Wazuh Docker utilities

After installing the Wazuh-Docker containers, there are several tasks that you can do to benefit the most from your Wazuh installation.

Access to services and containers

  1. You may access the Kibana UI at the Docker host’s IP address, for example: https://localhost if you are in the Docker host.

    Note

    The certificate used for Kibana by default is a self-signed certificate, because of this your browser will warn that it cannot verify its authenticity.

  2. Agents may be registered by following the standard registration process and using the Docker host’s address as the manager’s address. For more information see: Registering agents

  3. We can list the containers we have created by executing docker-compose ps in the directory that contains the docker-compose.yml file:

    # docker-compose ps
    
                Name                          Command               State                                                    Ports
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    wazuh-docker_elasticsearch_1   /usr/local/bin/docker-entr ...   Up      0.0.0.0:9200->9200/tcp, 9300/tcp, 9600/tcp, 9650/tcp
    wazuh-docker_kibana_1          /bin/sh -c ./entrypoint.sh       Up      0.0.0.0:443->5601/tcp
    wazuh-docker_wazuh_1           /init                            Up      0.0.0.0:1514->1514/tcp, 0.0.0.0:1515->1515/tcp, 1516/tcp, 0.0.0.0:514->514/udp, 0.0.0.0:55000->55000/tcp
    
  4. We can access the command line of each container by executing docker-compose exec <service name> /bin/bash from the directory where the docker-compose.yml file is located:

    # docker-compose exec <service name> /bin/bash
    

    Where service name is the name of each service in the docker-compose.yml file. By default (in our demo deployment):

    • wazuh

    • elasticsearch

    • kibana

Wazuh service data volumes

Wazuh configuration and log files can be configured to exist outside of their container. This will allow these files to persist after containers are removed and to provision custom configuration files to your containers.

Multiple volumes are required to ensure persistence on a Wazuh container, the following is an example of a docker-compose.yml with those defined:

services:
  wazuh:
    . . .
    volumes:
      - ossec_api_configuration:/var/ossec/api/configuration
      - ossec_etc:/var/ossec/etc
      - ossec_logs:/var/ossec/logs
      - ossec_queue:/var/ossec/queue
      - ossec_var_multigroups:/var/ossec/var/multigroups
      - ossec_integrations:/var/ossec/integrations
      - ossec_active_response:/var/ossec/active-response/bin
      - ossec_agentless:/var/ossec/agentless
      - ossec_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat

volumes:
  ossec_api_configuration:
  ossec_etc:
  ossec_logs:
  ossec_queue:
  ossec_var_multigroups:
  ossec_integrations:
  ossec_active_response:
  ossec_agentless:
  ossec_wodles:
  filebeat_etc:
  filebeat_var:

These volumes can be listed with docker volume ls:

DRIVER              VOLUME NAME
local               wazuh-docker_filebeat_etc
local               wazuh-docker_filebeat_var
local               wazuh-docker_ossec_active_response
local               wazuh-docker_ossec_agentless
local               wazuh-docker_ossec_api_configuration
local               wazuh-docker_ossec_etc
local               wazuh-docker_ossec_integrations
local               wazuh-docker_ossec_logs
local               wazuh-docker_ossec_queue
local               wazuh-docker_ossec_var_multigroups
local               wazuh-docker_ossec_wodles

Before performing a container upgrade, it is recommended that you create these data volumes so that persistent information from the Wazuh service is not lost.

Storage volume for Elastic Stack components

Attaching a volume for the storage of Elasticsearch data is also possible. In order to do this we must add the volume to the elasticsearch service in docker-compose.yml:

  elasticsearch:
    . . .
     volumes:
       - elastic-data:/usr/share/elasticsearch/data
    . . .

volumes:
  elastic-data

You can get more information about using the Elasticsearch Docker image here.

Custom commands and scripts

To execute commands in the Wazuh manager container you may execute a shell:

docker run -it wazuh-opendistro bash

Remember any change made on this shell will persist as long as you have the data volumes configured correctly.