Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 2)

Wazuh and Ollama: Part 2. Deploying the Wazuh Cluster

Now it’s time to set up Wazuh, which we will integrate with Ollama.

The fastest and easiest way to deploy a Wazuh cluster is by using Docker Compose.

Start by cloning the official wazuh-docker repository:

git clone -b v4.11.0 https://github.com/wazuh/wazuh-docker && cd wazuh-docker/multi-node

The next step is to create certificates for the configuration.

docker compose -f generate-indexer-certs.yml run --rm generator

Once the certificates are generated, you can start the Wazuh cluster.

Before doing so, let’s add the agent.

To do this, open the docker-compose.yml file and add the following lines:

wazuh-agent:
    image: opennix/wazuh-agent:4.7.2
    hostname: wazuh-agent
    restart: always
    environment:
      - JOIN_MANAGER_MASTER_HOST=wazuh.manager
      - JOIN_MANAGER_WORKER_HOST=wazuh.manager
      - JOIN_MANAGER_USER=wazuh-wui
      - JOIN_MANAGER_PASSWORD=MyS3cr37P450r.*-
    depends_on:
      wazuh.manager:
        condition: service_healthy

Now let’s proceed with deploying and starting the Wazuh cluster:

docker compose up -d

The cluster deployment may take some time, depending on the power of your server/computer.

Once the process is complete, you can check the status of all containers using the following command:

docker compose ps

If an error occurs during deployment, check the container logs to troubleshoot it:

docker compose logs

Now that the Wazuh cluster is deployed using Docker Compose, you are ready to begin the integration with Ollama and continue developing your project.

To do this, you need to make changes to the docker-compose.yml file and add the ollama service:

ollama:
    image: ollama/ollama:latest
    ports:
      - "127.0.0.1:11434:11434"
    volumes:
      - ./ollama:/root/.ollama
    restart: always
    environment:
      - OLLAMA_KEEP_ALIVE=24h
      - OLLAMA_HOST=0.0.0.0

Now, let’s start all components together:

docker compose up -d

Ollama cannot answer requests until a model has been pulled, so download one with the following command:

docker compose exec -it ollama bash -c "ollama pull llama3.2"

Check that the Ollama REST API responds:

curl http://localhost:11434/api/chat -d '{
  "model": "llama3.2",
  "messages": [
    {
      "role": "user",
      "content": "What is it Wazuh?"
    }
  ],
  "stream": false
}'

Sample response:

{
   "model":"llama3.2",
   "created_at":"2025-02-28T09:10:16.97228853Z",
   "message":{
      "role":"assistant",
      "content":"Wazuh is an open-source security information and event management (SIEM) system. It's designed to collect, monitor, and analyze security-related data from various sources, such as logs, network devices, and applications.\n\nThe name \"Wazuh\" comes from the Latin word \"wazh,\" which means \"to be vigilant.\" This reflects the platform's focus on monitoring and analyzing security events to help organizations stay alert and responsive to potential threats.\n\nSome key features of Wazuh include:\n\n1. Log collection and management: Wazuh can collect logs from various sources, such as Linux systems, network devices, and applications.\n2. Event processing and correlation: The platform analyzes collected data to identify suspicious patterns and anomalies.\n3. Alerting and notification: Wazuh can send alerts to administrators or security teams when suspicious activity is detected.\n4. Compliance monitoring: The platform can help organizations monitor compliance with industry standards and regulations.\n\nWazuh is often used in conjunction with other security tools, such as intrusion detection systems (IDS) and antivirus software, to provide a comprehensive security posture for an organization.\n\nIn summary, Wazuh is a powerful SIEM system that helps organizations monitor and analyze security-related data to stay ahead of potential threats."
   },
   "done_reason":"stop",
   "done":true,
   "total_duration":14073914247,
   "load_duration":22507825,
   "prompt_eval_count":32,
   "prompt_eval_duration":241000000,
   "eval_count":254,
   "eval_duration":13808000000
}
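The curl check above sends a free-form question; in the integration the same /api/chat call will receive Wazuh alerts. The script below is an added example, not code from the post or from the Wazuh or Ollama projects: it builds the same non-streaming request for a constructed sample alert (the alert, the prompt wording and the helper names are assumptions), posts it to the Ollama port published in docker-compose.yml, and reads the response fields shown in the sample output, including the done_reason value that tells you whether the model's answer was cut off.

```python
import json
import urllib.request

OLLAMA_URL = "http://localhost:11434/api/chat"  # host port published in docker-compose.yml
MODEL = "llama3.2"

# Constructed sample alert in the shape Wazuh writes to alerts.json (not a real event).
SAMPLE_ALERT = {
    "rule": {"level": 10, "id": "5712",
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"name": "wazuh-agent"},
    "data": {"srcip": "192.0.2.10"},
}


def build_chat_request(alert: dict, model: str = MODEL) -> dict:
    """Build the same non-streaming /api/chat body the curl check uses, with the alert as context."""
    prompt = (
        "You are assisting a SOC analyst. Summarise this Wazuh alert in two sentences "
        "and suggest one mitigation. Alert JSON:\n" + json.dumps(alert, sort_keys=True)
    )
    return {"model": model, "messages": [{"role": "user", "content": prompt}], "stream": False}


def parse_chat_response(resp: dict) -> dict:
    """Extract the answer and token throughput; flag output that hit a length limit instead of 'stop'."""
    if not resp.get("done"):
        raise ValueError("response not finished (done=false); expected stream=false")
    eval_ns = resp.get("eval_duration") or 0          # Ollama reports durations in nanoseconds
    tokens_per_s = resp["eval_count"] / (eval_ns / 1e9) if eval_ns else 0.0
    return {
        "content": resp["message"]["content"],
        "truncated": resp.get("done_reason") != "stop",  # 'length' means the answer was cut off
        "tokens_per_s": round(tokens_per_s, 1),
    }


def analyse_alert(alert: dict, url: str = OLLAMA_URL, timeout: float = 120.0) -> dict:
    """POST the alert to the running Ollama container and return the parsed answer."""
    body = json.dumps(build_chat_request(alert)).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return parse_chat_response(json.load(r))


if __name__ == "__main__":
    # Requires the ollama service from docker-compose.yml to be up with llama3.2 pulled.
    print(json.dumps(analyse_alert(SAMPLE_ALERT), indent=2))
```

With the sample response above, eval_count 254 over eval_duration 13808000000 ns works out to roughly 18.4 tokens per second, a useful baseline for sizing the timeout before wiring this into a Wazuh integration.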

The continuation of the integration will be covered in upcoming posts. Stay tuned for updates!
