
Simplify Your Security: How to Deploy Wazuh Using Docker Compose
In today’s complex digital landscape, robust security monitoring is no longer a luxury—it’s a necessity. Wazuh stands out as a powerful, open-source security platform, offering comprehensive Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) capabilities. While its power is immense, deploying it can seem daunting. Fortunately, using Docker Compose transforms this process into a streamlined, efficient, and highly manageable task.
This guide provides a clear, step-by-step walkthrough for deploying a full Wazuh stack using Docker Compose, empowering you to bolster your security posture in minutes.
Why Use Docker Compose for Your Wazuh Deployment?
Before diving into the “how,” let’s understand the “why.” Deploying Wazuh with Docker Compose offers several significant advantages:
- Simplicity and Speed: Instead of manually configuring and launching multiple components, Docker Compose uses a single YAML file to define and run the entire Wazuh environment—including the indexer, manager, and dashboard.
- Consistency: Docker ensures your Wazuh deployment is consistent across any environment, from a local development machine to a production server. This eliminates “it works on my machine” issues.
- Scalability: While this guide covers a single-node deployment, the containerized architecture makes it easier to scale components as your monitoring needs grow.
- Easy Management: Starting, stopping, and updating your Wazuh stack is as simple as running a single command.
Prerequisites
To get started, you need the following on your host system:
- Docker: The underlying containerization engine.
- Docker Compose: The tool for defining and running multi-container Docker applications. Current Docker releases ship Compose v2 as the docker compose plugin; if that is what you have, read every docker-compose command in this guide as docker compose.
- A kernel setting for the indexer: The Wazuh indexer is built on OpenSearch and will not start unless the host's vm.max_map_count is at least 262144. Raise it with sysctl before launching the stack and persist it in sysctl.conf so it survives a reboot.
Ensure Docker and Compose are up to date to avoid potential compatibility issues.
Step-by-Step Wazuh Deployment Guide
Follow these steps to get your Wazuh environment up and running quickly.
Step 1: Obtain the Official Docker Compose Configuration
First, you need the official Wazuh Docker project files. The easiest way to get them is by cloning the repository from GitHub. Open your terminal and run the following command:
git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.4 --depth=1
Navigate into the newly created directory for a single-node deployment:
cd wazuh-docker/single-node
This directory contains the docker-compose.yml file, the Compose file used to generate certificates, and the config/ tree (manager, indexer and dashboard configuration) that is bind-mounted into the containers.
Step 2: Generate Security Certificates
Wazuh components communicate over mutually authenticated TLS. To enable this, you must first generate the required certificates. The repository includes a helper Compose file, generate-indexer-certs.yml, for this exact purpose; it takes the node names from config/certs.yml and writes the certificates to config/wazuh_indexer_ssl_certs/.
Run the following command to generate the certificates. This process may take a few moments.
docker-compose -f generate-indexer-certs.yml run --rm generator
This command temporarily runs a generator container that creates the certificates and places them in config/wazuh_indexer_ssl_certs/, a directory the main docker-compose.yml bind-mounts into the indexer, manager (for Filebeat) and dashboard containers; the --rm flag removes the generator container once it exits. Treat that directory as sensitive: it holds the root CA key and the admin client key, and whoever has the admin key can rewrite the indexer's security configuration.
Step 3: Launch the Wazuh Stack
With the certificates in place, you are ready to launch the entire Wazuh platform. This single command will download the necessary container images (if you don’t have them already) and start the Wazuh indexer, manager, and dashboard services.
Execute the following command to start the services in the background:
docker-compose up -d
The -d flag runs the containers in detached mode, meaning they will continue to run in the background after you close your terminal.
Step 4: Verify the Deployment
To confirm that everything is running correctly, you can list the active containers managed by Docker Compose.
docker-compose ps
You should see three containers listed with a running or Up status. With Docker Compose v1 they are named single-node_wazuh.indexer_1, single-node_wazuh.manager_1 and single-node_wazuh.dashboard_1; Compose v2 uses hyphens instead (single-node-wazuh.indexer-1, and so on). Give the indexer a minute or two to initialize on first start: the dashboard does not become usable until it can reach the indexer on port 9200, so check the ps output again rather than assuming a failure.
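To automate the check above, here is an added Python example (it is not part of wazuh-docker or the original guide) that reads the JSON form of the ps output, docker compose ps --format json, and confirms that all three services are in the running state. The field names Service, State and Status, and the sample records embedded in the script, are assumptions about Compose v2's JSON output; matching on the service name rather than the container name makes the check independent of the v1/v2 naming difference.

```python
"""Post-deployment check for the single-node Wazuh stack.

Added example, not part of the wazuh-docker project. Feed it the output of
`docker compose ps --format json` (Compose v2) on stdin and it confirms that
the three services the compose file defines are all in the "running" state.
Matching on the Service field rather than the container name sidesteps the
naming difference between Compose v1 (single-node_wazuh.manager_1) and
Compose v2 (single-node-wazuh.manager-1).
"""
import json
import sys

EXPECTED_SERVICES = ("wazuh.indexer", "wazuh.manager", "wazuh.dashboard")


def parse_compose_ps(text):
    """Accept either a JSON array or one JSON object per line (newer
    Compose releases emit the latter) and return a list of records."""
    text = text.strip()
    if not text:
        return []
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_stack(records, expected=EXPECTED_SERVICES):
    """Map each expected service that is missing or not running to a short
    reason; an empty dict means the stack looks healthy."""
    by_service = {r.get("Service"): r for r in records}
    problems = {}
    for svc in expected:
        rec = by_service.get(svc)
        if rec is None:
            problems[svc] = "container not found"
        elif rec.get("State") != "running":
            problems[svc] = "state is %s (%s)" % (rec.get("State"), rec.get("Status", "?"))
    return problems


# Constructed sample (not captured from a real host): the indexer is up, the
# dashboard is still restarting and the manager container is absent.
SAMPLE_PS_OUTPUT = """
{"Name":"single-node-wazuh.indexer-1","Service":"wazuh.indexer","State":"running","Status":"Up 2 minutes"}
{"Name":"single-node-wazuh.dashboard-1","Service":"wazuh.dashboard","State":"restarting","Status":"Restarting (1) 5 seconds ago"}
"""

if __name__ == "__main__":
    # Usage: docker compose ps --format json | python check_stack.py
    # Without piped input the constructed sample above is checked instead.
    data = SAMPLE_PS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    problems = check_stack(parse_compose_ps(data))
    for svc, why in problems.items():
        print("FAIL %-16s %s" % (svc, why))
    if not problems:
        print("OK: wazuh.indexer, wazuh.manager and wazuh.dashboard are running")
    sys.exit(1 if problems else 0)
```

Run it from the single-node directory after docker-compose up -d; a non-zero exit code makes it usable as a gate in a provisioning script, and the per-service reason tells you whether a container never started or is cycling.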
Accessing the Wazuh Dashboard and Finding Your Password
Once the containers are running, the Wazuh web interface is ready to be accessed.
Open your web browser and navigate to:
https://localhost
You will see a browser warning because the dashboard presents the self-signed certificate you generated in Step 2. That is expected for a lab deployment on your own machine. For anything reachable by other people, replace the dashboard certificate with one issued by a CA their browsers trust rather than teaching users to click through the warning.
You will be prompted for a username and password. The default username is admin.
This deployment does not generate a random initial password, and there is nothing to grep out of the manager logs. The admin password is the value of INDEXER_PASSWORD in docker-compose.yml, which ships as SecretPassword, so the first login is admin with password SecretPassword. Because that value is published in the repository, treat the instance as effectively unauthenticated until you change it (see the next section).
Actionable Security Tips and Next Steps
Your Wazuh instance is now live. Here are some crucial next steps and security best practices:
- Change the Default Passwords Immediately: Every credential in docker-compose.yml is a published default: admin / SecretPassword for the indexer and the dashboard login, kibanaserver / kibanaserver for the dashboard's service user, and wazuh-wui / MyS3cr37P450r.*- for the Wazuh server API. Changing the admin password is not a single dashboard click, because the indexer keeps password hashes in config/wazuh_indexer/internal_users.yml. The documented procedure is to generate a new bcrypt hash with the hash.sh tool in the indexer image, replace the admin hash in internal_users.yml, set the matching plaintext INDEXER_PASSWORD in both the manager and dashboard services of docker-compose.yml, recreate the stack, and run securityadmin.sh inside the indexer container to load the updated users file. Rotate DASHBOARD_PASSWORD and API_PASSWORD as well, keeping each value identical in every service that references it; a mismatch silently breaks the dashboard's access to the indexer or to the API. The Wazuh API requires at least eight characters with upper case, lower case, a digit and a symbol. Use long random values; the containers type them, not you.
- Deploy Wazuh Agents: A Wazuh server is only useful when it receives data. The next logical step is to install and configure Wazuh agents on the endpoints (servers, workstations, cloud instances) you want to monitor. The dashboard provides easy-to-follow instructions for deploying agents on various operating systems.
- Manage Resources: Keep an eye on the CPU and memory usage of your Docker host. A production Wazuh deployment, especially the indexer, can be resource-intensive as you add more agents.
- Understand Data Persistence: The provided docker-compose.yml file uses named Docker volumes for the manager's state and the indexer's data, and bind-mounts the config/ tree. Your configuration and collected security data survive docker-compose stop, restart and up, but docker-compose down -v deletes the named volumes along with every alert and index they contain, so never add -v to a routine restart and back up the volumes before upgrading.
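A practical way to enforce the first tip before the stack is exposed: the following added Python example (not part of wazuh-docker or the original guide) parses the environment entries of docker-compose.yml, flags any value still equal to a shipped default, and reports credential keys whose values differ between services, the half-rotated state that breaks the dashboard. The SAMPLE_COMPOSE text is constructed here to mirror the repository's layout and default values; it is not the repository file, and the line-oriented parser assumes the two-space indentation the repository uses.

```python
"""Audit a wazuh-docker compose file for shipped default credentials.

Added example, not part of the wazuh-docker project. The single-node
docker-compose.yml passes every credential as an `environment:` entry of
the form `- KEY=VALUE`, so a line-oriented parse is enough here; no YAML
library is required.
"""
import re
import sys

# Credentials as shipped in wazuh-docker single-node/docker-compose.yml.
SHIPPED_DEFAULTS = {
    "INDEXER_PASSWORD": "SecretPassword",    # indexer 'admin', also the dashboard login
    "DASHBOARD_PASSWORD": "kibanaserver",    # indexer 'kibanaserver' service user
    "API_PASSWORD": "MyS3cr37P450r.*-",      # Wazuh server API 'wazuh-wui' user
}

# Service names sit two spaces under 'services:'; env entries are list items.
SERVICE_RE = re.compile(r"^  ([A-Za-z0-9_.-]+):\s*$")
ENV_RE = re.compile(r"^\s*-\s*([A-Z][A-Z0-9_]*)=(.*?)\s*$")


def parse_env(text):
    """Map each service name to a dict of its KEY=VALUE environment entries."""
    env = {}
    service = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            service = m.group(1)
            env.setdefault(service, {})
            continue
        m = ENV_RE.match(line)
        if m and service is not None:
            env[service][m.group(1)] = m.group(2).strip("\"'")
    return env


def default_credentials(env):
    """Return sorted (service, key) pairs whose value is still a shipped default."""
    return sorted(
        (svc, key)
        for svc, entries in env.items()
        for key, value in entries.items()
        if SHIPPED_DEFAULTS.get(key) == value
    )


def mismatched_keys(env):
    """Return credential keys whose value differs between services. The
    manager and dashboard must agree on INDEXER_PASSWORD and API_PASSWORD,
    otherwise one of them cannot authenticate after a partial rotation."""
    seen = {}
    for entries in env.values():
        for key, value in entries.items():
            if key in SHIPPED_DEFAULTS:
                seen.setdefault(key, set()).add(value)
    return sorted(key for key, values in seen.items() if len(values) > 1)


# Constructed sample mirroring the repository layout: only the dashboard's
# API_PASSWORD has been rotated; everything else is still the default.
SAMPLE_COMPOSE = """\
services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.7.4
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.7.4
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=R0tated-Api!Passw0rd
"""

if __name__ == "__main__":
    # Usage: python audit_compose.py [path/to/docker-compose.yml]
    # Without an argument the constructed sample above is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSE
    env = parse_env(text)
    defaults, mismatches = default_credentials(env), mismatched_keys(env)
    for svc, key in defaults:
        print("DEFAULT  %-16s %s" % (svc, key))
    for key in mismatches:
        print("MISMATCH %s differs between services" % key)
    sys.exit(1 if defaults or mismatches else 0)
```

Point it at the real single-node/docker-compose.yml after you rotate credentials; a clean run (exit code 0) means no published default remains and every service carries the same value for each shared secret, which is exactly the state the manual rotation procedure above must reach before the dashboard and Filebeat can authenticate.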
By following this guide, you have successfully leveraged Docker Compose to deploy a powerful security monitoring platform. This streamlined approach not only saves time but also provides a stable and replicable foundation for protecting your critical infrastructure.
Source: https://centlinux.com/wazuh-docker-compose/