Streamline Security: Wazuh in Docker with Kali
Deploy Wazuh in Docker for real-time threat detection and compliance
If you are a security professional, chances are you are already familiar with SIEM (Security Information and Event Management) tooling, used daily by SOC analysts and security engineers. In this homelab cybersecurity series I walk you step by step through a single-node Wazuh deployment using Docker on a Kali machine.
Before that, let's understand Wazuh and its architecture:
Wazuh
Wazuh is an open source security platform that combines XDR (Extended Detection and Response) and SIEM capabilities to protect endpoints and cloud workloads. It has three major components:
- Wazuh Server: receives and analyzes the data sent by the agents, generates alerts and manages agent enrollment
- Wazuh Indexer: stores and indexes alerts and events so they can be searched and visualized (one indexer node is enough for this homelab; larger deployments run it as a cluster)
- Wazuh Dashboard: the web interface for visualizing alerts and managing the deployment
Features
- Endpoint Security: Configuration Assessment, Malware Detection, File Integrity Monitoring
- Threat Intelligence: Threat Hunting, Log Data Analysis, Vulnerability Detection.
- Security Operations: Incident Response, Regulatory Compliance, IT Hygiene
- Cloud Security: Container Security, Posture Management, Workload Protection
Now the question comes: why use Docker for the Wazuh installation?
Because it gives flexibility, a light footprint and portability: the whole stack (server, indexer and dashboard) is described in one compose file, comes up with a single command and can be torn down and rebuilt without touching the host.
Prerequisites:
- Docker installed. If it is not, update the system first and then install it:
sudo apt update && sudo apt upgrade -y
sudo apt install docker.io
- Docker Compose installed (the upstream compose files work with either the docker-compose binary or the docker compose plugin; the commands below use both spellings):
sudo docker-compose --version
- Docker service started and enabled at boot:
sudo systemctl start docker
sudo systemctl enable docker
- The Wazuh indexer needs the kernel parameter vm.max_map_count set to at least 262144; on the Linux default of 65530 the indexer container exits shortly after start, so raise it with sysctl before bringing the stack up.
In this homelab I use the single-node deployment, so let's clone the official Wazuh GitHub repository and change into the single-node directory.
1. Clone the repository at the release you want to run (v4.9.2 here):
git clone https://github.com/wazuh/wazuh-docker.git -b v4.9.2
2. Change into wazuh-docker/single-node and generate the self-signed certificates used between indexer, server and dashboard:
docker-compose -f generate-indexer-certs.yml run --rm generator
3. Bring the stack up. The -d flag runs it in the background; leave it off (docker compose up) if you want to watch the logs in the foreground:
docker compose up -d
4. Check that the three containers (manager, indexer and dashboard) are running:
sudo docker ps
5. Open https://localhost (or https://<local-ip>) on port 443 in your browser to reach the Wazuh dashboard. The default username is admin and the default password is SecretPassword.
6. Change the default password before exposing the dashboard to anything beyond your lab. In the Docker deployment the admin credential is defined in docker-compose.yml and in the indexer's internal_users.yml, so changing it in the UI alone is not enough; follow the password-change procedure from the Wazuh Docker documentation.
7. Open the hamburger menu and click Endpoint Summary under Server management.
8. Click Deploy new agent.
9. Select the operating system that matches your endpoint. In our case it is a Kali machine, which is Debian-based, so pick the Debian (DEB) option.
10. The dashboard generates an install command tailored to your selection (package, manager address and agent name). Run it, then enable and start the agent service:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
11. After a successful agent deployment the endpoint appears as Active in the Endpoints list.
12. The endpoint dashboard then looks like this:
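The checks a practitioner would run after the steps above, as an added example that is not code from the original post or from the Wazuh project. The script verifies the three things that most often go wrong with this deployment: vm.max_map_count too low for the indexer, a container that exited (which docker ps without -a silently hides), and the agent not reporting as Active. The service names wazuh.manager, wazuh.indexer and wazuh.dashboard come from the upstream compose file; the container names, the sample docker ps and agent_control outputs embedded in the script are constructed for offline use; the live mode (--live) assumes it is run from wazuh-docker/single-node and uses agent_control -l inside the manager container.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of the Wazuh project:
# post-deployment checks for the single-node Wazuh Docker stack.
# Assumptions: the stack was started from wazuh-docker/single-node with the
# upstream compose file, whose services are named wazuh.manager,
# wazuh.indexer and wazuh.dashboard (Docker Compose derives the container
# names from these); run with --live from that directory.
set -u

# The indexer (OpenSearch) refuses to start when vm.max_map_count is below
# 262144. Takes a value for testing, otherwise reads the running kernel.
max_map_count_ok() {
  value="${1:-$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)}"
  [ "$value" -ge 262144 ]
}

# Input: output of `docker ps -a --format '{{.Names}}\t{{.Status}}'`.
# Prints the expected services that have no container in "Up" state.
# `docker ps` without -a hides a crashed indexer, so always use -a.
missing_services() {
  ps_output="$1"
  for svc in wazuh.manager wazuh.indexer wazuh.dashboard; do
    if ! printf '%s\n' "$ps_output" | awk -F'\t' -v s="$svc" \
        'index($1, s) && $2 ~ /^Up/ { found = 1 } END { exit found ? 0 : 1 }'; then
      printf '%s\n' "$svc"
    fi
  done
}

# Input: output of `/var/ossec/bin/agent_control -l` run inside the manager.
# Prints the names of agents reported as Active; the manager's own entry
# reports Active/Local and is therefore skipped, as are Disconnected agents.
active_agents() {
  printf '%s\n' "$1" | awk -F', ' '
    /ID: / && $NF == "Active" { sub(/^Name: /, "", $2); print $2 }'
}

# Constructed sample outputs (not captured from a real host) for offline use:
# the indexer has exited, the other two containers are up; one agent is
# Active, one is Disconnected.
SAMPLE_PS=$(printf 'single-node-wazuh.manager-1\tUp 3 minutes\nsingle-node-wazuh.indexer-1\tExited (1) 2 minutes ago\nsingle-node-wazuh.dashboard-1\tUp 3 minutes\n')
SAMPLE_AGENTS=$(printf 'Wazuh agent_control. List of available agents:\n   ID: 000, Name: wazuh.manager (server), IP: 127.0.0.1, Active/Local\n   ID: 001, Name: kali, IP: any, Active\n   ID: 002, Name: web01, IP: any, Disconnected\n')

live_checks() {
  max_map_count_ok || echo "vm.max_map_count too low: sudo sysctl -w vm.max_map_count=262144" >&2
  missing=$(missing_services "$(docker ps -a --format '{{.Names}}\t{{.Status}}')")
  [ -z "$missing" ] || printf 'not running: %s\n' "$missing" >&2
  # The dashboard serves a self-signed certificate, hence -k; a 2xx or 3xx
  # status means it is answering on 443.
  curl -ks -o /dev/null -w 'dashboard HTTPS status: %{http_code}\n' https://localhost:443/
  # agent_control only exists inside the manager container; -T: no pseudo-tty.
  echo "active agents:"
  active_agents "$(docker compose exec -T wazuh.manager /var/ossec/bin/agent_control -l)"
}

case "${1:-}" in
  --live) live_checks ;;
  *)
    echo "missing (sample): $(missing_services "$SAMPLE_PS" | tr '\n' ' ')"
    echo "active agents (sample): $(active_agents "$SAMPLE_AGENTS" | tr '\n' ' ')"
    ;;
esac
```

Without arguments the script runs against the embedded sample data, which is a quick way to see what a crashed indexer looks like; with --live it queries the real host and containers. If missing_services reports wazuh.indexer, check vm.max_map_count first and then docker compose logs wazuh.indexer.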