Wazuh Docker utilities

After installing the Wazuh-Docker containers, you can perform several tasks to get the most out of your Wazuh installation.

Access to services and containers

  1. Access the Wazuh dashboard using the Docker host IP address. For example, use https://localhost if you are on the Docker host.

    Note

    If you use a self-signed certificate, your browser warns that it cannot verify the certificate's authenticity.

  2. Enroll the agents by following the standard enrollment process and using the Docker host address as the manager address. For more information, see the Wazuh agent enrollment documentation.

  3. From the directory where the Wazuh docker-compose.yml file is located, list the containers:

    # docker-compose ps
    
    NAME                            COMMAND                  SERVICE             STATUS              PORTS
    single-node-wazuh.dashboard-1   "/entrypoint.sh"         wazuh.dashboard     running             443/tcp, 0.0.0.0:443->5601/tcp
    single-node-wazuh.indexer-1     "/entrypoint.sh open…"   wazuh.indexer       running             0.0.0.0:9200->9200/tcp
    single-node-wazuh.manager-1     "/init"                  wazuh.manager       running             0.0.0.0:1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, 0.0.0.0:55000->55000/tcp, 1516/tcp
    
  4. Run the command below from the directory where the docker-compose.yml file is located to access the command line of each container:

    # docker-compose exec <SERVICE> bash
    

Wazuh service data volumes

You can store Wazuh configuration and log files outside their containers. The files then persist after the containers are removed, and you can provision custom configuration files to your containers.

You need multiple volumes to ensure persistence on a Wazuh container. The following is an example of a docker-compose.yml with persistent volumes:

services:
  wazuh:
    . . .
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration

volumes:
  wazuh_api_configuration:

You can list persistent volumes with docker volume ls:

DRIVER              VOLUME NAME
local               single-node_wazuh_api_configuration

Storage volume for Wazuh indexer and dashboard

You can also attach a volume to store Wazuh indexer data. By default, the single-node and multi-node deployments already have volumes configured. The docker-compose.yml excerpt below shows an example of a single-node Wazuh indexer volume:

wazuh.indexer:
    . . .
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer

    . . .

volumes:
  wazuh-indexer-data:

Custom commands and scripts

To execute commands in the Wazuh manager container, open a shell in it:

# docker exec -it single-node-wazuh.manager-1 bash

Every change made in this shell persists as long as you have the data volumes configured correctly.
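
The check below is an added example, not part of the Wazuh documentation or the Wazuh project's code. It reports whether a file you edit in a container shell sits under a volume or bind mount and so survives container removal. The function names and the sample file paths are assumptions; the two mount destinations are the ones used on this page.

```shell
#!/bin/sh
# Added example: will a file edited in a container shell survive container removal?

# list_mounts CONTAINER: print each mount destination on its own line (requires Docker).
list_mounts() {
    docker inspect -f '{{range .Mounts}}{{println .Destination}}{{end}}' "$1"
}

# covering_mount PATH: read mount destinations on stdin and print the longest one
# that contains PATH. Returns 1 when PATH lies only in the container's writable layer.
covering_mount() {
    path=${1%/}
    best=
    while IFS= read -r dest; do
        dest=${dest%/}
        [ -n "$dest" ] || continue
        case "$path/" in
            # The trailing slash keeps /a/conf from matching /a/conf-backup.
            "$dest"/*) if [ "${#dest}" -gt "${#best}" ]; then best=$dest; fi ;;
        esac
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# check_paths MOUNTS PATH...: classify each PATH against newline-separated MOUNTS.
# Returns 1 if at least one PATH is not backed by a mount.
check_paths() {
    mounts=$1
    shift
    rc=0
    for p in "$@"; do
        if m=$(printf '%s\n' "$mounts" | covering_mount "$p"); then
            printf 'persistent  %s  (mount: %s)\n' "$p" "$m"
        else
            printf 'ephemeral   %s\n' "$p"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample, not real output: the two mount destinations shown on this page.
SAMPLE_MOUNTS='/var/ossec/api/configuration
/var/lib/wazuh-indexer'
# The file paths below are constructed for illustration.
check_paths "$SAMPLE_MOUNTS" \
    /var/ossec/api/configuration/example.yaml \
    /var/ossec/api/configuration-backup/example.yaml \
    /tmp/notes.txt || true
# Live use: check_paths "$(list_mounts single-node-wazuh.manager-1)" /path/to/file
```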