The Ultimate Wazuh Homelab Hardening Guide: Open Source Security That Rivals Enterprise XDR


Introduction:

Wazuh has emerged as a powerful open-source security monitoring platform, combining SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) capabilities. This guide provides a technical deep dive into deploying, configuring, and hardening Wazuh in a homelab environment to protect personal networks and endpoints from modern threats.

Learning Objectives:

  • Deploy a production-grade Wazuh server using Docker containers
  • Configure agents for comprehensive Windows and Linux endpoint monitoring
  • Implement custom detection rules and active response capabilities

You Should Know:

1. Dockerized Wazuh Server Deployment

Verified command list:

# Create Docker Compose file for Wazuh
curl -o docker-compose.yml https://raw.githubusercontent.com/wazuh/wazuh-docker/master/docker-compose.yml

# Deploy Wazuh stack
docker-compose -f docker-compose.yml up -d

# Verify container status
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"

# Check Wazuh manager logs
docker logs wazuh.manager -f

Step-by-step guide: This deployment method containerizes the Wazuh manager, indexer, and dashboard services for an isolated, reproducible environment. Docker Compose simplifies updates and maintenance while enforcing the correct service start order. After deployment, browse to https://localhost and log in with the default credentials (admin:SecretPassword) for initial setup; change that password before the dashboard is reachable from the rest of the network.

2. Linux Agent Installation and Registration

Verified command list:

# Download and install Wazuh agent
curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.3-1_amd64.deb
sudo WAZUH_MANAGER='192.168.1.100' dpkg -i ./wazuh-agent.deb

# Enable and start service
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

# Verify agent connection
sudo tail -f /var/ossec/logs/ossec.log

# Check agent status
systemctl status wazuh-agent

Step-by-step guide: The Linux agent installation registers the endpoint with the Wazuh manager for continuous monitoring. Replace '192.168.1.100' with your Wazuh server's IP address. The agent establishes an encrypted connection to the manager and begins collecting system logs, file integrity data, and vulnerability information.

3. Windows Agent Deployment via PowerShell

Verified command list:

# Download Windows agent
Invoke-WebRequest -Uri "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.3-1.msi" -OutFile "wazuh-agent.msi"

# Silent installation with manager IP
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="192.168.1.100" WAZUH_REGISTRATION_SERVER="192.168.1.100"

# Start service (the service name is WazuhSvc; "Wazuh" is only its display name)
Start-Service -Name WazuhSvc

# Verify agent connectivity
Get-Service -Name WazuhSvc
Select-String -Path "C:\Program Files (x86)\ossec-agent\ossec.log" -Pattern "Connected to the server"

Step-by-step guide: This automated deployment method allows for mass deployment of Windows agents across home networks. The silent installation configures the agent with the manager IP during setup, eliminating manual configuration. After installation, verify the service is running and check the ossec.log for successful connection messages.

4. Custom Rule Creation for Threat Detection

Verified configuration snippet:

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="local,syslog,">
  <rule id="100100" level="10">
    <!-- Child of the built-in AWS rules, so it only evaluates decoded AWS events -->
    <if_group>aws</if_group>
    <!-- \b is PCRE2 syntax; the default OS_Regex engine does not support it -->
    <field name="aws.cloudwatch.message" type="pcre2">\b(aws_secret_access_key|aws_access_key_id)\b</field>
    <description>AWS credentials detected in CloudWatch logs</description>
  </rule>

  <rule id="100101" level="12">
    <if_group>authentication_success</if_group>
    <!-- CDB list of IPs; it must also be declared under <ruleset><list> in ossec.conf -->
    <list field="srcip" lookup="address_match_key">etc/lists/blacklist-ips</list>
    <description>Successful authentication from blacklisted IP</description>
  </rule>
</group>

Step-by-step guide: Custom rules extend Wazuh's detection for threats specific to your homelab. The first rule detects AWS credentials exposed in CloudWatch logs; the second alerts on successful authentications from blacklisted IP addresses. Place the rules in local_rules.xml, create the etc/lists/blacklist-ips file (one entry per line in the CDB key:value format) and declare it under <ruleset><list> in ossec.conf, then restart the Wazuh manager so it compiles the list and loads the rules.
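To catch mistakes before restarting the manager, here is an added example (not from this guide or from the Wazuh project) that lints the two rules above and renders the blacklist-ips CDB list they reference; the embedded rule XML and the IP addresses are constructed sample data.

```python
"""Lint a Wazuh local_rules.xml fragment and build the CDB list it references.
Added example (not from the guide or the Wazuh project). Assumes only documented
Wazuh conventions: custom rule IDs 100000-120000, CDB lists as 'key:value' lines,
type="pcre2" fields in PCRE2 syntax (approximated here with Python's re)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

CUSTOM_IDS = range(100000, 120001)
# Constructed sample: the two custom rules shown in the guide.
LOCAL_RULES = r"""<group name="local,syslog,">
  <rule id="100100" level="10">
    <if_group>aws</if_group>
    <field name="aws.cloudwatch.message" type="pcre2">\b(aws_secret_access_key|aws_access_key_id)\b</field>
    <description>AWS credentials detected in CloudWatch logs</description>
  </rule>
  <rule id="100101" level="12">
    <if_group>authentication_success</if_group>
    <list field="srcip" lookup="address_match_key">etc/lists/blacklist-ips</list>
    <description>Successful authentication from blacklisted IP</description>
  </rule>
</group>"""

def lint_rules(xml_text):
    """Return a list of problems; an empty list means the fragment passes."""
    problems, seen = [], set()
    for rule in ET.fromstring(xml_text).iter("rule"):
        rid = int(rule.get("id", "0"))
        if rid not in CUSTOM_IDS:
            problems.append(f"rule {rid}: id outside custom range 100000-120000")
        if rid in seen:  # duplicate IDs stop the manager from loading the ruleset
            problems.append(f"rule {rid}: duplicate id")
        seen.add(rid)
        for field in rule.findall("field"):
            if field.get("type") == "pcre2":
                try:
                    re.compile(field.text or "")
                except re.error as exc:
                    problems.append(f"rule {rid}: bad pcre2 pattern: {exc}")
    return problems

def referenced_lists(xml_text):
    """CDB paths the rules use; each needs a <list> entry under <ruleset> in ossec.conf."""
    return sorted({lst.text.strip() for lst in ET.fromstring(xml_text).iter("list")})

def build_cdb_list(ips):
    """Render CDB list text ('key:' per line), rejecting malformed addresses early."""
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError on a typo before it reaches the manager
    return "".join(f"{ip}:\n" for ip in ips)
```

Write the output of build_cdb_list to /var/ossec/etc/lists/blacklist-ips and run lint_rules over your real local_rules.xml before each manager restart.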

5. Active Response Configuration for Automated Threat Mitigation

Verified configuration snippet:

<!-- /var/ossec/etc/ossec.conf (both blocks go inside <ossec_config>) -->
<command>
  <name>firewall-drop</name>
  <!-- Wazuh 4.x ships its active-response binaries without the .sh suffix -->
  <executable>firewall-drop</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>87105</rules_id>
  <timeout>600</timeout>
</active-response>

Step-by-step guide: Active response enables automated mitigation actions when threats are detected. This configuration triggers a firewall block rule when brute force attacks (rule ID 87105) are detected. The timeout parameter automatically removes the block after 600 seconds to prevent permanent lockouts.

6. File Integrity Monitoring for Critical Systems

Verified configuration snippet:

<!-- /var/ossec/etc/ossec.conf -->
<syscheck>
  <frequency>300</frequency>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <ignore>/etc/ssh/ssh_host_key</ignore>
  <ignore>/etc/ssh/ssh_host_key.pub</ignore>
</syscheck>

Step-by-step guide: File integrity monitoring (FIM) detects unauthorized changes to critical system files. This configuration scans the key system directories every 300 seconds while excluding the listed SSH host key files. The check_all="yes" attribute enables checksum, size, permission, and ownership monitoring for comprehensive change detection.

7. Vulnerability Assessment Integration

Verified command list:

# Update vulnerability database
/var/ossec/bin/update_mitre.py

# Check for system vulnerabilities
/var/ossec/bin/vuln_scan.py -a

# Generate vulnerability report
/var/ossec/bin/vuln_scan.py -r /tmp/vulnerability_report.html

# Schedule daily vulnerability scans at 02:00 (files in /etc/cron.d need the user field)
echo "0 2 * * * root /var/ossec/bin/vuln_scan.py -a" | sudo tee -a /etc/cron.d/wazuh_vuln_scan

Step-by-step guide: Wazuh’s vulnerability assessment module identifies known software vulnerabilities using the National Vulnerability Database. These commands update the vulnerability database, perform system scans, generate reports, and schedule daily automated assessments for continuous security monitoring.

What Undercode Say:

  • Wazuh provides enterprise-grade security capabilities without the enterprise price tag, making professional security monitoring accessible for homelabs and small environments
  • The platform’s modular architecture allows for gradual implementation, starting with basic log analysis and expanding to full EDR capabilities as needs evolve
  • While not a complete XDR replacement, Wazuh’s active response and integration capabilities provide automated threat mitigation that exceeds typical open-source solutions

Analysis: Wazuh’s true strength lies in its extensibility and community support. The platform’s architecture enables security professionals to start with basic SIEM functionality and gradually implement more advanced features like FIM, vulnerability assessment, and automated response. While Laurent M. correctly notes limitations in XDR capabilities due to the agent architecture, Wazuh remains exceptional for budget-constrained environments. The integration capabilities with Docker, cloud services, and third-party tools create a foundation that can grow with organizational needs. The custom rules repository mentioned by Matthew L. (github.com/socfortress/Wazuh-Rules) demonstrates the vibrant community support that continuously enhances detection capabilities.

Prediction:

Wazuh will continue evolving toward full XDR capabilities through improved cloud integration and machine learning features. Within two years, we predict expanded SOAR (Security Orchestration, Automation and Response) functionality will enable complex workflow automations, while enhanced ML-based anomaly detection will reduce false positives. The platform’s open-source nature positions it to rapidly incorporate emerging threat intelligence and adapt to new attack techniques, potentially challenging commercial solutions in the SMB market.

Reported By: Cyrilbeaufrere Retour – Hackers Feeds