Wazuh is an open‑source SIEM and XDR platform that provides centralized collection, analysis, and correlation of security events from endpoints, network devices, and cloud services. Thanks to its modular architecture and combined agent‑based and agentless approach, it is ideal for home labs, education, and smaller production environments.
Setting up a home SIEM is an excellent way to understand real security processes: log collection, event correlation, anomaly detection, and incident response. This guide walks through the entire process — from preparing the virtual machine to ingesting logs from endpoints and firewalls.
For the Wazuh server, a Linux distribution such as Ubuntu Server or Debian is recommended. A minimal configuration for a home lab includes:
- 4 GB RAM
- 2 CPU cores
- 20–40 GB disk space
- stable network connection (bridged or NAT)
According to Wazuh documentation, resource consumption scales linearly with the number of agents. Each agent generates its own volume of events (authentication logs, system changes, FIM entries, processes, network activity). This means CPU, RAM, and disk must scale based on the number of endpoints. A small home lab with a few agents can run on 2–4 GB RAM, while environments with ten or more agents require more resources to keep indexing and event processing stable.
After creating the VM in VirtualBox, VMware, or Proxmox, install the operating system and assign a static IP address so the Wazuh server is easily reachable by other devices.
Wazuh provides a simple installation script that automatically deploys Elasticsearch, Kibana, and the Wazuh server. This is the fastest and most stable method for home use.
On a fresh OS installation, run:
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a
The installation takes a few minutes. Once complete, the Wazuh dashboard is available in your browser (typically at https://IP-address:5601). Log in using the initial credentials generated by the installation script.
Wazuh agents collect logs from Windows, Linux, and macOS systems. On Windows, the agent is installed via an MSI installer; on Linux, via the package manager.
In the Wazuh dashboard, open Agents → Deploy new agent, choose the operating system, and follow the instructions. Key parameters include:
- Wazuh server IP address
- agent key (generated automatically)
- agent name (hostname)
Once installed, the agent registers automatically and begins sending logs: system events, authentications, file changes, processes, network activity, and other security‑relevant data.
Wazuh can receive Syslog events from any firewall capable of sending logs to a remote Syslog server. Since Wazuh includes a built‑in Syslog listener, the firewall can send logs directly to Wazuh without any intermediate server.
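The listener itself still has to be enabled in the manager configuration. The fragment below is an added example (not from the original post) of a <remote> block for /var/ossec/etc/ossec.conf that opens the syslog receiver on UDP 514 and accepts datagrams only from the firewall; both IP addresses are assumed placeholders for your lab.

```xml
<!-- Added example, not from the original post. Place inside <ossec_config> in /var/ossec/etc/ossec.conf -->
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <!-- Only the firewall (assumed address) may send to this listener; a CIDR range such as 192.168.1.0/24 is also accepted -->
  <allowed-ips>192.168.1.1</allowed-ips>
  <!-- Interface of the Wazuh VM to bind to (assumed address) -->
  <local_ip>192.168.1.10</local_ip>
</remote>
```

After restarting wazuh-manager, `ss -ulnp | grep 514` should show the port bound; keep `allowed-ips` as narrow as possible, since the listener is unauthenticated.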
When the firewall sends events, Wazuh stores them in /var/ossec/logs/archives/archives.log in raw form under agent ID 000, because this is an agentless source. As the document states: “You can see all your logs (in raw form) in the file /var/ossec/logs/archives/archives.log.”
If logs do not appear, enable log archiving in /var/ossec/etc/ossec.conf:
<global>
  <alerts_log>yes</alerts_log>
  <logall>yes</logall>
  <logall_json>yes</logall_json>
</global>
Then restart the manager:
sudo systemctl restart wazuh-manager
If logs appear in archives.log but not in the dashboard, Wazuh needs a decoder to interpret the structure of the firewall events.
Add a decoder to:
/var/ossec/etc/decoders/local_decoder.xml
Example generic decoder (adaptable to any firewall log format):
<decoder name="Firewall_Generic">
  <type>syslog</type>
  <prematch>device_name="</prematch>
</decoder>
<decoder name="Firewall_Generic_child">
  <parent>Firewall_Generic</parent>
  <!-- Character classes such as [^"]+ need the PCRE2 engine; the default OS_Regex engine does not support them.
       src_port and dst_port are unquoted in the log, so no closing quote follows the last group. -->
  <regex type="pcre2">device_name="(\S+)" timestamp="([^"]+)" log_type="([^"]+)" src_ip="([^"]+)" dst_ip="([^"]+)" protocol="([^"]+)" src_port=(\d+) dst_port=(\d+)</regex>
  <order>device_name,timestamp,log_type,src_ip,dst_ip,protocol,src_port,dst_port</order>
</decoder>
Rules are added to:
/var/ossec/etc/rules/local_rules.xml
Example:
<group name="custom_firewall">
  <rule id="100040" level="3">
    <decoded_as>Firewall_Generic</decoded_as>
    <description>Firewall Log Event</description>
  </rule>
</group>
Wazuh includes a built‑in tool for testing decoders and rules. The document notes: “It’s important that you see the fields in Phase 2 and the alert in Phase 3.”
Run:
/var/ossec/bin/wazuh-logtest
Paste a firewall log (without the timestamp prefix added by rsyslog), for example:
device_name="FW" timestamp="2024-01-01T12:00:00+0100" log_type="Firewall" src_ip="1.2.3.4" dst_ip="5.6.7.8" protocol="TCP" src_port=1234 dst_port=443
If everything is correct:
Phase 1: pre-decoding
Phase 2: all fields extracted (decoder works)
Phase 3: rule triggered (alert generated)
Then restart the manager:
sudo systemctl restart wazuh-manager
Firewall logs will now appear in the Wazuh dashboard.
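Once the fields are decoded, rules can act on them instead of only tagging every line at level 3. The block below is an added example (not from the original post) that replaces the custom_firewall group in local_rules.xml with the same base rule plus two child rules: one raises the level when dst_port is 3389, the other fires when one src_ip produces 20 firewall events within 60 seconds. Rule ids 100041 and 100042, the port and the thresholds are assumed values; rule ids must be unique, so the group is replaced rather than appended.

```xml
<!-- Added example, not from the original post: replaces the custom_firewall group in /var/ossec/etc/rules/local_rules.xml -->
<group name="custom_firewall">
  <!-- Base rule from the guide: every decoded firewall line, level 3 -->
  <rule id="100040" level="3">
    <decoded_as>Firewall_Generic</decoded_as>
    <description>Firewall Log Event</description>
  </rule>

  <!-- Raise the level when the destination port is RDP (assumed port of interest); ^ and $ match the whole field -->
  <rule id="100041" level="6">
    <if_sid>100040</if_sid>
    <field name="dst_port">^3389$</field>
    <description>Firewall: connection to RDP port 3389 from $(src_ip)</description>
  </rule>

  <!-- Same source address in 20 events within 60 s (assumed thresholds): typical of a port scan or brute force -->
  <rule id="100042" level="8" frequency="20" timeframe="60">
    <if_matched_sid>100040</if_matched_sid>
    <same_field>src_ip</same_field>
    <description>Firewall: $(src_ip) generated 20 firewall events in 60 seconds</description>
  </rule>
</group>
```

Re-run wazuh-logtest with the sample line and a dst_port of 3389 to confirm rule 100041 fires in Phase 3 before restarting the manager.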
A home SIEM is not just an educational project — it provides real visibility into the security events occurring in your network. Wazuh is powerful enough for professional use, yet simple enough for a home lab. With proper configuration, you can monitor everything from endpoint activity to firewall traffic.
Throughout this series, we will explore additional configuration topics related to Wazuh, as well as other security products, to build a complete, sustainable, and understandable security ecosystem.
Security can’t be bought in a box. Yet many organizations behave as if it can. Slickly packaged security software is often sold as an instant solution — but without expert handling, it becomes just “shelfware.”
In today’s cybersecurity landscape, the phenomenon of “tool sprawl” is increasingly common — an obsessive race to buy more and more security solutions, hoping that quantity equals protection. Vendors pitch shiny dashboards and catchy acronyms, resellers promise perfect layered defenses, and executives with little technical insight sign purchase orders like they’re collecting stickers.
But the truth is simple: without proper integration, dedicated experts, management, and strategy, more tools often mean less security.
Every security tool brings its own agents, rules, logs, and alerts. Multiply that by ten or twenty systems, and you get chaos instead of control. Many tools overlap in functionality, clash with each other, or operate in isolation without sharing context.
In some environments, tools literally fight each other. Firewalls block legitimate traffic flagged by another tool. DLP and backup systems clash over file access. One tool raises an alert, but the SIEM can’t correlate it due to incompatible formats. In other words, excessive complexity undermines visibility and the effectiveness of defenses. It’s not uncommon for a third of newly purchased security tools to go unused or only partially implemented.
The result? Security gaps. Missed alerts. Frustrated teams. Slower incident response. And in the worst-case scenario — a false sense of security.
Security vendors feed on fear, uncertainty, and doubt. They show grim breach statistics, offer expensive “silver bullets,” and suggest your company will be the next victim without their solution.
This sales model often works, not because the tools are bad (some are excellent!) but because decision-makers frequently lack technical leadership. Executives without trusted advisors may approve tool purchases they don’t understand, don’t need, or can’t integrate.
It’s not unusual for organizations to spend hundreds of thousands of euros on security tools, only for many to remain unused or poorly configured. Shelfware is everywhere. Budgets are spent. Security hasn’t improved.
Cybersecurity is a chain. Every component must communicate, support, and strengthen the others. If any part is out of sync — a directory that doesn’t synchronize, an unprotected endpoint, a misconfigured IDS — the chain breaks.
Fragmented tooling increases attack surface. More tools mean greater complexity, more patching, more integration effort, and more chances for misconfiguration.
Instead of orchestrated defense, many companies end up with a noisy, fragmented system. Security teams juggle consoles, alerts get lost in the noise, and attackers exploit the gaps between tools.
Another overlooked element? The end user. Tools protect people, yet many security strategies ignore the real users of the system.
Users aren’t security experts. If a tool is overly invasive, confusing, or poorly explained, users will bypass it, disable it, or make mistakes. It doesn’t matter how many vendors are involved — if the system isn’t designed with the user in mind, it won’t work.
Security tools cost money — for good reason. Development, maintenance, and support are demanding. Vendors deserve to make a profit.
But with power comes responsibility.
Security shouldn’t be driven by short-term profit and fear tactics. Instead, the goal must be to educate users, assess risk, and align technology, processes, and people to truly reduce risk.
Vendors who act as partners, not just sellers, will earn more trust and business in the long run. Competent technical advisors play a critical role. Whether internal (your CISO, security architect) or external consultants, it’s crucial to have someone who sees the big picture and isn’t blinded by sales targets. These advisors can assess the full chain, identify real weak links, and propose solutions — procedural or technological — that strengthen those links without weakening others. Their job is to be the voice of reason that says “no” when a tool is unnecessary, or “yes, but under these integration conditions” when a solution is being considered. Sadly, that voice is sometimes drowned out by marketing noise. But organizations that listen and act on it will build far more resilient defenses.
Before you buy the next “silver bullet,” fix what you already have.
Patch your systems. Review configurations. Train your people. Remove legacy accounts. Implement MFA. Monitor the tools already in place.
Most breaches don’t happen because the latest tool wasn’t purchased — they happen because a server was left exposed, a password was stolen, or a setting was misconfigured.
Security starts with hygiene, not hardware.
Security isn’t about buying tools — it’s about making them work together, through strategy and expertise.
Cyber defense isn’t a shopping list. More doesn’t mean better. Sometimes it means more confusion, cost, and vulnerability.
Let’s shift the mindset: from spend-spend-spend to connect-integrate-harden. That’s where true security lives.