The Wazuh Docker Stack is a fully containerized, production-ready security monitoring platform built on Wazuh 4.14.5 and orchestrated with Docker Compose for the Simovilab environment. It bundles all four core Wazuh components — Indexer, Manager, Dashboard, and Agent — into a single docker-compose.yml file, backed by 15 persistent named volumes and mutual TLS authentication between services. Every image is sourced directly from the official wazuh/* Docker Hub registry, so no custom builds, Dockerfiles, or image registries are required to get started. The stack is designed to run on a single Linux host, making it ideal for lab environments, on-premises deployments, and development setups that demand real security-event collection without the overhead of a full cluster.
The stack uses only official wazuh/* images pulled directly from Docker Hub — wazuh/wazuh-indexer:4.14.5, wazuh/wazuh-manager:4.14.5, wazuh/wazuh-dashboard:4.14.5, and wazuh/wazuh-agent:4.14.5. No custom builds or private image registries are required.
Core Components
Wazuh Indexer
OpenSearch-based data store that indexes and retains all security alerts and events generated by the Manager. Exposes the REST API on port 9200.
Wazuh Manager
The central analysis and detection engine. Receives agent events, runs decoders and rules, triggers active responses, and forwards processed alerts to the Indexer via Filebeat.
Wazuh Dashboard
OpenSearch Dashboards-based web interface for visualizing alerts, managing agents, and exploring security data. Accessible on port 6443 (mapped from internal 5601).
Wazuh Agent
Lightweight monitoring agent deployed as a privileged container on the Docker host. Collects host logs, monitors the Docker socket, and ships events to the Manager on port 1514.
Components
Wazuh Indexer (wazuh/wazuh-indexer:4.14.5) is the storage and search backend, built on OpenSearch. It receives processed alerts from the Manager via Filebeat over HTTPS, stores them in persistent indices, and serves query results to the Dashboard. The Indexer is configured as a single-node master and requires vm.max_map_count=262144 on the host for stable operation.
Wazuh Manager (wazuh/wazuh-manager:4.14.5) is the core analysis server. It accepts connections from registered Wazuh Agents on port 1514 (event forwarding) and port 1515 (agent enrollment/authentication). The Manager decodes raw events, evaluates them against its ruleset, and pushes normalized alerts to the Indexer using Filebeat with full TLS verification. Its REST API is available on port 55000.
Wazuh Dashboard (wazuh/wazuh-dashboard:4.14.5) is the browser-based interface for security analysts and administrators. It communicates with the Indexer to retrieve alert data and with the Manager API to manage agents and configuration. It is exposed on host port 6443, mapped to the container’s internal port 5601.
Wazuh Agent (wazuh/wazuh-agent:4.14.5) runs as a privileged container on the same Docker host. It mounts /var/log and /var/run/docker.sock (read-only) to collect host system logs and Docker container activity. The agent registers with and forwards events to wazuh.manager over port 1514. Its hostname is configurable via the LOCAL_AGENT_HOSTNAME environment variable.
Port Reference
All network bindings are defined in docker-compose.yml. The following ports must be available on the host:
| Port | Protocol | Service | Purpose |
|---|---|---|---|
| 1514 | TCP | Wazuh Manager | Agent event forwarding — agents ship collected logs and events to the Manager |
| 1515 | TCP | Wazuh Manager | Agent registration and authentication — new agents enroll through this port |
| 514 | UDP | Wazuh Manager | Syslog ingestion — network devices and external systems send syslog messages |
| 55000 | TCP | Wazuh Manager | Manager REST API — used by the Dashboard and external tooling for management |
| 9200 | TCP | Wazuh Indexer | Indexer REST API — OpenSearch HTTP endpoint for queries and index management |
| 6443 | TCP | Wazuh Dashboard | Web UI (HTTPS) — host port 6443 is forwarded to container port 5601 |
Persistent Volumes
All data survives container restarts and upgrades through Docker named volumes. The following 15 volumes are declared in docker-compose.yml:
| Volume Name | Container | Internal Path | Purpose |
|---|---|---|---|
| wazuh_api_configuration | wazuh.manager | /var/ossec/api/configuration | Manager REST API configuration and keys |
| wazuh_etc | wazuh.manager | /var/ossec/etc | Manager runtime configuration (ossec.conf, agent groups, decoders, rules) |
| wazuh_logs | wazuh.manager | /var/ossec/logs | Manager log files and alert archives |
| wazuh_queue | wazuh.manager | /var/ossec/queue | Internal event queues between Manager components |
| wazuh_var_multigroups | wazuh.manager | /var/ossec/var/multigroups | Multi-group configuration state for agent grouping |
| wazuh_integrations | wazuh.manager | /var/ossec/integrations | Third-party integration scripts (PagerDuty, Slack, etc.) |
| wazuh_active_response | wazuh.manager | /var/ossec/active-response/bin | Active response scripts triggered by alerts |
| wazuh_agentless | wazuh.manager | /var/ossec/agentless | Agentless monitoring configuration and scripts |
| wazuh_wodles | wazuh.manager | /var/ossec/wodles | Wazuh modules (wodles) for extended monitoring capabilities |
| filebeat_etc | wazuh.manager | /etc/filebeat | Filebeat configuration for forwarding alerts to the Indexer |
| filebeat_var | wazuh.manager | /var/lib/filebeat | Filebeat state, registry, and pipeline data |
| wazuh-indexer-data | wazuh.indexer | /var/lib/wazuh-indexer | OpenSearch index data — all stored alerts and event documents |
| wazuh-dashboard-config | wazuh.dashboard | /usr/share/wazuh-dashboard/data/wazuh/config | Dashboard persistent configuration (API credentials, settings) |
| wazuh-dashboard-custom | wazuh.dashboard | /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom | Custom branding assets (logos, CSS overrides) |
| wazuh_https_certs | (reserved) | — | Reserved volume for HTTPS certificate storage |
Prerequisites
Before deploying the Wazuh Docker Stack, ensure the following requirements are met on your Linux host:
- Docker Engine 20.10 or later — required for Compose v2 plugin support and modern networking features
- Docker Compose 2.0 or later — the stack uses docker compose (V2 syntax); legacy docker-compose (V1) is not supported
- Linux host — the Wazuh Indexer (OpenSearch) requires the kernel parameter vm.max_map_count to be at least 262144; this is a Linux-only tunable and cannot be set on macOS or Windows Docker Desktop hosts without additional configuration
- Available host ports — ports 1514, 1515, 514/udp, 55000, 9200, and 6443 must not be in use by other services
- Sufficient memory — the Indexer JVM is configured with -Xms1g -Xmx1g; plan for at least 4 GB of available RAM across all four containers
- curl installed on the host — the wazuh-dev.sh deployment script uses curl for health checks and will attempt to install it automatically via apt-get if missing
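
The prerequisites above can be verified before the first start with a short preflight script. This is an added example, not part of the stack or of wazuh-dev.sh: the thresholds and ports are the ones listed on this page, the function names are hypothetical, and it assumes iproute2's ss is installed and reads "available RAM" as MemAvailable in /proc/meminfo.

```sh
#!/bin/sh
# Added example: preflight check for the prerequisites listed above.
# Thresholds and ports are the page's; function names are hypothetical.
MIN_MAP_COUNT=262144
MIN_MEM_KB=4194304   # 4 GB in kB, compared against MemAvailable (assumption)
TCP_PORTS="1514 1515 55000 9200 6443"
UDP_PORTS="514"

# at_least HAVE MIN -> 0 when HAVE is a non-negative integer >= MIN
at_least() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ]
}
# version_ge HAVE WANT -> 0 when HAVE >= WANT (major.minor, leading v ignored)
version_ge() {
    awk -v h="$1" -v w="$2" 'BEGIN {
        sub(/^v/, "", h); split(h, a, "."); split(w, b, ".")
        exit !(a[1]+0 > b[1]+0 || (a[1]+0 == b[1]+0 && a[2]+0 >= b[2]+0)) }'
}
# busy_ports PROTO "PORTS": reads `ss -H -tuln` lines on stdin and prints
# each listed port already bound for that protocol, once per port.
busy_ports() {
    awk -v proto="$1" -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        $1 == proto {
            port = $5; sub(/.*:/, "", port)
            if ((port in need) && !(port in seen)) { seen[port] = 1; print port }
        }'
}
# preflight: checks the live host and returns the number of failed checks
preflight() {
    fails=0
    at_least "$(cat /proc/sys/vm/max_map_count 2>/dev/null)" "$MIN_MAP_COUNT" ||
        { echo "FAIL vm.max_map_count is below $MIN_MAP_COUNT"; fails=$((fails + 1)); }
    at_least "$(awk '/^MemAvailable:/ {print $2}' /proc/meminfo 2>/dev/null)" "$MIN_MEM_KB" ||
        { echo "FAIL less than 4 GB of RAM available"; fails=$((fails + 1)); }
    version_ge "$(docker version --format '{{.Server.Version}}' 2>/dev/null)" 20.10 ||
        { echo "FAIL Docker Engine is older than 20.10 or unreachable"; fails=$((fails + 1)); }
    version_ge "$(docker compose version --short 2>/dev/null)" 2.0 ||
        { echo "FAIL Docker Compose is older than 2.0 or missing"; fails=$((fails + 1)); }
    sockets=$(ss -H -tuln 2>/dev/null)
    for p in $(echo "$sockets" | busy_ports tcp "$TCP_PORTS") \
             $(echo "$sockets" | busy_ports udp "$UDP_PORTS"); do
        echo "FAIL port $p is already in use"; fails=$((fails + 1))
    done
    return "$fails"
}
# Touch the live host only when asked: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then preflight && echo "OK all prerequisites met"; fi
```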