The Kibana default configuration is stored in
kibana: ... volumes: - ./custom_kibana.yml:/usr/share/kibana/config/kibana.yml
Read here to know more about the variables you can use on this image.
The Elasticsearch container uses the default configuration and it is not exposed by default.
If you want to override the default configuration, create a file
elasticsearch/config/elasticsearch.yml and put your custom version of the configuration in it.
Then map your configuration file inside the container in the
docker-compose.yml. Update the elasticsearch container declaration to:
elasticsearch: image: wazuh/wazuh-elasticsearch:latest ports: - "9200:9200" - "9300:9300" environment: ES_JAVA_OPTS: "-Xms1g -Xmx1g" networks: - docker_elk
The data stored in Wazuh will persist after container reboots but not after container removal.
In order to preserve Wazuh data even after removing the Wazuh container, you’ll have to mount a volume on your Docker host. Update the Wazuh container declaration in the
docker-compose.yml to look like this:
wazuh: ... volumes: - ossec_api_configuration:/var/ossec/api/configuration - ossec_etc:/var/ossec/etc - ossec_logs:/var/ossec/logs - ossec_queue:/var/ossec/queue - ossec_var_multigroups:/var/ossec/var/multigroups - ossec_integrations:/var/ossec/integrations - ossec_active_response:/var/ossec/active-response/bin - ossec_agentless:/var/ossec/agentless - ossec_wodles:/var/ossec/wodles - filebeat_etc:/etc/filebeat - filebeat_var:/var/lib/filebeat
This will store Wazuh data inside these volumes in the Docker host’s local file system.
The data stored in Elasticsearch will persist after container reboots but not after container removal.
In order to preserve Elasticsearch data even after removing the Elasticsearch container, you’ll have to mount a volume on your Docker host. Update the elasticsearch container declaration in the
docker-compose.yml file to look like this:
elasticsearch: ... volumes: - elastic-data:/usr/share/elasticsearch/data
This will store elasticsearch data inside
elastic-data volume in the Docker host’s local file system.
Wazuh expects an SMTP relay in the config, usually on a VM you can install it on the same host (as described on this blog post), but in a container environment an individual service is recommended.
The role of an SMTP relay is to forward the mail notifications from Wazuh to a valid mail server, in this example we are accepting unauthenticated mail from the manager and forwarding it to the SMTP service by using valid credentials.
You may use a docker image for SMTP relay as the following example:
We are using eeacms/postfix but there are several options available.
postfix: image: eeacms/postfix:2.10-3.6 hostname: wazuh-smtp restart: unless-stopped environment: - MTP_RELAY=mymail.example.com - MTP_PORT=25 - MTP_USER=username - MTP_PASS=password - MTP_HOST=mymail.example.com
You could also use a third party service like Sendgrid:
postfix: image: eeacms/postfix:2.10-3.6 hostname: wazuh-smtp restart: unless-stopped environment: - MTP_RELAY=smtp.sendgrid.net - MTP_PORT=587 - MTP_USER=apikey - MTP_PASS=secret-key - MTP_HOST=mailer.example.com