Wazuh Docker deployment

Requirements

Container memory

It is recommended to set the Docker host preferences to give the containers at least 6GB of memory. They will not necessarily use all of it, but Elasticsearch needs that headroom to work properly.

Increase max_map_count on your host (Linux)

  1. You need to increase max_map_count on your Docker host:

    # sysctl -w vm.max_map_count=262144
    
  2. To set this value permanently, update the vm.max_map_count setting in /etc/sysctl.conf. To verify after rebooting, run "sysctl vm.max_map_count".

    Warning

    If you don't set the max_map_count on your host, Elasticsearch will probably NOT work.

Increase max_map_count on your host (Windows)

  1. You need to increase max_map_count on your Docker host:

    $ docker-machine ssh default
    # sysctl -w vm.max_map_count=262144
    # exit
    
  2. To set this value permanently, update the vm.max_map_count setting in /var/lib/boot2docker/profile:

    2.1. Open the file /var/lib/boot2docker/bootlocal.sh for editing:

      $ docker-machine ssh default
      # vi /var/lib/boot2docker/bootlocal.sh

    2.2. Add the following line to the profile file:

      sysctl -w vm.max_map_count=262144

    2.3. Make the script executable:

      # chmod +x /var/lib/boot2docker/bootlocal.sh

    2.4. To verify after rebooting, run "sysctl vm.max_map_count".

Warning

If you don't set the max_map_count on your host, Elasticsearch will probably NOT work.

SELinux

On distributions with SELinux enabled out-of-the-box, you will need to either re-context the files or put SELinux into Permissive mode for docker-elk to start properly. For example, on Red Hat and CentOS the following command will apply the proper context:

# chcon -R system_u:object_r:admin_home_t:s0 docker-elk/

Docker for OSX

Docker for OSX ships with a default memory limit of 2GB, so to run docker-compose up successfully you have to raise the default memory setting from 2GB to at least 4 or 5GB. To do so, click the Docker icon in the menu bar, then "Preferences...", open the "Advanced" tab, set 5GB of memory, click "Apply & Restart", and then run docker-compose up.

Usage

  1. Get the docker-compose.yml file to your system:

    1. Only the file:

      $ curl -so docker-compose.yml https://raw.githubusercontent.com/wazuh/wazuh-docker/3.9.5_7.2.1/docker-compose.yml
      
    2. Get the Wazuh repository:

      $ git clone https://github.com/wazuh/wazuh-docker.git -b 3.9.5_7.2.1 --single-branch
      
  2. Start Wazuh, Elastic Stack and Nginx using docker-compose. From the directory where you have the docker-compose.yml file:

    1. Foreground:

      $ docker-compose up
      
    2. Background:

      $ docker-compose up -d

Note

The wazuh-kibana container runs repeated curl queries against the Elasticsearch API to learn when Elasticsearch is up, so several "Failed to connect to elasticsearch port 9200" log messages are expected until Elasticsearch has started. The setup process then continues normally.

Note

The Kibana container can take a few minutes to install the Wazuh plugin; this happens after "Optimizing and caching browser bundles..." is printed.

Exposed ports

By default, the stack exposes the following ports:

    Port    Service
    1514    Wazuh UDP
    1515    Wazuh TCP
    514     Wazuh UDP
    55000   Wazuh API
    9200    Elasticsearch HTTP
    80      Nginx http
    443     Nginx https

Note

Configuration is not dynamically reloaded, so you will need to restart the stack after any change in the configuration of a component.
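A pre-flight script that checks the host requirements from this page (vm.max_map_count and memory from the Requirements section, plus whether any of the exposed ports listed above are already bound) before running docker-compose up. This is an added example, not part of the Wazuh project; it assumes a Linux host where sysctl, /proc/meminfo and ss are available, and the socket listing it parses in the test is constructed.

```shell
#!/bin/sh
# Pre-flight checks for the Wazuh docker-compose host (added example, not
# part of the Wazuh project). Thresholds and ports come from this page.
MIN_MAP_COUNT=262144                            # vm.max_map_count needed
MIN_MEM_MB=6144                                 # 6GB recommended host memory
STACK_PORTS="1514 1515 514 55000 9200 80 443"   # ports the stack exposes

# Returns 0 when a vm.max_map_count value meets the requirement.
map_count_ok() {
    [ "${1:-0}" -ge "$MIN_MAP_COUNT" ]
}

# Returns 0 when a total memory figure in MB meets the recommendation.
mem_ok() {
    [ "${1:-0}" -ge "$MIN_MEM_MB" ]
}

# Reads an `ss -Hltnu` style socket listing on stdin (local address in
# column 5) and prints each stack port that is already bound on the host.
ports_in_use() {
    awk -v ports="$STACK_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        { sub(/.*:/, "", $5); if (($5 in want) && !seen[$5]++) print $5 }'
}

# Runs every check against the live host; returns 1 on a hard failure.
preflight() {
    rc=0
    cur=$(sysctl -n vm.max_map_count 2>/dev/null || cat /proc/sys/vm/max_map_count 2>/dev/null)
    if map_count_ok "$cur"; then
        echo "ok   vm.max_map_count=$cur"
    else
        echo "FAIL vm.max_map_count=${cur:-unknown}; run: sysctl -w vm.max_map_count=$MIN_MAP_COUNT"
        rc=1
    fi
    mem=$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo 2>/dev/null)
    if mem_ok "$mem"; then
        echo "ok   host memory ${mem}MB"
    else
        echo "FAIL host memory ${mem:-unknown}MB; recommended >= ${MIN_MEM_MB}MB"
        rc=1
    fi
    # A port already bound on the host stops docker-compose from publishing it.
    busy=$(ss -Hltnu 2>/dev/null | ports_in_use | tr '\n' ' ')
    [ -z "$busy" ] && echo "ok   stack ports free" || echo "WARN stack ports already bound: $busy"
    return "$rc"
}

preflight && echo "host ready for docker-compose up"
```

The memory check uses the 6GB figure from Requirements; if you follow the lower Docker for OSX setting, adjust MIN_MEM_MB accordingly.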