@williamzujkowski
Created November 18, 2025 01:30
SIEM Deployment - Wazuh and Graylog Docker Compose
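# Wazuh Docker Compose Deployment
#
# Single-node Wazuh stack: manager, indexer and dashboard.
#
# Credentials are not stored in this file. Supply them through the shell
# environment or an untracked .env file next to it:
#   INDEXER_PASSWORD  password of the indexer "admin" user
#   API_PASSWORD      password of the Wazuh API "wazuh-admin" user
# Compose refuses to start when a variable written as ${NAME:?message} is unset
# or empty, so a forgotten secret fails loudly instead of falling back to a
# guessable default.
#
# NOTE(review): no variable on the wazuh-indexer service sets the "admin"
# password, so it is presumably defined in the indexer's own security
# configuration. INDEXER_PASSWORD must match that value; rotate it there first.
version: '3.8'
services:
  wazuh-manager:
    image: wazuh/wazuh-manager:4.9.0
    hostname: wazuh-manager
    restart: always
    # Every mapping below listens on all host interfaces. Restrict access with
    # a host firewall to the networks that hold agents, log sources and admins.
    # Host port 1514 is also claimed by the Graylog stack in this file; the two
    # stacks cannot share a host without remapping one of them.
    ports:
      - "1514:1514"    # agent connections
      - "1515:1515"    # agent enrollment
      - "514:514/udp"  # syslog collection
      - "55000:55000"  # Wazuh API
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      - 'INDEXER_PASSWORD=${INDEXER_PASSWORD:?set INDEXER_PASSWORD in the environment or .env}'
      # Full verification checks the indexer certificate chain and host name.
      # NOTE(review): no volume in this file provides the three /etc/ssl files
      # referenced below; confirm how the certificates reach the container.
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-admin
      - 'API_PASSWORD=${API_PASSWORD:?set API_PASSWORD in the environment or .env}'
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat

  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.9.0
    hostname: wazuh-indexer
    restart: always
    # The manager and dashboard reach the indexer by service name on the
    # Compose network. Publishing 9200 additionally exposes the alert store to
    # the host network; drop the mapping or firewall it if nothing outside the
    # stack queries the indexer.
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms4g -Xmx4g"
      - "bootstrap.memory_lock=true"
      - "discovery.type=single-node"
    ulimits:
      # Unlimited memlock is what lets bootstrap.memory_lock pin the heap.
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer

  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.9.0
    hostname: wazuh-dashboard
    restart: always
    ports:
      - "443:5601"
    environment:
      # Same credentials as the manager; both read them from the environment so
      # the two services cannot drift apart.
      - INDEXER_USERNAME=admin
      - 'INDEXER_PASSWORD=${INDEXER_PASSWORD:?set INDEXER_PASSWORD in the environment or .env}'
      - WAZUH_API_URL=https://wazuh-manager
      - API_USERNAME=wazuh-admin
      - 'API_PASSWORD=${API_PASSWORD:?set API_PASSWORD in the environment or .env}'
    volumes:
      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
    depends_on:
      - wazuh-indexer
    # "links" is a legacy Compose option, kept as the author wrote it.
    links:
      - wazuh-indexer:wazuh-indexer
      - wazuh-manager:wazuh-manager

volumes:
  wazuh_api_configuration:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:
  wazuh-indexer-data:
  wazuh-dashboard-config:
  wazuh-dashboard-custom: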
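# Graylog Docker Compose Deployment
#
# Graylog with MongoDB (configuration store) and Elasticsearch (log storage),
# all attached to one private bridge network.
#
# Secrets are not stored in this file. Supply them through the shell
# environment or an untracked .env file next to it:
#   GRAYLOG_PASSWORD_SECRET     long random string (Graylog requires at least
#                               16 characters); keep it stable across restarts
#   GRAYLOG_ROOT_PASSWORD_SHA2  SHA-256 hex digest of the root user's password
# Generate the digest from a password of your own. Never reuse a digest copied
# from documentation or an example: such values belong to publicly known
# passwords (the SHA-256 of "admin" is the usual one) and give no protection.
---
version: '3.8'
services:
  mongodb:
    image: mongo:6.0
    hostname: mongodb
    restart: always
    # No credentials are configured and no host port is published, so MongoDB
    # is reachable only from containers on the "graylog" network.
    volumes:
      - mongo_data:/data/db
    networks:
      - graylog

  elasticsearch:
    # NOTE(review): Graylog 5.x documents Elasticsearch 7.10.x and OpenSearch
    # as supported backends; verify that an 8.x image works before relying on
    # this stack.
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.0
    hostname: elasticsearch
    restart: always
    environment:
      - discovery.type=single-node
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
      # Authentication and TLS are switched off. That is tolerable only while
      # this service stays unpublished (no "ports" entry) and the "graylog"
      # network holds trusted containers; anything that can reach port 9200
      # can read and delete every stored log.
      - xpack.security.enabled=false
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - es_data:/usr/share/elasticsearch/data
    networks:
      - graylog

  graylog:
    image: graylog/graylog:5.2
    hostname: graylog
    restart: always
    environment:
      - 'GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET:?set GRAYLOG_PASSWORD_SECRET in the environment or .env}'
      - 'GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2:?set GRAYLOG_ROOT_PASSWORD_SHA2 in the environment or .env}'
      # The web interface is served over plain HTTP. If the host is reachable
      # from other machines, put a TLS-terminating reverse proxy in front of it
      # and update this URI, otherwise logins cross the network in clear text.
      - GRAYLOG_HTTP_EXTERNAL_URI=http://localhost:9000/
      - GRAYLOG_ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
    # Every mapping below listens on all host interfaces; limit the inputs to
    # the networks that send logs. Host port 1514/tcp is also claimed by the
    # Wazuh stack in this file, so remap one of them when both share a host.
    ports:
      - "9000:9000"       # Graylog web interface
      - "1514:1514/tcp"   # Syslog TCP
      - "1514:1514/udp"   # Syslog UDP
      - "12201:12201"     # GELF TCP
      - "12201:12201/udp" # GELF UDP
    volumes:
      - graylog_data:/usr/share/graylog/data
    networks:
      - graylog
    depends_on:
      - mongodb
      - elasticsearch

networks:
  graylog:
    driver: bridge

volumes:
  mongo_data:
  es_data:
  graylog_data: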