Note: There is no official Docker image for OSSEC from the OSSEC project. Community-maintained images are available.
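# Example community image. It is not published by the OSSEC project, so review
# its publisher and contents before running it.
docker pull ossec/ossec-hids:latest
# Or use Wazuh (OSSEC fork with Docker support)
docker pull wazuh/wazuh-manager:latest
# ":latest" is a mutable tag. Record the digest that was actually pulled so
# later deployments can reference the image as name@sha256:... instead.
docker image inspect --format '{{index .RepoDigests 0}}' wazuh/wazuh-manager:latest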
Wazuh is a fork of OSSEC with active development and Docker support:
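# Compose file for a single Wazuh manager container.
# The indexer referenced by INDEXER_URL is not defined here; it has to be
# reachable under the name "wazuh-indexer" on the same Docker network.
version: '3.8'

services:
  wazuh-manager:
    # ":latest" is a mutable tag, so a re-pull can silently change the manager
    # version. Outside of a trial, pin a release tag or digest you have
    # tested, e.g. wazuh/wazuh-manager:<PINNED_VERSION>.
    image: wazuh/wazuh-manager:latest
    container_name: wazuh-manager
    hostname: wazuh-manager
    ports:
      # These are published on every host interface. Limit exposure with host
      # firewall rules, or bind a port to one address
      # (for example "127.0.0.1:55000:55000") where remote access is not needed.
      - "1514:1514"    # agent connections
      - "1515:1515"    # agent enrollment
      - "55000:55000"  # Wazuh server API
    volumes:
      # Named volumes keep manager state across container re-creation.
      # /var/ossec/etc holds configuration and agent keys, so treat these
      # volumes as sensitive when planning backups and access.
      - wazuh-api-configuration:/var/ossec/api/configuration
      - wazuh-etc:/var/ossec/etc
      - wazuh-logs:/var/ossec/logs
      - wazuh-queue:/var/ossec/queue
      - wazuh-var-multigroups:/var/ossec/var/multigroups
      - wazuh-integrations:/var/ossec/integrations
      - wazuh-active-response:/var/ossec/active-response/bin
      - wazuh-agentless:/var/ossec/agentless
      - wazuh-wodles:/var/ossec/wodles
      - filebeat-etc:/etc/filebeat
      - filebeat-var:/var/lib/filebeat
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      # The password is read from the shell environment or an untracked .env
      # file instead of being committed with this file. Compose stops with the
      # message below when the variable is unset or empty.
      - "INDEXER_PASSWORD=${INDEXER_PASSWORD:?INDEXER_PASSWORD is not set}"
    restart: unless-stopped

volumes:
  wazuh-api-configuration:
  wazuh-etc:
  wazuh-logs:
  wazuh-queue:
  wazuh-var-multigroups:
  wazuh-integrations:
  wazuh-active-response:
  wazuh-agentless:
  wazuh-wodles:
  filebeat-etc:
  filebeat-var: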
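For host-based intrusion detection, installing directly on the host is recommended, because a containerized instance only sees the container's own files, logs and processes unless host paths are explicitly mounted into it: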
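# Download and install OSSEC
wget https://github.com/ossec/ossec-hids/archive/refs/tags/3.6.0.tar.gz
# install.sh runs as root, so check the archive before unpacking it.
# Replace <EXPECTED_SHA256> with a SHA-256 value obtained from a source you
# trust, separately from this download. The chain stops at the first failure,
# so a mismatch never reaches the installer.
echo "<EXPECTED_SHA256>  3.6.0.tar.gz" | sha256sum -c - &&
  tar -xzf 3.6.0.tar.gz &&
  cd ossec-hids-3.6.0 &&
  sudo ./install.sh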
See OSSEC Setup for installation instructions.