
    hostname: wazuh-dashboard
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - WAZUH_API_URL=https://wazuh-manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD}
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=${API_PASSWORD}
    volumes:
      - wazuh_dashboard_config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh_dashboard_custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
    ports:
      - "443:5601"
    depends_on:
      - wazuh-manager
    networks:
      - wazuh-network

volumes:
  wazuh_indexer_data:
  wazuh_api_config:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_dashboard_config:
  wazuh_dashboard_custom:

networks:
  wazuh-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Wazuh
INDEXER_PASSWORD=SecretPassword
DASHBOARD_PASSWORD=SecretPassword
API_PASSWORD=SecretPassword
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/wazuh-siem/run | bash

Troubleshooting

  • Bootstrap check failures on indexer startup: increase vm.max_map_count to 262144 on the Docker host
  • Wazuh agents showing as disconnected: verify that the firewall allows TCP 1514/1515 and that the manager IP configured on the agent is correct
  • Dashboard login fails with SSL errors: check certificate validity and the browser's security settings for self-signed certificates
  • High memory usage causing container restarts: adjust the OPENSEARCH_JAVA_OPTS heap size to the memory actually available on the host
  • Missing security events in the dashboard: verify wazuh-manager to indexer connectivity and check the Filebeat SSL configuration
  • Agent enrollment failures: ensure the agent authentication key matches and that the manager hostname is resolvable from the agent systems
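The three host-side problems above that can be caught before `docker compose up` (vm.max_map_count below 262144, a heap that does not fit the memory given to Docker, and the template's SecretPassword placeholders still in .env) lend themselves to a pre-flight script. The one below is an added example, not part of the docker.recipes kit; it assumes plain POSIX sh, an optional DOCKER_MEM_MB variable for the memory allocated to Docker, and a 16-character minimum for passwords, which are choices of this example rather than Wazuh requirements.

```shell
#!/bin/sh
# Pre-flight checks for the Wazuh compose stack above. Added example, not part
# of the docker.recipes kit. POSIX sh; every check returns 0 on pass.
# Indexer bootstrap check: vm.max_map_count must be at least 262144. The value
# is passed in so the check can be exercised without root or sysctl.
max_map_count_ok() {
  [ "${1:-0}" -ge 262144 ]
}
# Parse -Xmx out of OPENSEARCH_JAVA_OPTS and print it in MB (g and m suffixes).
xmx_mb() {
  for tok in $1; do
    case "$tok" in
      -Xmx*[gG]) n=${tok#-Xmx}; echo $(( ${n%?} * 1024 )); return 0 ;;
      -Xmx*[mM]) n=${tok#-Xmx}; echo "${n%?}"; return 0 ;;
    esac
  done
  return 1
}
# Heap must leave room for the manager and dashboard: require the page's 4 GB
# minimum for Docker and a heap no larger than half of it (example policy).
heap_fits() {  # $1 = OPENSEARCH_JAVA_OPTS, $2 = memory allocated to Docker, MB
  h=$(xmx_mb "$1") || return 1
  [ "$2" -ge 4096 ] && [ $((h * 2)) -le "$2" ]
}
# .env check: each *_PASSWORD must be set, must not be the template placeholder
# SecretPassword, and must be at least 16 characters. Prints offending keys.
env_passwords_ok() {
  [ -r "$1" ] || { echo "cannot read $1"; return 1; }
  bad=0
  while IFS='=' read -r key val; do
    case "$key" in ''|'#'*) continue ;; *_PASSWORD) ;; *) continue ;; esac
    if [ -z "$val" ] || [ "$val" = SecretPassword ] || [ ${#val} -lt 16 ]; then
      echo "weak or placeholder value for $key"; bad=1
    fi
  done < "$1"
  return $bad
}
# Run every check against the real host and ./.env; report but never abort.
# DOCKER_MEM_MB is an assumed variable for the memory given to Docker.
run_preflight() {
  rc=0
  mmc=$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)
  max_map_count_ok "$mmc" || { echo "vm.max_map_count=$mmc, need 262144"; rc=1; }
  heap_fits "${OPENSEARCH_JAVA_OPTS:--Xms1g -Xmx1g}" "${DOCKER_MEM_MB:-4096}" \
    || { echo "heap does not fit host memory"; rc=1; }
  env_passwords_ok "${1:-.env}" || rc=1
  return $rc
}
run_preflight "$@"
```

Run it from the directory holding .env; a non-zero exit means at least one of the troubleshooting items above would have bitten after startup.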
