The Wazuh Docker Stack is a fully containerized, production-ready security monitoring platform built on Wazuh 4.14.5 and orchestrated with Docker Compose for the Simovilab environment. It bundles all four core Wazuh components — Indexer, Manager, Dashboard, and Agent — into a single docker-compose.yml file, backed by 15 persistent named volumes and mutual TLS authentication between services. Every image is sourced directly from the official wazuh/* Docker Hub registry, so no custom builds, Dockerfiles, or image registries are required to get started. The stack is designed to run on a single Linux host, making it ideal for lab environments, on-premises deployments, and development setups that demand real security-event collection without the overhead of a full cluster.
The stack uses only official wazuh/* images pulled directly from Docker Hub — wazuh/wazuh-indexer:4.14.5, wazuh/wazuh-manager:4.14.5, wazuh/wazuh-dashboard:4.14.5, and wazuh/wazuh-agent:4.14.5. No custom builds or private image registries are required.

Core Components

Wazuh Indexer

OpenSearch-based data store that indexes and retains all security alerts and events generated by the Manager. Exposes the REST API on port 9200.

Wazuh Manager

The central analysis and detection engine. Receives agent events, runs decoders and rules, triggers active responses, and forwards processed alerts to the Indexer via Filebeat.

Wazuh Dashboard

OpenSearch Dashboards-based web interface for visualizing alerts, managing agents, and exploring security data. Accessible on port 6443 (mapped from internal 5601).

Wazuh Agent

Lightweight monitoring agent deployed as a privileged container on the Docker host. Collects host logs, monitors the Docker socket, and ships events to the Manager on port 1514.

Components

Wazuh Indexer (wazuh/wazuh-indexer:4.14.5) is the storage and search backend, built on OpenSearch. It receives processed alerts from the Manager via Filebeat over HTTPS, stores them in persistent indices, and serves query results to the Dashboard. The Indexer is configured as a single-node master and requires vm.max_map_count=262144 on the host for stable operation.

Wazuh Manager (wazuh/wazuh-manager:4.14.5) is the core analysis server. It accepts connections from registered Wazuh Agents on port 1514 (event forwarding) and port 1515 (agent enrollment/authentication). The Manager decodes raw events, evaluates them against its ruleset, and pushes normalized alerts to the Indexer using Filebeat with full TLS verification. Its REST API is available on port 55000.

Wazuh Dashboard (wazuh/wazuh-dashboard:4.14.5) is the browser-based interface for security analysts and administrators. It communicates with the Indexer to retrieve alert data and with the Manager API to manage agents and configuration. It is exposed on host port 6443, mapped to the container’s internal port 5601.

Wazuh Agent (wazuh/wazuh-agent:4.14.5) runs as a privileged container on the same Docker host. It mounts /var/log and /var/run/docker.sock (read-only) to collect host system logs and Docker container activity. The agent registers with and forwards events to wazuh.manager over port 1514. Its hostname is configurable via the LOCAL_AGENT_HOSTNAME environment variable.
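An enrolled agent that silently stops reporting is the most common way this stack degrades, so the check a practitioner wants after bringing it up is "is my local agent Active, and is anything else stale?". The script below is an added example, not part of the Wazuh project or of this stack's docker-compose.yml. It parses the text listing printed by the Manager's agent_control -l binary and flags every agent whose status is not Active. The service name wazuh.manager and the /var/ossec path come from this page; the sample listing is constructed, and the assumption that the local agent is named after LOCAL_AGENT_HOSTNAME (falling back to the host's hostname when unset) is this script's, not documented behaviour of the stack.

```shell
#!/bin/sh
# Added example (not the Wazuh project's code): report agents that are
# enrolled with the Manager but not reporting. Run with --check against a
# live stack; the parsing functions work on any agent_control -l listing.

# Constructed sample of `agent_control -l` output, for offline use.
AGENT_LIST_SAMPLE='Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh.manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: docker-host, IP: any, Active
   ID: 002, Name: old-lab-box, IP: any, Disconnected
   ID: 003, Name: new-vm, IP: any, Never connected'

# Print the status of the named agent, or nothing if it is not enrolled.
# Fields are separated by ", " so a status such as "Never connected" stays whole.
agent_status() {
  printf '%s\n' "$1" | awk -F', ' -v want="$2" '
    /^ *ID: / {
      name = $2; sub(/^Name: /, "", name)
      if (name == want) { print $NF; exit }
    }'
}

# Print "ID NAME STATUS" for each enrolled agent (the server entry 000 is
# skipped) whose status is anything other than Active.
unhealthy_agents() {
  printf '%s\n' "$1" | awk -F', ' '
    /^ *ID: / {
      id = $1;   sub(/^ *ID: /, "", id)
      name = $2; sub(/^Name: /, "", name)
      if (id != "000" && $NF != "Active") print id, name, $NF
    }'
}

# Live check: fetch the listing from the running Manager container and
# confirm the local agent is Active. Assumption: the agent is enrolled under
# LOCAL_AGENT_HOSTNAME, or under the host's hostname when that is unset.
check_live_agents() {
  expected=${LOCAL_AGENT_HOSTNAME:-$(hostname)}
  listing=$(docker compose exec -T wazuh.manager /var/ossec/bin/agent_control -l) || return 1
  status=$(agent_status "$listing" "$expected")
  if [ "$status" != "Active" ]; then
    echo "FAIL agent '$expected' status: ${status:-not enrolled}"
    unhealthy_agents "$listing"
    return 1
  fi
  echo "OK   agent '$expected' is Active"
  # Still surface stale agents so they can be investigated or removed.
  unhealthy_agents "$listing"
}

if [ "${1-}" = "--check" ]; then
  check_live_agents
fi
```

Run it from the directory that holds docker-compose.yml as `sh agent-check.sh --check`; a non-zero exit means the local agent is missing or not Active, and every line printed after the status is an agent whose events have stopped arriving at the Manager.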

Port Reference

All network bindings are defined in docker-compose.yml. The following ports must be available on the host:
| Port  | Protocol | Service         | Purpose |
|-------|----------|-----------------|---------|
| 1514  | TCP      | Wazuh Manager   | Agent event forwarding — agents ship collected logs and events to the Manager |
| 1515  | TCP      | Wazuh Manager   | Agent registration and authentication — new agents enroll through this port |
| 514   | UDP      | Wazuh Manager   | Syslog ingestion — network devices and external systems send syslog messages |
| 55000 | TCP      | Wazuh Manager   | Manager REST API — used by the Dashboard and external tooling for management |
| 9200  | TCP      | Wazuh Indexer   | Indexer REST API — OpenSearch HTTP endpoint for queries and index management |
| 6443  | TCP      | Wazuh Dashboard | Web UI (HTTPS) — host port 6443 is forwarded to container port 5601 |

Persistent Volumes

All data survives container restarts and upgrades through Docker named volumes. The following 15 volumes are declared in docker-compose.yml:
| Volume Name | Container | Internal Path | Purpose |
|-------------|-----------|---------------|---------|
| wazuh_api_configuration | wazuh.manager | /var/ossec/api/configuration | Manager REST API configuration and keys |
| wazuh_etc | wazuh.manager | /var/ossec/etc | Manager runtime configuration (ossec.conf, agent groups, decoders, rules) |
| wazuh_logs | wazuh.manager | /var/ossec/logs | Manager log files and alert archives |
| wazuh_queue | wazuh.manager | /var/ossec/queue | Internal event queues between Manager components |
| wazuh_var_multigroups | wazuh.manager | /var/ossec/var/multigroups | Multi-group configuration state for agent grouping |
| wazuh_integrations | wazuh.manager | /var/ossec/integrations | Third-party integration scripts (PagerDuty, Slack, etc.) |
| wazuh_active_response | wazuh.manager | /var/ossec/active-response/bin | Active response scripts triggered by alerts |
| wazuh_agentless | wazuh.manager | /var/ossec/agentless | Agentless monitoring configuration and scripts |
| wazuh_wodles | wazuh.manager | /var/ossec/wodles | Wazuh modules (wodles) for extended monitoring capabilities |
| filebeat_etc | wazuh.manager | /etc/filebeat | Filebeat configuration for forwarding alerts to the Indexer |
| filebeat_var | wazuh.manager | /var/lib/filebeat | Filebeat state, registry, and pipeline data |
| wazuh-indexer-data | wazuh.indexer | /var/lib/wazuh-indexer | OpenSearch index data — all stored alerts and event documents |
| wazuh-dashboard-config | wazuh.dashboard | /usr/share/wazuh-dashboard/data/wazuh/config | Dashboard persistent configuration (API credentials, settings) |
| wazuh-dashboard-custom | wazuh.dashboard | /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom | Custom branding assets (logos, CSS overrides) |
| wazuh_https_certs | (reserved) | | Reserved volume for HTTPS certificate storage |

Prerequisites

Before deploying the Wazuh Docker Stack, ensure the following requirements are met on your Linux host:
  • Docker Engine 20.10 or later — required for Compose v2 plugin support and modern networking features
  • Docker Compose 2.0 or later — the stack uses docker compose (V2 syntax); legacy docker-compose (V1) is not supported
  • Linux host — the Wazuh Indexer (OpenSearch) requires the kernel parameter vm.max_map_count to be at least 262144; this is a Linux-only tunable and cannot be set on macOS or Windows Docker Desktop hosts without additional configuration
  • Available host ports — ports 1514, 1515, 514/udp, 55000, 9200, and 6443 must not be in use by other services
  • Sufficient memory — the Indexer JVM is configured with -Xms1g -Xmx1g; plan for at least 4 GB of available RAM across all four containers
  • curl installed on the host — the wazuh-dev.sh deployment script uses curl for health checks and will attempt to install it automatically via apt-get if missing
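The prerequisites above and the port table are easy to verify before the first `docker compose up`, and doing so avoids the Indexer crash-looping on a low vm.max_map_count or a service failing to bind a port already taken by another daemon. The script below is an added example, not the project's wazuh-dev.sh or any other code from this stack. It checks the kernel tunable, the Compose major version, the six host ports from the Port Reference, and the presence of curl. Each check is a function that takes its input as an argument, so the parsing can be exercised against the constructed `ss` listing embedded at the bottom; check_host() wires the same functions to the live commands.

```shell
#!/bin/sh
# Added example (not the project's wazuh-dev.sh): host pre-flight check for
# the prerequisites listed on this page. Run with --check on the target host.

REQUIRED_MAP_COUNT=262144
REQUIRED_COMPOSE_MAJOR=2
# Ports the stack binds on the host, as "port/protocol" (from the Port Reference).
STACK_PORTS="1514/tcp 1515/tcp 514/udp 55000/tcp 9200/tcp 6443/tcp"

# 0 if the given vm.max_map_count value satisfies the Indexer minimum.
map_count_ok() {
  [ "$1" -ge "$REQUIRED_MAP_COUNT" ]
}

# Major version from `docker compose version` output, e.g.
# "Docker Compose version v2.24.5" -> 2, "docker-compose version 1.29.2, build ..." -> 1
compose_major() {
  v=${1##*version }
  v=${v#v}
  printf '%s\n' "${v%%.*}"
}

# 0 if "port/proto" already appears as a local listener in an `ss -H -lntu`
# listing (columns: netid state recv-q send-q local-addr:port peer-addr:port).
port_in_use() {
  listing=$1
  port=${2%/*}
  proto=${2#*/}
  printf '%s\n' "$listing" | awk -v p="$port" -v pr="$proto" '
    $1 == pr && $5 ~ (":" p "$") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Space-separated list of stack ports that are already bound, per the listing.
busy_ports() {
  listing=$1
  busy=""
  for spec in $STACK_PORTS; do
    if port_in_use "$listing" "$spec"; then
      busy="$busy $spec"
    fi
  done
  printf '%s\n' "${busy# }"
}

# Run every check against the live host; returns non-zero if any hard check fails.
check_host() {
  rc=0
  mc=$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)
  if map_count_ok "$mc"; then
    echo "OK   vm.max_map_count=$mc"
  else
    echo "FAIL vm.max_map_count=$mc (need >= $REQUIRED_MAP_COUNT: sysctl -w vm.max_map_count=$REQUIRED_MAP_COUNT)"
    rc=1
  fi
  if cv=$(docker compose version 2>/dev/null) && [ "$(compose_major "$cv")" -ge "$REQUIRED_COMPOSE_MAJOR" ]; then
    echo "OK   $cv"
  else
    echo "FAIL docker compose V2 plugin not found (legacy docker-compose V1 is not supported)"
    rc=1
  fi
  if command -v ss >/dev/null 2>&1; then
    busy=$(busy_ports "$(ss -H -lntu 2>/dev/null)")
    if [ -n "$busy" ]; then echo "FAIL ports already in use: $busy"; rc=1; else echo "OK   stack ports free"; fi
  fi
  if command -v curl >/dev/null 2>&1; then
    echo "OK   curl present"
  else
    echo "WARN curl missing (wazuh-dev.sh will try to install it via apt-get)"
  fi
  return $rc
}

# Constructed `ss -H -lntu` sample for offline use: syslog/udp and 9200/tcp are taken.
SS_SAMPLE='udp   UNCONN 0      0       0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      128     0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096       [::]:9200         [::]:*'

if [ "${1-}" = "--check" ]; then
  check_host
fi
```

Memory is deliberately not checked: the 4 GB figure above is a planning guideline for all four containers, not a hard limit the kernel enforces, so it is better read from `free -m` by the operator than turned into a pass/fail line.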
