Zion Boggan
repos/SOC Automation Lab/docs/deployment-notes.md
zionboggan.com
# Deployment notes

Things worth knowing before you run this somewhere real. The stack was brought up
and validated end to end on a single host (Wazuh indexer/manager/dashboard +
TheHive + Cassandra + Elasticsearch + Cortex), with a Linux agent enrolled and SSH
brute-force alerts flowing through to the dashboard.

## Credentials

The Wazuh indexer ships with the image's default users (`admin`, `kibanaserver`) and
their publicly documented default passwords. `.env` sets the passwords the manager and
dashboard use to talk to it, so keep `INDEXER_PASSWORD` aligned with whatever the
indexer actually has: if the two drift, the manager cannot authenticate to the indexer
and alerts stop being indexed. For anything beyond a lab, rotate the indexer passwords
with the Wazuh password tool and update `.env` to match.
`config/wazuh/dashboard/wazuh.yml` holds the Wazuh API password the dashboard uses for
the manager's `wazuh-wui` user; set it to your `WAZUH_API_PASSWORD`. Both files carry
plaintext secrets: don't commit real passwords to either, and keep them readable only
by the user that runs the stack.

## Indexer compatibility

Filebeat 7.10, which the manager uses to ship alerts, refuses to publish to an indexer
that reports an OpenSearch 2.x version, so the indexer config sets
`compatibility.override_main_response_version: true`, which makes the indexer
advertise itself as 7.10.2 on `GET /`. Without it the manager produces alerts but
nothing reaches the indexer and the dashboard stays empty; the error shows up in the
manager container's Filebeat log, not on the indexer side, which is easy to miss if
you only watch the indexer.
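
The two sections above describe state that has to line up before the stack is useful: `.env` must match the indexer's real credentials, `wazuh.yml` must match `WAZUH_API_PASSWORD`, and the indexer must advertise a version Filebeat 7.10 accepts. The pre-flight script below is an added example (not part of this repo or of Wazuh) that checks all of that before `deploy.sh` runs. It assumes `.env` is unquoted `KEY=value`, that the defaults to refuse are the ones wazuh-docker ships (`SecretPassword` for the indexer, `MyS3cr37P450r.*-` for the API), and that the live check is handed the body of `GET /` from the indexer; the function names are mine.

```shell
#!/usr/bin/env sh
# Pre-flight checks for the lab's credentials and indexer compatibility.
# Added example, not part of this repo or of Wazuh. Assumptions: .env holds
# unquoted KEY=value lines named as on this page; the defaults being checked
# for are the wazuh-docker ones (SecretPassword, MyS3cr37P450r.*-); wazuh.yml
# is the dashboard config with a single "password:" entry under hosts.

# env_get FILE KEY: print KEY's value from an env-style file (first match).
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_not_default FILE VAR DEFAULT: fail if VAR is unset or still DEFAULT.
check_not_default() {
    val=$(env_get "$1" "$2")
    if [ -z "$val" ]; then echo "$2 is unset in $1"; return 1; fi
    if [ "$val" = "$3" ]; then echo "$2 still has the wazuh-docker default"; return 1; fi
    return 0
}

# check_private FILE: fail when group or others can read a secrets file.
check_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then echo "$1 is readable by group/others ($perms)"; return 1; fi
    return 0
}

# yml_password FILE: the dashboard's API password from wazuh.yml, quotes stripped.
yml_password() {
    sed -n 's/^[[:space:]]*password:[[:space:]]*//p' "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_api_aligned ENVFILE YML: wazuh.yml must carry WAZUH_API_PASSWORD.
check_api_aligned() {
    want=$(env_get "$1" WAZUH_API_PASSWORD)
    have=$(yml_password "$2")
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "wazuh.yml password differs from WAZUH_API_PASSWORD"; return 1
    fi
    return 0
}

# reported_major RESPONSE: major version in the body of GET / on the indexer.
# With compatibility.override_main_response_version: true it is 7 (7.10.2),
# which Filebeat 7.10 accepts; without it the indexer reports 2.x.
reported_major() {
    printf '%s\n' "$1" | sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([0-9]*\)\..*/\1/p' | head -n 1
}

# check_filebeat_compat RESPONSE: fail unless the advertised major is 7.
check_filebeat_compat() {
    major=$(reported_major "$1")
    if [ "$major" != "7" ]; then
        echo "indexer reports major version '${major:-?}'; Filebeat 7.10 will refuse it"; return 1
    fi
    return 0
}

# preflight ENVFILE YML [RESPONSE]: run every check and return 1 if any fails.
# RESPONSE is optional so the file checks can run before the stack is up.
preflight() {
    rc=0
    check_private "$1" || rc=1
    check_not_default "$1" INDEXER_PASSWORD SecretPassword || rc=1
    check_not_default "$1" WAZUH_API_PASSWORD 'MyS3cr37P450r.*-' || rc=1
    check_api_aligned "$1" "$2" || rc=1
    if [ -n "$3" ]; then check_filebeat_compat "$3" || rc=1; fi
    return $rc
}

# Stand-alone use: sh preflight.sh .env config/wazuh/dashboard/wazuh.yml [response]
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh .env config/wazuh/dashboard/wazuh.yml` before the stack is up, and again with a third argument once the indexer answers, for example `"$(curl -s --cacert <indexer root CA> -u "admin:$INDEXER_PASSWORD" https://127.0.0.1:9200/)"`. A major of 7 in that response means the override is active; 2 means Filebeat will refuse the connection. Prefer `--cacert` with the indexer's root CA over `-k` anywhere outside the lab.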
## Running inside an unprivileged LXC

On bare metal or a normal VM the indexer and Elasticsearch lock their heap
(`bootstrap.memory_lock=true`, `memlock: -1`), which is the right production setting
and what's committed here. Inside an unprivileged LXC container the kernel caps
locked memory (often 8 MB; `ulimit -H -l` inside the container shows the cap in KiB)
and Docker cannot raise the `memlock` rlimit past it, so the containers fail to start
with an rlimit error. If that's your situation, set `bootstrap.memory_lock=false` and
cap the `memlock` ulimit at the container's limit via a `docker-compose.override.yml`
rather than editing the committed file, so the production setting stays in git and the
workaround stays local to that host. Note that compose's `ulimits.memlock` takes bytes,
so an 8 MB cap is `8388608`.

`vm.max_map_count` must be at least 262144 on the host for the indexer and
Elasticsearch. On a normal host: `sysctl -w vm.max_map_count=262144` (and persist it
under `/etc/sysctl.d/` so it survives a reboot). In an LXC it's inherited from the node
and can't be changed from inside the container, so set it on the node.
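
As an added example (not from this repo), here is a shell helper that does what the two paragraphs above describe for the LXC case: it measures the container's memlock cap, writes the override file instead of touching the committed compose file, and checks `vm.max_map_count`. It assumes the compose services are named `wazuh.indexer` and `elasticsearch` (check your `docker-compose.yml`) and that the override is written next to `docker-compose.yml`, where compose loads it automatically; the function names are mine.

```shell
#!/usr/bin/env sh
# Helper for running the stack inside an unprivileged LXC. Added example, not
# part of this repo. Assumptions: the compose services are named wazuh.indexer
# and elasticsearch (check docker-compose.yml); compose memlock values are
# bytes while `ulimit -l` reports KiB; the override file lives next to
# docker-compose.yml so compose picks it up automatically.

# memlock_limit_bytes: this container's hard memlock cap in bytes, or the word
# "unlimited" where nothing caps it (bare metal, a normal VM).
memlock_limit_bytes() {
    kb=$(ulimit -H -l 2>/dev/null)
    case "$kb" in
        ''|*[!0-9]*) echo unlimited ;;   # "unlimited", or a shell without -l
        *) echo $((kb * 1024)) ;;
    esac
}

# write_memlock_override BYTES OUTFILE: emit a docker-compose.override.yml that
# turns memory locking off and caps memlock at BYTES for both JVM services.
# Compose merges this over the committed file, so that file stays untouched.
write_memlock_override() {
    bytes=$1; out=$2
    {
        echo "services:"
        for svc in wazuh.indexer elasticsearch; do
            echo "  $svc:"
            echo "    environment:"
            echo "      - bootstrap.memory_lock=false"
            echo "    ulimits:"
            echo "      memlock:"
            echo "        soft: $bytes"
            echo "        hard: $bytes"
        done
    } > "$out"
}

# max_map_count_ok VALUE: true when VALUE meets the 262144 minimum.
max_map_count_ok() {
    [ "$1" -ge 262144 ] 2>/dev/null
}

# current_max_map_count: the live value; inside an LXC it is the node's.
current_max_map_count() {
    cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0
}

# lxc_prepare OUTFILE: write the override only when memlock is capped, then
# verify vm.max_map_count. Returns 1 when the sysctl is too low, which in an
# unprivileged LXC has to be fixed on the node, not in the container.
lxc_prepare() {
    limit=$(memlock_limit_bytes)
    if [ "$limit" = "unlimited" ]; then
        echo "memlock is not capped; keep the committed bootstrap.memory_lock=true"
    else
        write_memlock_override "$limit" "$1"
        echo "wrote $1 with memlock capped at $limit bytes"
    fi
    mmc=$(current_max_map_count)
    if max_map_count_ok "$mmc"; then return 0; fi
    echo "vm.max_map_count=$mmc is below 262144; run sysctl -w vm.max_map_count=262144 on the node"
    return 1
}

# Stand-alone use: sh lxc-prepare.sh docker-compose.override.yml
if [ "$#" -eq 1 ]; then lxc_prepare "$1"; fi
```

Run `sh lxc-prepare.sh docker-compose.override.yml` from the repo root inside the LXC; on a host with no memlock cap it writes nothing, so the committed production setting stays in effect. The override is deliberately limited to the two memlock keys so a later change to the committed compose file is not masked by stale values.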
## CTI watchlists

The `cti-malicious-*` lists are seeded into the manager by `deploy.sh` after the
stack is up (CDB lists have to be writable so the manager can compile them, which
rules out bind-mounting them read-only). In the full setup these lists are owned by
the [CTI detection pipeline](../../cti-detection-automation), which regenerates and
promotes them on approval.
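
Before `deploy.sh` seeds a list, it is worth checking that the file is something the manager can actually compile. The validator below is an added example (not part of this repo or of the CTI pipeline). It assumes the Wazuh CDB list format of one `key:value` entry per line, with a mandatory key and an optional value, plus the writability requirement described above; the function names and the sample entries in the usage are mine.

```shell
#!/usr/bin/env sh
# Validator for CDB lists before deploy.sh seeds them. Added example, not part
# of this repo. Assumption: Wazuh CDB format, one "key:value" per line, key
# required, value optional, keys unique.

# cdb_problems FILE: print one line per problem found; nothing when clean.
# Checks: a colon on every line, a non-empty key, no CR line endings (a CRLF
# file compiles with '\r' glued onto every value), no duplicate keys.
cdb_problems() {
    f=$1
    grep -n -v ':' "$f" | sed 's/^/no key:value separator at line /'
    grep -n '^:' "$f" | sed 's/^/empty key at line /'
    grep -n "$(printf '\r')" "$f" | sed 's/^/CR line ending at line /'
    awk -F: '{ print $1 }' "$f" | sort | uniq -d | sed 's/^/duplicate key: /'
}

# cdb_list_ok FILE: 0 when the list is well formed and both the file and its
# directory are writable (the manager writes the compiled .cdb beside it, so
# a read-only bind mount fails), 1 otherwise with the reasons printed.
cdb_list_ok() {
    f=$1
    if [ ! -w "$f" ] || [ ! -w "$(dirname "$f")" ]; then
        echo "$f or its directory is not writable"; return 1
    fi
    out=$(cdb_problems "$f")
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
    return 0
}

# Stand-alone use: sh cdb-check.sh lists/cti-malicious-ip (one file per call)
if [ "$#" -eq 1 ]; then cdb_list_ok "$1"; fi
```

Wire it in front of the seeding step in `deploy.sh` so a malformed or read-only list stops the deploy instead of silently leaving the manager without the watchlist.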