Most Wazuh tutorials stop at "here's how to spin up the containers." That's fine for a demo, but getting it to actually monitor your infrastructure — with meaningful alerts, automated agent deployment, and cloud integrations — is a different story.
I spent a few weeks assembling everything into a single repo: wazuh-docker-monitoring-platform. Here's what it includes and why I built each piece.
The problem with most Wazuh setups
Out of the box, Wazuh gives you generic Linux alerts. Useful, but noisy. What I needed was:
- Detection rules tuned for Docker container abuse (privileged runs, suspicious mounts, crypto-mining)
- VMware vCenter monitoring — snapshot abuse, vMotion events, auth brute force
- AWS CloudTrail and GCP Audit Log anomalies mapped to Wazuh rules
- A way to deploy agents at scale without SSHing into 30 machines one by one
- Something that works in both a lab (4GB RAM) and production
What the stack looks like
Code:
┌────────────────────────────────┐
│ Wazuh Manager   :1514 / :55000 │
│ Wazuh Indexer   :9200          │
│ Wazuh Dashboard :5601          │
│ NGINX (optional reverse proxy) │
└────────────────────────────────┘
↑ agents on port 1514
Linux servers · Windows servers · Docker hosts · vCenter
↑ log forwarding
AWS CloudTrail (S3) · GCP Pub/Sub
Everything runs via docker compose. There's also a docker-compose.lab.yml overlay that cuts resource usage for testing.
Custom detection rules
This is the part I'm most proud of. The rules/ directory has rules for:
Docker (rules/docker/)
- Container exec events
- Privileged container creation
- Host namespace abuse (--pid=host, --network=host)
- Suspicious bind mounts (/etc, /var/run/docker.sock)
- Crypto-mining signatures
VMware (rules/vmware/)
- VM power state changes
- Snapshot creation/deletion (ransomware indicator)
- Host disconnect events
- vCenter login brute force
AWS (rules/aws/)
- IAM policy changes
- Security group opened to 0.0.0.0/0
- Console login without MFA
- CloudTrail disabled or deleted
GCP (rules/gcp/)
- Public bucket created
- Firewall rule opened to 0.0.0.0/0
- IAM policy changes
- Compute instance created outside allowed regions
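To show what the Docker rule categories above actually key on, here is an added example (my own code, not from the repo) that applies the privileged, host-namespace and suspicious-bind-mount checks to the HostConfig section of `docker inspect` output; the sample records and the watched path list are constructed for the demo.

```python
import json

# Host paths whose bind-mounting into a container is treated as suspicious
# (mirrors the "suspicious bind mounts" rule category; list is an assumption).
SUSPICIOUS_MOUNTS = ("/", "/etc", "/root", "/var/run/docker.sock")


def _is_suspicious_mount(host_path: str) -> bool:
    """True if host_path is a watched path or lives under one."""
    for watched in SUSPICIOUS_MOUNTS:
        if host_path == watched:
            return True
        if watched != "/" and host_path.startswith(watched + "/"):
            return True
    return False


def check_container(record: dict) -> list:
    """Return findings for one `docker inspect` record."""
    name = record.get("Name", "?").lstrip("/")
    host = record.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):
        findings.append(f"{name}: privileged container")
    if host.get("PidMode") == "host":
        findings.append(f"{name}: host PID namespace (--pid=host)")
    if host.get("NetworkMode") == "host":
        findings.append(f"{name}: host network namespace (--network=host)")
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]  # host side of src:dst[:opts]
        if _is_suspicious_mount(src):
            findings.append(f"{name}: suspicious bind mount {src}")
    return findings


def scan(inspect_json: str) -> list:
    """Run the checks over the JSON array that `docker inspect` prints."""
    findings = []
    for record in json.loads(inspect_json):
        findings.extend(check_container(record))
    return findings


# Constructed sample: one ordinary container and one that trips several rules.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "PidMode": "",
     "NetworkMode": "bridge", "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/ci-runner", "HostConfig": {"Privileged": True, "PidMode": "host",
     "NetworkMode": "host",
     "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/etc/ssl:/certs"]}},
])

if __name__ == "__main__":
    for line in scan(SAMPLE_INSPECT):
        print(line)
```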
Ansible agent deployment
Instead of deploying agents manually, the repo includes Ansible playbooks that handle everything:
Code:
# Deploy to all Linux hosts in inventory
ansible-playbook -i inventories/production playbooks/deploy-linux-agent.yml
# Windows too (via WinRM)
ansible-playbook -i inventories/production playbooks/deploy-windows-agent.yml
There's also a network discovery script that scans a subnet, generates an Ansible inventory, and feeds it straight into the deployment pipeline:
Code:
make onboard SUBNET=10.0.0.0/24
One command: scan → discover → deploy agents → verify.
Getting started
Code:
git clone https://github.com/GiulioSavini/wazuh-docker-monitoring-platform.git
cd wazuh-docker-monitoring-platform
make preflight # validate Docker, kernel params, disk, ports
cp .env.example .env # set your passwords
make init # generate TLS certs
make deploy # bring up the stack
Dashboard is at https://localhost:5601 in a few minutes.
Lab vs production mode
Running this on a homelab with limited RAM? Use the lab overlay:
Code:
docker compose -f docker-compose.yml -f docker-compose.lab.yml up -d
It reduces the Wazuh Indexer heap and manager memory limits to fit on an 8GB machine.
What's next
The repo roadmap includes:
- Wazuh cluster mode (multi-node manager)
- Kubernetes Helm chart
- SOAR integration (Shuffle / TheHive)
- Sigma rule auto-import
- Automated compliance dashboards (PCI-DSS, CIS)
If you're running VMware, Docker, or any cloud infrastructure and want proper security visibility without paying for a commercial SIEM, give it a try. PRs and rule contributions welcome.
→ github.com/GiulioSavini/wazuh-docker-monitoring-platform