Tools

Tools: How I Added SIEM to My Homelab With Wazuh — and What It Found on Day One - Expert Insights

2026-04-01 0 views admin
Tools: How I Added SIEM to My Homelab With Wazuh — and What It Found on Day One - Expert Insights

What Wazuh Is

The Setup

Enrolling Agents

Custom Detection Rules

Email Alerts

What It Found on Day One

Grafana + Wazuh: Better Together I've been running Grafana and Prometheus on my homelab for about a year. CPU usage, RAM, disk, container uptime — the usual infrastructure metrics. I thought that was monitoring. Then I deployed Wazuh and found out I had no idea what was happening on my network. Wazuh is an open-source SIEM (Security Information and Event Management) and XDR platform. It collects logs and events from agents you deploy on your systems, runs them through detection rules, and alerts you when something looks wrong. It's the same class of tool that security teams use in production environments — and it's free. The key mental model: Grafana asks "is this working?" Wazuh asks "is this being abused?" You need both questions answered. I'm running a 3-node Proxmox VE 8.x cluster. Wazuh 4.9.2 all-in-one lives in LXC 107 on my main node (nx-core-01). Container specs: 4 vCPU, 8GB RAM, 50GB disk. Wazuh is memory-hungry — don't go below 6GB or the indexer will struggle. The all-in-one install script handles the indexer, server, and dashboard: About 15 minutes. Dashboard on HTTPS port 443. Default credentials are in /home/admin/.wazuh-install-files/wazuh-passwords.txt. One gotcha for LXC: Wazuh needs to read system audit logs. Some LXC security profiles block this. If ossec-logcollector can't read /var/log/audit/audit.log, check your container's capability settings. I enrolled 7 agents: the main Proxmox node plus the LXC containers I care most about — the web server, Traefik, the monitoring stack, uptime-kuma, and Garrison (my AI orchestrator). Per-agent on each host: Wazuh ships with thousands of built-in rules. I added custom rules for things specific to my setup in /var/ossec/etc/rules/local_rules.xml: Mapping rules to MITRE ATT&CK IDs is worth the extra minute. It surfaces in the Wazuh dashboard and makes it easier to reason about what class of attack you're detecting. Wazuh can send email alerts directly. I use msmtp as a relay with a Gmail app password. In ossec.conf: Level 10+ fires an email. Root login would be level 15 — that's a middle-of-the-night wake-up. This is the part that made me feel like I'd been flying blind. SSH brute-force from 4 external IPs. This was ongoing. My SSH is on the default port (yes, I know — now I've moved it) and there were continuous auth attempts from IPs in Ukraine, China, and Romania. None of this was in Grafana. It wasn't breaking anything, but I wasn't informed. A container service in a restart loop. One of my LXC containers had a service that was failing and restarting every few minutes. The container showed as "running" in Uptime Kuma. The service itself was not. Wazuh caught it in the syslog stream. Two containers with outdated packages. Wazuh's rootcheck module audits package state. Both flagged containers had packages with known CVEs. Neither was critical, but I wouldn't have known without a scan. This isn't an either/or. Grafana tells me if my services are healthy. Wazuh tells me if my systems are being probed, if accounts are being misused, if files are changing unexpectedly. The combined setup is a proper monitoring stack for a homelab that's exposed to the internet — even partially. If you're running self-hosted infrastructure and haven't added a SIEM layer, Wazuh is the most accessible path to getting there. The all-in-one install makes it genuinely feasible without a dedicated security team. I've documented the full Proxmox cluster setup, monitoring stack, and security hardening approach at sjvik-labs.stevenjvik.tech/guides if you want to go deeper. Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to ? It will become hidden in your post, but will still be visible via the comment's permalink. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

$ -weight: 500;">curl -sO https://packages.wazuh.com/4.9/wazuh--weight: 500;">install.sh bash wazuh--weight: 500;">install.sh -a -weight: 500;">curl -sO https://packages.wazuh.com/4.9/wazuh--weight: 500;">install.sh bash wazuh--weight: 500;">install.sh -a -weight: 500;">curl -sO https://packages.wazuh.com/4.9/wazuh--weight: 500;">install.sh bash wazuh--weight: 500;">install.sh -a /home/admin/.wazuh--weight: 500;">install-files/wazuh-passwords.txt /var/log/audit/audit.log -weight: 500;">curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | -weight: 500;">apt-key add - echo "deb https://packages.wazuh.com/4.x/-weight: 500;">apt/ stable main" \ > /etc/-weight: 500;">apt/sources.list.d/wazuh.list -weight: 500;">apt-get -weight: 500;">update && -weight: 500;">apt-get -weight: 500;">install wazuh-agent WAZUH_MANAGER="<wazuh-ip>" WAZUH_AGENT_NAME="$(hostname)" \ -weight: 500;">systemctl -weight: 500;">enable --now wazuh-agent -weight: 500;">curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | -weight: 500;">apt-key add - echo "deb https://packages.wazuh.com/4.x/-weight: 500;">apt/ stable main" \ > /etc/-weight: 500;">apt/sources.list.d/wazuh.list -weight: 500;">apt-get -weight: 500;">update && -weight: 500;">apt-get -weight: 500;">install wazuh-agent WAZUH_MANAGER="<wazuh-ip>" WAZUH_AGENT_NAME="$(hostname)" \ -weight: 500;">systemctl -weight: 500;">enable --now wazuh-agent -weight: 500;">curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | -weight: 500;">apt-key add - echo "deb https://packages.wazuh.com/4.x/-weight: 500;">apt/ stable main" \ > /etc/-weight: 500;">apt/sources.list.d/wazuh.list -weight: 500;">apt-get -weight: 500;">update && -weight: 500;">apt-get -weight: 500;">install wazuh-agent WAZUH_MANAGER="<wazuh-ip>" WAZUH_AGENT_NAME="$(hostname)" \ -weight: 500;">systemctl -weight: 500;">enable --now wazuh-agent /var/ossec/etc/rules/local_rules.xml <!-- SSH brute force — T1110 --> <rule id="100001" level="10"> <if_group>syslog</if_group> <match>pam_unix.*authentication failure</match> <same_source_ip /> <frequency>5</frequency> <timeframe>120</timeframe> <description>Multiple SSH auth failures from same IP</description> <mitre><id>T1110</id></mitre> </rule> <!-- Root SSH login — should never happen --> <rule id="100002" level="15"> <if_sid>5715</if_sid> <match>^Accepted.*root@</match> <description>Root login via SSH detected</description> <mitre><id>T1078</id></mitre> </rule> <!-- SSH brute force — T1110 --> <rule id="100001" level="10"> <if_group>syslog</if_group> <match>pam_unix.*authentication failure</match> <same_source_ip /> <frequency>5</frequency> <timeframe>120</timeframe> <description>Multiple SSH auth failures from same IP</description> <mitre><id>T1110</id></mitre> </rule> <!-- Root SSH login — should never happen --> <rule id="100002" level="15"> <if_sid>5715</if_sid> <match>^Accepted.*root@</match> <description>Root login via SSH detected</description> <mitre><id>T1078</id></mitre> </rule> <!-- SSH brute force — T1110 --> <rule id="100001" level="10"> <if_group>syslog</if_group> <match>pam_unix.*authentication failure</match> <same_source_ip /> <frequency>5</frequency> <timeframe>120</timeframe> <description>Multiple SSH auth failures from same IP</description> <mitre><id>T1110</id></mitre> </rule> <!-- Root SSH login — should never happen --> <rule id="100002" level="15"> <if_sid>5715</if_sid> <match>^Accepted.*root@</match> <description>Root login via SSH detected</description> <mitre><id>T1078</id></mitre> </rule> <email_notification>yes</email_notification> <smtp_server>localhost</smtp_server> <email_from>[email protected]</email_from> <email_to>[email protected]</email_to> <email_maxperhour>12</email_maxperhour> <email_alert_level>10</email_alert_level> <email_notification>yes</email_notification> <smtp_server>localhost</smtp_server> <email_from>[email protected]</email_from> <email_to>[email protected]</email_to> <email_maxperhour>12</email_maxperhour> <email_alert_level>10</email_alert_level> <email_notification>yes</email_notification> <smtp_server>localhost</smtp_server> <email_from>[email protected]</email_from> <email_to>[email protected]</email_to> <email_maxperhour>12</email_maxperhour> <email_alert_level>10</email_alert_level>

🏷️ Tags

toolsutilitiessecurity toolsaddedhomelabwazuhfoundexpertinsightsrce

More from Tools

Tools: I built a portable SIEM detection toolkit that converts Sigma rules to Splunk, Elastic, and Kibana queries (2026)

Tools: I built a portable SIEM detection toolkit that converts Sigma rules to Splunk, Elastic, and Kibana queries (2026)

2026-04-01 0
Tools: I ran incident response on my own homelab. Here's the postmortem. - 2025 Update

Tools: I ran incident response on my own homelab. Here's the postmortem. - 2025 Update

2026-04-01 0
Tools: Docker Containers with Unraid NFS: Fix Stale File Handle Errors - 2025 Update

Tools: Docker Containers with Unraid NFS: Fix Stale File Handle Errors - 2025 Update

2026-04-01 0
Tools: Ultimate Guide: Claude Code Hidden Features You Probably Missed

Tools: Ultimate Guide: Claude Code Hidden Features You Probably Missed

2026-04-01 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views