4. Finally, a stable build

12.10.2025

With renewed vigor and motivation, I attacked the problem the way any sane IT worker would — reformat everything and try again!

Armed with my experience from my previous failures, I deleted every trace and instance of Docker and Wazuh and built the whole thing again from scratch.

I finally got the Wazuh Docker stack up and running and hardened the basic settings.

I struggled for over an hour because their documentation was out of date and I thought I could only connect to the API using wazuh:wazuh. At least, I think so, because I couldn't find a single trace of an account named simply "wazuh" anywhere in my config files or dashboard.

But I managed to change the default credentials for the admin account and API account, and reduce the attack surface by only pointing the Docker network interface to my local server's IP.
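The "only point it at the local server's IP" step above is done in the compose file's port mappings. The following is an added illustration, not the author's compose file and not a verbatim copy of the upstream wazuh-docker single-node stack; the service names and container ports follow the wazuh-docker layout, image tags are omitted, and 192.168.1.20 is an assumed placeholder for Taiyo's LAN address.

```yaml
# Added example (not the original page's or project's file).
# A compose port entry of the form "HOST:CONTAINER" publishes on 0.0.0.0,
# i.e. on every interface the Docker host has (Wi-Fi, VPN, bridges).
# Prefixing it as "IP:HOST:CONTAINER" makes Docker bind only that address.
# 192.168.1.20 is an ASSUMED placeholder for the server's LAN IP.
services:
  wazuh.manager:
    image: wazuh/wazuh-manager
    ports:
      # Weak (default style):   - "1514:1514"
      # Hardened: bound to the LAN address the agents actually talk to.
      - "192.168.1.20:1514:1514"      # agent events (Tsuki, Kazan, Taiyo)
      - "192.168.1.20:1515:1515"      # agent enrollment
      - "192.168.1.20:514:514/udp"    # syslog; drop it if nothing sends syslog
      - "192.168.1.20:55000:55000"    # manager API (the account whose password was changed)
  wazuh.indexer:
    image: wazuh/wazuh-indexer
    # Weak: - "9200:9200". The dashboard talks to the indexer over the compose
    # network by service name, so the host mapping is only needed if something
    # outside the stack queries the indexer directly. Here it is left out.
  wazuh.dashboard:
    image: wazuh/wazuh-dashboard
    ports:
      # Weak: - "443:5601"
      - "192.168.1.20:443:5601"       # web UI, reachable only via the LAN IP
```

Two caveats a practitioner would check afterwards. First, do not use 127.0.0.1 for 1514/1515: the agents on Tsuki and Kazan connect over the network, so the bound address must be the server's LAN IP. Second, Docker publishes ports by inserting its own NAT and forwarding rules, so a host firewall's INPUT rules (ufw, for example) do not gate them; the IP prefix in the mapping is what actually narrows the exposure. `ss -ltnup | grep -E '1514|1515|443|55000'` on the host should show the listeners on 192.168.1.20 rather than on `*` or 0.0.0.0.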

I even deployed agents to my 3 main endpoints: my daily driver Win11 laptop (Tsuki), my Apache Ubuntu webserver (Kazan), and my new Docker Ubuntu host server (Taiyo). The deployment process is quite easy, although I wish they offered more options to pre-configure the agent before deployment.

I also managed to set up File Integrity Monitoring on my laptop's Downloads folder, just for testing purposes, but quickly realized it bogs down the alerts. I need to modify or remove it later.

It was overwhelming at first to implement such a complex app (Wazuh) inside another complex app (Docker Compose). This being my first time ever using Docker, or even messing with a SIEM, I think I did a decent job throwing it all together.

It's easy to see how a large company would be totally drowning in logs. Even in my tiny home lab with 3 endpoints, I have over 1300 alerts, and I just started.

Wazuh dashboard