Wazuh Docker deployment


Symeon Zapsis

Sep 6, 2024, 8:11:55 AM
to Wazuh | Mailing List

Dear Wazuh Team,

I have been following the instructions provided in your documentation: Wazuh Docker deployment.

On my Ubuntu VirtualBox, the root directory (/) has only 1.5 GB of free space, while the /opt/ directory has 20 GB available. I would like to deploy the Wazuh volumes in /opt/wazuh/volumes instead of the default /var/lib/docker/volumes.

Before running the docker-compose up command, I modified the docker-compose.yml file as follows to adjust the volume mounts:

  wazuh.manager:
    volumes:
      - /opt/wazuh/volumes/wazuh_api_configuration:/var/ossec/api/configuration
      - /opt/wazuh/volumes/wazuh_etc:/var/ossec/etc
      - /opt/wazuh/volumes/wazuh_logs:/var/ossec/logs
      - /opt/wazuh/volumes/wazuh_queue:/var/ossec/queue
      - /opt/wazuh/volumes/wazuh_var_multigroups:/var/ossec/var/multigroups
      - /opt/wazuh/volumes/wazuh_integrations:/var/ossec/integrations
      - /opt/wazuh/volumes/wazuh_active_response:/var/ossec/active-response/bin
      - /opt/wazuh/volumes/wazuh_agentless:/var/ossec/agentless
      - /opt/wazuh/volumes/wazuh_wodles:/var/ossec/wodles
      - /opt/wazuh/volumes/filebeat_etc:/etc/filebeat
      - /opt/wazuh/volumes/filebeat_var:/var/lib/filebeat


  wazuh.indexer:
    volumes:
      - /opt/wazuh/volumes/wazuh-indexer-data:/var/lib/wazuh-indexer

  wazuh.dashboard:
    volumes:
      - /opt/wazuh/volumes/wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - /opt/wazuh/volumes/wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom

After making these changes, I encountered the following issue:
The dashboard displays the message "Wazuh dashboard server is not ready yet" and in the logs, I see:
[ConnectionError]: connect ECONNREFUSED 172.18.0.3:9200.

Could you please advise on how to resolve this issue?

Thank you in advance for your support.

Best regards,
Symeon Zapsis



Openime Oniagbi

Sep 6, 2024, 8:57:44 AM
to Wazuh | Mailing List
Hello Symeon,

Please can you share the logs from the Wazuh indexer container?

Symeon Zapsis

Sep 7, 2024, 2:00:33 AM
to Wazuh | Mailing List
Hello,
Please see the attached log file.
Best regards.
Symeon
wazuh_indexer_logs.txt

Symeon Zapsis

Sep 9, 2024, 7:09:12 AM
to Wazuh | Mailing List
Kind reminder.

Openime Oniagbi

Sep 9, 2024, 10:57:53 AM
to Wazuh | Mailing List
Hello Symeon,

No logs indicate any critical issues with the indexer. Please can you confirm that the indexer is reachable on 172.18.0.3:9200, if that is the IP address of the host?

Symeon Zapsis

Sep 10, 2024, 1:23:49 AM
to Wazuh | Mailing List
Dear Supporter,

Please see the attached screenshot.

I’ve also attached the docker-compose.yml file, where you can see the detailed changes I made.

Best Regards,
Symeon
Screenshot from 2024-09-10 08-18-24.png
docker-compose.yml

Openime Oniagbi

Sep 10, 2024, 3:29:05 AM
to Wazuh | Mailing List
Hello,

Please can you send the Wazuh dashboard logs also?

Symeon Zapsis

Sep 10, 2024, 4:27:19 AM
to Wazuh | Mailing List
Please see attached log.
Also, I observed that the indexer container is always restarting every minute.
wazuh_dashboard_logs.txt

Openime Oniagbi

Sep 11, 2024, 9:10:14 AM
to Wazuh | Mailing List

Hi Symeon,

I just wanted to let you know that the way you have used to specify the mount volumes is not the correct way to do so. This is because Wazuh mounts Docker volumes, and in the case you are showing you are doing a bind mount of a directory, which for practical purposes is often the same. Still, it is not, especially in how Docker handles these volumes.

What I recommend you do in case you want to modify the path of the volumes is to create them with local-persist, a Docker plugin that allows you to modify the mount point of the created volumes. To do that you first have to install the plugin on the host machine and then modify the definition of the volumes, which is at the end of the docker-compose.yml file and which in our case has no definition since we let Docker manage it completely.

Here is an example of a definition of the wazuh_etc volume in line 103 for single-node deployment:

  wazuh_etc:
    driver: local-persist
    driver_opts:
      mountpoint: /opt/wazuh/volumes/wazuh_etc

Remember that you first have to install the plugin to be able to use it.

Please let me know if this helps.
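
The change described in this reply, as an added example that is not part of the original post or of Wazuh's own tooling: a small script that rewrites the bind-mount entries from the question as named volumes and emits the matching local-persist definitions for the end of docker-compose.yml. It assumes the last component of each host path is the intended volume name; the function name `convert` is hypothetical.

```python
# Added example (not from the thread): turn host-path bind mounts into
# named volumes whose location is set by the local-persist driver.

# Constructed sample: three of the bind-mount entries from the question.
BIND_MOUNTS = """\
  wazuh.manager:
    volumes:
      - /opt/wazuh/volumes/wazuh_etc:/var/ossec/etc
      - /opt/wazuh/volumes/wazuh_logs:/var/ossec/logs
  wazuh.indexer:
    volumes:
      - /opt/wazuh/volumes/wazuh-indexer-data:/var/lib/wazuh-indexer
"""


def convert(compose_text, driver="local-persist"):
    """Return (service section using named volumes, top-level volumes block)."""
    services, volumes = [], {}
    for line in compose_text.splitlines():
        entry = line.strip()
        if not entry.startswith("- /"):
            services.append(line)  # not a host-path mount: keep unchanged
            continue
        host, _, container = entry[2:].partition(":")
        host = host.rstrip("/")
        # Assumption: the last path component is the intended volume name.
        name = host.rsplit("/", 1)[-1]
        if volumes.setdefault(name, host) != host:
            raise ValueError(f"volume {name!r} maps to two host paths")
        indent = line[: len(line) - len(line.lstrip())]
        services.append(f"{indent}- {name}:{container}")
    top = ["volumes:"]
    for name, host in volumes.items():
        top += [
            f"  {name}:",
            f"    driver: {driver}",
            "    driver_opts:",
            f"      mountpoint: {host}",
        ]
    return "\n".join(services), "\n".join(top)


if __name__ == "__main__":
    services, top = convert(BIND_MOUNTS)
    print(services)
    print(top)
```

The first returned string replaces the services' `volumes:` entries and the second replaces the empty volume definitions at the end of the file; the plugin must already be installed on the host.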

Symeon Zapsis

Sep 12, 2024, 8:37:28 AM
to Wazuh | Mailing List
Yes, it works!! Thank you so much for your efforts. I really appreciate the time you spent answering my questions.

The var/lib/docker/overlay2 folder is taking up a lot of space. I will keep looking for a way to move it to the /opt/wazuh/overlay2 folder.

Once again, thank you very much!

Best Regards.
Symeon

Openime Oniagbi

Sep 12, 2024, 10:50:24 AM
to Wazuh | Mailing List
Glad to hear that!

Cheers!
