This page covers day-to-day operational commands for the Wazuh Docker Stack — starting, stopping, inspecting, and querying each service. Commands are organized by function: the `wazuh-dev.sh` helper script for opinionated deployments, raw Docker Compose lifecycle management, log inspection, REST API queries against both the Manager and the Indexer, interactive shell access into containers, and volume backup/restore procedures.
wazuh-dev.sh Usage
The `scripts/wazuh-dev.sh` helper script wraps Docker Compose with pre-flight validation, automatic `vm.max_map_count` tuning, credential hashing, and cert generation. It is the recommended entry point for deploying and managing the stack in the Simovilab environment.
Interface:

| Argument | Values | Description |
|---|---|---|
| `server` | — | Operates on `docker-compose.yml` (full Wazuh stack) |
| `agent` | — | Operates on `agent/docker-compose-agent.yml` (agent only) |
| `action` | `up` (default), `down`, `logs`, `ps`, `restart` | Compose lifecycle action to perform |
What `server up` does
When you run `sudo bash scripts/wazuh-dev.sh server up`, the script performs the following steps in order:

- Docker GID detection — runs `getent group docker | cut -d: -f3` to find the host Docker group ID and exports it as `DOCKER_GID` so the agent container can access `/var/run/docker.sock`.
- `vm.max_map_count` enforcement — reads `/proc/sys/vm/max_map_count`; if the value is below `262144`, runs `sysctl -w vm.max_map_count=262144` to satisfy OpenSearch requirements.
- Dependency check — verifies `docker` and `curl` are installed and on `PATH`.
- `.env` validation — checks that a `.env` file exists; if not, copies `.env.example` as a starting point and exits with a warning.
- Compose file check — confirms `docker-compose.yml` is present in the repo root.
- `internal_users.yml` check — confirms `config/wazuh_indexer/internal_users.yml` exists.
- Cert file check — confirms `generate-indexer-certs.yml` is present.
- Post-install script check — validates that `SCRIPT_POST_INSTALL` from `.env` points to an existing file (server mode only).
- Agent hostname resolution — reads `LOCAL_AGENT_HOSTNAME` from `.env`; if the value is `localhost`, replaces it with the actual FQDN from `hostname -f`.
- `$` character validation — exits with an error if `API_PASSWORD` or `API_USERNAME` in `.env` contain the `$` character (unsupported by the sed-based substitution).
- `wazuh.yml` credential sync — updates `config/wazuh_dashboard/wazuh.yml` with the `API_USERNAME` and `API_PASSWORD` values from `.env` using `sed` in-place substitution.
- Password hashing — reads `MY_USERNAME` and `MY_PASSWORD` from `.env`, runs the Indexer's `hash.sh` tool via `docker run` to produce a bcrypt hash, and upserts the user into `config/wazuh_indexer/internal_users.yml`.
- Certificate generation — runs `docker compose -f generate-indexer-certs.yml run --rm generator` to produce fresh TLS certs in `./config/wazuh_indexer_ssl_certs/`.
- Stack start — runs `docker compose -f docker-compose.yml --env-file .env up -d`.
Stack Lifecycle (Docker Compose)
Use these commands when you want direct control over the stack without the pre-flight validation that `wazuh-dev.sh` performs. Ensure `.env` is sourced and `vm.max_map_count` is already set before using these commands cold.
Log Inspection
All containers write structured output to Docker's log driver. Use `docker compose logs` to stream or retrieve them.
Wazuh REST API
The Wazuh Manager exposes a REST API on port `55000`. Authentication is a two-step process: first POST to `/security/user/authenticate?raw=true` with HTTP Basic credentials to receive a short-lived JWT token, then supply that token as a Bearer header on subsequent requests.
The API credentials are set via the `API_USERNAME` and `API_PASSWORD` variables in your `.env` file. Replace `<your-password>` in the examples below with your actual `API_PASSWORD` value.
Waiting for the API to become available
The `wazuh-conf-en.sh` post-install script uses a retry loop — a pattern you can reuse in your own automation — that polls the API endpoint and waits until it returns HTTP 200 or 401 before proceeding:
A 200 response means authentication succeeded; a 401 means the API is up but credentials were rejected — both indicate the API process is healthy and accepting connections.
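The readiness poll and two-step login described above, as a reusable shell snippet. This is an added example, not the project's `wazuh-conf-en.sh`; it assumes the Manager is reachable at `https://localhost:55000`, that `API_USERNAME` and `API_PASSWORD` are exported from `.env`, and uses `/manager/info` as the endpoint to call once a token is held.

```shell
#!/bin/sh
# Added example (not the project's wazuh-conf-en.sh): poll the Wazuh API until it is up,
# then do the two-step Basic -> JWT -> Bearer login. Assumes API_USERNAME and API_PASSWORD
# are exported from .env and the Manager listens on the URL below.
WAZUH_API_URL="${WAZUH_API_URL:-https://localhost:55000}"

# 200 = authenticated, 401 = up but credentials rejected; both mean the API process is healthy.
api_ready() {
  case "$1" in
    200|401) return 0 ;;
    *)       return 1 ;;
  esac
}

# Probe the authenticate endpoint and print only the HTTP status ("000" if the connection fails).
# -k skips TLS verification while the API presents a self-signed certificate; drop it once
# the API serves a certificate your trust store knows.
probe_api() {
  curl -sk -o /dev/null -w '%{http_code}' -u "$API_USERNAME:$API_PASSWORD" \
    -X POST "$WAZUH_API_URL/security/user/authenticate?raw=true"
}

# Run probe $1 (default probe_api) every $3 seconds, at most $2 times. Prints the status
# that ended the wait; returns 1 on timeout so automation can abort instead of proceeding.
wait_for_api() {
  probe="${1:-probe_api}"; max="${2:-30}"; interval="${3:-5}"; i=0
  while [ "$i" -lt "$max" ]; do
    code="$("$probe")"
    if api_ready "$code"; then
      echo "$code"
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  echo "Wazuh API not ready after $max attempts" >&2
  return 1
}

# Step 1: exchange Basic credentials for a short-lived JWT (raw=true returns the bare token).
get_token() {
  curl -sk -u "$API_USERNAME:$API_PASSWORD" -X POST "$WAZUH_API_URL/security/user/authenticate?raw=true"
}

# Step 2: present the JWT as a Bearer token on every later request.
api_get() {
  curl -sk -H "Authorization: Bearer $1" "$WAZUH_API_URL$2"
}

# Typical use: wait_for_api >/dev/null && TOKEN="$(get_token)" && api_get "$TOKEN" /manager/info
```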
Wazuh Indexer API
The Wazuh Indexer (OpenSearch) exposes its HTTP API on port `9200`. Authentication uses the admin user configured in `config/wazuh_indexer/internal_users.yml`. Replace `<your-password>` with your actual `INDEXER_PASSWORD` value from `.env`.
Port `9200` is mapped directly to the host in `docker-compose.yml`. In production, consider blocking this port from external access with a firewall rule — see Security for details.
Container Exec (Shell Access)
Use `docker exec` to run commands inside a running container or open an interactive shell for in-depth debugging.
Data Backup and Restore
All persistent data lives in named Docker volumes defined in `docker-compose.yml`. The stack defines 15 named volumes: `wazuh_api_configuration`, `wazuh_etc`, `wazuh_logs`, `wazuh_queue`, `wazuh_var_multigroups`, `wazuh_integrations`, `wazuh_active_response`, `wazuh_agentless`, `wazuh_wodles`, `filebeat_etc`, `filebeat_var`, `wazuh-indexer-data`, `wazuh-dashboard-config`, `wazuh-dashboard-custom`, and `wazuh_https_certs`. Back up volumes by mounting them alongside a scratch Alpine container.
Stop the relevant containers before restoring volumes to avoid data corruption: `sudo docker compose stop wazuh.manager` before restoring `wazuh_etc`, for example.
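The backup and restore procedure above as a small shell tool. This is an added example, not the repository's own tooling; it assumes archives are written to `./backups` as `<volume>-<timestamp>.tar.gz`, that the `DOCKER` variable may be overridden (`DOCKER=echo` gives a dry run that only prints the commands), and that the caller names the compose service that owns the volume being restored.

```shell
#!/bin/sh
# Added example, not the repository's own tooling: back up and restore the stack's named volumes
# through a scratch Alpine container. Assumptions: archives land in ./backups as
# <volume>-<timestamp>.tar.gz, and DOCKER may be overridden (DOCKER=echo = dry run).
DOCKER="${DOCKER:-docker}"
BACKUP_DIR="${BACKUP_DIR:-$PWD/backups}"

# The 15 named volumes defined in docker-compose.yml.
WAZUH_VOLUMES="wazuh_api_configuration wazuh_etc wazuh_logs wazuh_queue wazuh_var_multigroups
wazuh_integrations wazuh_active_response wazuh_agentless wazuh_wodles filebeat_etc filebeat_var
wazuh-indexer-data wazuh-dashboard-config wazuh-dashboard-custom wazuh_https_certs"

# Archive one volume ($1) under a shared timestamp ($2). The volume is mounted read-only so a
# backup can never alter live data; the archive directory is the only writable mount.
backup_volume() {
  vol="$1"; stamp="${2:-$(date +%Y%m%d-%H%M%S)}"
  mkdir -p "$BACKUP_DIR"
  $DOCKER run --rm -v "$vol:/data:ro" -v "$BACKUP_DIR:/backup" alpine \
    tar czf "/backup/$vol-$stamp.tar.gz" -C /data .
}

# Archive every volume with one timestamp so a full-stack snapshot is identifiable by name.
backup_all() {
  stamp="$(date +%Y%m%d-%H%M%S)"
  for v in $WAZUH_VOLUMES; do backup_volume "$v" "$stamp" || return 1; done
}

# Restore archive $2 into volume $1. The owning compose service ($3, e.g. wazuh.manager for
# wazuh_etc) must be named and is stopped first: restoring under a running writer is how a
# volume gets corrupted. Archive contents are extracted over whatever is in the volume.
restore_volume() {
  vol="$1"; archive="$2"; service="$3"
  [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }
  [ -n "$service" ] || { echo "refusing to restore $vol: name the service to stop first" >&2; return 1; }
  $DOCKER compose stop "$service" || return 1
  $DOCKER run --rm -v "$vol:/data" -v "$(dirname "$archive"):/backup:ro" alpine \
    tar xzf "/backup/$(basename "$archive")" -C /data
}
```

The stopped service is not restarted automatically; bring it back with `docker compose start <service>` once the restore has finished.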