Wazuh Docker deployment
Wazuh consists of a multi-platform Wazuh agent and three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard. Refer to the Wazuh components documentation for more information.
Deployment options
Wazuh supports the deployment of the central components on Docker.
You can deploy Wazuh central components as a single-node or multi-node stack.
Single-node stack: Runs one Wazuh manager, indexer, and dashboard node on the Docker host. Supports persistent storage and configurable certificates for secure communications.
Multi-node stack: Runs two Wazuh manager nodes (one master, one worker), three indexer nodes, one dashboard, and one nginx node. Includes persistence, secure communication configuration, and high availability.
Wazuh central components
Follow the steps below to deploy the Wazuh central components in a single-node and multi-node stack.
Cloning the repository
Clone the Wazuh Docker repository to your system:
# git clone https://github.com/wazuh/wazuh-docker.git -b v4.12.0
Select the stack you want:
Single-node
Navigate to the
single-node
directory to execute all the following commands.# cd wazuh-docker/single-node/
Multi-node
Navigate to the
multi-node
directory to execute all the following commands.# cd wazuh-docker/multi-node/
Certificate generation
You must provide certificates for each node to secure communication between them in the Wazuh stack. You have two alternatives:
Wazuh self-signed certificates
Your own certificates
You must use the wazuh-certs-generator
Docker image to generate self-signed certificates for each node of the stack.
Optional: Add the following to the
generate-indexer-certs.yml
file if your system uses a proxy. If not, skip this step. Replace<YOUR_PROXY_ADDRESS_OR_DNS>
with your proxy information.# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2) services: generator: image: wazuh/wazuh-certs-generator:0.0.2 hostname: wazuh-certs-generator volumes: - ./config/wazuh_indexer_ssl_certs/:/certificates/ - ./config/certs.yml:/config/certs.yml environment: - HTTP_PROXY=<YOUR_PROXY_ADDRESS_OR_DNS>
Run the following command to generate the desired certificates:
# docker-compose -f generate-indexer-certs.yml run --rm generator
The generated certificates will be stored in the config/wazuh_indexer_ssl_certs
directory.
If you already have valid certificates for each node, place them in the config/wazuh_indexer_ssl_certs/
directory using the following file names. Note your stack for the right path.
Wazuh indexer:
config/wazuh_indexer_ssl_certs/root-ca.pem
config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem
config/wazuh_indexer_ssl_certs/wazuh.indexer.pem
config/wazuh_indexer_ssl_certs/admin.pem
config/wazuh_indexer_ssl_certs/admin-key.pem
Wazuh manager:
config/wazuh_indexer_ssl_certs/root-ca-manager.pem
config/wazuh_indexer_ssl_certs/wazuh.manager.pem
config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem
Wazuh dashboard:
config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem
config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem
config/wazuh_indexer_ssl_certs/root-ca.pem
Note
Use the exact filenames shown above, as the containers are configured to reference these specific names.
Deployment
Start the Wazuh Docker deployment using
docker-compose
:Background:
# docker-compose up -d
Foreground:
# docker-compose up
Exposed ports
By default, the stack exposes the following ports:
1514 |
Wazuh TCP |
1515 |
Wazuh TCP |
514 |
Wazuh UDP |
55000 |
Wazuh server API |
9200 |
Wazuh indexer API |
443 |
Wazuh dashboard HTTPS |
Note
Docker does not dynamically reload the configuration. After changing a component's configuration, you need to restart the stack.
Accessing the Wazuh dashboard
After deploying the Docker stack, you can access the Wazuh dashboard using your Docker host’s IP address.
https://<DOCKER_HOST_IP>
Note
If you use a self-signed certificate, your browser will warn you that it cannot verify its authenticity.
This is the default username and password to access the Wazuh dashboard:
Username:
admin
Password:
SecretPassword
Refer to the Change the default password of Wazuh users section to learn more about additional security.
Note
To determine when the Wazuh indexer is up, the Wazuh dashboard container uses curl
to repeatedly send queries to the Wazuh indexer API (port 9200). You can expect to see several Failed to connect to Wazuh indexer port 9200
log messages or Wazuh dashboard server is not ready yet
until the Wazuh indexer is started. Then the setup process continues normally. It takes about 1 minute for the Wazuh indexer to start up. You can find the default Wazuh indexer credentials in the docker-compose.yml
file.
Change the default password of Wazuh users
We recommend changing the default Wazuh user's password to improve security.
There are two types of users on Wazuh Docker environments:
Wazuh indexer users
Wazuh server API users
Follow the steps below to change the password of these Wazuh users.
Note
Depending on your Wazuh Docker stack, you must run the commands from the wazuh-docker/single-node
or wazuh-docker/multi-node
directory.
Wazuh indexer users
The Wazuh indexer creates the admin
and kibanaserver
users by default. Follow the steps below to change their passwords.
Warning
You can only change one user’s password at a time.
If you have custom users, add them to the
config/wazuh_indexer/internal_users.yml
file in the deployment model directory. Otherwise, executing this procedure deletes them.
Logging out of your Wazuh dashboard
You need to log out of your Wazuh dashboard before starting the password change process. If you don't log out, persistent session cookies will cause errors when accessing Wazuh after changing user passwords.
Setting a new hash
Note
If your password contains the $
character, you must escape it by doubling it. For example, to set the password Secret$Password
in the docker-compose.yml
file, write it as Secret$$Password
.
Stop the stack if it’s running:
# docker-compose down
Run this command to generate the hash of your new password:
# docker run --rm -ti wazuh/wazuh-indexer:4.12.0 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
Once the container launches, input the new password and press Enter.
Copy the generated hash.
Open the
config/wazuh_indexer/internal_users.yml
file. Locate the block for the user whose password you want to change.Replace
<NEW_HASH>
with your hash values.admin
user... admin: hash: "<NEW_HASH>" reserved: true backend_roles: - "admin" description: "Demo admin user" ...
kibanaserver
user... kibanaserver: hash: "<NEW_HASH>" reserved: true description: "Demo kibanaserver user" ...
Setting the new password
Open the
docker-compose.yml
file. Change all occurrences of the old password with the new one. For example, for a single-node stack:admin
user... services: wazuh.manager: ... environment: - INDEXER_URL=https://wazuh.indexer:9200 - INDEXER_USERNAME=admin - INDEXER_PASSWORD=SecretPassword - FILEBEAT_SSL_VERIFICATION_MODE=full - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem - SSL_CERTIFICATE=/etc/ssl/filebeat.pem - SSL_KEY=/etc/ssl/filebeat.key - API_USERNAME=wazuh-wui - API_PASSWORD=MyS3cr37P450r.*- ... wazuh.indexer: ... environment: - "OPENSEARCH_JAVA_OPTS=-Xms1024m -Xmx1024m" ... wazuh.dashboard: ... environment: - INDEXER_USERNAME=admin - INDEXER_PASSWORD=SecretPassword - WAZUH_API_URL=https://wazuh.manager - DASHBOARD_USERNAME=kibanaserver - DASHBOARD_PASSWORD=kibanaserver - API_USERNAME=wazuh-wui - API_PASSWORD=MyS3cr37P450r.*- ...
kibanaserver
user... services: wazuh.dashboard: ... environment: - INDEXER_USERNAME=admin - INDEXER_PASSWORD=SecretPassword - WAZUH_API_URL=https://wazuh.manager - DASHBOARD_USERNAME=kibanaserver - DASHBOARD_PASSWORD=kibanaserver - API_USERNAME=wazuh-wui - API_PASSWORD=MyS3cr37P450r.*- ...
Applying the changes
After updating docker-compose.yml
file, restart the Wazuh Docker stack and reapply settings using the securityadmin.sh
tool.
Start the deployment stack.
# docker-compose up -d
Run
docker ps
and note the name of the first Wazuh indexer container. For example,single-node-wazuh.indexer-1
, ormulti-node-wazuh1.indexer-1
.Run
docker exec -it <WAZUH_INDEXER_CONTAINER_NAME> bash
to enter the container, where<WAZUH_INDEXER_CONTAINER_NAME>
is the name of the Wazuh indexer container. Usesingle-node-wazuh.indexer-1
for the single-node stack andmulti-node-wazuh1.indexer-1
for the multi-node stack:# docker exec -it single-node-wazuh.indexer-1 bash
Set the following variables:
export INSTALLATION_DIR=/usr/share/wazuh-indexer CACERT=$INSTALLATION_DIR/certs/root-ca.pem KEY=$INSTALLATION_DIR/certs/admin-key.pem CERT=$INSTALLATION_DIR/certs/admin.pem export JAVA_HOME=/usr/share/wazuh-indexer/jdk
Wait for the Wazuh indexer to initialize properly. The waiting time can vary from one to five minutes. It depends on the size of the cluster, the assigned resources, and the network speed. Then, run the
securityadmin.sh
script to apply all changes.Single-node stack
$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl
Multi-node stack
$ HOST=$(grep node.name $INSTALLATION_DIR/opensearch.yml | awk '{printf $2}') $ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl -h $HOST
Note
When working on Docker Desktop with a multi-node stack, use the
multi-node-wazuh1.indexer-1
IP address instead of the$HOST
variable.
Exit the Wazuh indexer container. Refresh the Wazuh dashboard and log in with the new credentials.
Wazuh server API users
The wazuh-wui
user is the default user for connecting to the Wazuh server API. Follow these steps to change the password.
Warning
The password for Wazuh server API users must be between 8 and 64 characters long and contain at least one uppercase and lowercase letter, number, and symbol. The Wazuh manager service will fail to start if these requirements are unmet.
Open the file
config/wazuh_dashboard/wazuh.yml
and modify the value ofpassword
parameter.... hosts: - 1513629884013: url: "https://wazuh.manager" port: 55000 username: wazuh-wui password: "MyS3cr37P450r.*-" run_as: false ...
Open the
docker-compose.yml
file. Change all occurrences of the old password with the new one.... services: wazuh.manager: ... environment: - INDEXER_URL=https://wazuh.indexer:9200 - INDEXER_USERNAME=admin - INDEXER_PASSWORD=SecretPassword - FILEBEAT_SSL_VERIFICATION_MODE=full - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem - SSL_CERTIFICATE=/etc/ssl/filebeat.pem - SSL_KEY=/etc/ssl/filebeat.key - API_USERNAME=wazuh-wui - API_PASSWORD=MyS3cr37P450r.*- ... wazuh.dashboard: ... environment: - INDEXER_USERNAME=admin - INDEXER_PASSWORD=SecretPassword - WAZUH_API_URL=https://wazuh.manager - DASHBOARD_USERNAME=kibanaserver - DASHBOARD_PASSWORD=kibanaserver - API_USERNAME=wazuh-wui - API_PASSWORD=MyS3cr37P450r.*- ...
Recreate the Wazuh containers:
# docker-compose down # docker-compose up -d
Refer to log in to the Wazuh server API via the command line to learn more.