Easiest SIEM Install — Wazuh, Elasticsearch, Kibana, and Filebeat Docker Install

Why?

Containers work a little like VMs, but in a far more specific and granular way. They isolate a single application and its dependencies — all of the external software libraries the app requires to run — both from the underlying operating system and from other containers.

This allows us to deploy a full SIEM stack within minutes, on one VM, rather than dedicating one VM per service (Wazuh, Elasticsearch, Kibana, etc.). We can persist data, scale up and scale down as needed, and upgrade the applications efficiently.

Steps

This post will cover the below steps to install Docker and deploy our SIEM stack.

• Install Docker
• Install Docker Compose
• Getting the VM Ready
• SSL Certificate Generation (Elasticsearch, Kibana, Nginx)
• Internal Users
• Deployment of the stack

Install Docker

We first need to install Docker since this is the software that allows us to deploy our software within containers.

A Docker install script can be ran to install Docker onto a Linux machine:

curl -sSL https://get.docker.com/ | sh

You can manually install Docker here: https://docs.docker.com/get-docker/

Start Docker and enable the service to run at boot time:

systemctl start docker
systemctl enable docker

Install Docker Compose

Docker Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services from your configuration. To learn more about all the features of Compose, see the list of features.

Docker Compose allows us to run Wazuh, Elasticsearch, Kibana, Filebeat, and Nginx all with one command and runs them within the same environment so that all applications can talk to one another.

curl -L "https://github.com/docker/compose/releases/download/1.28.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version

Getting the VM Ready

It is recommended to configure the Docker host preferences to give at least 6GB of memory for the host that created the containers (this does not necessarily mean that everyone uses them, but Elasticsearch requires them to work properly).

sysctl -w vm.max_map_count=262144

To set this value permanently, update the vm.max_map_count setting in /etc/sysctl.conf.

Clone The Repo

We are now ready to clone the Wazuh Docker repo. The Wazuh team have provided a YAML file and scripts that we will use to quickly deploy our SIEM stack.

git clone https://github.com/wazuh/wazuh-docker.git -b v4.2.6 --depth=1

Generate Certs

We need to generate SSL Certs to secure Elasticsearch, Kibana, and Nginx traffic.

Elasticsearch

docker-compose -f generate-opendistro-certs.yml run --rm generator

Kibana

bash ./production_cluster/kibana_ssl/generate-self-signed-cert.sh

Nginx

bash ./production_cluster/nginx/ssl/generate-self-signed-cert.sh

Internal Users

You can customize users on the Elasticsearch container by mounting your own internal_users.yml:

./elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

It is possible to generate a hash using the same Docker image, type in any password when prompted and replace the hash on internal_users.yml:

docker run --rm -ti amazon/opendistro-for-elasticsearch:1.13.2 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh

Deployment Of The Stack

We are now ready to deploy our stack. This will deploy 1 Wazuh master and 1 Wazuh worker, 3 Elasticsearch nodes, 1 Kibana instance, and 1 Nginx instance.

docker-compose -f production-cluster.yml up -d

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html