How I built a production-ready Wazuh SIEM on Docker (with custom rules for VMware, AWS and GCP)

Source: Dev.to

The problem with most Wazuh setups

Out of the box, Wazuh gives you generic Linux alerts. Useful, but noisy. What I needed was:

• Detection rules tuned for Docker container abuse (privileged runs, suspicious mounts, crypto‑mining)
• VMware vCenter monitoring – snapshot abuse, vMotion events, auth brute force
• AWS CloudTrail and GCP Audit Log anomalies mapped to Wazuh rules
• A way to deploy agents at scale without SSHing into dozens of machines one by one
• Something that works in both a lab (4 GB RAM) and production

What the stack looks

┌─────────────────────────────────┐
│  Wazuh Manager  :1514 / :55000 │
│  Wazuh Indexer  :9200          │
│  Wazuh Dashboard :5601        │
│  NGINX (optional reverse proxy)│
└─────────────────────────────────┘
         ↑ agents on port 1514
Linux servers · Windows servers · Docker hosts · vCenter
         ↑ log forwarding
AWS CloudTrail (S3) · GCP Pub/Sub

Everything runs via docker compose. There is also a docker-compose.lab.yml overlay that reduces resource usage for testing.

Custom detection rules

The rules/ directory contains rule sets for each environment.

Docker (rules/docker/)

• Container exec events
• Privileged container creation
• Host namespace abuse (--pid=host, --network=host)
• Suspicious bind mounts (/etc, /var/run/docker.sock)
• Crypto‑mining signatures

VMware (rules/vmware/)

• VM power state changes
• Snapshot creation/deletion (ransomware indicator)
• Host disconnect events
• vCenter login brute force

AWS (rules/aws/)

• IAM policy changes
• Security group opened to 0.0.0.0/0
• Console login without MFA
• CloudTrail disabled or deleted

GCP (rules/gcp/)

• Public bucket created
• Firewall rule opened to 0.0.0.0/0
• IAM policy changes
• Compute instance created outside allowed regions

Ansible agent deployment

The repository includes Ansible playbooks to automate agent installation.

# Deploy to all Linux hosts in inventory
ansible-playbook -i inventories/production playbooks/deploy-linux-agent.yml

# Windows hosts (via WinRM)
ansible-playbook -i inventories/production playbooks/deploy-windows-agent.yml

A network discovery script scans a subnet, generates an Ansible inventory, and feeds it directly into the deployment pipeline:

make onboard SUBNET=10.0.0.0/24

One command: scan → discover → deploy agents → verify.

Getting started

git clone https://github.com/GiulioSavini/wazuh-docker-monitoring-platform.git
cd wazuh-docker-monitoring-platform

make preflight        # validate Docker, kernel params, disk, ports
cp .env.example .env  # set your passwords
make init             # generate TLS certs
make deploy           # bring up the stack

The dashboard will be available at https://localhost:5601 after a few minutes.

Lab vs production mode

Running on a homelab with limited RAM? Use the lab overlay:

docker compose -f docker-compose.yml -f docker-compose.lab.yml up -d

This reduces the Wazuh Indexer heap and manager memory limits to fit on an 8 GB machine.

What’s next

Planned roadmap:

• Wazuh cluster mode (multi‑node manager)
• Kubernetes Helm chart
• SOAR integration (Shuffle / TheHive)
• Sigma rule auto‑import
• Automated compliance dashboards (PCI‑DSS, CIS)

If you’re using VMware, Docker, or any cloud infrastructure and want proper security visibility without a commercial SIEM, give it a try. PRs and rule contributions are welcome.

→ https://github.com/GiulioSavini/wazuh-docker-monitoring-platform