Wazuh Docker deployment¶
Requirements¶
Container memory¶
It is recommended to set Docker host preferences to give at least 6GB of memory to the host that runs the containers (they will not necessarily use all of it, but Elasticsearch requires it to work properly).
Increase max_map_count on your host (Linux)¶
You need to increase max_map_count on your Docker host:
# sysctl -w vm.max_map_count=262144
To set this value permanently, update the vm.max_map_count setting in /etc/sysctl.conf. To verify after rebooting, run “sysctl vm.max_map_count”.
Warning
If you don’t set the max_map_count on your host, Elasticsearch will probably NOT work.
Increase max_map_count on your host (Windows)¶
You need to increase max_map_count on your Docker host:
$ docker-machine ssh default
# sysctl -w vm.max_map_count=262144
# exit
To set this value permanently, update the vm.max_map_count setting in /var/lib/boot2docker/profile:
2.1. Open the file /var/lib/boot2docker/bootlocal.sh for editing:
$ docker-machine ssh default
# vi /var/lib/boot2docker/bootlocal.sh
2.2. Add the following line to the profile file:
sysctl -w vm.max_map_count=262144
2.3. Make the script runnable:
# chmod +x /var/lib/boot2docker/bootlocal.sh
2.4. To verify after rebooting, run “sysctl vm.max_map_count”.
Warning
If you don’t set the max_map_count on your host, Elasticsearch will probably NOT work.
SELinux¶
On distributions with SELinux enabled out-of-the-box, you will need to either re-context the files or put SELinux into Permissive mode for docker-elk to start properly. For example, on Red Hat and CentOS the following command will apply the proper context:
# chcon -R system_u:object_r:admin_home_t:s0 docker-elk/
Docker for OSX¶
In Docker for OSX, there is a default memory limit of 2GB, so in order to run docker-compose up successfully you have to change default memory settings from 2GB to at least 4 or 5GB. To do so, click on the Docker icon in the menu bar, then on “Preferences…”, go to the “Advanced” tab and set 5GB of memory, and finally click on “Apply & Restart” and run docker-compose up.
Usage¶
Demo deployment¶
This configuration is provided as-is for testing purposes only. It is designed for maximum ease of use, to get you started with Wazuh quickly. For real production environments, see Production deployment.
Clone the Wazuh repository to your system:
$ git clone https://github.com/wazuh/wazuh-docker.git -b v4.0.4_1.11.0 --depth=1
Start Wazuh and Elastic Stack using docker-compose. From the directory where you have the docker-compose.yml file:
Foreground:
$ docker-compose up
Background:
$ docker-compose up -d
Note
The wazuh-kibana container runs multiple queries against the Elasticsearch API using curl to learn when Elasticsearch is up. It is expected to see several “Failed to connect to elasticsearch port 9200” log messages until Elasticsearch has started; the setup process then continues normally.
Production deployment¶
These are the steps to deploy a production grade Wazuh cluster using the “Open Distro for Elasticsearch” Docker images.
Clone the Wazuh repository to your system:
$ git clone https://github.com/wazuh/wazuh-docker.git -b v4.0.4_1.11.0 --depth=1
We’ll use production-cluster.yml as the base for this deployment; all code snippets in this section come from this file.
Secure traffic by replacing demo certificates
2.1 Generate certificates for each node of the cluster
We made a Docker image to automate certificate generation using the SearchGuard TLS Tool. Modify the file ssl_certs/certs.yml and execute the following command to obtain the desired certificates:
docker-compose -f generate-opendistro-certs.yml run --rm generator
This will save the certificates into the ssl_certs directory, as well as the config snippets for each one of the nodes.
2.2 Set up SSL certificates for Elasticsearch in the directory ssl_certs. Check out the section Docker Security from the Open Distro docs.
- ./ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
- ./ssl_certs/node.key:/usr/share/elasticsearch/config/node.key
- ./ssl_certs/node.pem:/usr/share/elasticsearch/config/node.pem
- ./elastic_opendistro/custom-elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
2.3 Use a secure password for the admin user on Elasticsearch
You have complete freedom to customize users on the Elasticsearch container by mounting your own internal_users.yml:
- ./elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
It is possible to generate a hash using the same Docker image: type in any password when prompted and replace the hash in internal_users.yml:
docker run --rm -ti amazon/opendistro-for-elasticsearch:1.11.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh
2.4 Set up SSL certificates for Filebeat on the Wazuh container
environment:
  - FILEBEAT_SSL_VERIFICATION_MODE=full
  - SSL_CERTIFICATE_AUTHORITIES=/etc/filebeat/root-ca.pem
  - SSL_CERTIFICATE=/etc/filebeat/filebeat.pem
  - SSL_KEY=/etc/filebeat/filebeat.key
volumes:
  - ./ssl_certs/root-ca.pem:/etc/filebeat/root-ca.pem
  - ./ssl_certs/filebeat.pem:/etc/filebeat/filebeat.pem
  - ./ssl_certs/filebeat.key:/etc/filebeat/filebeat.key
2.4 Set up SSL certificates for Kibana
Copy your own certificate into the kibana_od_ssl directory and set SERVER_SSL_ENABLED to true:
environment:
  - SERVER_SSL_ENABLED=true
  - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem
  - SERVER_SSL_KEY=/usr/share/kibana/config/key.pem
volumes:
  - ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem
  - ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem
Note
We provide an easy way to generate a self-signed certificate by running
bash ./production_cluster/kibana_ssl/generate-self-signed-cert.sh
2.5 Set up SSL on the Nginx load balancer
SSL certificates for Nginx should be placed at ./production_cluster/nginx/ssl/ as cert.pem and key.pem; this is customizable in the Nginx configuration file at ./production_cluster/nginx/nginx.conf.
nginx:
  ...
  volumes:
    - ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    - ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro
Note
We provide an easy way to generate a self-signed certificate by running
bash ./production_cluster/nginx/ssl/generate-self-signed-cert.sh
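Before starting the stack, it is worth checking that the compose file actually carries the TLS settings from steps 2.2 to 2.5. The following is an added Python example (not part of wazuh-docker); it assumes the compose file has already been loaded into a dict with a YAML parser such as PyYAML, and that the services in production-cluster.yml are named elasticsearch, wazuh and kibana (an assumption; adjust to your file).

```python
# Added example (not wazuh-docker code): audit a docker-compose definition,
# already loaded into a dict (e.g. with yaml.safe_load), for the TLS settings
# this section asks for. Service names "elasticsearch", "wazuh" and "kibana"
# are assumptions about production-cluster.yml.

# Environment values the guide sets, per assumed service name.
REQUIRED_ENV = {
    "wazuh": {"FILEBEAT_SSL_VERIFICATION_MODE": "full"},
    "kibana": {"SERVER_SSL_ENABLED": "true"},
}
# Host-side certificate files the guide bind-mounts into each container.
REQUIRED_MOUNTS = {
    "elasticsearch": ["./ssl_certs/root-ca.pem", "./ssl_certs/node.pem",
                      "./ssl_certs/node.key"],
    "wazuh": ["./ssl_certs/root-ca.pem", "./ssl_certs/filebeat.pem",
              "./ssl_certs/filebeat.key"],
    "kibana": ["./production_cluster/kibana_ssl/cert.pem",
               "./production_cluster/kibana_ssl/key.pem"],
}

def env_dict(service):
    """Compose accepts environment as a KEY=VALUE list or a mapping;
    normalise both to lower-case string values (YAML may yield bools)."""
    env = service.get("environment", {})
    if isinstance(env, list):
        env = dict(item.partition("=")[::2] for item in env)
    return {k: str(v).lower() for k, v in env.items()}

def audit(compose):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    services = compose.get("services", {})
    for name, wanted in REQUIRED_ENV.items():
        env = env_dict(services.get(name, {}))
        for key, value in wanted.items():
            if env.get(key) != value:
                findings.append(f"{name}: {key} must be {value}, got {env.get(key)}")
    for name, paths in REQUIRED_MOUNTS.items():
        # volume entries are "host:container[:mode]"; keep the host side
        sources = {v.split(":", 1)[0] for v in services.get(name, {}).get("volumes", [])}
        for path in paths:
            if path not in sources:
                findings.append(f"{name}: missing bind mount for {path}")
    return findings

# Constructed sample: a demo-style file with the TLS steps left undone.
DEMO = {"services": {
    "elasticsearch": {"volumes": []},
    "wazuh": {"environment": ["FILEBEAT_SSL_VERIFICATION_MODE=none"]},
    "kibana": {"environment": {"SERVER_SSL_ENABLED": False}},
}}
```

Running audit() on DEMO reports the weak verification mode, the disabled Kibana TLS and every missing certificate mount; a file that follows steps 2.2 to 2.5 yields an empty list.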
Start Wazuh and Elastic Stack using docker-compose:
Foreground:
$ docker-compose -f production-cluster.yml up
Background:
$ docker-compose -f production-cluster.yml up -d
Exposed ports¶
By default, the stack exposes the following ports:
Port  | Service
1514  | Wazuh TCP
1515  | Wazuh TCP
514   | Wazuh UDP
55000 | Wazuh API
9200  | Elasticsearch HTTP
443   | Kibana HTTPS
Note
Configuration is not dynamically reloaded, so you will need to restart the stack after any change in the configuration of a component.