Wazuh is an open-source platform that combines XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) capabilities. In this guide, you will deploy a single-node setup with Docker and configure your first agent on an Oracle Cloud (OCI) instance.
Prerequisites and required ports
Before starting, make sure your firewall and security list allow these ports:
| Port | Protocol | Service | Description |
|---|---|---|---|
| 1514 | TCP | Wazuh Agent | Agent communication |
| 1515 | TCP | Enrollment | New agent registration |
| 514 | UDP | Syslog | Syslog log collection |
| 55000 | TCP | Manager API | Interaction with manager API |
| 9200 | TCP | Indexer API | Communication with indexer |
| 443 | TCP | Dashboard | HTTPS web interface |
Infrastructure tip: map container port 443 to host port 4443 to avoid conflicts with Nginx or Apache.
Preparing the Docker environment
```bash
# Create working directory
mkdir -p /opt/docker/wazuh
cd /opt/docker/wazuh
# Clone official repository (version 4.14.3)
git clone https://github.com/wazuh/wazuh-docker.git -b v4.14.3
cd wazuh-docker/single-node/
```
Generating certificates
Wazuh requires certificates for secure communication between indexer, dashboard, and server:
```bash
docker compose -f generate-indexer-certs.yml run --rm generator
```
Starting the stack
Optional HTTPS port adjustment in compose:
```bash
sed -i 's/443/4443/g' docker-compose.yml
```
Start services:
```bash
docker compose up -d
docker ps
```
Access: https://YOUR_IP:4443
OCI agent deployment
On Always Free instances, adding swap can improve installation stability.
Temporary memory tuning
```bash
# Create and enable 2GB swap
sudo dd if=/dev/zero of=/swapfile bs=1M count=2048
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
# Temporary memory overcommit tuning
sudo sysctl -w vm.overcommit_memory=1
```
Agent installation
In the Wazuh Dashboard, go to Deploy new agent, choose the operating system, and copy the generated command. Example for Oracle Linux/RHEL:
```bash
curl -o wazuh-agent-4.14.3-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.14.3-1.x86_64.rpm && \
sudo WAZUH_MANAGER='YOUR_IP_OR_DOMAIN' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='machine01' \
rpm -ihv wazuh-agent-4.14.3-1.x86_64.rpm --force
```
Service startup
```bash
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
sudo systemctl status wazuh-agent
```
Confirm status is active (running).
Revert temporary memory tuning
```bash
sudo sysctl -w vm.overcommit_memory=0
```
Dashboard validation
Open Agents management > Summary and confirm your instance appears as Active.
From here you can monitor:
- real-time logs
- file integrity monitoring (FIM)
- vulnerabilities
With this baseline, you already have a functional security observability stack. Next steps: alert rules, Slack and email integrations, or automation with AI and N8N.
Critical certificate troubleshooting
Two recurring production errors:
- `not a directory` during certificate bind mount;
- `Non-string key at top level: 404` when running cert generation compose.
not a directory
This usually means Docker mounted a host path as a directory because the expected file path did not exist yet.
```bash
ls -ld config/wazuh_indexer_ssl_certs/*.pem
```
404 masquerading as YAML
If the downloaded compose file is actually an HTML 404 page, the parser fails.
```bash
head -n 5 generate-indexer-certs.yml
```
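The two manual checks above can be combined into one preflight, shown here as an added example that is not part of the Wazuh repository or the original post. The function names are hypothetical, and the script assumes the cert-generation compose file declares a top-level `services:` key and that a failed download may be saved either as an HTML page or as a plain `404: Not Found` body.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for the two certificate errors above.
# Function names are hypothetical; paths are the ones used on this page.

# 0 = plausible compose file, 1 = missing or empty,
# 2 = saved error page (HTML, or a plain "404: Not Found" body) or no services key.
check_compose_file() {
    local f first
    f="$1"
    [ -s "$f" ] || return 1
    # The first non-blank line gives away a saved error response
    first="$(grep -m1 -v '^[[:space:]]*$' "$f" || true)"
    case "$first" in
        '<'*|404*) return 2 ;;
    esac
    grep -q '^services:' "$f" || return 2
    return 0
}

# Lists *.pem entries that are directories or empty files. A directory here is
# what Docker leaves behind when the bind-mount source file did not exist yet.
# 0 = every entry is a non-empty regular file, 1 = something to fix.
check_cert_paths() {
    local dir p bad seen
    dir="$1"; bad=0; seen=0
    for p in "$dir"/*.pem; do
        [ -e "$p" ] || continue          # unmatched glob
        seen=1
        if [ -d "$p" ]; then
            echo "directory, expected file: $p"; bad=1
        elif [ ! -s "$p" ]; then
            echo "empty file: $p"; bad=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "no .pem entries in $dir"; return 1; }
    return "$bad"
}

# Run from wazuh-docker/single-node/ before `docker compose up -d`.
preflight() {
    check_compose_file generate-indexer-certs.yml || {
        echo "generate-indexer-certs.yml is missing or is a saved error page"
        return 1
    }
    check_cert_paths config/wazuh_indexer_ssl_certs
}
```

Source the file and call `preflight` from the `single-node/` directory; a non-zero return means the stack should not be started until the listed paths are fixed.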
Safe recovery flow
```bash
docker compose down
rm -rf wazuh-certificates/
git clone https://github.com/wazuh/wazuh-docker.git -b v4.14.3 wazuh-docker-clean
```
Then regenerate certificates using files from the same Wazuh tag as your stack.
This post is licensed under CC BY-NC.