Unlock powerful cybersecurity in minutes with Wazuh Docker Compose! Discover how to deploy Wazuh using Docker with ease—no more complex setups. Act now and secure your systems the smart way before threats strike! #centlinux #docker #wazuh
Introduction to Wazuh with Docker Compose
Wazuh is a powerful open-source security platform that combines threat detection, incident response, and compliance management in one neat package. If you’re serious about monitoring your infrastructure for threats and vulnerabilities, Wazuh is a name you need to know. But installing and maintaining it the traditional way can be a bit… well, painful. That’s where Docker Compose comes in.
Docker Compose simplifies the process by allowing you to manage multi-container applications like Wazuh with just a few commands. You can spin up your entire Wazuh stack — including the manager, agents, and the web interface — without going through a tedious setup process for each component.
In this guide, we’ll walk you through everything you need to know to deploy Wazuh using Docker Compose. Whether you’re a security engineer, system admin, or just curious about cybersecurity tools, you’re going to love how easy and efficient this method is.
Why should you care? Because automation saves time, reduces errors, and helps you scale faster. Let’s dive in.

Understanding Wazuh Architecture
Before we jump into the technical how-to, it’s important to understand how Wazuh works under the hood. Think of Wazuh as a security nerve center — it collects data, analyzes it, and helps you act on security threats in real time.
Here are the main components of the Wazuh architecture:
- Wazuh Manager: The brain of the operation. It collects data from agents, processes rules, and generates alerts.
- Wazuh Agents: Installed on the endpoints (like servers or desktops), these guys collect logs and security data.
- Elastic Stack (ELK): This includes Elasticsearch, Logstash, and Kibana. It’s used for data indexing, storage, and visualization.
- Wazuh Dashboard: A customized version of Kibana that makes it easier to view alerts and configurations.
When containerized, each of these components is spun up as a separate Docker container. Docker Compose acts like a conductor, orchestrating all these containers to work in harmony.
You don’t need to install Elasticsearch or Kibana manually; the Wazuh Docker project bundles everything for you. The default setup will create a container for the Wazuh manager, Filebeat, Elasticsearch, and the Wazuh dashboard — all connected via a Docker-defined network.
The beauty of this modular architecture is flexibility. You can scale each component independently, replace parts without downtime, and debug isolated services if something breaks. That’s the magic of containers.
Recommended Training: Docker Mastery: with Kubernetes +Swarm from a Docker Captain

Benefits of Deploying Wazuh with Docker Compose
Installing Wazuh the traditional way — manually installing agents, configuring dependencies, editing long YAML files — is like assembling IKEA furniture without a manual. It works, but there’s a better way.
Here’s why Docker Compose is the smart move:
1. Simplified Deployment
Docker Compose allows you to define your entire Wazuh setup in a single docker-compose.yml
file. With just one command (docker-compose up
), you launch the entire stack. No more juggling multiple installs or troubleshooting dependency hell.
2. Scalability and Portability
Want to run Wazuh on your laptop for testing, then move it to production on a cloud server? No problem. Docker Compose makes your deployment consistent across environments, which means fewer surprises when you go live.
3. Easier Management and Updates
Updating Wazuh components is as easy as pulling the latest Docker images and restarting the containers. You can also shut down and spin up services without touching your host machine.
4. Isolation and Security
Each Wazuh component runs in its own container. This separation helps with security and ensures that bugs in one service don’t take down the whole stack.
5. Fast Rollbacks
If something breaks, rolling back to a previous version is as simple as changing the image tag in your compose file.
Real-life scenario: Let’s say your company is scaling up and needs more agents. With Docker Compose, you can duplicate and scale agent containers effortlessly without reconfiguring everything from scratch.
Bottom line? Docker Compose helps you get Wazuh up and running in minutes instead of hours, with fewer headaches.
Prerequisites Before You Begin
Okay, before we get into the nitty-gritty of commands and configuration, let’s make sure you have all the tools and setup ready.
1. System Requirements
You don’t need a data center to run Wazuh in Docker, but some system power helps. Here’s what you’ll need:
- Minimum RAM: 4 GB (8 GB recommended for smooth ELK performance)
- CPU: Dual-core (Quad-core preferred)
- Disk Space: At least 10 GB free
- Operating System: Linux (Ubuntu/Debian/CentOS), MacOS, or Windows with WSL2
2. Tools You Must Have Installed
- Docker Engine: The runtime that handles containers.
- Docker Compose: Orchestration tool for multi-container apps.
- Git: To clone the official Wazuh Docker repository.
- curl or wget: For downloading additional scripts or configs.
Make sure Docker is running by typing:
docker --version
docker-compose --version
If those commands return version numbers, you’re good to go.
3. Install Docker and Docker Compose
If you don’t have them yet:
For Ubuntu:
sudo apt update
sudo apt install docker.io docker-compose
sudo systemctl enable docker
sudo systemctl start docker
For Mac/Windows:
Download Docker Desktop from docker.com and follow the installation wizard.
For Linux:
You can either install Podman on Linux or install Docker by following our previous tutorials.
sudo dnf -y update
sudo dnf -y install podman
sudo systemctl enable docker
sudo systemctl start docker
Pro Tip: Add your user to the Docker group to avoid using sudo
every time:
sudo usermod -aG docker $USER
Log out and log back in afterward.
Setting Up Wazuh with Docker Compose
With the stage set and tools installed, it’s time to begin the fun part — deploying Wazuh using Docker Compose.
1. Clone the Official Wazuh Docker Repository
Open your terminal and run:
git clone https://github.com/wazuh/wazuh-docker.git
cd wazuh-docker
You now have all the Docker Compose files, scripts, and pre-made configurations needed for the deployment.
2. Explore the Directory Structure
Inside the wazuh-docker
folder, you’ll find several directories and files:
docker-compose.yml
: The core file that defines your containers.config/
: Contains configurations for each component (Wazuh manager, Elasticsearch, Kibana).extensions/
: Custom extensions and volumes.certs/
: SSL certificates for secure communication.
Take a few minutes to explore — it helps to know what’s under the hood.
3. Configuration Files
The key files you’ll often modify:
config/wazuh_manager/wazuh.yml
config/wazuh_dashboard/opensearch_dashboards.yml
.env
– optional file to override environment variables
These files define port settings, memory limits, authentication credentials, and more.
Once you understand these, deploying Wazuh becomes like flipping a switch.
Step-by-Step Guide to Deploy Wazuh
Deploying Wazuh using Docker Compose is like cooking with a pre-made meal kit — everything’s prepped, and all you have to do is follow the steps. Let’s break it down:
Step 1: Clone the Git Repository
This is your starting point. You’ll be grabbing the official Wazuh Docker deployment files.
git clone https://github.com/wazuh/wazuh-docker.git
cd wazuh-docker
This will give you a structured project with everything you need, including a docker-compose.yml
file and all necessary config files.
Step 2: Modify Configuration Files (Optional but Recommended)
While you can launch the containers with the default settings, tweaking a few parameters ensures better control:
- Change dashboard credentials:
Openconfig/wazuh_dashboard/opensearch_dashboards.yml
and modify theusername
andpassword
fields. - Adjust memory limits:
Indocker-compose.yml
, you’ll see memory settings for Elasticsearch and Wazuh. You can raise or lower them depending on your hardware. - Enable/disable features:
Want to turn off Filebeat? You can comment it out in the compose file.
Step 3: Launch the Containers
Here’s where the magic happens:
docker-compose -f generate-indexer-certs.yml run --rm generator
docker-compose up -d
The first command generates TLS certificates. The second brings up your full Wazuh stack.
Wait a couple of minutes — Elasticsearch and Wazuh take a bit to initialize fully.
Step 4: Access the Wazuh Dashboard
Once all containers are up, access the dashboard in your browser:
https://:5601
Use the credentials you set (or the default: admin/admin). You’ll land on the Wazuh dashboard where you can view alerts, logs, and system metrics.
If you see a “Wazuh is initializing” screen, don’t panic — it just needs another minute or two.
Customizing Your Wazuh Docker Setup
One of the coolest things about Docker Compose is how easy it is to tweak things without breaking the system. Let’s look at how to personalize your Wazuh deployment.
1. Changing Default Settings
Don’t want to use port 5601 for the dashboard? No problem. Open docker-compose.yml
and modify this section:
ports:
- "5601:5601"
Change it to something like:
ports:
- "8080:5601"
Now you’ll access your dashboard on https://
.
Want to change Wazuh rules or add custom decoders? Go to:
config/wazuh_manager/
Add your files there and they’ll be automatically applied when the container restarts.
2. Adding More Agents
You can install Wazuh agents on remote servers and point them to your Docker-hosted Wazuh manager.
On the agent server:
curl -s https://packages.wazuh.com/install.sh | bash
/var/ossec/bin/manage_agents
Then link them to your manager’s IP and port (default: 1514 for UDP/TCP).
3. Securing Your Deployment
Security is critical. Here are a few must-dos:
- Update default credentials for all containers.
- Use HTTPS to access the dashboard.
- Restrict exposed ports in the compose file — only expose what’s needed.
- Enable firewalls and security groups to limit access.
Also, if your stack is internet-facing, consider placing it behind a reverse proxy like Nginx with Let’s Encrypt SSL.
Customization is where your Wazuh setup starts to reflect your actual environment. Don’t skip this step.
Managing and Monitoring Wazuh Containers
Once Wazuh is up and running, you’ll want to keep an eye on its health and performance. Docker makes this easy, but only if you know the right tools.
1. Basic Docker Commands
These are your bread and butter:
docker ps # List running containers
docker logs wazuh.manager # View logs of the Wazuh manager
docker exec -it wazuh.manager bash # Enter the container shell
Need to restart a container?
docker restart wazuh.manager
Or stop everything:
docker-compose down
2. Checking Logs and Health
Each container spits out its own logs. The manager logs are often the most insightful.
docker logs wazuh.manager
Look for errors like misconfigured agents or rule parsing failures.
You can also check Elasticsearch health:
curl -XGET https://localhost:9200/_cluster/health?pretty
If it’s green
or yellow
, you’re okay. If it’s red
, something’s broken.
3. Monitoring with the Wazuh Dashboard
From the dashboard, you can:
- View agent status and alerts
- Search logs
- Monitor system metrics
- Customize dashboards
The Wazuh dashboard is your command center, especially for day-to-day operations. Bookmark it and use it often.
Updating and Maintaining Your Wazuh Setup
No matter how stable your system is, updates are inevitable. Thankfully, Docker makes updating a breeze — but you should know what you’re doing.
1. Pulling the Latest Docker Images
To update any Wazuh component:
docker-compose pull
This command pulls the latest versions of the containers specified in your Compose file. Meanwhile, you can also set up a Private Docker registry for faster, more efficient image management.
2. Rebuilding and Restarting
After pulling, restart the stack:
docker-compose down
docker-compose up -d
Note: down
removes containers but not volumes or config files. It’s safe.
If you made changes to the configuration, rebuild like this:
docker-compose build --no-cache
docker-compose up -d
3. Backup and Restore
Always back up your data before major updates. Here’s how:
- Volumes: Use
docker volume ls
to list all volumes. - Backup:
docker run --rm -v wazuh-docker_elasticsearch-data:/data -v $(pwd):/backup busybox \
tar czvf /backup/es_backup.tar.gz /data
- Restore: Reverse the above process to restore.
Regular backups ensure you don’t lose critical logs or alerts. Set up cron jobs for automation if needed.
Advanced Configuration Options
Once you’ve got the basic setup running smoothly, it’s time to level up. Advanced configuration gives you more control over security, performance, and integrations.
1. Integrating with the ELK Stack
Wazuh uses its own modified Elastic Stack, but you can still connect it to an external ELK setup if needed. You’ll mainly work with Filebeat for log forwarding.
In your docker-compose.yml
, ensure Filebeat is configured correctly to push logs to your preferred Elasticsearch or Logstash instance.
You can also integrate with:
2. Enabling Email Alerts
Want email notifications for critical alerts? You can configure Wazuh to send them.
Steps:
- Edit the
ossec.conf
file in the Wazuh manager container. - Add your SMTP server settings.
- Restart the manager container.
Example:
yes
security@yourdomain.com
smtp.yourmail.com
3. Using External Volumes
By default, data is stored inside Docker volumes. But for better data control, you can mount external volumes like so:
volumes:
- /path/on/host:/var/ossec/data
This ensures that data persists even if you remove containers or the Docker service restarts.
Tip: You can also store logs, certificates, or even config files externally for easier backup and management.
Advanced configs are where power users thrive. Don’t be afraid to experiment, especially in a test environment.
Security Best Practices for Wazuh in Docker
Security is Wazuh’s main game, so it makes sense that your deployment of Wazuh should be equally secure. Here are best practices to harden your setup.
1. Hardening Containers
- Always use the latest stable Docker images.
- Remove unused services from the
docker-compose.yml
to reduce your attack surface. - Set resource limits (
mem_limit
,cpu_limit
) to prevent container abuse.
2. Role-Based Access Control (RBAC)
Kibana (or the Wazuh dashboard) allows for RBAC. You can configure roles for:
- Admin
- Analyst
- Read-only users
Set these in internal_users.yml
and roles.yml
in the OpenSearch configuration directory.
Restrict who can access what. Least privilege is your best friend here.
3. SSL/TLS Configuration
When exposing Wazuh externally, encrypt communication:
- Use
generate-indexer-certs.yml
to create TLS certificates. - Ensure HTTPS is enabled for both OpenSearch and the Wazuh dashboard.
- Replace self-signed certs with Let’s Encrypt or your own CA for production use.
4. Regular Updates and Monitoring
- Schedule image updates and monitor container health with tools like Portainer or Watchtower.
- Scan container images for vulnerabilities using tools like Trivy or Clair.
Security isn’t a one-time job. Make it a continuous habit.
Real-World Use Cases of Wazuh in Docker
You’ve set it up, secured it, and optimized it. But how does Wazuh in Docker actually get used in the real world? Let’s look at a few scenarios.
1. Enterprise Environments
Large organizations use Wazuh in Docker to:
- Monitor multiple branches or remote locations.
- Meet compliance requirements like PCI DSS or HIPAA.
- Integrate with existing security ecosystems (SIEMs, firewalls, ticketing systems).
The containerized approach allows fast scaling and consistent deployments across datacenters or clouds.
2. DevSecOps Pipelines
Security engineers use Wazuh in CI/CD pipelines to:
- Automatically scan code for vulnerabilities.
- Monitor changes to files or configurations.
- Alert dev teams on real-time threats.
Since everything is containerized, integration with Jenkins, GitLab CI, or GitHub Actions is straightforward.
3. Cloud-Native Deployments
Organizations migrating to AWS, Azure, or GCP deploy Wazuh using:
- ECS or EKS for Kubernetes-based orchestration
- Terraform or Ansible for IaC
- S3 buckets for log storage
Using Docker Compose locally helps teams prototype before scaling out to Kubernetes or cloud-based platforms.
Wazuh in Docker isn’t just a cool tech trick — it solves real problems and adapts to real environments.
Performance Tuning and Optimization
Running Wazuh efficiently means better detection, faster response, and less resource consumption. Here’s how to optimize performance.
1. Resource Allocation
Modify Docker Compose to give more CPU or RAM to resource-hungry containers:
deploy:
resources:
limits:
cpus: '2.0'
memory: 4G
Elasticsearch and the Wazuh manager benefit the most from these tweaks.
2. Load Balancing
If you’re running hundreds or thousands of agents:
- Use multiple Wazuh managers behind a load balancer.
- Set up agent clusters and distribute loads.
Docker Swarm or Kubernetes can help manage this kind of scale more effectively than plain Docker Compose.
3. Log Rotation and Storage Management
Wazuh logs can grow fast. Enable log rotation to avoid filling your disk:
- Inside the Wazuh manager container, configure
logrotate
. - Offload old logs to external storage or cloud buckets.
4. Elasticsearch Index Management
Elasticsearch can eat disk space like candy. Set up index lifecycle management (ILM):
- Retain only X days/weeks of logs.
- Compress older indices.
- Archive to cheap storage.
An optimized system means you spend less time firefighting and more time securing.
Common Issues and Their Fixes
Let’s face it: even with the best setup, things go wrong. Here’s how to fix the most common issues.
1. Container Fails to Start
Check logs:
docker logs
Look for:
- Port conflicts
- Missing volumes
- Memory limits exceeded
Also verify Docker is running and system resources are available.
2. Dashboard Not Loading
Common reasons:
- Elasticsearch not fully initialized
- Wrong credentials
- Firewall or SELinux blocking access
Fixes:
- Wait a few more minutes
- Restart containers
- Check browser console for SSL or CORS errors
3. Agent Connectivity Problems
Symptoms: Agent shows “disconnected” or doesn’t send logs.
Steps:
- Check if port 1514/1515 is open.
- Confirm the agent’s config points to the right IP.
- View Wazuh manager logs for errors.
If all else fails:
/var/ossec/bin/manage_agents
Use this tool to verify agent keys and IPs.
Troubleshooting is easier when each component is containerized — you can isolate, inspect, and fix fast.
Conclusion: Wazuh Docker Compose
Deploying Wazuh using Docker Compose is not just a modern approach—it’s an incredibly efficient, scalable, and secure way to run one of the most powerful open-source security platforms out there. Instead of battling with complex installations and manual configurations, Docker Compose allows you to deploy the full Wazuh stack—complete with the Wazuh manager, agents, Elasticsearch, and the dashboard—with a few straightforward commands.
Throughout this guide, we’ve covered everything from understanding Wazuh’s architecture to securing and customizing your deployment. You’ve learned how to launch the environment, manage containers, troubleshoot issues, and fine-tune performance. Whether you’re an enterprise IT admin or a solo security enthusiast, these steps put you in control of a robust security monitoring solution.
Wazuh continues to evolve rapidly, and with containerization, you’ll always have the flexibility to upgrade, scale, and experiment with new integrations. In short, if you’re serious about system security, compliance monitoring, or intrusion detection, Wazuh in Docker is an unbeatable combo.
So, ready to level up your cybersecurity stack? Go ahead—clone that repo, fire up Docker Compose, and take command of your infrastructure’s safety like a pro.
Frequently Asked Questions (FAQs)
1. Can Wazuh run without Docker?
Yes, Wazuh can be installed directly on Linux servers using packages or scripts. However, manual installation is more complex, time-consuming, and error-prone. Docker simplifies everything into a reproducible, containerized workflow.
2. How many agents can Wazuh handle?
A single Wazuh manager can typically handle up to 1,000–3,000 agents, depending on your hardware. For larger deployments, clustering multiple managers or distributing agents across nodes is recommended.
3. Is Wazuh free and open-source?
Absolutely. Wazuh is fully open-source under the GPLv2 license. There’s also a commercial support offering, but the core functionality is completely free.
4. Can I integrate Wazuh with AWS or Azure?
Yes. Wazuh supports cloud integrations through modules for AWS, Azure, and GCP. These allow for monitoring cloud services, user activities, and threat intelligence feeds.
5. What’s the best way to monitor Wazuh logs?
The Wazuh dashboard is your go-to. You can filter logs, create custom alerts, and visualize agent data. For deeper analysis, use Filebeat to forward logs to external log management tools like Graylog or Splunk.