Wazuh Docker deployment
Usage
Wazuh can be deployed as a single-node or multi-node stack:
Single-node deployment: A Wazuh manager node, Wazuh indexer node, and Wazuh dashboard node will be deployed.
Multi-node deployment: Two Wazuh manager nodes (one master and one worker), three Wazuh indexer nodes, and a Wazuh dashboard node will be deployed.
Both deployments use persistence and allow configuring certificates to secure communications between nodes. The multi-node stack is the only deployment that contains high availability.
Single-node Deployment
Clone the Wazuh repository to your system:
$ git clone https://github.com/wazuh/wazuh-docker.git -b v4.3.6 --depth=1
Then enter into the
single-nodedirectory. All the commands described below are executed within this directory. For additional security, the default password for the Wazuh indexer administrator user can be changed.Secure traffic between the deployment nodes using certificates:
To secure communication between the nodes, you need to provide a group of certificates for each node in the stack. There are two alternatives to provide these certificates:
Generate self-signed certificates for each node of the cluster.
We have created a Docker image to automate certificate generation using the Wazuh certs gen tool. If your system uses a proxy, add the following to the
generate-indexer-certs.ymlfile. If not, skip this particular step:environment: - HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS
A completed example looks like:
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) version: '3' services: generator: image: wazuh/wazuh-certs-generator:0.0.1 hostname: wazuh-certs-generator volumes: - ./config/wazuh_indexer_ssl_certs/:/certificates/ - ./config/certs.yml:/config/certs.yml environment: - HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS
Modify the file
config/certs.ymland execute the following command to obtain the desired certificates:$ docker-compose -f generate-indexer-certs.yml run --rm generatorThis will save the certificates into the
config/wazuh_indexer_ssl_certsdirectory.Provide your own certificates for each node.
In the case of having your own certificates, they must be provisioned as follows:
Wazuh Indexer:
config/wazuh_indexer_ssl_certs/root-ca.pem config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem config/wazuh_indexer_ssl_certs/wazuh.indexer.pem config/wazuh_indexer_ssl_certs/admin.pem config/wazuh_indexer_ssl_certs/admin-key.pem
Wazuh Manager:
config/wazuh_indexer_ssl_certs/root-ca-manager.pem config/wazuh_indexer_ssl_certs/wazuh.manager.pem config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem
Wazuh Dashboard:
config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem config/wazuh_indexer_ssl_certs/root-ca.pem
Check that there is a
docker-compose.ymlfile. Start Wazuh usingdocker-compose:Foreground:
$ docker-compose up
Background:
$ docker-compose up -d
The default username and password for the Wazuh dashboard are “admin” and “SecretPassword”.
Note
The Wazuh dashboard container will run multiple queries to the Wazuh indexer API using curl, to verify if the Wazuh indexer is up. It is expected to see several Failed to connect to Wazuh indexer port 9200 log messages or “Wazuh dashboard server is not ready yet” until the Wazuh indexer is started. Then the setup process will continue normally, it takes about 1 minute for the Wazuh indexer to start up. The default Wazuh indexer credentials are in the docker-compose.yml file.
Multi-node deployment
Clone the Wazuh repository to your system:
$ git clone https://github.com/wazuh/wazuh-docker.git -b v4.3.6 --depth=1
Then enter into the
multi-nodedirectory, all the commands described below are executed within this directory. For additional security, the default password for the Wazuh indexer admin user can be changed.
Secure traffic between the deployment nodes using certificates:
To secure communications between the nodes, you need to provide a group of certificates for each node in the stack. There are two alternatives to provide these certificates:
Generate self-signed certificates for each node of the cluster.
We have created a Docker image to automate certificate generation using the Wazuh certs gen tool. If your system uses a proxy, add the following to the
generate-indexer-certs.ymlfile. If not skip to skip this particular step:environment: - HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS
A completed example looks like:
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) version: '3' services: generator: image: wazuh/wazuh-certs-generator:0.0.1 hostname: wazuh-certs-generator volumes: - ./config/wazuh_indexer_ssl_certs/:/certificates/ - ./config/certs.yml:/config/certs.yml environment: - HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS
Modify the file
config/certs.ymland execute the following command to obtain the desired certificates:$ docker-compose -f generate-indexer-certs.yml run --rm generatorThis will save the certificates into the
config/wazuh_indexer_ssl_certsdirectory.Provide your own certificates for each node.
In the case of having your own certificates, they must be provisioned as follows:
Wazuh Indexer:
config/wazuh_indexer_ssl_certs/root-ca.pem config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem config/wazuh_indexer_ssl_certs/admin.pem config/wazuh_indexer_ssl_certs/admin-key.pem
Wazuh Manager:
config/wazuh_indexer_ssl_certs/root-ca-manager.pem config/wazuh_indexer_ssl_certs/wazuh.master.pem config/wazuh_indexer_ssl_certs/wazuh.master-key.pem config/wazuh_indexer_ssl_certs/wazuh.worker.pem config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem
Wazuh Dashboard:
config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem config/wazuh_indexer_ssl_certs/root-ca.pem
Check that there is a
docker-compose.ymlfile. Start Wazuh usingdocker-compose:Foreground:
$ docker-compose up
Background:
$ docker-compose up -d
The default username and password for the Wazuh dashboard are “admin” and “SecretPassword”.
Note
The Wazuh dashboard container will run multiple queries to the Wazuh indexer API using curl, to verify if the Wazuh indexer is up. It is expected to see several Failed to connect to Wazuh indexer port 9200 log messages or “Wazuh dashboard server is not ready yet”, until the Wazuh indexer is started. Then the setup process will continue normally, it takes about 1 minute for the Wazuh indexer to start up. The default Wazuh indexer credentials are in the docker-compose.yml file.
Build docker images locally
The Wazuh manager, indexer, and dashboard images can be modified and built locally.
Clone the Wazuh repository to your system:
$ git clone https://github.com/wazuh/wazuh-docker.git -b v4.3.6 --depth=1
Enter into the
build-docker-imagesdirectory and build the Wazuh manager, indexer, and dashboard images:
$ docker-compose build
Customize default users
You can customize users on the Wazuh indexer container by mounting your own internal_users.yml. The default password for the Wazuh indexer administrator user can be changed to provide additional security:
- ./config/wazuh-indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
It is possible to generate a hash using the same Docker image, type in a secure password when prompted and replace the hash in internal_users.yml:
docker run --rm -ti wazuh/wazuh-indexer:4.3.6 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
Exposed ports
By default, the stack exposes the following ports:
1514 |
Wazuh TCP |
1515 |
Wazuh TCP |
514 |
Wazuh UDP |
55000 |
Wazuh API |
9200 |
Wazuh indexer HTTPS |
443 |
Wazuh dashboard HTTPS |
Note
Configuration is not dynamically reloaded, so it is necessary to restart the stack after changing the configuration of a component.