Building an Open Source SIEM Stack with Docker: A Step-by-Step Guide

SOCFortress
3 min readOct 16, 2024

--

In this tutorial, we’ll walk through how to quickly set up a home-lab version of an open-source SIEM (Security Information and Event Management) stack using Docker. This stack includes tools like Wazuh, Graylog, Grafana, and Velociraptor, among others, to help security professionals experiment and tinker with powerful open-source monitoring and logging solutions. Before we dive into the process, please note that this setup is for learning purposes and is not intended for production environments.

Prerequisites

Before setting up the SIEM stack, ensure you have the following installed on your machine:

  • Docker: For containerization and easy deployment of services.
  • Git: To clone the necessary repositories.

This guide assumes that you are working on a Debian-based system. The tutorial begins after installing Docker and Git, the basic requirements.

VIDEO WALKTHROUGH

Step 1: Clone the Git Repository

To get started, clone the Git repository that contains all the configurations needed to set up the stack. Move to the opt directory and clone the repository:

cd /opt
git clone https://github.com/socfortress/OSSIEM.git

After cloning, move to the Wazuh directory within the repository to access the necessary configuration files.

Step 2: Generate SSL Certificates

To ensure secure communication between various components like Graylog and Wazuh, SSL certificates are required. Use Docker to generate these certificates:

sysctl -w vm.max_map_count=262144
docker-compose -f generate-indexer-certs.yml run --rm generator

This command will pull down a Docker image, run it, and generate the required certificates. Once generated, copy the root-ca.pem certificate to the Graylog directory for mounting.

After copying the certificate, update the ownership of the files within the Graylog directory:

sudo chown 1100:1100 *

Step 3: Bring Up the Stack

The next step is to start up all the services using Docker. These services include Wazuh, Graylog, Grafana, Velociraptor, and more. In the docker-compose.yml file, you can see the list of services that will be deployed.

Run the following command to start the stack:

docker-compose up -d

This command will pull all the necessary Docker images and start the containers. After the containers are running, you’ll need to configure Graylog to trust the SSL certificate.

Step 4: Configure Graylog

Once Graylog is running, get a shell into the Graylog container:

docker exec -it graylog bash
cp /opt/java/openjdk/lib/security/cacerts /usr/share/graylog/data/config/
cd /usr/share/graylog/data/config/
keytool -importcert -keystore cacerts -storepass changeit -alias wazuh_root_ca -file root-ca.pem

After adding the certificate, restart the Graylog container:

docker restart graylog

Now, Graylog should be able to communicate securely with the Wazuh-Indexer.

Step 5: Download and Apply Custom Rules

To enhance the functionality of Wazuh, download a set of custom rules provided by the tutorial repository. This step isn’t mandatory but is highly recommended to extend Wazuh’s capabilities.

docker exec -it wazuh.manager /bin/bash
dnf install git -y
curl -so ~/wazuh_socfortress_rules.sh https://raw.githubusercontent.com/socfortress/OSSIEM/main/wazuh_socfortress_rules.sh && bash ~/wazuh_socfortress_rules.sh

After downloading the rules, restart the Wazuh Manager service.

This ensures that the custom rules are loaded and applied to your Wazuh instance.

Step 6: Set Up CoPilot and Velociraptor

Next, configure CoPilot and Velociraptor to integrate with the rest of the stack. The CoPilot component helps manage and monitor different tools within the SIEM environment, while Velociraptor provides advanced endpoint monitoring and digital forensics capabilities.

Log into CoPilot using the provided credentials and configure the connectors for each service. You will also need to upload an api.config.yml file to connect CoPilot to Velociraptor.

Step 7: Monitor Your SIEM Stack

See the Video Walkthrough for first start!

Final Thoughts

This tutorial gives you a functional SIEM stack for educational purposes, allowing you to explore the capabilities of popular open-source tools in the security monitoring space. However, it’s important to note that this stack is not designed for production use. If you need a scalable and robust SIEM solution, consider seeking professional services or utilizing a production-ready version of these tools.

Huge thanks to dLoProdz for the contribution to this project!

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

--

--

SOCFortress
SOCFortress

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).

No responses yet