Easiest SIEM Install — Wazuh, Elasticsearch, Kibana, and Filebeat Docker Install

Why?

This allows us to deploy a full SIEM stack within minutes, on one VM, rather than dedicating one VM per service (Wazuh, Elasticsearch, Kibana, etc.). We can persist data, scale up and scale down as needed, and upgrade the applications efficiently.

Steps

  • Install Docker
  • Install Docker Compose
  • Getting the VM Ready
  • SSL Certificate Generation (Elasticsearch, Kibana, Nginx)
  • Internal Users
  • Deployment of the stack

Install Docker

A Docker install script can be run to install Docker onto a Linux machine:

curl -sSL https://get.docker.com/ | sh

You can manually install Docker here: https://docs.docker.com/get-docker/

Start Docker and enable the service to run at boot time:

systemctl start docker
systemctl enable docker

Install Docker Compose

Docker Compose allows us to run Wazuh, Elasticsearch, Kibana, Filebeat, and Nginx all with one command and runs them within the same environment so that all applications can talk to one another.

curl -L "https://github.com/docker/compose/releases/download/1.28.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version

Getting the VM Ready

sysctl -w vm.max_map_count=262144

To set this value permanently, update the vm.max_map_count setting in /etc/sysctl.conf.

Clone The Repo

git clone https://github.com/wazuh/wazuh-docker.git -b v4.2.6 --depth=1

Generate Certs

Elasticsearch

docker-compose -f generate-opendistro-certs.yml run --rm generator

Kibana

bash ./production_cluster/kibana_ssl/generate-self-signed-cert.sh

Nginx

bash ./production_cluster/nginx/ssl/generate-self-signed-cert.sh

Internal Users

The stack mounts a local copy of the internal users file into the Elasticsearch container through this volume mapping in production-cluster.yml:

./elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

A new password hash can be generated with the same Docker image: type in any password when prompted and replace the user's existing hash in internal_users.yml with the one printed:

docker run --rm -ti amazon/opendistro-for-elasticsearch:1.13.2 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh
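Once hash.sh has printed the bcrypt hash, it still has to be written into the right user's entry. The helper below is an added example for this post, not part of wazuh-docker or Open Distro: it swaps the hash into a top-level user block of internal_users.yml without touching the other users, and rejects anything that is not bcrypt-shaped (for instance a plaintext password pasted by mistake). The sample file content and all hash values in it are constructed.

```python
"""Swap a user's bcrypt hash into Open Distro's internal_users.yml.
Constructed example for this post, not part of wazuh-docker: make the hash with
hash.sh as shown above, then write it into elastic_opendistro/internal_users.yml.
"""
import re

# hash.sh emits bcrypt: "$2y$12$" followed by 53 chars of salt + digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed sample in the shape of internal_users.yml (hashes are dummies).
SAMPLE_INTERNAL_USERS = (
    '_meta:\n  type: "internalusers"\n  config_version: 2\n\n'
    'admin:\n  hash: "$2y$12$' + "o" * 53 + '"\n  reserved: true\n\n'
    'kibanaserver:\n  hash: "$2y$12$' + "k" * 53 + '"\n  reserved: true\n'
)


def set_internal_user_hash(text: str, user: str, new_hash: str) -> str:
    """Return text with the hash: line of top-level block `user` replaced.
    Line-based on purpose: no YAML library needed, and comments and key order
    in the original file survive. Other users' blocks are left untouched.
    """
    if not BCRYPT_RE.match(new_hash):
        raise ValueError("not a bcrypt hash: %r" % new_hash)
    out, in_user, replaced = [], False, False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\n")
        # An unindented "name:" line opens a new user block.
        if body and not body[0].isspace() and body.endswith(":"):
            in_user = body[:-1] == user
        elif in_user and not replaced and body.lstrip().startswith("hash:"):
            indent = line[: len(line) - len(line.lstrip())]
            line = '%shash: "%s"\n' % (indent, new_hash)
            replaced = True
        out.append(line)
    if not replaced:
        raise KeyError("no hash entry for user %r" % user)
    return "".join(out)


def rewrite_file(path: str, user: str, new_hash: str) -> None:
    """Apply set_internal_user_hash to the file on disk, in place."""
    with open(path) as fh:
        updated = set_internal_user_hash(fh.read(), user, new_hash)
    with open(path, "w") as fh:
        fh.write(updated)
```

Run rewrite_file("elastic_opendistro/internal_users.yml", "admin", "<hash from hash.sh>") before bringing the stack up, and repeat for kibanaserver so no default credential remains in the file.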

Deployment Of The Stack

docker-compose -f production-cluster.yml up -d

Need Help?

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).