Wazuh Docker utilities
Wazuh Docker containers can be used in many ways; below we describe some of the most significant cases.
Access to containers and services
We can list the containers we have created as follows. From the directory where you have the docker-compose.yml file:
$ docker-compose ps
        Name                      Command               State                 Ports
--------------------------------------------------------------------------------------------
wazuhdocker_elasticsearch_1   /usr/local/bin/docker-entr ...   Up      0.0.0.0:9200->9200/tcp, 9300/tcp
wazuhdocker_kibana_1          /bin/sh -c /entrypoint.sh        Up      5601/tcp
wazuhdocker_nginx_1           /bin/sh -c /entrypoint.sh        Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
wazuhdocker_wazuh_1           /entrypoint.sh                   Up      0.0.0.0:1514->1514/udp, 0.0.0.0:1515->1515/tcp, 1516/tcp, 0.0.0.0:514->514/udp, 0.0.0.0:55000->55000/tcp
We can get access to each container with the following command. From the directory where you have the docker-compose.yml file:
$ docker-compose exec <service name> /bin/bash
Where <service name> is the name of each service in the docker-compose.yml file. By default:
wazuh
elasticsearch
kibana
nginx
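The Ports column above tells you which services are reachable from outside the Docker host. As an added example (not part of the Wazuh documentation or the wazuh-docker project), the following script parses `docker-compose ps` output and lists every mapping published on the host, separating those bound to 0.0.0.0 (all interfaces). The sample output is constructed to match the table above.

```shell
#!/bin/sh
# Added example: audit which ports a docker-compose deployment publishes on the
# host, from the output of `docker-compose ps`. Not project code.

# Constructed sample output, matching the table shown in the text.
SAMPLE_PS='        Name                      Command               State                 Ports
--------------------------------------------------------------------------------------------
wazuhdocker_elasticsearch_1   /usr/local/bin/docker-entr ...   Up      0.0.0.0:9200->9200/tcp, 9300/tcp
wazuhdocker_kibana_1          /bin/sh -c /entrypoint.sh        Up      5601/tcp
wazuhdocker_nginx_1           /bin/sh -c /entrypoint.sh        Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
wazuhdocker_wazuh_1           /entrypoint.sh                   Up      0.0.0.0:1514->1514/udp, 0.0.0.0:1515->1515/tcp, 1516/tcp, 0.0.0.0:514->514/udp, 0.0.0.0:55000->55000/tcp'

# published_ports: read `docker-compose ps` output on stdin and print one line
# "<container> <host-address:host-port> <container-port/proto>" per mapping
# that is published on the host. Entries without a "host->" prefix (9300/tcp,
# 5601/tcp, 1516/tcp above) are only reachable on the Docker network and are
# skipped. The first two lines are the header and its dashed separator.
published_ports() {
  awk 'NR > 2 {
    name = $1
    for (i = 2; i <= NF; i++) {
      tok = $i
      sub(/,$/, "", tok)
      if (tok ~ /^[0-9.]+:[0-9]+->[0-9]+\/(tcp|udp)$/) {
        split(tok, parts, "->")
        print name, parts[1], parts[2]
      }
    }
  }'
}

# wildcard_published: like published_ports, but only mappings bound to
# 0.0.0.0, i.e. reachable from every interface of the Docker host.
wildcard_published() {
  published_ports | awk '$2 ~ /^0\.0\.0\.0:/'
}

# count_lines: small helper so callers get a number back.
count_lines() {
  wc -l | tr -d ' '
}

# Usage: with a live deployment replace the printf with `docker-compose ps`.
printf '%s\n' "$SAMPLE_PS" | wildcard_published
```

Every published port in the default deployment is bound to 0.0.0.0, including Elasticsearch on 9200 and the Wazuh API on 55000; Nginx on 443 fronts the Kibana UI with the default credentials mentioned below. If a service only needs to be reached from the host itself, the compose `ports:` entry can bind it to loopback instead (for example `127.0.0.1:9200:9200`), which this audit then reports with a 127.0.0.1 host address rather than 0.0.0.0.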
Then access the Kibana UI through Nginx by opening https://localhost in a web browser if you are on the Docker host. By default, the username "foo" and the password "bar" are used.
You can also access it through the IP address of the Docker host. For example, if you have created the containers in a virtual machine whose IP address is 192.168.20.220, you can access it through https://192.168.20.220.
Note
You may need to add an exception to the certificate in your browser.
Registering agents
Registering agents in a Wazuh manager deployed through Docker is quite simple: we only have to indicate the IP address of the host that is running the containers.
Adapt the agent configuration file:
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <config-profile>ubuntu, ubuntu16, ubuntu16.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>
  . . .
If, for example, we had launched the command docker-compose up on a host with IP address 192.168.50.75, we would have the following configuration:
<ossec_config>
  <client>
    <server>
      <address>192.168.50.75</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <config-profile>ubuntu, ubuntu16, ubuntu16.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>
  . . .
Agent registration:
Register the agent using authd:
$ /var/ossec/bin/agent-auth -m MANAGER_IP
If we continue with our example, the command to launch would be the following one:
$ /var/ossec/bin/agent-auth -m 192.168.50.75
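Editing the agent's ossec.conf by hand is error-prone, and agent-auth will happily be pointed at a typo. As an added example (not part of the Wazuh documentation or the Wazuh agent), the script below fills in the manager address in a constructed copy of the configuration shown above, refusing the untouched MANAGER_IP placeholder, malformed IPv4 addresses and anything that is not an address or hostname, and reads the value back so it can be checked before running agent-auth.

```shell
#!/bin/sh
# Added example: set the manager address in an agent's ossec.conf safely.
# Not Wazuh code; the validation rules are this example's own assumptions.

# Constructed agent configuration, mirroring the snippet in the text; the
# Docker host address is still the MANAGER_IP placeholder.
AGENT_CONF_TEMPLATE='<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <config-profile>ubuntu, ubuntu16, ubuntu16.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>
</ossec_config>'

# valid_address ADDR: accept a dotted-quad IPv4 address whose octets are in
# 0-255, or a hostname made only of letters, digits, dots and hyphens.
# Rejects the empty string and the literal MANAGER_IP placeholder. Returns 0
# if valid. The character whitelist also keeps sed metacharacters out of the
# replacement text used below.
valid_address() {
  addr=$1
  case $addr in
    *[!A-Za-z0-9.-]*|''|MANAGER_IP) return 1 ;;
  esac
  case $addr in
    *[!0-9.]*) return 0 ;;   # contains letters or hyphens: treat as hostname
  esac
  # Only digits and dots: require exactly four octets, each 0-255.
  echo "$addr" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

# set_manager_address FILE ADDRESS: replace the <address> element inside
# <server> with ADDRESS, writing through a temporary file so a failed edit
# never leaves a half-written ossec.conf behind.
set_manager_address() {
  file=$1; addr=$2
  valid_address "$addr" || { echo "refusing invalid manager address: $addr" >&2; return 1; }
  tmp="$file.tmp.$$"
  sed "s|<address>[^<]*</address>|<address>$addr</address>|" "$file" > "$tmp" && mv "$tmp" "$file"
}

# manager_address FILE: print the address currently configured.
manager_address() {
  sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1"
}

# Usage: write the template to a scratch file and point it at the Docker host
# from the example above (on a real agent the file is /var/ossec/etc/ossec.conf).
demo_conf=$(mktemp)
printf '%s\n' "$AGENT_CONF_TEMPLATE" > "$demo_conf"
set_manager_address "$demo_conf" 192.168.50.75
manager_address "$demo_conf"
rm -f "$demo_conf"
```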
Mount custom Wazuh configuration files
To mount custom Wazuh configuration files in the Wazuh manager container, mount them in the /wazuh-config-mount folder. For example, to mount a custom ossec.conf file, mount it in /wazuh-config-mount/etc/ossec.conf and the entrypoint.sh script will copy the file to the right place on boot while respecting the destination file permissions.
Here is an example of a /wazuh-config-mount folder used to mount some common custom configuration files:
root@wazuh-manager:/# tree /wazuh-config-mount/
/wazuh-config-mount/
└── etc
    ├── ossec.conf
    ├── rules
    │   └── local_rules.xml
    └── shared
        └── default
            └── agent.conf
In that case, you will see this in the Wazuh manager logs on boot.
To add a custom manager configuration:
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/data/etc/ossec.conf'
To add local rules that are not in the ruleset and to be able to use them:
'/wazuh-config-mount/etc/rules/local_rules.xml' -> '/var/ossec/data/etc/rules/local_rules.xml'
To add a custom configuration for Wazuh agents, pushed from the manager:
'/wazuh-config-mount/etc/shared/default/agent.conf' -> '/var/ossec/data/etc/shared/default/agent.conf'
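The detail that matters here is "respecting the destination file permissions": a file bind-mounted from the host often carries a loose mode, and the manager should not inherit it. As an added illustration (this is not the project's entrypoint.sh, whose exact behaviour is not shown on this page), the script below mirrors the layout above: every file under a mount directory is written to the same relative path under a destination directory standing in for /var/ossec/data, an existing destination keeps its owner and mode because only its content is replaced, and each copy is logged in the 'src' -> 'dst' form seen in the manager logs. The scratch directories and file modes are constructed for the demonstration, and the 0640 mode given to newly created files is this example's own choice; GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not the wazuh-docker entrypoint.sh): copy mounted configuration
# files into place while keeping the permissions of existing destinations.

# file_mode FILE: octal permission bits (GNU stat; assumes a Linux host).
file_mode() {
  stat -c '%a' "$1"
}

# install_mounted_config MOUNT_DIR DEST_DIR
# For every regular file below MOUNT_DIR, write its content to the same
# relative path below DEST_DIR. An existing destination is overwritten through
# a redirection (cat > dst), so its owner and mode stay as Wazuh set them; a
# destination that does not exist yet is created from the mounted file and then
# given a restrictive 0640 mode (this example's choice). Each copy is logged
# as 'src' -> 'dst', like the manager log lines shown in the text.
install_mounted_config() {
  mount_dir=$1; dest_dir=$2
  find "$mount_dir" -type f | while IFS= read -r src; do
    rel=${src#"$mount_dir"/}
    dst="$dest_dir/$rel"
    if [ -f "$dst" ]; then
      cat "$src" > "$dst"
    else
      mkdir -p "$(dirname "$dst")"
      cp "$src" "$dst" && chmod 0640 "$dst"
    fi
    echo "'$src' -> '$dst'"
  done
}

# demo_install: constructed scenario in scratch directories (the real paths
# would be /wazuh-config-mount and /var/ossec/data). The mounted ossec.conf is
# deliberately world-writable on the host side, while the existing destination
# has the 0660 mode the container is assumed to have set. Prints the resulting
# modes of both destination files and the installed ossec.conf content.
demo_install() {
  mnt=$(mktemp -d); dest=$(mktemp -d)
  mkdir -p "$mnt/etc/rules" "$dest/etc"
  printf '<ossec_config/>\n' > "$mnt/etc/ossec.conf"
  printf '<group name="local"/>\n' > "$mnt/etc/rules/local_rules.xml"
  printf 'old\n' > "$dest/etc/ossec.conf"
  chmod 0660 "$dest/etc/ossec.conf"        # mode the manager is assumed to use
  chmod 0777 "$mnt/etc/ossec.conf"         # sloppy mode on the host side
  install_mounted_config "$mnt" "$dest" >/dev/null
  echo "$(file_mode "$dest/etc/ossec.conf") $(file_mode "$dest/etc/rules/local_rules.xml") $(cat "$dest/etc/ossec.conf")"
  rm -rf "$mnt" "$dest"
}

demo_install
```

The existing ossec.conf keeps its 0660 mode even though the mounted copy was 0777, and the new local_rules.xml is created with 0640 rather than inheriting whatever mode the host gave it; this is the property the page describes, and checking the modes under /var/ossec/data after boot is a quick way to confirm the entrypoint did the same.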
Mount storage for Elastic Stack components
Mounting volumes for the storage of Elastic Stack components is also possible when deploying with docker-compose: persistent volumes can be mounted both externally and locally. Simply add the desired path in the service's volumes entry.
If we wanted to mount the volume for Elasticsearch, we would change the volume entry in our docker-compose.yml:
elasticsearch:
  . . .
  volumes:
    - my-path:/usr/share/elasticsearch/data:Z
  . . .
Setting the path we want, either a local directory or an external volume:
elasticsearch:
  . . .
  volumes:
    - /home/my/local/volume:/usr/share/elasticsearch/data:Z
  . . .
elasticsearch:
  . . .
  volumes:
    - external-volume:/usr/share/elasticsearch/data:Z
  . . .
Note
The container runs Elasticsearch as user elasticsearch using uid:gid 1000:1000.
If you are bind-mounting a local directory or file, ensure it is readable by this user, while the data and log dirs additionally require write access. You can get more information here.
Custom commands and scripts
To execute commands in the Wazuh manager container after configuration is placed but before the Wazuh API and manager are started, pass the commands as the docker commands/arguments, for example:
docker run -it --rm wazuh/wazuh:latest "/var/ossec/bin/ossec-control enable debug"
Upgrades
Performing container updates differs from performing normal updates. For this we recommend the use of volumes.
For example, if we want to upgrade the Wazuh manager, we should export the container data to a volume. To do this, uncomment the volume options in our docker-compose.yml file and set the path to export as <my-path>. This way, the next time the container is created, it will find the exported data in the external volume:
volumes:
  - /home/my/custom/path:/var/ossec/data:Z
  # - my-path:/etc/postfix:Z
  # - my-path:/etc/filebeat
  # - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf