
Installing Wazuh with Docker Compose


UPDATE: I removed the guide for version 3 that I had here before since it no longer worked. I did not have the time to test this yet - but here (copy below) is the new official guide for using Wazuh with Docker.

Deployment

You can deploy Wazuh as a single-node or multi-node stack.

  • Single-node deployment: Deploys one Wazuh manager, indexer, and dashboard node.
  • Multi-node deployment: Deploys two Wazuh manager nodes (one master and one worker), three Wazuh indexer nodes, and a Wazuh dashboard node.

Both deployments use persistence and allow configuring certificates to secure communications between nodes. The multi-node stack is the only deployment that provides high availability.

Single-node Deployment

  1. Clone the Wazuh repository to your system, then enter the single-node directory. Execute all the commands described below within this directory:

git clone https://github.com/wazuh/wazuh-docker.git -b stable --single-branch
cd wazuh-docker/single-node

  2. Provide a group of certificates for each node in the stack to secure communication between the nodes. You have two alternatives to provide these certificates: generate them or supply your own. We have created a Docker image to automate certificate generation using the Wazuh certs gen tool. If your system uses a proxy, add the following to the generate-indexer-certs.yml file. If not, skip this particular step:

environment:
  - HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS

A completed example looks like:

# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3'

services:
  generator:
    image: wazuh/wazuh-certs-generator:0.0.1
    hostname: wazuh-certs-generator
    volumes:
      - ./config/wazuh_indexer_ssl_certs/:/certificates/
      - ./config/certs.yml:/config/certs.yml
    environment:
      - HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS

Execute the following command to get the desired certificates:

docker-compose -f generate-indexer-certs.yml run --rm generator

This saves the certificates into the config/wazuh_indexer_ssl_certs directory. In case you have your own certificates, provision them as follows in the config/wazuh_indexer_ssl_certs directory:

Wazuh indexer:

config/wazuh_indexer_ssl_certs/root-ca.pem
config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem
config/wazuh_indexer_ssl_certs/wazuh.indexer.pem
config/wazuh_indexer_ssl_certs/admin.pem
config/wazuh_indexer_ssl_certs/admin-key.pem

Wazuh manager:

config/wazuh_indexer_ssl_certs/root-ca-manager.pem
config/wazuh_indexer_ssl_certs/wazuh.manager.pem
config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem

Wazuh dashboard:

config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem
config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem
config/wazuh_indexer_ssl_certs/root-ca.pem

  3. Start the Wazuh single-node deployment using docker-compose:
  • Foreground:
docker-compose up
  • Background:
docker-compose up -d
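
A pre-flight check for the certificate directory from step 2, meant to be run before docker-compose up. This is an added example, not part of the official guide or the wazuh-docker repository: the function names are hypothetical, the warning on world-readable private keys is an added hardening assumption, and the chain and key-match checks run only when openssl is installed.

```shell
#!/bin/sh
# Added example: pre-flight check for config/wazuh_indexer_ssl_certs.
# Each entry is "<pair>:<CA file>"; a pair is <pair>.pem plus <pair>-key.pem,
# using the file names listed in the guide.
PAIRS="wazuh.indexer:root-ca.pem admin:root-ca.pem
wazuh.manager:root-ca-manager.pem wazuh.dashboard:root-ca.pem"

expected_files() {                    # unique list of files the guide expects
  for p in $PAIRS; do
    name=${p%%:*}
    printf '%s\n' "${p##*:}" "$name.pem" "$name-key.pem"
  done | sort -u
}

missing_cert_files() {                # print missing/empty files; 1 if any
  rc=0
  for f in $(expected_files); do
    [ -s "$1/$f" ] || { echo "$1/$f"; rc=1; }
  done
  return $rc
}

exposed_keys() {                      # print world-readable keys; 1 if any
  found=$(find "$1" -name '*-key.pem' -perm -004 2>/dev/null)
  [ -z "$found" ] && return 0
  echo "$found"; return 1
}

check_pair() {                        # $1 = dir, $2 = "<pair>:<CA file>"
  name=${2%%:*}; ca=${2##*:}
  openssl verify -CAfile "$1/$ca" "$1/$name.pem" >/dev/null 2>&1 ||
    { echo "$name.pem does not verify against $ca"; return 1; }
  cert_pub=$(openssl x509 -in "$1/$name.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$1/$name-key.pem" -pubout -passin pass: 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "$name-key.pem does not match $name.pem"; return 1; }
}

check_cert_dir() {                    # 0 only if every check that ran passed
  dir=${1:-config/wazuh_indexer_ssl_certs}; bad=0
  exposed_keys "$dir" || bad=1
  missing_cert_files "$dir" || return 1
  command -v openssl >/dev/null 2>&1 || return $bad   # no openssl: skip crypto
  for p in $PAIRS; do check_pair "$dir" "$p" || bad=1; done
  return $bad
}
# Usage: check_cert_dir && docker-compose up -d
```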

The default username and password for the Wazuh dashboard are admin and SecretPassword. For additional security, you can change the default password for the Wazuh indexer admin user.

To know when the Wazuh indexer is up, the Wazuh dashboard container uses curl to run multiple queries to the Wazuh indexer API. You can expect to see several “Failed to connect to Wazuh indexer port 9200” log messages or “Wazuh dashboard server is not ready yet” until the Wazuh indexer is started. Then the setup process continues normally. It takes about 1 minute for the Wazuh indexer to start up. You can find the default Wazuh indexer credentials in the docker-compose.yml file.

Exposed ports

By default, the stack exposes the following ports:

Port     Description
1514     Wazuh TCP
1515     Wazuh TCP
514      Wazuh UDP
55000    Wazuh API
9200     Wazuh indexer HTTPS
443      Wazuh dashboard HTTPS