siddhesh-001/Wazuh-SIEM-Lab

πŸ›‘οΈ Wazuh SIEM Lab β€” Stack Installation, Configuration & Agent Deployment

(Latest wazuh_branch="4.14.4")

This project demonstrates the deployment of a Wazuh SIEM (Security Information and Event Management) system in a lab environment.

The lab simulates a real-world security monitoring setup where:

  • Logs are generated on an endpoint
  • Collected by an agent
  • Sent to a SIEM
  • Analyzed and visualized in a dashboard

Project Overview

Wazuh is an open-source security platform that provides:

  • Log Analysis
  • Host-based Intrusion Detection System (HIDS)
  • File Integrity Monitoring (FIM)
  • Malware Detection
  • Compliance Monitoring

Lab Environment

| Component | Role |
|---|---|
| Kali Purple | Wazuh SIEM server |
| Kali Linux | Endpoint (victim system) |
| Wazuh Manager | Log analysis |
| Wazuh Agent | Log collection |
| Wazuh Indexer | Data storage |
| Wazuh Dashboard | Visualization |

System Requirements

| Resource | Minimum | Recommended |
|---|---|---|
| Disk | 50 GB | 100+ GB |
| RAM | 8 GB | 16 GB |
| CPU | 2 vCPU | 4 vCPU |

This lab uses 16 GB RAM and 4 processors for Kali Purple, and 8 GB RAM and 2 processors for Kali Linux.


Phase 1 - Initial Setup

Snapshot Setup

Take VM snapshots before starting to allow rollback.


Update Systems

sudo apt update && sudo apt upgrade -y

Set Hostnames

On Kali Purple:

sudo hostnamectl set-hostname wazuh-siem

# Also replace the old hostname in /etc/hosts (sudo nano /etc/hosts) so the new name still resolves locally.

On Kali Linux:

sudo hostnamectl set-hostname victim-endpoint

# Also replace the old hostname in /etc/hosts (sudo nano /etc/hosts) so the new name still resolves locally.

Verify:

hostname

Verify Connectivity

ping <target_ip>

Both systems must communicate successfully.


Phase 2 - Prepare Wazuh Server

Install Required Packages

sudo apt install -y curl apt-transport-https lsb-release gnupg2
[Screenshot: Install required base packages]

Disable Sleep Mode (SIEM servers should never sleep)

sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
[Screenshot: Disable automatic sleep/suspend]

Configure Time Synchronization (logs without correct timestamps are useless for correlation)

sudo apt install -y chrony
sudo systemctl enable chrony
sudo systemctl start chrony

# Verify:
timedatectl
[Screenshot: Set proper time synchronization]

Open Required Firewall Ports

# Install UFW if not present (UFW is a simple firewall manager)
sudo apt install -y ufw

sudo ufw allow 1514/tcp    # agent event traffic (agent -> manager)
sudo ufw allow 1515/tcp    # agent enrollment
sudo ufw allow 443/tcp     # Wazuh dashboard (HTTPS)
sudo ufw allow 55000/tcp   # Wazuh server API
sudo ufw enable
[Screenshot: Open required firewall ports]

Phase 3 - Install Wazuh Stack (on Kali Purple)

Download Installer (check for the latest branch at https://documentation.wazuh.com/current/quickstart.html)

curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh
chmod +x wazuh-install.sh

Run Installation (single-node)

sudo ./wazuh-install.sh -a
# Installation time: ~10–20 minutes, depending on system specs.
[Screenshot: Run single-node installation]

At the end of a successful installation the terminal prints the dashboard URL together with the username and password for the Wazuh dashboard. Save the credentials in a text file, for example:

nano wazuh-creds.txt

Verify Services

sudo systemctl status wazuh-manager
sudo systemctl status wazuh-indexer
sudo systemctl status wazuh-dashboard

All services should be active and running.

[Screenshots: Verify services (manager, indexer, dashboard)]
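Besides `systemctl status`, a quick way to confirm the stack is actually serving is to check that the ports opened in Phase 2 are bound. The script below is an added example, not code from this repository: it parses `ss -tln` output and reports which Wazuh ports are not listening. The function names and the embedded `SAMPLE_SS` text are my own constructed sample so the script runs without the stack installed; on the real server the sample is replaced by live `ss -tln` output as shown in the comment.

```shell
#!/bin/sh
# Added example: confirm the Wazuh services are actually listening.
# Not part of the Wazuh-SIEM-Lab repository; names below are mine.

# listening_ports SS_OUTPUT
# Print the TCP ports in LISTEN state from `ss -tln` output, one per line,
# numerically sorted and de-duplicated. Handles both 0.0.0.0:PORT and [::]:PORT.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { p = $4; sub(/.*:/, "", p); print p }' | sort -un
}

# missing_listeners SS_OUTPUT PORT...
# Print each PORT that is not bound, so the matching service can be inspected
# (1514/1515 -> wazuh-manager, 443 -> wazuh-dashboard, 55000 -> Wazuh API).
missing_listeners() {
    have=$(listening_ports "$1"); shift
    for port in "$@"; do
        printf '%s\n' "$have" | grep -qx "$port" || echo "$port"
    done
}

# Constructed sample of `ss -tln` output on a server where the API has not
# come up yet (55000 absent). 9200 is the indexer's REST port, bound locally.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:1514        0.0.0.0:*
LISTEN 0      4096   0.0.0.0:1515        0.0.0.0:*
LISTEN 0      511    [::]:443            [::]:*
LISTEN 0      4096   127.0.0.1:9200      0.0.0.0:*'

# On the real server: missing_listeners "$(ss -tln)" 1514 1515 443 55000
missing=$(missing_listeners "$SAMPLE_SS" 1514 1515 443 55000)
if [ -n "$missing" ]; then
    echo "Not listening: $missing"
else
    echo "All Wazuh ports are bound."
fi
```

A port that is open in UFW but not bound here points at the service, not the firewall, so the next step is `journalctl -u` for the matching unit.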

Access Dashboard

https://<YOUR_IP>

Login using generated credentials.

[Screenshot: Wazuh dashboard]

Phase 4 - Deploy Wazuh Agent

Generate Agent Command

Navigate in dashboard:

1. Agents Management → Deploy New Agent

2. Select the operating system and package. To check the specs of a Linux endpoint:
   - Distribution and package type: cat /etc/os-release
   - Architecture: uname -m

3. Enter the agent name (example: victim-endpoint)

4. Copy the generated command

5. Paste and run the command on Kali Linux (the victim system) to install the agent.

[Screenshot: Agent deployment page]

[Screenshot: Running the generated command on Kali Linux]

Start Agent

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Verify Agent

sudo systemctl status wazuh-agent
[Screenshot: wazuh-agent service status]

Confirm agent appears in dashboard.

[Screenshot: Agent listed in the dashboard]
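The dashboard check above can also be done from the shell: on the manager, `sudo /var/ossec/bin/agent_control -l` lists every enrolled agent with its state, and on the endpoint `/var/ossec/logs/ossec.log` records the moment the agent connects. The script below is an added example (not the repository's code); the function names, the constructed agent list and the two constructed log lines are my own, and the parser assumes agent_control's `ID: …, Name: …, IP: …, STATE` line layout.

```shell
#!/bin/sh
# Added example: verify agent enrollment from the manager side.
# Not part of the Wazuh-SIEM-Lab repository; function names and sample data are mine.

# agent_state AGENT_LIST NAME
# Given `agent_control -l` output, print the state of agent NAME
# (Active, Disconnected, Never connected, ...) or "not-enrolled".
agent_state() {
    list="$1"; want="$2"
    state=$(printf '%s\n' "$list" | awk -F', ' -v want="$want" '
        /^[[:space:]]*ID:/ {
            n = $2; sub(/^Name: /, "", n)
            if (n == want) { print $4; exit }
        }')
    if [ -n "$state" ]; then echo "$state"; else echo "not-enrolled"; fi
}

# inactive_agents AGENT_LIST
# Print the names of enrolled agents that are not Active, skipping the
# manager's own entry (ID 000). These are the ones to troubleshoot.
inactive_agents() {
    printf '%s\n' "$1" | awk -F', ' '
        /^[[:space:]]*ID:/ && $1 !~ /ID: 000$/ && $4 !~ /^Active/ {
            n = $2; sub(/^Name: /, "", n); print n
        }'
}

# agent_log_connected OSSEC_LOG_TEXT
# Exit 0 if the agent-side log shows a successful connection to the manager.
agent_log_connected() {
    printf '%s\n' "$1" | grep -q 'Connected to the server'
}

# Constructed sample of `sudo /var/ossec/bin/agent_control -l` output.
SAMPLE_AGENTS='Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-siem (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: victim-endpoint, IP: any, Active
   ID: 002, Name: web-01, IP: any, Disconnected
   ID: 003, Name: lab-02, IP: any, Never connected'

# Constructed sample of two lines from the endpoint's /var/ossec/logs/ossec.log
# (192.0.2.10 is a documentation address standing in for the manager IP).
SAMPLE_OSSEC_LOG='2025/01/01 10:00:00 wazuh-agentd: INFO: Trying to connect to server ([192.0.2.10]:1514/tcp).
2025/01/01 10:00:02 wazuh-agentd: INFO: (4102): Connected to the server ([192.0.2.10]:1514/tcp).'

# On the manager: agent_state "$(sudo /var/ossec/bin/agent_control -l)" victim-endpoint
echo "victim-endpoint: $(agent_state "$SAMPLE_AGENTS" victim-endpoint)"
echo "needs attention: $(inactive_agents "$SAMPLE_AGENTS" | tr '\n' ' ')"
agent_log_connected "$SAMPLE_OSSEC_LOG" && echo "endpoint log: connected"
```

An agent that shows "Never connected" enrolled (port 1515) but never delivered events (port 1514), which narrows troubleshooting to the 1514 path.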

Follow the links below for detection results and troubleshooting:

Troubleshooting notes:
https://github.com/siddhesh-001/Wazuh-SIEM-Lab/blob/main/Project%20Notes%20(troubleshooting_steps_ssh_alerts_hidden)

Test results (SSH brute force):
https://github.com/siddhesh-001/Wazuh-SIEM-Lab/blob/main/Test_Results_WAZUH/ssh-brute-force.md

Wazuh Alert Levels

Wazuh rates every alert from level 0 to level 15.

Open the dashboard, go to Security Events, and click on any alert to expand it and see its level.

| Level Range | Severity | Example Event |
|---|---|---|
| 0–3 | Informational | System startup, successful login |
| 4–7 | Low | Single failed login attempt |
| 8–11 | Medium | Multiple failed login attempts |
| 12–14 | High | Brute-force attack detected |
| 15 | Critical | Rootkit or system takeover |
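To turn that table into a triage step, the script below (an added example, not part of this repository) reads alert lines in the format of `/var/ossec/logs/alerts/alerts.json`, extracts `rule.level`, maps it to the band above and lists everything at or above a chosen level, highest first. The function names and the three sample alert lines are my own constructed input; the sample reuses the descriptions of Wazuh's stock SSH rules.

```shell
#!/bin/sh
# Added example: triage alerts.json lines by the level bands in the table above.
# Not part of the Wazuh-SIEM-Lab repository; function names and samples are mine.

# severity_band LEVEL
# Map a rule level (0-15) to the band used in the table.
severity_band() {
    lvl="$1"
    if   [ "$lvl" -le 3 ];  then echo Informational
    elif [ "$lvl" -le 7 ];  then echo Low
    elif [ "$lvl" -le 11 ]; then echo Medium
    elif [ "$lvl" -le 14 ]; then echo High
    else                         echo Critical
    fi
}

# alert_levels < alerts.json
# Print "LEVEL<TAB>DESCRIPTION" for each JSON alert line. The first "level"
# and "description" keys on the line are taken; in alerts.json the rule
# object follows the timestamp, so those are rule.level and rule.description.
alert_levels() {
    awk '
        match($0, /"level":[0-9]+/) {
            lvl = substr($0, RSTART + 8, RLENGTH - 8)
            desc = "(no description)"
            if (match($0, /"description":"[^"]*"/))
                desc = substr($0, RSTART + 15, RLENGTH - 16)
            printf "%s\t%s\n", lvl, desc
        }'
}

# triage_alerts MIN_LEVEL < alerts.json
# Print "BAND<TAB>LEVEL<TAB>DESCRIPTION" for alerts at or above MIN_LEVEL,
# highest level first, so investigation starts with the worst event.
triage_alerts() {
    min="$1"
    tab="$(printf '\t')"
    alert_levels | sort -rn | while IFS="$tab" read -r lvl desc; do
        [ "$lvl" -ge "$min" ] || continue
        printf '%s\t%s\t%s\n' "$(severity_band "$lvl")" "$lvl" "$desc"
    done
}

# Constructed sample: three alerts in alerts.json style for one SSH episode.
SAMPLE_ALERTS='{"timestamp":"2025-01-01T10:00:00.000+0000","rule":{"level":3,"description":"sshd: authentication success.","id":"5715"},"agent":{"id":"001","name":"victim-endpoint"}}
{"timestamp":"2025-01-01T10:00:05.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716"},"agent":{"id":"001","name":"victim-endpoint"}}
{"timestamp":"2025-01-01T10:00:20.000+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system.","id":"5712"},"agent":{"id":"001","name":"victim-endpoint"}}'

# On the manager: sudo tail -n 500 /var/ossec/logs/alerts/alerts.json | triage_alerts 5
printf '%s\n' "$SAMPLE_ALERTS" | triage_alerts 5
```

With a threshold of 5 the successful login drops out and the brute-force alert (level 10, Medium) is listed before the single failure (level 5, Low), which matches the order an analyst would work the Security Events view.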

Key Learning Outcomes

This project demonstrates:

  • SIEM deployment and configuration
  • Log collection and analysis pipeline
  • Endpoint monitoring using agents
  • Security event detection workflow
  • SOC-style investigation process

About

Wazuh is a free, open-source security platform that unifies SIEM and XDR. It is designed to protect endpoints, such as servers, virtual machines, and cloud workloads, by monitoring them for threats.
