Easiest SIEM Install — Wazuh, Elasticsearch, Kibana, and Filebeat Docker Install
Why?
Containers work a little like VMs, but in a far more specific and granular way. They isolate a single application and its dependencies — all of the external software libraries the app requires to run — both from the underlying operating system and from other containers.
This allows us to deploy a full SIEM stack within minutes, on one VM, rather than dedicating one VM per service (Wazuh, Elasticsearch, Kibana, etc.). We can persist data, scale up and scale down as needed, and upgrade the applications efficiently.
Steps
This post will cover the below steps to install Docker and deploy our SIEM stack.
- Install Docker
- Install Docker Compose
- Getting the VM Ready
- SSL Certificate Generation (Elasticsearch, Kibana, Nginx)
- Internal Users
- Deployment of the stack
Install Docker
We first need to install Docker since this is the software that allows us to deploy our software within containers.
A Docker install script can be run to install Docker onto a Linux machine:
curl -sSL https://get.docker.com/ | sh
Alternatively, you can install Docker manually by following the instructions here: https://docs.docker.com/get-docker/
Start Docker and enable the service to run at boot time:
systemctl start docker
systemctl enable docker
Install Docker Compose
Docker Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services from your configuration. To learn more about all the features of Compose, see the list of features.
Docker Compose allows us to run Wazuh, Elasticsearch, Kibana, Filebeat, and Nginx all with one command and runs them within the same environment so that all applications can talk to one another.
curl -L "https://github.com/docker/compose/releases/download/1.28.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
Getting the VM Ready
It is recommended to configure the Docker host to give the containers at least 6GB of memory (not every container uses that much, but Elasticsearch needs it to work properly). Elasticsearch also requires a higher vm.max_map_count kernel limit, so set it on the Docker host:
sysctl -w vm.max_map_count=262144
To set this value permanently, update the vm.max_map_count setting in /etc/sysctl.conf.
Clone The Repo
We are now ready to clone the Wazuh Docker repo. The Wazuh team has provided a YAML file and scripts that we will use to quickly deploy our SIEM stack.
git clone https://github.com/wazuh/wazuh-docker.git -b v4.2.6 --depth=1
Generate Certs
We need to generate SSL certs to secure Elasticsearch, Kibana, and Nginx traffic. Run the following commands from inside the cloned wazuh-docker directory, where the referenced compose file and scripts live.
Elasticsearch
docker-compose -f generate-opendistro-certs.yml run --rm generator
Kibana
bash ./production_cluster/kibana_ssl/generate-self-signed-cert.sh
Nginx
bash ./production_cluster/nginx/ssl/generate-self-signed-cert.sh
Internal Users
You can customize users on the Elasticsearch container by mounting your own internal_users.yml:
./elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
It is possible to generate a hash using the same Docker image: type in any password when prompted and replace the corresponding user's hash in internal_users.yml with the output:
docker run --rm -ti amazon/opendistro-for-elasticsearch:1.13.2 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh
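As an added example (not part of the post or the wazuh-docker repo), a small POSIX shell helper that writes a hash produced by hash.sh into the right user's block of internal_users.yml, refusing plaintext values and unknown users so the other accounts are left exactly as they were. gen_hash wraps the docker command above and needs Docker; the other functions run offline on a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the wazuh-docker repo): swap the bcrypt hash of one
# user in an Open Distro internal_users.yml without touching the other users.
set -eu
# Hypothetical wrapper around the hash.sh command shown above; needs Docker,
# prompts for the password and prints the bcrypt hash. Not called below.
gen_hash() {
    docker run --rm -ti amazon/opendistro-for-elasticsearch:1.13.2 \
        bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh
}
# set_user_hash FILE USER HASH: rewrite the "hash:" line inside USER's block.
# Refuses anything that is not a bcrypt string ($2...), so a plaintext
# password can never be written into the file by mistake.
set_user_hash() {
    file=$1; user=$2; new=$3
    case $new in '$2'*) ;; *) echo "not a bcrypt hash: $new" >&2; return 1;; esac
    tmp=$(mktemp)
    if ! awk -v u="$user" -v h="$new" '
        /^[^ #]/ { in_user = ($0 == u ":") }   # a top-level key starts a block
        in_user && /^  hash:/ { print "  hash: \"" h "\""; found = 1; next }
        { print }
        END { if (!found) exit 1 }             # USER has no hash line
    ' "$file" > "$tmp"; then
        rm -f "$tmp"; echo "no hash line for user $user" >&2; return 1
    fi
    mv "$tmp" "$file"
}
# get_user_hash FILE USER: print the hash currently stored for USER.
get_user_hash() {
    awk -v u="$2" '
        /^[^ #]/ { in_user = ($0 == u ":") }
        in_user && /^  hash:/ { gsub(/"/, "", $2); print $2; exit }
    ' "$1"
}
# Constructed sample in the internal_users.yml layout (hashes are placeholders).
sample_internal_users() {
    cat <<'EOF'
_meta:
  type: "internalusers"
admin:
  hash: "$2y$12$OLDADMINHASHPLACEHOLDER"
  reserved: true
  backend_roles:
  - "admin"
kibanaserver:
  hash: "$2y$12$OLDKIBANAHASHPLACEHOLDER"
  reserved: true
EOF
}
```

Typical use is `set_user_hash ./elastic_opendistro/internal_users.yml admin "$(gen_hash)"` before running the stack, then mounting the file as shown above.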
Deployment Of The Stack
We are now ready to deploy our stack. This will deploy 1 Wazuh master and 1 Wazuh worker, 3 Elasticsearch nodes, 1 Kibana instance, and 1 Nginx instance.
docker-compose -f production-cluster.yml up -d
Need Help?
The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Platform Demo: https://www.socfortress.co/demo_access.html