Wazuh Docker deployment
Requirements
Container memory
Give the Docker host at least 6 GB of memory in the Docker host preferences. The containers will not necessarily use all of it, but Elasticsearch needs that headroom to work properly.
Increase max_map_count on your host (Linux)
You need to increase max_map_count on your Docker host:

# sysctl -w vm.max_map_count=262144

To set this value permanently, add vm.max_map_count=262144 to /etc/sysctl.conf (or to a file under /etc/sysctl.d/). To verify after rebooting, run "sysctl vm.max_map_count".

Warning
If you don't raise max_map_count on your host, Elasticsearch's bootstrap check fails with "max virtual memory areas vm.max_map_count [65530] is too low" and the node will not start.
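As an added example (not part of the Wazuh documentation or the wazuh-docker project), the following POSIX shell script does the check, the live change and the persistent change described above in one idempotent step on a Linux Docker host. The drop-in path /etc/sysctl.d/99-wazuh-elasticsearch.conf and the --apply flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs or the wazuh-docker project): check whether
# vm.max_map_count meets Elasticsearch's requirement and, if not, raise it now and
# persist it across reboots. Run as root on the Linux Docker host.
REQUIRED_MAX_MAP_COUNT=262144
# Assumed path for this example; "sysctl --system" loads /etc/sysctl.d/*.conf at boot.
SYSCTL_DROPIN=/etc/sysctl.d/99-wazuh-elasticsearch.conf

# max_map_count_ok VALUE: succeed (0) when VALUE is a plain integer >= the requirement.
max_map_count_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;     # empty or not a plain integer
    esac
    [ "$1" -ge "$REQUIRED_MAX_MAP_COUNT" ]
}

# current_max_map_count: print the live kernel value ("0" if it cannot be read).
current_max_map_count() {
    cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0
}

# ensure_max_map_count: raise the value if needed and persist it; non-zero on failure.
ensure_max_map_count() {
    cur=$(current_max_map_count)
    if max_map_count_ok "$cur"; then
        echo "vm.max_map_count=$cur already meets the requirement ($REQUIRED_MAX_MAP_COUNT)"
        return 0
    fi
    echo "vm.max_map_count=$cur is too low; setting $REQUIRED_MAX_MAP_COUNT"
    sysctl -w vm.max_map_count="$REQUIRED_MAX_MAP_COUNT" || return 1
    # Persist in a drop-in instead of hand-editing /etc/sysctl.conf; overwriting the
    # file (rather than appending) keeps repeated runs idempotent.
    printf 'vm.max_map_count = %s\n' "$REQUIRED_MAX_MAP_COUNT" > "$SYSCTL_DROPIN" || return 1
    # Re-read what the kernel now reports rather than trusting the write.
    cur=$(current_max_map_count)
    max_map_count_ok "$cur"
}

if [ "${1:-}" = "--apply" ]; then
    ensure_max_map_count
else
    echo "vm.max_map_count is currently $(current_max_map_count); run with --apply as root to raise and persist it"
fi
```

Run it once without arguments to see the live value, then with --apply as root; a second --apply run reports the value as already sufficient and changes nothing.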
Increase max_map_count on your host (Windows)
With Docker Toolbox the daemon runs inside a docker-machine VM, so you need to increase max_map_count inside that VM:

$ docker-machine ssh default
# sysctl -w vm.max_map_count=262144
# exit

To set this value permanently, add it to /var/lib/boot2docker/bootlocal.sh, which boot2docker runs at every boot:

1. Open the file for editing:

$ docker-machine ssh default
# vi /var/lib/boot2docker/bootlocal.sh

2. Add the following line to the file:

sysctl -w vm.max_map_count=262144

3. Make the script executable:

# chmod +x /var/lib/boot2docker/bootlocal.sh

4. To verify after rebooting, run "sysctl vm.max_map_count".

Warning
If you don't raise max_map_count inside the VM, Elasticsearch's bootstrap check fails and the node will not start.
SELinux
On distributions with SELinux enabled out-of-the-box, you will need to either relabel the files or put SELinux into Permissive mode for the stack to start properly. Permissive mode disables enforcement for everything on the host, so prefer relabelling. For example, on Red Hat and CentOS the following command applies the context to the directory you cloned (wazuh-docker/ in the Usage section below):

# chcon -R system_u:object_r:admin_home_t:s0 wazuh-docker/

Alternatively, append :Z to each bind-mount volume in docker-compose.yml; Docker then relabels the mounted paths for the container when it starts, without touching the rest of the host.
Docker for OSX
In Docker for OSX, there is a default memory limit of 2GB, so in order to run docker-compose up successfully you have to change default memory settings from 2GB to at least 4 or 5GB. To do so, click on the Docker icon in the menu bar, then on "Preferences...", go to the "Advanced" tab and set 5GB of memory, and finally click on "Apply & Restart" and run docker-compose up.
Usage
Get the docker-compose.yml file onto your system, either on its own or with the whole repository.

Only the file:

$ curl -so docker-compose.yml https://raw.githubusercontent.com/wazuh/wazuh-docker/3.9.5_7.2.1/docker-compose.yml

The whole Wazuh repository:

$ git clone https://github.com/wazuh/wazuh-docker.git -b 3.9.5_7.2.1 --single-branch

Start Wazuh, Elastic Stack and Nginx using docker-compose. From the directory where you have the docker-compose.yml file:

Foreground:

$ docker-compose up

Background:

$ docker-compose up -d
Note
The wazuh-kibana container polls the Elasticsearch API with curl to learn when Elasticsearch is up, so several "Failed to connect to elasticsearch port 9200" log messages are expected until Elasticsearch has started; the setup process then continues normally.
Note
The Kibana container can take a few minutes to install the Wazuh plugin; this happens after "Optimizing and caching browser bundles..." is printed.
Exposed ports
By default, the stack publishes the following ports on all interfaces of the Docker host:

Port  | Service
----- | ------------------------------
1514  | Wazuh UDP (agent connections)
1515  | Wazuh TCP (agent enrollment)
514   | Wazuh UDP (syslog)
55000 | Wazuh API
9200  | Elasticsearch HTTP
80    | Nginx http
443   | Nginx https

Only the agent ports and the Nginx front end normally need to be reachable from other hosts. Restrict 9200 (Elasticsearch) and 55000 (Wazuh API) with the host firewall, or bind them to 127.0.0.1 in docker-compose.yml, unless other machines genuinely need them.
Note
Configuration is not dynamically reloaded, so you will need to restart the stack after any change in the configuration of a component.
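The short port syntax in the compose file ("9200:9200") publishes on 0.0.0.0. As an added example (not the project's own tooling), the following POSIX shell script lists the published entries that carry no host IP and rewrites the ones for Elasticsearch and the Wazuh API to bind to 127.0.0.1. Which ports count as local-only, and the compose excerpt inside demo, are this example's own constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs or the wazuh-docker project): audit which
# published ports in a docker-compose.yml Docker will bind on every host interface,
# and pin the host-local ones to 127.0.0.1 by editing the base compose file.
LOCAL_ONLY_PORTS="9200 55000"   # assumption: Elasticsearch HTTP and Wazuh API; agent and Nginx ports stay public

# list_open_bindings FILE: print HOSTPORT:CONTAINERPORT[/proto] for every short-syntax
# port entry written without a host IP, e.g.   - "9200:9200"   or   - 1514:1514/udp
list_open_bindings() {
    sed -n -E 's/^[[:space:]]*-[[:space:]]*"?([0-9]+:[0-9]+(\/(tcp|udp))?)"?[[:space:]]*$/\1/p' "$1"
}

# pin_to_localhost FILE: prefix 127.0.0.1: to the entries for LOCAL_ONLY_PORTS, in place.
pin_to_localhost() {
    for port in $LOCAL_ONLY_PORTS; do
        sed -E "s/^([[:space:]]*-[[:space:]]*\"?)(${port}:[0-9]+)/\1127.0.0.1:\2/" "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1" || return 1
    done
}

# demo: constructed compose excerpt with this stack's port list (not the real file).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
services:
  wazuh:
    ports:
      - "1514:1514/udp"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
  elasticsearch:
    ports:
      - "9200:9200"
  nginx:
    ports:
      - "80:80"
      - "443:443"
EOF
    echo "bound on all interfaces before:"; list_open_bindings "$f"
    pin_to_localhost "$f"
    echo "bound on all interfaces after:"; list_open_bindings "$f"
    echo "pinned entries:"; grep '127\.0\.0\.1' "$f"
    rm -f "$f"
}

if [ "${1:-}" = "--demo" ]; then
    demo
elif [ -n "${1:-}" ]; then
    list_open_bindings "$1"      # audit only: pass the path to your docker-compose.yml
fi
```

Run it with --demo to see the before/after on the constructed excerpt, or with the path to your docker-compose.yml to audit it without changing anything. The script edits the base file deliberately: docker-compose concatenates ports lists from docker-compose.override.yml rather than replacing them, so adding a "127.0.0.1:9200:9200" entry in an override file leaves the all-interfaces binding in place. Containers reach each other over the compose network by service name, so pinning published ports only changes reachability from outside the host; as the note above says, restart the stack for the change to take effect.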