Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 2)

Wazuh and Ollama: Part 2. Deploying the Wazuh Cluster

Now it’s time to set up Wazuh, which we will integrate with Ollama.

Why Docker Compose for Wazuh?

The fastest and easiest way to deploy a Wazuh cluster is by using Docker Compose. This approach provides:

  • Quick deployment (minutes vs hours)
  • Consistent environment across different systems
  • Easy scaling and management
  • Simplified updates and maintenance

Docker Compose orchestrates multiple containers as a single application stack, which is ideal for Wazuh because the platform requires several interconnected services: the Wazuh Manager, the Wazuh Indexer (OpenSearch), and the Wazuh Dashboard. Managing these components individually would require significant manual coordination, whereas Docker Compose handles service dependencies, networking, and volume management through a single declarative configuration file.

Cloning the Wazuh Docker Repository

Start by cloning the official wazuh-docker repository:

git clone -b v4.11.0 https://github.com/wazuh/wazuh-docker && cd wazuh-docker/multi-node

The multi-node directory contains the Docker Compose configuration for a production-like deployment with separate containers for each Wazuh component. For testing or development purposes, you could also use the single-node directory, which consolidates services but is not recommended for production workloads.

Generating Security Certificates

The next step is to create certificates for the configuration:

docker compose -f generate-indexer-certs.yml run --rm generator

This command generates TLS certificates that secure communication between all Wazuh components. The certificates are stored in a shared volume and are automatically referenced by each service during startup. Proper certificate generation is critical because the Wazuh Indexer will refuse connections from components presenting invalid or missing certificates.

Configuring the Wazuh Agent

Once the certificates are generated, you could start the Wazuh cluster, but before doing so, let's add a containerized agent so the deployment reports data from the start.

To do this, open the docker-compose.yml file and add the following service definition under the existing services: key, at the same indentation level as the other services:

  wazuh-agent:
    image: opennix/wazuh-agent:4.7.2
    hostname: wazuh-agent
    restart: always
    environment:
      - JOIN_MANAGER_MASTER_HOST=wazuh.manager
      - JOIN_MANAGER_WORKER_HOST=wazuh.manager
      - JOIN_MANAGER_USER=wazuh-wui
      - JOIN_MANAGER_PASSWORD=MyS3cr37P450r.*-
    depends_on:
      wazuh.manager:
        condition: service_healthy

The agent configuration above uses the opennix/wazuh-agent image from the docker-wazuh-agent project, a containerized Wazuh agent designed for Docker and Kubernetes environments. The depends_on directive with the service_healthy condition ensures that the agent container starts only after the Wazuh Manager has completed its initialization and is ready to accept connections; this condition requires the manager service to define a healthcheck, and the service name used here (wazuh.manager) must match the manager service name in your docker-compose.yml. The JOIN_MANAGER_* variables point the agent at the manager and supply the API credentials it uses to register itself automatically on startup, eliminating manual agent enrollment. The user and password shown are the defaults shipped with wazuh-docker; if you change the API password for the cluster, update these values as well.

Deploying the Wazuh Cluster

Now let’s proceed with deploying and starting the Wazuh cluster:

docker compose up -d

The cluster deployment may take some time, depending on the CPU, memory and disk speed of your server or workstation.

Verifying Deployment Status

Once the process is complete, you can check the status of all containers using the following command:

docker compose ps

All containers should show a “healthy” or “running” status. If any container shows “unhealthy” or “restarting”, proceed to the troubleshooting section below to diagnose the issue before continuing with the Ollama integration.

Accessing the Wazuh Dashboard

After successful deployment, access the Wazuh web interface at:

  • URL: https://localhost
  • Default credentials: admin / SecretPassword (change this immediately)

Upon first login, navigate to the Agents section to verify that the containerized agent has successfully registered and is reporting data. You should see the agent listed with an “Active” status. If the agent does not appear, verify the environment variables in the agent service configuration and check the manager logs for registration errors.

Deployment Troubleshooting

If an error occurs during deployment, check the container logs (append a service name to limit the output to a single container):

docker compose logs

Common deployment issues and their resolutions include:

  • Indexer fails to start: This is typically caused by insufficient vm.max_map_count. Run sudo sysctl -w vm.max_map_count=262144 on the Docker host to resolve this. To make it persistent, add the setting to /etc/sysctl.conf.
  • Certificate errors: If services cannot communicate due to TLS errors, regenerate certificates by removing the existing certificate volume and running the generator again.
  • Memory constraints: The full Wazuh stack requires a minimum of 4 GB of available RAM. On systems with limited memory, consider using the single-node deployment or adjusting the JVM heap sizes in the Docker Compose environment variables.
  • Port conflicts: Ensure that ports 443 (Dashboard), 1514-1515 (agent communication), and 9200 (Indexer API) are not already in use by other services on the host.
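The checks in this list can be run before docker compose up -d rather than after a failed start. The script below is an added example, not part of the original post or of wazuh-docker; it assumes a Linux Docker host (it reads /proc) and uses the thresholds and ports stated above.

```python
import socket

# Thresholds and ports taken from the troubleshooting list above.
MIN_MAX_MAP_COUNT = 262144
MIN_MEM_KB = 4 * 1024 * 1024  # 4 GB in kB, the unit /proc/meminfo uses
WAZUH_PORTS = {443: "Dashboard", 1514: "agent events", 1515: "agent enrollment", 9200: "Indexer API"}

def parse_meminfo_total_kb(meminfo_text):
    """Return MemTotal in kB from the content of /proc/meminfo."""
    for line in meminfo_text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1])
    raise ValueError("MemTotal not found in /proc/meminfo")

def port_in_use(port, host="127.0.0.1"):
    """True when a listener already accepts connections on the port.
    A connect test (not bind) works without root for privileged ports like 443."""
    try:
        with socket.create_connection((host, port), timeout=0.5):
            return True
    except OSError:
        return False

def evaluate(max_map_count, mem_total_kb, busy_ports):
    """Pure check on collected values; returns the list of problems (empty means ready)."""
    problems = []
    if max_map_count < MIN_MAX_MAP_COUNT:
        problems.append(f"vm.max_map_count={max_map_count} is below {MIN_MAX_MAP_COUNT}; "
                        f"run: sudo sysctl -w vm.max_map_count={MIN_MAX_MAP_COUNT}")
    if mem_total_kb < MIN_MEM_KB:
        problems.append(f"only {mem_total_kb // 1024} MB RAM; the stack needs at least 4 GB")
    for port in sorted(busy_ports):
        problems.append(f"port {port} ({WAZUH_PORTS.get(port, 'unknown')}) is already in use")
    return problems

def preflight():
    """Collect live values from a Linux Docker host and evaluate them."""
    with open("/proc/sys/vm/max_map_count") as f:
        max_map_count = int(f.read())
    with open("/proc/meminfo") as f:
        mem_total_kb = parse_meminfo_total_kb(f.read())
    busy = {port for port in WAZUH_PORTS if port_in_use(port)}
    return evaluate(max_map_count, mem_total_kb, busy)

if __name__ == "__main__":
    for line in preflight() or ["host looks ready for docker compose up -d"]:
        print(line)
```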

Adding the Ollama Service

Now that the Wazuh cluster is deployed using Docker Compose, you are ready to begin the integration with Ollama and continue developing your project.

To do this, edit the docker-compose.yml file and add the ollama service under the same services: key as the Wazuh components:

  ollama:
    image: ollama/ollama:latest
    ports:
      - "127.0.0.1:11434:11434"
    volumes:
      - ./ollama:/root/.ollama
    restart: always
    environment:
      - OLLAMA_KEEP_ALIVE=24h
      - OLLAMA_HOST=0.0.0.0

Note that the port binding uses 127.0.0.1:11434:11434 rather than exposing the port on all interfaces. This restricts access from the host side to the loopback interface, so clients on other machines cannot send queries to the model. OLLAMA_HOST=0.0.0.0 is the listen address inside the container: it allows other services on the Compose network, such as the Wazuh Manager, to reach the API at ollama:11434, which is what the integration needs. The ./ollama volume keeps downloaded models on the host so they survive container recreation, and OLLAMA_KEEP_ALIVE=24h keeps a loaded model in memory for 24 hours after the last request, which reduces response latency for subsequent queries. The ollama/ollama:latest tag is convenient for a lab; pin a specific version for a deployment you intend to keep.

Now, let’s start all components together:

docker compose up -d

Before Ollama can answer requests, pull a model into the container:

docker compose exec -it ollama bash -c "ollama pull llama3.2"

Verifying the Ollama REST API

Check that the Ollama REST API responds by sending a non-streaming chat request:

curl http://localhost:11434/api/chat -d '{
  "model": "llama3.2",
  "messages": [
    {
      "role": "user",
      "content": "What is it Wazuh?"
    }
  ],
  "stream": false
}'

Sample response:

{
   "model":"llama3.2",
   "created_at":"2025-02-28T09:10:16.97228853Z",
   "message":{
      "role":"assistant",
      "content":"Wazuh is an open-source security information and event management (SIEM) system. It's designed to collect, monitor, and analyze security-related data from various sources, such as logs, network devices, and applications.\n\nThe name \"Wazuh\" comes from the Latin word \"wazh,\" which means \"to be vigilant.\" This reflects the platform's focus on monitoring and analyzing security events to help organizations stay alert and responsive to potential threats.\n\nSome key features of Wazuh include:\n\n1. Log collection and management: Wazuh can collect logs from various sources, such as Linux systems, network devices, and applications.\n2. Event processing and correlation: The platform analyzes collected data to identify suspicious patterns and anomalies.\n3. Alerting and notification: Wazuh can send alerts to administrators or security teams when suspicious activity is detected.\n4. Compliance monitoring: The platform can help organizations monitor compliance with industry standards and regulations.\n\nWazuh is often used in conjunction with other security tools, such as intrusion detection systems (IDS) and antivirus software, to provide a comprehensive security posture for an organization.\n\nIn summary, Wazuh is a powerful SIEM system that helps organizations monitor and analyze security-related data to stay ahead of potential threats."
   },
   "done_reason":"stop",
   "done":true,
   "total_duration":14073914247,
   "load_duration":22507825,
   "prompt_eval_count":32,
   "prompt_eval_duration":241000000,
   "eval_count":254,
   "eval_duration":13808000000
}
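The same check can be scripted so that the reply is validated rather than eyeballed. This Python script is an added example, not code from the original post; it assumes the loopback port binding from the compose snippet above and embeds a constructed copy of the sample response fields so the parsing runs offline.

```python
import json
import urllib.request

# Constructed sample mirroring the fields of the non-streaming /api/chat reply shown above
# (durations are in nanoseconds, as Ollama reports them).
SAMPLE_RESPONSE = {
    "model": "llama3.2",
    "message": {"role": "assistant", "content": "Wazuh is an open-source SIEM ..."},
    "done_reason": "stop",
    "done": True,
    "total_duration": 14073914247,
    "prompt_eval_count": 32,
    "prompt_eval_duration": 241000000,
    "eval_count": 254,
    "eval_duration": 13808000000,
}

def build_chat_request(prompt, model="llama3.2"):
    """Payload for POST /api/chat; stream=False makes Ollama return a single JSON object."""
    return {"model": model, "messages": [{"role": "user", "content": prompt}], "stream": False}

def summarize_chat_response(data):
    """Validate a non-streaming reply and derive the numbers worth logging.

    done_reason is "stop" when the model finished on its own; "length" means the
    answer was cut off by the output token limit and should not be treated as complete."""
    if not data.get("done") or data.get("done_reason") != "stop":
        raise ValueError(f"model did not finish normally: done_reason={data.get('done_reason')!r}")
    return {
        "model": data["model"],
        "answer": data["message"]["content"],
        "prompt_tokens": data["prompt_eval_count"],
        "answer_tokens": data["eval_count"],
        "tokens_per_second": round(data["eval_count"] / (data["eval_duration"] / 1e9), 1),
        "total_seconds": round(data["total_duration"] / 1e9, 2),
    }

def query_ollama(prompt, url="http://127.0.0.1:11434/api/chat", model="llama3.2", timeout=120):
    """Send the request to the Ollama container published on loopback and summarize the reply."""
    body = json.dumps(build_chat_request(prompt, model)).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize_chat_response(json.load(resp))

if __name__ == "__main__":
    print(summarize_chat_response(SAMPLE_RESPONSE))  # offline, on the constructed sample
    # print(query_ollama("What is Wazuh?"))          # against the running container
```

The throughput figure (generated tokens divided by eval_duration) is a useful baseline to record before Part 3, since alert analysis latency will scale with it.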

Next Steps

With both the Wazuh cluster and Ollama service running within the same Docker Compose stack, all the infrastructure required for the integration is in place. The continuation of the integration will be covered in Part 3, where we will create the custom integration script that connects Wazuh alerts to the Ollama API. Stay tuned for updates!
