Following on from my series of Kasm-related posts, here I extend the setup into a small cyber lab: Wazuh SIEM for logging endpoint activity, and Caldera for running adversary emulation against that endpoint. With Docker, Kasm, and a few tweaks, we can spin up a disposable lab in a matter of minutes.
There are various tutorials online for similar setups, but they tend to hit snags along the way. This walkthrough was tested in August 2025 and works with the Kasm Ubuntu VNC environments discussed in my previous posts.
First we set up Wazuh Manager in a Docker container. We follow the guidance in their tutorial.
# Fetch the 4.12.0 release of the official compose files
git clone https://github.com/wazuh/wazuh-docker.git -b v4.12.0
cd ./wazuh-docker/single-node/
# Generate the self-signed certificates the manager, indexer and dashboard use to talk to each other
docker-compose -f generate-indexer-certs.yml run --rm generator
Note: On ARM hosts (e.g., Apple Silicon Macs) you will need to edit docker-compose.yml directly and add platform: linux/amd64 to each of the three services, so that Docker pulls the amd64 images and runs them under emulation. An example for the manager is shown below (indentation matters in YAML):
services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.12.0
    hostname: wazuh.manager
    platform: linux/amd64
Once the docker compose file is ready, we can bring up the containers:
docker-compose up -d
You should now be able to log in to the web-based Wazuh dashboard at https://localhost with the default credentials admin and SecretPassword. Those defaults are fine for a lab on your own machine, but change them before exposing the dashboard to anyone else.
We want to create a new Docker network that we will attach all our containers to.
# Create a user-defined bridge network (172.20.0.0/16) that will connect all lab machines
docker network create --subnet 172.20.0.0/16 mycyberlab
# Connect the 3 Wazuh nodes
docker network connect mycyberlab single-node-wazuh.manager-1
docker network connect mycyberlab single-node-wazuh.indexer-1
docker network connect mycyberlab single-node-wazuh.dashboard-1
# Find the IP address of our manager node on our new network
docker container inspect single-node-wazuh.manager-1 | grep IPAddress
Two IP addresses are listed: one on the network the Wazuh compose stack created for its three nodes, and one on mycyberlab, which is the network we will use for any monitored hosts and attackers.
In my case the manager's address on mycyberlab is 172.20.0.2; that is the address the agents will be pointed at, so substitute yours below if it differs.
We fire up a new Ubuntu instance using the Kasm Docker images. This command runs in the foreground, so run the network connect that follows from a second terminal on the host:
sudo docker run --rm -it --user root --platform linux/amd64 --name myubuntu --privileged --shm-size=512m -p 6901:6901 -e VNC_PW=password kasmweb/ubuntu-jammy-desktop-vpn:1.17.0
docker network connect mycyberlab myubuntu
# Inside the container (root shell in the Kasm desktop): update and install ping
apt update
apt install iputils-ping
Inside the container we now have two network interfaces, and we should be able to ping the Wazuh manager's mycyberlab address successfully.
Note: we use the --privileged flag here so that we have greater control over the container. It gives the container access to all host devices and removes most of the isolation Docker normally provides, so a root shell inside is effectively root on the host. That is acceptable for a throwaway lab on a machine you control, but never use it on shared hosts, and notice that the Kali attacker box below does not need it.
Inside the Ubuntu container, we install the Wazuh agent so the endpoint reports to the manager:
# Add the Wazuh repository and update
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt update
# We now pull the Wazuh agent, configure, install and start.
# The manager address and agent name must reach the package's post-install script as
# environment variables, so pass them on the same line as apt-get (or export them first);
# plain shell assignments on their own lines are not inherited by apt-get.
WAZUH_MANAGER='172.20.0.2' WAZUH_AGENT_NAME='myubuntu' apt-get install wazuh-agent
# There is no systemd inside the container, so start the agent directly rather than via systemctl
/var/ossec/bin/wazuh-control start
Note: If the agent log (/var/ossec/logs/ossec.log) reports Invalid server address found: MANAGER_IP, the variables did not reach the installer. Edit /var/ossec/etc/ossec.conf, replace MANAGER_IP inside the <address> element of the <server> block with the manager's address (172.20.0.2 here), and restart the agent with wazuh-control.
This deploys the agent, which begins communicating with the manager. All being well, the agent appears under Agents in the Wazuh dashboard within a minute or so; if it does not, restart the manager node with:
docker container restart single-node-wazuh.manager-1
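As an added example (not from the original post, and not part of Wazuh's own tooling), here is a small shell helper for the MANAGER_IP failure case described above. It validates the address, patches the <address> element in ossec.conf, and reads the value back so you can confirm it before restarting the agent. The ossec.conf fragment below is constructed for the demo; on the real endpoint you would point the helper at /var/ossec/etc/ossec.conf.

```shell
#!/usr/bin/env bash
# Added example: repair the manager address in a Wazuh agent ossec.conf.
# Assumptions (from the post): the manager is 172.20.0.2 on the mycyberlab
# network and the agent config lives at the default /var/ossec/etc/ossec.conf.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
# Catches the common mistakes: a hostname, a missing octet, or 256+.
is_ipv4() {
  local ip=$1 octet
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
  esac
  local IFS=.
  set -- $ip                            # split on dots into positional params
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Set the <address> inside the <server> block of ossec.conf ($1) to $2.
# Refuses to touch the file unless $2 is a valid IPv4 address, so a typo or
# the literal MANAGER_IP placeholder can never be written back.
set_manager_address() {
  local conf=$1 manager=$2
  is_ipv4 "$manager" || { echo "invalid manager address: $manager" >&2; return 1; }
  # A failed install leaves the MANAGER_IP placeholder; an earlier run may have
  # written a real address, so match whatever is between the tags.
  sed -i "s|<address>[^<]*</address>|<address>${manager}</address>|" "$conf"
}

# Print the manager address currently configured in ossec.conf ($1).
get_manager_address() {
  sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# Constructed sample: the relevant fragment of a fresh agent ossec.conf after an
# install where WAZUH_MANAGER was not picked up (not a file from the post).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF

set_manager_address "$demo_conf" 172.20.0.2
get_manager_address "$demo_conf"    # prints 172.20.0.2
```

On the endpoint the call would be set_manager_address /var/ossec/etc/ossec.conf 172.20.0.2 followed by /var/ossec/bin/wazuh-control restart; the validation step is there because the agent silently accepts a bad address and only complains in ossec.log, which is exactly the failure this note is about.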
Note: Some events already arrive, but we still need to work out how to get richer and more frequent telemetry from the endpoint, for example with auditd (the Linux kernel audit framework) or with Sysmon for Linux, which gives Sysmon-style process and network events like Sysmon does on Windows. Bear in mind that the kernel audit subsystem is host-wide rather than per-container, so auditd inside a Docker container needs extra thought. I am still playing around to decide the approach for this exercise.
With our SIEM running and our Ubuntu endpoint logging to it, we can now move on to our adversary so that we have something interesting to log!
As before, we can quickly spin up a Kali instance and connect it to the same network (again, the run command stays in the foreground, so do the connect from another host terminal):
sudo docker run --rm -it --user root --platform linux/amd64 --name mykali --shm-size=512m -p 6905:6901 -e VNC_PW=password kasmweb/kali-rolling-desktop:1.17.0
docker network connect mycyberlab mykali
Within the Kali instance (root shell in the Kasm desktop), we can then do the following to install Caldera:
# Apply the Kali archive keyring fix published in 2025 (needed if apt update fails with a signature error)
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
# Update and install some useful packages (npm is needed for Caldera's --build step)
apt update
apt install iputils-ping
apt install python3-lxml
apt install npm
# Create an isolated Python environment for running Caldera
apt install python3.13-venv
python3 -m venv caldera-env
source ./caldera-env/bin/activate
# Pull Caldera with its plugin submodules, install the dependencies, and start the server (--build compiles the web UI; --insecure uses the default lab credentials)
git clone https://github.com/mitre/caldera.git --recursive
cd caldera
pip3 install -r requirements.txt
python3 server.py --insecure --build
Note: If pip fails while building lxml, comment out the lxml line in requirements.txt and rely on the python3-lxml package installed above. The virtual environment only sees that system package if it was created with --system-site-packages; otherwise install lxml into the venv with pip separately.
Navigate to http://localhost:8888 within the Kali instance and log in with the username red and password admin. These are the defaults that --insecure enables, so keep Caldera on the lab network only.
We now have three components, all on the mycyberlab network: the Wazuh SIEM (manager, indexer and dashboard), the Ubuntu endpoint reporting to it through the Wazuh agent, and the Kali attacker running Caldera.
All this from essentially five minutes of command-line work! Wow.