Wazuh
Purpose
Wazuh is an open-source intrusion detection and prevention system (IDS/IPS) that monitors and analyzes logs from various sources to detect potential threats. This Docker container provides a robust platform for deploying Wazuh on your local machine or cloud environment, enhancing security by providing real-time monitoring and alerting.
Prerequisites
- Docker: Ensure you have Docker installed on your system.
- Network Configuration: Make sure the necessary ports are open for communication between Wazuh and the network devices or applications you want to monitor.
Steps to Deploy
- Pull the Wazuh Image: Start by pulling the official Wazuh Docker image from Docker Hub:

```shell
docker pull wazuh/wazuh-manager
```
- Create a Configuration Directory: Create a directory to store configuration files for Wazuh. This is typically named `/etc/wazuh`. You can create it using the following command:

```shell
sudo mkdir -p /etc/wazuh
```
- Copy Wazuh Configuration Files: Copy the necessary Wazuh configuration files from a pre-configured directory to your new configuration directory. This might include `wazuh.conf`, `ossec.conf`, and any other required files:

```shell
sudo cp -r /path/to/preconfigured/wazuh/etc/* /etc/wazuh/
```
- Start the Wazuh Container: Use Docker to start a container with Wazuh running, mounting your configuration directory into the container:

```shell
docker run -d --name wazuh \
  -v /etc/wazuh:/etc/wazuh \
  --restart unless-stopped \
  -p 1514:1514/udp \
  -p 10050:10050 \
  wazuh/wazuh-manager
```
Here’s a breakdown of the command:

- `-d`: Run the container in detached mode.
- `--name wazuh`: Name the container “wazuh”.
- `-v /etc/wazuh:/etc/wazuh`: Mount the local `/etc/wazuh` directory into the container at `/etc/wazuh`.
- `--restart unless-stopped`: Ensure the container restarts automatically if it stops.
- `-p 1514:1514/udp`: Map port 1514 from the host to port 1514 in the container for communication with agents.
- `-p 10050:10050`: Map port 10050 from the host to port 10050 in the container for web interface access.
- Access the Wazuh Web Interface: Once the container is running, you can access the Wazuh web interface by navigating to `http://localhost:10050` in your web browser. Use the default credentials (admin/admin) to log in and start monitoring your network and systems.
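The deployment steps above can be wrapped in a small pre-flight script that verifies the configuration directory holds the files the post says to copy in, checks whether the two host ports are already bound, and prints (or runs) the same `docker run` command. This is an added example, not code from the post or from the Wazuh project; it assumes the post's paths, ports and file names, and the `WAZUH_CONF_DIR` and `DRY_RUN` variable names are this script's own.

```shell
#!/bin/sh
# Pre-flight helper for the docker run command above (added example, not from the post).
# Assumes the post's config dir (/etc/wazuh), ports (1514/udp, 10050/tcp) and image.

WAZUH_CONF_DIR="${WAZUH_CONF_DIR:-/etc/wazuh}"
WAZUH_IMAGE="wazuh/wazuh-manager"

# Return 0 if the directory exists and contains every file the post lists
# (wazuh.conf, ossec.conf); otherwise report what is missing and return 1.
check_config_dir() {
    dir="$1"; missing=""
    [ -d "$dir" ] || { echo "config dir $dir does not exist" >&2; return 1; }
    for f in wazuh.conf ossec.conf; do
        [ -f "$dir/$f" ] || missing="$missing $f"
    done
    [ -z "$missing" ] || { echo "missing in $dir:$missing" >&2; return 1; }
    return 0
}

# Warn (on stderr) if something on the host already listens on proto/port,
# which would make the -p mapping fail. Uses ss from iproute2 when available.
warn_if_bound() {
    proto="$1"; port="$2"
    command -v ss >/dev/null 2>&1 || { echo "ss not found, skipping port check" >&2; return 0; }
    if [ "$proto" = udp ]; then flag=-lun; else flag=-ltn; fi
    if ss "$flag" 2>/dev/null | grep -q ":$port[[:space:]]"; then
        echo "warning: $proto/$port is already in use on the host" >&2
    fi
    return 0
}

# Print the docker run command for the given config dir, with the post's flags.
build_run_cmd() {
    printf 'docker run -d --name wazuh -v %s:/etc/wazuh --restart unless-stopped -p 1514:1514/udp -p 10050:10050 %s\n' \
        "$1" "$WAZUH_IMAGE"
}

# Run the checks, then print the command (DRY_RUN=1, the default) or execute it.
# The config path is assumed to contain no spaces, since the command is eval'd.
deploy() {
    check_config_dir "$WAZUH_CONF_DIR" || return 1
    warn_if_bound udp 1514
    warn_if_bound tcp 10050
    if [ "${DRY_RUN:-1}" = 1 ]; then
        build_run_cmd "$WAZUH_CONF_DIR"
    else
        eval "$(build_run_cmd "$WAZUH_CONF_DIR")"
    fi
}
```

Source the file and call `DRY_RUN=0; deploy` once the printed command looks right.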
Notes
- Agent Installation: Ensure that any Wazuh agents are properly configured and registered with the Wazuh manager.
- Logging Configuration: Customize logging settings in `wazuh.conf` to suit your needs, including rotation policies and output targets.
- Security Considerations: Regularly update Wazuh and its components to ensure security patches are applied.
For more detailed instructions or troubleshooting, refer to the Wazuh documentation.
Conclusion
Wazuh provides a comprehensive solution for monitoring and securing your network infrastructure. By deploying it using Docker, you gain flexibility in deployment options and easy access to powerful security features. Happy monitoring with Wazuh!
This post is licensed under CC BY 4.0 by the author.