Setting Up Your Free Wazuh SIEM from Scratch
This guide is for home lab enthusiasts, aspiring SOC analysts, or cybersecurity students looking for hands-on learning with a real SIEM tool. We'll take a major step forward from a single cybersecurity VM to running a full SIEM (Security Information and Event Management) environment for free using Wazuh. A SIEM is the cornerstone of any Security Operations Center (SOC): it collects and analyzes security data from across your network to detect threats, investigate incidents, and maintain compliance.
Environment Layout
Step 1: Prepare Your Server
Start with a fresh Ubuntu VM in VMware Workstation Pro. Your VM should have a minimum of 4 vCPUs, 8 GB RAM, and 50 GB storage to support up to 25 agents with a 90-day log retention period.
Step 2: Install the Wazuh Server
Use the official one-liner installation script to deploy the Wazuh SIEM server, web interface, and a default agent.
curl -sO https://packages.wazuh.com/4.13/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
The installation takes approximately 5 minutes. Once it's complete, get your server IP and log in to the dashboard at https://<server-ip> using the provided admin credentials.
Deploying Agents
Step 3: Deploy a Linux Agent
Spin up another Ubuntu VM to act as your agent. From the Wazuh dashboard, copy the agent one-liner and run it on the agent VM. This will connect the agent to your server. Start the agent service and verify its status in the Wazuh dashboard.
Step 4: Explore Linux Agent Data
Once the agent is reporting, you can check for vulnerability detection, explore compliance reports, and monitor MITRE ATT&CK events such as logins, sudo escalation, and commands executed.
To generate test events, run commands like:
whoami
sudo ls /root
These actions will appear as events in your dashboard.
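To see what those test events look like underneath the dashboard, here is an added example (not code from the original guide or from the Wazuh project) that reads the manager's newline-delimited alerts file, groups alerts per agent with their MITRE ATT&CK technique ids, and locates the alert raised by a given command such as `sudo ls /root`. The default path `/var/ossec/logs/alerts/alerts.json` is the stock Wazuh location; the sample records embedded in the script are constructed, following the alerts.json field layout (`rule.level`, `rule.description`, `rule.mitre`, `agent.name`, `full_log`) with made-up values, so the script runs offline when no manager is present.

```python
"""Summarize Wazuh alerts for the Step 4 test events without the dashboard.

Added example; not part of the original guide or of Wazuh itself. Reads the
manager's alerts.json (one JSON object per line), groups alerts per agent with
their MITRE technique ids, and finds the alert raised by a given command.
"""
import json
import os
import sys
from collections import Counter
from typing import Dict, Iterable, List, Tuple

DEFAULT_PATH = "/var/ossec/logs/alerts/alerts.json"  # stock Wazuh manager location

# Constructed sample records (NOT captured from a live manager). Field names
# follow the alerts.json schema; rule ids, hosts and times are invented.
_RECORDS = [
    {"timestamp": "2024-01-15T10:00:01.000+0000", "agent": {"id": "001", "name": "ubuntu-agent"},
     "rule": {"id": "5402", "level": 3, "description": "Successful sudo to ROOT executed.",
              "mitre": {"id": ["T1548.003"], "technique": ["Sudo and Sudo Caching"]}},
     "full_log": "sudo: labuser : TTY=pts/0 ; PWD=/home/labuser ; USER=root ; COMMAND=/usr/bin/ls /root"},
    {"timestamp": "2024-01-15T10:00:07.000+0000", "agent": {"id": "001", "name": "ubuntu-agent"},
     "rule": {"id": "5715", "level": 3, "description": "sshd: authentication success.",
              "mitre": {"id": ["T1078", "T1021.004"], "technique": ["Valid Accounts", "SSH"]}},
     "full_log": "sshd[2201]: Accepted publickey for labuser from 192.0.2.50 port 50122 ssh2"},
    {"timestamp": "2024-01-15T10:01:30.000+0000", "agent": {"id": "001", "name": "ubuntu-agent"},
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed.",
              "mitre": {"id": ["T1565.001"], "technique": ["Stored Data Manipulation"]}},
     "full_log": "File '/etc/hosts' modified"},
    {"timestamp": "2024-01-15T10:02:00.000+0000", "agent": {"id": "002", "name": "win11-agent"},
     "rule": {"id": "60106", "level": 3, "description": "Windows Logon Success.",
              "mitre": {"id": ["T1078"], "technique": ["Valid Accounts"]}},
     "full_log": "Microsoft-Windows-Security-Auditing: 4624 An account was successfully logged on."},
    {"timestamp": "2024-01-15T10:02:05.000+0000", "agent": {"id": "002", "name": "win11-agent"},
     "rule": {"id": "60000", "level": 2, "description": "Windows informational event."},  # no mitre block
     "full_log": "Microsoft-Windows-Security-Auditing: 4672 Special privileges assigned to new logon."},
]
# Mirror the on-disk format and append one half-written line, which is what
# you get when reading while the manager is still flushing the file.
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in _RECORDS) + '\n{"timestamp": "2024-01-15T10:02'


def load_alerts(lines: Iterable[str]) -> Tuple[List[dict], int]:
    """Parse NDJSON alert lines; return (alerts, count of malformed lines skipped)."""
    alerts, skipped = [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            alerts.append(json.loads(raw))
        except json.JSONDecodeError:
            skipped += 1
    return alerts, skipped


def summarize_by_agent(alerts: List[dict], min_level: int = 0) -> Dict[str, dict]:
    """Per agent: alert count, highest rule level, and MITRE technique id counts."""
    summary: Dict[str, dict] = {}
    for a in alerts:
        rule = a.get("rule", {})
        level = rule.get("level", 0)
        if level < min_level:
            continue
        name = a.get("agent", {}).get("name", "unknown")
        entry = summary.setdefault(name, {"alerts": 0, "max_level": 0, "techniques": Counter()})
        entry["alerts"] += 1
        entry["max_level"] = max(entry["max_level"], level)
        for tid in rule.get("mitre", {}).get("id", []):  # absent on rules without a mapping
            entry["techniques"][tid] += 1
    return summary


def find_alerts_for_command(alerts: List[dict], command_fragment: str) -> List[dict]:
    """Alerts whose raw log line contains the command you typed (e.g. 'ls /root')."""
    return [a for a in alerts if command_fragment in a.get("full_log", "")]


def main(argv: List[str]) -> int:
    path = argv[1] if len(argv) > 1 else DEFAULT_PATH
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            alerts, skipped = load_alerts(fh)
    else:  # no manager on this host: run on the constructed sample instead
        print(f"{path} not found; using constructed sample data")
        alerts, skipped = load_alerts(SAMPLE_NDJSON.splitlines())
    for agent, s in sorted(summarize_by_agent(alerts).items()):
        techs = ", ".join(f"{t}x{n}" for t, n in sorted(s["techniques"].items())) or "-"
        print(f"{agent:14} alerts={s['alerts']:3} max_level={s['max_level']:2} techniques={techs}")
    for a in find_alerts_for_command(alerts, "ls /root"):
        print(f"test command seen: rule {a['rule']['id']} ({a['rule']['description']}) on {a['agent']['name']}")
    if skipped:
        print(f"skipped {skipped} malformed line(s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the manager as root (the alerts file is not world-readable) right after typing the Step 4 commands on the agent; `summarize_by_agent(alerts, min_level=5)` is a quick way to hide the low-level noise and keep only alerts the dashboard would flag.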
Step 5: Deploy a Windows Agent
Spin up a Windows 10 or 11 VM and use the one-liner from the Wazuh dashboard to deploy the agent. Once the agent is installed, start the service and verify its connection. The Windows agent will provide vulnerability detection, CIS benchmarking, file integrity monitoring, and MITRE ATT&CK events.
Common Pitfalls and Best Practices
- Misconfigured Agents: Agents may not report correctly if installed or configured incorrectly. Always double-check the installation commands and dashboard status.
- VM Resource Limits: Underpowered VMs may affect SIEM performance and log retention. Ensure your server VM meets the minimum specifications.
- Active Response: Wazuh’s Active Response module allows you to automate defensive actions like blocking IPs or removing malware. This is a great next step after getting your agents reporting.
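When an agent shows up as disconnected (the first pitfall above), the agent's own log tells you why before you touch the dashboard. The following is an added example, not code from the original guide or from the Wazuh project: it walks the agent-side `/var/ossec/logs/ossec.log` (the stock path), follows the `wazuh-agentd` connection messages and reports the final link state with the first thing to check. The sample log lines are constructed; their wording approximates what `wazuh-agentd` writes, and the matching keys only on the phrases used here, so adjust them if your version logs differently.

```python
"""Diagnose a Wazuh agent that is not reporting, from its own ossec.log.

Added example; not part of the original guide or of Wazuh itself. Follows
wazuh-agentd's connection messages and reports the current link state.
"""
import os
import re
import sys
from dataclasses import dataclass, field
from typing import Iterable, List

DEFAULT_LOG = "/var/ossec/logs/ossec.log"  # stock agent-side log path

# ossec.log line layout: "YYYY/MM/DD HH:MM:SS <daemon>: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<daemon>[\w-]+): (?P<level>[A-Z]+): (?P<msg>.*)$")
# "Connected to the server ([<host>]:<port>/<proto>)" -- the message that means enrollment worked
CONNECTED_RE = re.compile(r"Connected to the server \(\[(?P<host>[^\]]+)\]:(?P<port>\d+)/(?P<proto>\w+)\)")

# Constructed samples (not captured from a real host); wording is approximate.
SAMPLE_OK = [
    "2024/01/15 09:58:40 wazuh-agentd: INFO: Started (pid: 1201).",
    "2024/01/15 09:58:41 wazuh-agentd: INFO: Connected to the server ([192.0.2.5]:1514/tcp).",
    "2024/01/15 09:58:42 wazuh-syscheckd: INFO: (6000): Starting real-time file integrity monitoring.",
]
SAMPLE_DOWN = [
    "2024/01/15 10:10:00 wazuh-agentd: INFO: Started (pid: 1320).",
    "2024/01/15 10:10:10 wazuh-agentd: WARNING: Unable to connect to '192.0.2.99': 'Connection refused'.",
    "2024/01/15 10:10:20 wazuh-agentd: WARNING: Unable to connect to any server.",
]
SAMPLE_NOKEY = [
    "2024/01/15 10:20:00 wazuh-agentd: ERROR: No client.keys file found; the agent has not been enrolled.",
]


@dataclass
class LinkState:
    connected: bool = False
    server: str = ""
    last_event: str = ""
    failures: int = 0
    errors: List[str] = field(default_factory=list)


def assess(lines: Iterable[str]) -> LinkState:
    """Replay wazuh-agentd messages in order; the last connect/disconnect wins."""
    st = LinkState()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["daemon"] != "wazuh-agentd":
            continue  # syscheck/logcollector lines say nothing about the manager link
        msg = m["msg"]
        hit = CONNECTED_RE.search(msg)
        if hit:
            st.connected, st.last_event = True, m["ts"]
            st.server = f"{hit['host']}:{hit['port']}/{hit['proto']}"
        elif "Unable to connect" in msg or "Lost connection" in msg or "Waiting for server reply" in msg:
            st.connected, st.last_event = False, m["ts"]
            st.failures += 1
        elif m["level"] in ("ERROR", "CRITICAL"):
            st.errors.append(msg)
    return st


def diagnose(st: LinkState) -> str:
    """Map the final state to the first thing worth checking."""
    if st.connected:
        return f"OK: connected to {st.server} since {st.last_event}"
    if any("client.keys" in e or "invalid key" in e.lower() for e in st.errors):
        return "Not enrolled: no valid agent key; re-run the enrollment one-liner from the dashboard"
    if st.failures:
        return "Cannot reach manager: check the manager address in ossec.conf and that TCP/1514 is allowed"
    return "No connection attempts logged: is the wazuh-agent service running?"


def main(argv: List[str]) -> int:
    path = argv[1] if len(argv) > 1 else DEFAULT_LOG
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(diagnose(assess(fh)))
    else:  # not on an agent host: show the three constructed cases
        print(f"{path} not found; using constructed samples")
        for name, sample in (("ok", SAMPLE_OK), ("down", SAMPLE_DOWN), ("nokey", SAMPLE_NOKEY)):
            print(f"{name:6} {diagnose(assess(sample))}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The order of checks in `diagnose` matters: a missing key means the agent never tries to connect, so that case is tested before the generic "cannot reach manager" hint, and a log that ends with a successful connect is reported as healthy even if earlier attempts failed.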
Key Takeaways
You now have a fully functional home SIEM lab using Wazuh, complete with Linux and Windows agents, file integrity monitoring, and vulnerability detection. This setup provides a strong foundation for learning SOC operations, threat hunting, and cybersecurity automation.
Additional Resources
Want to learn more? Experiment, explore the interface, and expand your lab to simulate real-world environments to solidify your knowledge.