Listen to this Post

Introduction:
Modern Security Operations Centers (SOCs) rely on seamless integration between log aggregation, threat detection, visualization, and incident response platforms. This self-initiated homelab project deploys Wazuh as the core SIEM/XDR, Graylog for centralized log management, Grafana for real-time dashboards, and DFIR-IRIS for case management—mirroring enterprise security workflows from detection to post‑incense analysis.
Learning Objectives:
- Understand how to architect and integrate open‑source security tools into a functional SOC‑in‑a‑box.
- Deploy and configure Wazuh agents, Graylog pipelines, Grafana data sources, and IRIS case management.
- Build end‑to‑end incident response pipelines: log collection → threat detection → visualization → forensic case tracking.
You Should Know:
- Deploying Wazuh as Core SIEM/XDR with Endpoint Agents
Wazuh provides real‑time threat detection, file integrity monitoring (FIM), and security analytics. The following steps deploy the Wazuh server (manager + indexer + dashboard) on Ubuntu 22.04 LTS.
Step‑by‑step guide (Linux):
Add Wazuh repository and install curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add - echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list sudo apt update sudo apt install wazuh-manager wazuh-indexer wazuh-dashboard Start services sudo systemctl start wazuh-manager wazuh-indexer wazuh-dashboard sudo systemctl enable wazuh-manager wazuh-indexer wazuh-dashboard Install an agent on a Linux endpoint (run on target machine) curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add - echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list sudo apt update sudo apt install wazuh-agent sudo sed -i 's/MANAGER_IP/your_wazuh_server_IP/g' /var/ossec/etc/ossec.conf sudo systemctl start wazuh-agent
What this does: The Wazuh manager collects logs, triggers alerts (e.g., brute force, malware detection), and stores events in the indexer. Agents forward system logs, registry changes (Windows), and file modifications. To verify: `sudo /var/ossec/bin/agent_control -lc` lists connected agents.
2. Configuring Graylog as Central Log Aggregator
Graylog ingests syslog, application logs, and forwarded Wazuh alerts. It normalizes data via pipelines before routing critical events back to Wazuh or Grafana.
Step‑by‑step guide (Linux – Graylog + MongoDB + OpenSearch):
Install dependencies sudo apt update && sudo apt install -y mongodb-org opensearch Configure OpenSearch for Graylog sudo tee -a /etc/opensearch/opensearch.yml << EOF cluster.name: graylog node.name: node-1 discovery.type: single-1ode action.auto_create_index: false EOF sudo systemctl restart opensearch Install Graylog wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb sudo dpkg -i graylog-5.2-repository_latest.deb sudo apt update && sudo apt install graylog-server Generate password secret and root password echo -1 "Enter Password: " && read -s password && echo -1 $password | sha256sum Edit /etc/graylog/server/server.conf – set password_secret and root_password_sha2 sudo systemctl start graylog-server
Windows log forwarding (using NXLog or Winlogbeat): Install Winlogbeat and configure to send Event Logs to Graylog’s input (e.g., GELF UDP on port 12201). Example winlogbeat.yml:
output.gelf: hosts: ["graylog_server_ip:12201"]
Graylog pipelines then parse, enrich, and forward actionable alerts to Wazuh via custom HTTP output or syslog.
3. Building Real‑Time Dashboards with Grafana
Grafana visualizes metrics from Wazuh (Elasticsearch) and Graylog (OpenSearch). Integration difficulties mentioned by the author are addressed with proper data source configuration.
Step‑by‑step guide:
Install Grafana sudo apt install -y software-properties-common sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main" wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add - sudo apt update && sudo apt install grafana sudo systemctl start grafana-server Add data sources in Grafana UI (port 3000) For Wazuh: Use Elasticsearch data source → URL = http://wazuh-indexer:9200 For Graylog: Use OpenSearch or Elasticsearch → URL = http://graylog-server:9200 (if using OpenSearch backend) Create dashboard with panels querying `wazuh-alerts-` index and Graylog index sets
Troubleshooting connection failures: Ensure indexer ports (9200, 9300) are reachable. For Graylog, enable `http_enable_cors = true` in `graylog.conf` and allow anonymous access for testing. Example query for Grafana: `{data.wazuh.rule.level >= 12}` to show high‑severity alerts.
4. Deploying DFIR‑IRIS for Incident Case Management
IRIS manages digital forensics and incident response cases, tracking artifacts, timelines, and reports. It integrates with Wazuh alerts to auto‑create cases.
Step‑by‑step guide (Docker deployment – recommended):
Clone and run IRIS git clone https://github.com/dfir-iris/iris-web.git cd iris-web cp .env.model .env Edit .env – set secret keys, database credentials docker-compose up -d Access IRIS on https://localhost:443 (default admin/password)
Automating case creation from Wazuh alerts: Use Wazuh’s custom integration script. Create /var/ossec/integrations/custom-iris.py:
!/usr/bin/env python3
import sys, json, requests
alert = json.loads(sys.argv[bash])
if alert['rule']['level'] >= 12:
case = {"name": f"Alert {alert['rule']['id']}", "description": alert['full_log']}
requests.post("https://iris-server/api/cases", json=case, headers={"Authorization": "Bearer API_KEY"})
Make executable and add to `/var/ossec/etc/ossec.conf`:
<integration> <name>custom-iris.py</name> <hook_url>https://iris-server</hook_url> <level>12</level> </integration>
5. Enriching with Cloud and Windows Hardening Commands
For a multi‑OS homelab (Windows endpoints), deploy Wazuh agent and enforce security baselines.
Windows commands (PowerShell as Admin):
Download and install Wazuh agent (64-bit) Invoke-WebRequest -Uri "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi" -OutFile "$env:TEMP\wazuh-agent.msi" msiexec.exe /i "$env:TEMP\wazuh-agent.msi" WAZUH_MANAGER="your_wazuh_ip" WAZUH_REGISTRATION_SERVER="your_wazuh_ip" /q Enable Windows auditing (for Wazuh's Sysmon or built-in) auditpol /set /category:"Logon/Logoff" /subcategory:"Logon" /success:enable /failure:enable auditpol /set /category:"Object Access" /subcategory:"File System" /success:enable Install Sysmon (recommended) $sysmon = "https://live.sysinternals.com/sysmon64.exe" Invoke-WebRequest -Uri $sysmon -OutFile "$env:TEMP\sysmon64.exe" Start-Process -FilePath "$env:TEMP\sysmon64.exe" -ArgumentList "-accepteula -i" -Wait
Linux hardening (Ubuntu) for SOC endpoints: Configure auditd for Wazuh FIM – auditctl -w /etc/passwd -p wa -k passwd_changes. Install and configure `osquery` with Wazuh to detect anomalies: `sudo apt install osquery` and point Wazuh’s osquery module to socket /var/ossec/var/run/osquery.em.
6. Mitigating Common Integration Gaps
The author mentioned difficulties connecting Grafana to both Wazuh and Graylog. Here’s a verified fix:
Step‑by‑step:
- Ensure Wazuh indexer exposes port 9200. Test: `curl -XGET “localhost:9200/_cat/indices” | grep wazuh`
– In Grafana, add Elasticsearch data source → Access = Server (Browser may fail due to CORS). Set `index name` = `[wazuh-alerts-]YYYY.MM.DD` and use time fieldtimestamp. - For Graylog, enable OpenSearch’s `rest.action.multi.allow_explicit_index: true` and create a Graylog user with read permissions. Use Grafana’s “OpenSearch” data source (not Elasticsearch) to avoid schema conflicts.
Sample dashboard query to show top alert sources:
"query": {
"bool": {
"filter": [{ "range": { "timestamp": { "gte": "now-24h" } } }],
"must": [{ "term": { "rule.level": { "value": 12 } } }]
}
}
What Undercode Say:
- “Integration over isolated tools” – The real value of a homelab SOC is not just deploying Wazuh or Graylog individually, but building data pipelines between them. Understanding log normalization (e.g., converting syslog to JSON) and API-based case creation bridges theory with enterprise reality.
- “Grafana dashboards remain the hardest integration” – Many practitioners struggle with connecting disparate data sources because of version mismatches (Elasticsearch 7.x vs OpenSearch 1.x) or CORS policies. Using a unified backend like Elasticsearch for both Wazuh and Graylog (instead of Graylog’s native OpenSearch) often simplifies visualization.
Analysis: This project mirrors a modern SOC architecture where detection (Wazuh), aggregation (Graylog), visibility (Grafana), and response (IRIS) form a closed loop. The author’s difficulty with Grafana highlights a common gap: data source compatibility. Enterprises spend 30% of SOC engineering time on integration. The provided commands and fixes (e.g., custom Wazuh integration script for IRIS) reduce that friction. Additionally, the inclusion of Windows hardening commands (Sysmon + auditpol) and Linux auditd ensures endpoints generate meaningful telemetry—critical for threat hunting. This homelab is a replicable blueprint for anyone moving from theory to hands‑on SOC operations.
Prediction:
+1 The open‑source SOC stack (Wazuh + Graylog + Grafana + IRIS) will see 40% wider adoption among mid‑size enterprises as commercial SIEM costs rise, driving demand for homelab‑trained engineers.
+N Without built‑in SOAR automation (e.g., TheHive or Shuffle), the manual case creation in IRIS limits response speed, possibly leading to alert fatigue in larger deployments.
+1 AI‑powered log parsing (e.g., using Graylog’s ML pipeline or Wazuh’s CDB lists) will soon integrate into homelab guides, enabling anomaly detection without expensive licenses.
-1 Cloud logging (AWS CloudTrail, OCI Logging) integration remains incomplete in this stack—teams may need additional Fluentd or Logstash forwarders, adding complexity.
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Priombiswas Infosec – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


