Wazuh On Kubernetes using Helm
From OSSEC to Wazuh: My Journey and Kubernetes Setup
I started a long time ago using OSSEC, and eventually transitioned over to Wazuh—back when it still relied on Elasticsearch for storage and search.
Recently, when I returned to Wazuh for a new project, I was surprised to find that there was no simple way to deploy Wazuh into a local Kubernetes cluster for testing. So, I decided to revive and modernize an old Helm chart I had built a while back.
The result is a lightweight and functional setup that makes it easy to deploy a complete Wazuh stack into your own Kubernetes environment with minimal fuss.
Testing Rules with a Custom Wazuh Docker Agent
I use this local setup to test custom rules and alerts. Alongside the Kubernetes deployment, I also built a dedicated Wazuh Docker agent container that can be quickly spun up to connect to the Wazuh manager inside the cluster.
It’s great for simulating events and running detection logic without touching production systems.
Deploying with Helm
To deploy Wazuh into your cluster, you can use the Helm chart I’ve published here:
https://github.com/samma-io/wazuh-helm/tree/main
Dealing with TLS Certificates
One of the challenges I faced was setting up TLS certificates. Wazuh requires TLS for secure communication between its internal services, and generating those certificates wasn’t entirely straightforward.
In the end, I manually created the necessary certs using Wazuh’s certificate generation tools and added them to Kubernetes as secrets.
At some point, I plan to integrate cert-manager to make certificate management cleaner and automated.
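The manual route described above, as an added example that is not part of the wazuh-helm project: check that a certificate set chains to its root CA and that the private key matches the leaf, then render the files as a Kubernetes Secret manifest. The file names, the Secret name "wazuh-certs" and the namespace "wazuh" are placeholders (the chart's real names are not given on the page); in a real deployment the inputs are the files written by Wazuh's certificate tool, and the make_demo_certs helper only builds throwaway stand-ins so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not the wazuh-helm project's own code.
# Assumed layout (placeholders): root-ca.pem, wazuh-manager.pem and
# wazuh-manager-key.pem in one directory; Secret "wazuh-certs" in namespace
# "wazuh". Real inputs come from Wazuh's certificate tool.
set -eu

# Constructed stand-in for the Wazuh certificate tool: a throwaway CA and one
# leaf certificate, so the example runs without a cluster or network.
make_demo_certs() {
  local dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/root-ca.key" -out "$dir/root-ca.pem" \
    -subj "/CN=demo-root-ca" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/wazuh-manager-key.pem" -out "$dir/wazuh-manager.csr" \
    -subj "/CN=wazuh-manager" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$dir/wazuh-manager.csr" \
    -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca.key" -CAcreateserial \
    -out "$dir/wazuh-manager.pem" >/dev/null 2>&1
}

# 0 when the leaf certificate verifies against the root CA, non-zero otherwise.
verify_chain() {
  local dir="$1"
  openssl verify -CAfile "$dir/root-ca.pem" "$dir/wazuh-manager.pem" >/dev/null 2>&1
}

# 0 when the private key belongs to the leaf certificate (compares the SPKI
# public keys), non-zero on a mismatch.
verify_key_matches() {
  local dir="$1" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$dir/wazuh-manager.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/wazuh-manager-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Single-line base64 that works with both GNU and BSD base64.
b64() { base64 < "$1" | tr -d '\n'; }

# Emits a Secret manifest equivalent to
#   kubectl create secret generic wazuh-certs -n wazuh --from-file=<dir>
# but refuses to render a set that would fail inside the cluster anyway.
render_secret() {
  local dir="$1" name="${2:-wazuh-certs}" ns="${3:-wazuh}"
  verify_chain "$dir" || { echo "leaf does not chain to root-ca.pem" >&2; return 1; }
  verify_key_matches "$dir" || { echo "key does not match wazuh-manager.pem" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  root-ca.pem: $(b64 "$dir/root-ca.pem")
  wazuh-manager.pem: $(b64 "$dir/wazuh-manager.pem")
  wazuh-manager-key.pem: $(b64 "$dir/wazuh-manager-key.pem")
EOF
}

# Usage with real files:  render_secret ./certs | kubectl apply -f -
# Usage with the stand-in: ./certs-to-secret.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_demo_certs "$d"; render_secret "$d"
fi
```

The two checks run before anything is written to the cluster because a leaf that does not chain to the CA, or a key that belongs to a different certificate, only surfaces later as a TLS handshake failure between the Wazuh services, which is slower to debug than a refused manifest.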
Agent Registration: A Small Gotcha
While connecting my custom Docker agent, I noticed that I had to configure different endpoints for registration and manager communication. Once I figured that out, everything connected and worked as expected.
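The two-endpoint setup mentioned above, as an added example that is neither the wazuh-agent project's code nor a file from the page: it renders the <client> section of an agent's ossec.conf with the manager address used for event delivery (port 1514 by default) separate from the enrollment address used for registration (port 1515 by default), and checks a rendered section before the agent is started. The two Service hostnames passed in the usage line are placeholders, since the chart's real Service names are not given on the page; the element names and default ports are Wazuh's own.

```shell
#!/usr/bin/env bash
# Added example, not the wazuh-agent project's own code.
# Placeholders: the two hostnames given on the command line; the chart's real
# Service names are not stated on the page.
set -eu

# Render the <client> block of ossec.conf with separate endpoints for
# manager communication (1514) and enrollment/registration (1515).
render_client_config() {
  local manager="$1" enroll="$2" agent_name="${3:-docker-agent}"
  cat <<EOF
<client>
  <server>
    <address>$manager</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
  <enrollment>
    <enabled>yes</enabled>
    <manager_address>$enroll</manager_address>
    <port>1515</port>
    <agent_name>$agent_name</agent_name>
  </enrollment>
</client>
EOF
}

# Text of the first <tag>...</tag> found on stdin.
xml_value() { sed -n "s:.*<$1>\([^<]*\)</$1>.*:\1:p" | head -n 1; }

# 0 when the section names both endpoints and enrollment is not pointed at
# the 1514 data port (registration and data traffic use different listeners).
check_client_config() {
  local cfg="$1" srv_addr srv_port enr_addr enr_port
  srv_addr=$(printf '%s\n' "$cfg" | xml_value address)
  srv_port=$(printf '%s\n' "$cfg" | sed -n '/<server>/,/<\/server>/p' | xml_value port)
  enr_addr=$(printf '%s\n' "$cfg" | xml_value manager_address)
  enr_port=$(printf '%s\n' "$cfg" | sed -n '/<enrollment>/,/<\/enrollment>/p' | xml_value port)
  [ -n "$srv_addr" ] && [ -n "$enr_addr" ] \
    && [ -n "$srv_port" ] && [ -n "$enr_port" ] \
    && [ "$srv_port" != "$enr_port" ]
}

# Usage (placeholder Service names):
#   ./agent-client.sh wazuh-manager.wazuh.svc wazuh-registration.wazuh.svc
if [ $# -ge 2 ]; then
  cfg=$(render_client_config "$1" "$2")
  check_client_config "$cfg" || { echo "invalid client section" >&2; exit 1; }
  printf '%s\n' "$cfg"
fi
```

The check exists because the simplest mistake when the two endpoints differ is to copy one address and port into both blocks; an agent configured that way never completes registration, so the test fails fast on a section whose enrollment port has been collapsed onto 1514.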
Custom Wazuh Docker Agent
You can find the Wazuh Docker agent I created here:
https://github.com/samma-io/wazuh-agent
This agent integrates smoothly with the Kubernetes-deployed Wazuh stack and is ideal for testing or automation scenarios.
Conclusion
This setup has become my go-to environment for experimenting with detection rules, building custom alerts, and validating my security logic. It’s lightweight, reliable, and tailored for local development with Wazuh.
If you’re exploring Wazuh or want to test your own security rules in a controlled Kubernetes setup, this might be exactly what you need.