
Building a SIEM Home Lab with Wazuh: My Setup & Lessons Learned

Feb 28, 2025 · 8 min read

Why I Built This Lab

As a cybersecurity student, hands-on experience is everything. I wanted to go beyond theory and actually implement a Security Information and Event Management (SIEM) system from scratch. Wazuh — a free, open-source platform — was the perfect choice.

What is Wazuh?

Wazuh is an open-source security monitoring platform that provides threat detection, integrity monitoring, incident response, and compliance capabilities. It's widely used in enterprise environments and is an excellent learning tool.

Setting Up the Wazuh Server

I deployed the Wazuh server on a virtual machine running Ubuntu Server. The installation sets up three components: the Wazuh manager, an indexer (Elasticsearch, or OpenSearch in current releases) and a Kibana-based dashboard. The `-a` flag of the install script below performs an all-in-one installation, placing all three on the same host:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash ./wazuh-install.sh -a

Deploying Agents on Endpoints

Once the server was running, I deployed Wazuh agents on other virtual machines (Windows and Linux) to start collecting security events and logs.

File Integrity Monitoring (FIM)

One of the most powerful features I configured was FIM — monitoring critical files and directories for unauthorized changes:

  • /etc/passwd and /etc/shadow on Linux
  • Windows registry keys
  • Application configuration files

Any modification triggers an alert in the dashboard, which is exactly what you'd want in a real SOC environment.
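
The monitoring described above is driven by the syscheck section of the agent's ossec.conf. The block below is an added example written for this post, not a copy of the lab's configuration or of the defaults Wazuh ships; the directories, registry keys and scan interval are illustrative choices.

```xml
<!-- Added example (not from the original post): syscheck in a Linux agent's
     /var/ossec/etc/ossec.conf. Paths and interval are illustrative. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- Full scheduled scan every 12 hours; realtime entries below do not wait for it -->
    <frequency>43200</frequency>

    <!-- Credential files: check every attribute and alert the moment they change -->
    <directories check_all="yes" realtime="yes">/etc/passwd,/etc/shadow</directories>

    <!-- Application config: also store a diff of what changed in text files -->
    <directories check_all="yes" report_changes="yes">/etc/ssh,/etc/nginx</directories>

    <!-- Files that legitimately churn and would only produce noise -->
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.swp$</ignore>
  </syscheck>
</ossec_config>

<!-- Windows agent (C:\Program Files (x86)\ossec-agent\ossec.conf):
     autorun keys are a common persistence location, so watch both 32- and 64-bit views -->
<ossec_config>
  <syscheck>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  </syscheck>
</ossec_config>
```

After saving the file, restart the agent (systemctl restart wazuh-agent on Linux, or the Wazuh service on Windows) and confirm that the next change to one of the listed files appears as a syscheck alert in the dashboard. Keep realtime watching to a short list of high-value paths: every realtime directory costs inotify watches on the endpoint, and report_changes stores a copy of each monitored file, so neither setting belongs on large trees.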

Key Takeaways

  • SIEM configuration requires patience — tuning rules to reduce false positives is an art.
  • FIM is incredibly valuable for detecting insider threats and malware persistence.
  • Wazuh's integration with the MITRE ATT&CK framework makes threat classification much easier.
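
The first and third takeaways meet in the manager's local_rules.xml, where FIM alerts can be re-scored and tagged. The block below is an added example, not a rule set from the post or from Wazuh itself; the rule IDs are picked from the custom range (100000 and up), the paths are illustrative, and the ATT&CK mapping is a choice made for the example. It escalates changes to credential files and silences routine log churn, so the dashboard shows the alerts worth reading.

```xml
<!-- Added example (not from the original post): /var/ossec/etc/rules/local_rules.xml
     on the manager. Rule IDs, paths and the ATT&CK mapping are illustrative. -->
<group name="local,syscheck,">

  <!-- Escalate: a change to a credential file becomes a level-12 alert instead of
       the level 5 to 7 that the built-in syscheck rules assign.
       550 = checksum changed, 553 = file deleted, 554 = file added. -->
  <rule id="100100" level="12">
    <if_sid>550,553,554</if_sid>
    <field name="file">^/etc/passwd$|^/etc/shadow$</field>
    <description>Credential file modified: $(file)</description>
    <mitre>
      <id>T1098</id>
    </mitre>
  </rule>

  <!-- Suppress: rotated logs are expected to change; level 0 keeps them off the dashboard -->
  <rule id="100101" level="0">
    <if_sid>550,553,554</if_sid>
    <field name="file">^/var/log/</field>
    <description>Routine change under /var/log, ignored</description>
  </rule>

</group>
```

Restart the manager (systemctl restart wazuh-manager) after editing, then feed a sample syscheck event to /var/ossec/bin/wazuh-logtest to confirm that the expected custom rule fires before trusting the change in production. Suppressing with a level-0 rule is deliberate here: unlike an ignore entry in syscheck, the event is still received and archived, so it remains available for investigation even though it never raises an alert.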

Thierry Nimubona

Aspiring Cybersecurity Expert