Wazuh Docker utilities

After deploying Wazuh with Docker, you can perform several tasks to manage and customize your installation. Wazuh components are deployed as separate containers built from their corresponding Docker image. You can access these containers using the service names defined in your docker-compose.yml file, which are specific to your deployment type.

Access to services and containers

This section explains how to interact with your Wazuh deployment by accessing service logs and shell instances of running containers.

  1. Access the Wazuh dashboard using the Docker host IP address.

  2. Enroll agents through the standard Wazuh agent enrollment process. Use the Docker host address as the Wazuh manager address.

  3. From the directory where the Wazuh docker-compose.yml file is located, list the containers:

    # docker compose ps
    
    NAME                            COMMAND                  SERVICE             STATUS              PORTS
    single-node-wazuh.dashboard-1   "/entrypoint.sh"         wazuh.dashboard     running             443/tcp, 0.0.0.0:443->5601/tcp
    single-node-wazuh.indexer-1     "/entrypoint.sh open…"   wazuh.indexer       running             0.0.0.0:9200->9200/tcp
    single-node-wazuh.manager-1     "/init"                  wazuh.manager       running             0.0.0.0:1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, 0.0.0.0:55000->55000/tcp, 1516/tcp
    
  4. Run the command below from the directory where the docker-compose.yml file is located to open a shell inside the container:

    # docker compose exec <SERVICE> bash
    

Wazuh service data volumes

You can set Wazuh configuration and log files to exist outside their containers on the host system. This allows the files to persist after containers are removed, and you can provision custom configuration files to your containers.

Listing existing volumes

Run the following command to see the persistent volumes on your Docker host:

    # docker volume ls
    DRIVER    VOLUME NAME
    local     single-node_wazuh_api_configuration

You can also view these volumes in the volumes section directly from the docker-compose.yml file.

Adding a custom volume

You need multiple volumes to ensure persistence on the Wazuh server, Wazuh indexer, and Wazuh dashboard containers. Review the volumes section in your docker-compose.yml file and modify it to include your custom volumes:

    services:
      wazuh.manager:
        . . .
        volumes:
          - wazuh_api_configuration:/var/ossec/api/configuration
        . . .
    volumes:
      wazuh_api_configuration:

Custom commands and scripts

Run the command below to execute commands inside the containers. We use the Wazuh manager single-node-wazuh.manager-1 container in this example:

    # docker exec -it single-node-wazuh.manager-1 bash

Every change made on this shell persists because of the data volumes.

Note

The actions you can perform inside the containers are limited.
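
To check whether a path you are about to edit in the container shell is backed by a mount, the following added example (not part of the Wazuh documentation) matches the path against the container's mount destinations. The function names container_mounts, mount_for and check_path, and the sample mount list and test paths, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: is a path inside a container backed by a Docker mount?

# Print "TYPE<TAB>DESTINATION" for each mount of container $1.
# Needs a running Docker daemon; the offline demo below does not call it.
container_mounts() {
  docker inspect \
    --format '{{range .Mounts}}{{.Type}}{{"\t"}}{{.Destination}}{{"\n"}}{{end}}' "$1"
}

# mount_for PATH: read "TYPE<TAB>DESTINATION" lines on stdin and print the one
# whose destination is the longest path prefix of PATH. Returns 1 when nothing
# matches, i.e. PATH lives only in the container's writable layer.
mount_for() (
  path=$1 best="" best_len=-1
  tab=$(printf '\t')
  while IFS="$tab" read -r type dest; do
    [ -n "$dest" ] || continue
    prefix=${dest%/}              # treat "/data/" and "/data" alike
    case "$path/" in
      "$prefix"/*)                # match whole path components only
        if [ "${#prefix}" -gt "$best_len" ]; then
          best="$type$tab$dest" best_len=${#prefix}
        fi ;;
    esac
  done
  [ -n "$best" ] && printf '%s\n' "$best"
)

# Constructed sample of container_mounts output (not captured from a real host).
SAMPLE_MOUNTS=$(printf '%s\t%s\n' \
  volume /var/ossec/api/configuration \
  bind   /wazuh-config-mount/etc/ossec.conf)

# Report whether the path in $1 would survive removal of the container.
check_path() {
  if hit=$(printf '%s\n' "$SAMPLE_MOUNTS" | mount_for "$1"); then
    printf 'persistent  %s  via %s\n' "$1" "$hit"
  else
    printf 'ephemeral   %s\n' "$1"
  fi
}

check_path /var/ossec/api/configuration/api.yaml
check_path /var/ossec/api/configuration-old/api.yaml
check_path /tmp/notes.txt
```

On a live host, pipe the real mount list instead of the sample: container_mounts single-node-wazuh.manager-1 | mount_for <PATH>.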

Modifying the Wazuh configuration file

To customize the Wazuh configuration file /var/ossec/etc/ossec.conf, modify the appropriate configuration file on the Docker host according to your business needs. These local files are mounted into the containers at runtime, allowing your custom settings to persist across container restarts or rebuilds.

  1. Run the following command in your deployment directory to stop the running containers:

    # docker compose down
    
  2. The following are the locations of the Wazuh configuration files on the Docker host that you can modify:

    wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf

    Save the changes made in the configuration files.

  3. Restart the stack:

    # docker compose up -d
    

These files are mounted into the container at runtime (wazuh-config-mount/etc/ossec.conf), ensuring your changes take effect when the containers start.

Tuning Wazuh services

Tuning the Wazuh indexer and dashboard is optional. Apply custom configurations only if you need to adjust performance, customize the dashboard interface, or override default settings.

  • The Wazuh indexer reads its configuration from the file(s) in the config/wazuh_indexer/ directory in your respective deployment stack. Edit the appropriate configuration file(s) with your desired parameters, and ensure any changes made are properly mapped in your docker-compose.yml so the container loads the updated configuration.

  • The Wazuh dashboard reads its configuration from the config/wazuh_dashboard/opensearch_dashboards.yml file. You can adjust dashboard behavior or appearance by modifying parameters in this file. Refer to the OpenSearch documentation on Modifying the YAML files for details about the available variables you can override in this configuration.