Reading time: ~14 minutes
Audience: Homelabbers wanting enterprise-grade security monitoring


What Is Wazuh?

Overview

Wazuh is a free, open-source security platform that unifies SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) capabilities. It protects endpoints, cloud workloads, and containers by collecting security events, analyzing them for threats, and alerting you to suspicious activity.

Key Benefits

  • Log analysis: collect and parse logs from Linux, Windows, macOS, and containers
  • Intrusion detection: file integrity monitoring (FIM) and rootkit detection
  • Vulnerability detection: CVE scanning for installed packages
  • Configuration assessment: CIS benchmark compliance checks
  • Malware detection: YARA integration and threat intelligence feeds
  • Cloud security: monitor AWS, Azure, and GCP environments
  • Container security: Docker and Kubernetes monitoring
  • Alerting: email, Slack, webhook, and syslog notifications
  • Dashboard: built-in OpenSearch Dashboards for visualization

Prerequisites

Hardware Requirements

  • Host with 4GB RAM minimum (8GB recommended for small homelabs)
  • 50GB storage for Wazuh Indexer (grows with log volume)
  • 2 CPU cores minimum

Software Requirements

  • Docker Engine 24.x+ and Docker Compose v2+
  • Linux host (Debian 12, Ubuntu 22.04/24.04, or Proxmox LXC)
  • vm.max_map_count ≥ 262144 (required for Wazuh Indexer)

Knowledge Prerequisites

  • Docker Compose basics
  • Linux command line
  • Basic networking and security concepts

Step 1: Prepare the Host

Objective

Set required kernel parameters and create the Wazuh project directory.

Step-by-Step Instructions

  1. Increase vm.max_map_count (required for OpenSearch):
# Temporary (until reboot)
sysctl -w vm.max_map_count=262144

# Permanent
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -p
  2. Verify:
sysctl vm.max_map_count
# Output: vm.max_map_count = 262144
  3. Create the project directory:
mkdir -p ~/docker/wazuh && cd ~/docker/wazuh
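The steps above work, but `echo ... >> /etc/sysctl.conf` appends a fresh line every time it is run. The following script is an added example (not part of the original guide): it checks the live value first, adds or corrects the persistent line only when needed, and can be re-run safely. The 262144 threshold and the /etc/sysctl.conf path are the ones the guide uses; the `apply` argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: idempotent host preparation
# for the Wazuh Indexer. Checks the current vm.max_map_count, persists the
# required value exactly once, and reloads sysctl.

REQUIRED_MAP_COUNT=262144

# Return 0 if the given vm.max_map_count value meets the requirement, 1 otherwise.
check_max_map_count() {
    [ "$1" -ge "$REQUIRED_MAP_COUNT" ]
}

# Ensure "$2=$3" is present in sysctl config file $1 exactly once.
# Prints what it did: added, updated or unchanged.
ensure_sysctl_line() {
    file="$1"; key="$2"; value="$3"
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    if grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$file" 2>/dev/null; then
        echo unchanged
    elif grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=" "$file" 2>/dev/null; then
        # key present with another value: rewrite that line instead of appending a duplicate
        sed -i -E "s|^[[:space:]]*${key_re}[[:space:]]*=.*|${key}=${value}|" "$file"
        echo updated
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
        echo added
    fi
}

# Apply on the Docker host (run as root): set the live value, persist it, reload.
prepare_host() {
    current=$(sysctl -n vm.max_map_count)
    if check_max_map_count "$current"; then
        echo "vm.max_map_count=$current is already sufficient"
    else
        sysctl -w vm.max_map_count="$REQUIRED_MAP_COUNT"
    fi
    ensure_sysctl_line /etc/sysctl.conf vm.max_map_count "$REQUIRED_MAP_COUNT"
    sysctl -p
    mkdir -p ~/docker/wazuh
}

# Only act when invoked explicitly: sh prepare-host.sh apply
if [ "${1:-}" = "apply" ]; then
    prepare_host
fi
```

Run it as root with `sh prepare-host.sh apply`; a second run reports `unchanged` instead of adding another line to /etc/sysctl.conf.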

Step 2: Deploy Wazuh with Docker Compose

Objective

Run the full Wazuh stack: Manager, Indexer, Dashboard, and Agent enrollment.

Step-by-Step Instructions

  1. Create docker-compose.yml:
services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.9.0
    container_name: wazuh-manager
    hostname: wazuh.manager
    restart: unless-stopped
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    volumes:
      - wazuh-api-data:/var/ossec/api/configuration
      - wazuh-var:/var/ossec/var
      - wazuh-etc:/var/ossec/etc
      - wazuh-logs:/var/ossec/logs
      - wazuh-queue:/var/ossec/queue
    networks:
      - wazuh

  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.9.0
    container_name: wazuh-indexer
    hostname: wazuh.indexer
    restart: unless-stopped
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
    networks:
      - wazuh

  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.9.0
    container_name: wazuh-dashboard
    hostname: wazuh.dashboard
    restart: unless-stopped
    ports:
      - "5601:5601"
    environment:
      - WAZUH_INDEXER_URL=https://wazuh.indexer:9200
      - WAZUH_API_URL=https://wazuh.manager:55000
    volumes:
      - wazuh-dashboard-data:/data
    depends_on:
      - wazuh.indexer
    networks:
      - wazuh

volumes:
  wazuh-api-data:
  wazuh-var:
  wazuh-etc:
  wazuh-logs:
  wazuh-queue:
  wazuh-indexer-data:
  wazuh-dashboard-data:

networks:
  wazuh:
    driver: bridge
  2. Deploy:
docker compose up -d
  3. Wait 2–3 minutes for services to initialize.
  4. Check that the manager and its API (port 55000) are running. Agent enrollment on port 1515 needs no extra credentials with the default configuration:
docker exec wazuh-manager /var/ossec/bin/wazuh-control status
# Default dashboard login: admin / admin
# Change password after first login
  5. Access Wazuh Dashboard:
     • URL: https://your-server-ip:5601
     • Default credentials: admin / admin
     • Change the password immediately after first login
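The compose file above publishes every port on all host interfaces. Agents need 1514/1515 (and 514/udp for syslog) from the LAN and you browse to 5601, but the Indexer REST port (9200) and the Manager API (55000) are only used by the dashboard container over the `wazuh` bridge network, so they can be bound to 127.0.0.1 instead. The following audit script is an added example (not part of the original guide or of the Wazuh project); the sample compose excerpt it embeds is constructed to match the guide's port layout, and the INTERNAL_ONLY list and function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit which host ports a compose
# file publishes on every interface, and rewrite the internal-only ones so they
# bind to loopback ("127.0.0.1:9200:9200").

# Ports that should never be reachable from the LAN (space-separated, overridable).
INTERNAL_ONLY="${INTERNAL_ONLY:-9200 55000}"

# Write a constructed compose excerpt (same port layout as the guide) to $1.
write_sample_compose() {
    cat > "$1" <<'EOF'
services:
  wazuh.manager:
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
  wazuh.indexer:
    ports:
      - "9200:9200"
  wazuh.dashboard:
    ports:
      - "5601:5601"
EOF
}

# Print "host_port scope" per published port; scope is "all" (every interface)
# or "local" (explicit bind address other than 0.0.0.0).
# Understands "8080:80", "127.0.0.1:8080:80" and "514:514/udp".
list_published_ports() {
    grep -E '^[[:space:]]*-[[:space:]]*"?[0-9.]+(:[0-9]+)+(/(tcp|udp))?"?[[:space:]]*$' "$1" \
    | tr -d '" \t' | sed 's/^-//; s#/.*##' \
    | awk -F: '{
        host  = (NF == 3) ? $2 : $1
        scope = (NF == 3 && $1 != "0.0.0.0") ? "local" : "all"
        print host, scope
      }'
}

# Return 1 and name the offenders if an INTERNAL_ONLY port is published on all interfaces.
audit_compose_ports() {
    offenders=$(list_published_ports "$1" | awk -v internal="$INTERNAL_ONLY" '
        BEGIN { n = split(internal, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $2 == "all" && ($1 in want) { print $1 }')
    if [ -n "$offenders" ]; then
        for p in $offenders; do
            echo "port $p is published on all interfaces; bind it to 127.0.0.1 or drop the mapping" >&2
        done
        return 1
    fi
    return 0
}

# Rewrite LAN-exposed INTERNAL_ONLY mappings in $1 so they bind to loopback.
harden_compose_ports() {
    for p in $INTERNAL_ONLY; do
        sed -i -E "s|^([[:space:]]*-[[:space:]]*\"?)${p}:|\1127.0.0.1:${p}:|" "$1"
    done
}

demo() {
    f=$(mktemp)
    write_sample_compose "$f"
    echo "--- before hardening"; audit_compose_ports "$f" || true
    harden_compose_ports "$f"
    echo "--- after hardening"; audit_compose_ports "$f" && echo "ok: no internal-only port on the LAN"
    rm -f "$f"
}

case "${1:-}" in
    demo) demo ;;                          # run against the constructed sample
    "")   ;;                               # no argument: only define the functions
    *)    audit_compose_ports "$1" ;;      # audit a real docker-compose.yml
esac
```

`sh audit-ports.sh docker-compose.yml` returns non-zero when 9200 or 55000 is exposed on the LAN; `harden_compose_ports` applies the loopback binding in place, after which `docker compose up -d` picks up the change.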

Step 3: Install Wazuh Agent on Endpoints

Objective

Collect security events from your homelab servers, VMs, and containers.

Step-by-Step Instructions

Linux Agent Installation:

# Add the Wazuh apt repository (signing key and source list)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt update

# Install the agent. WAZUH_MANAGER writes the manager address into ossec.conf during installation.
# Use the LAN IP of the Docker host: the container name wazuh.manager only resolves inside the compose network.
WAZUH_MANAGER="YOUR_MANAGER_IP" apt install -y wazuh-agent

# If you skipped WAZUH_MANAGER, set the address by hand. The agent config lives in
# /var/ossec/etc (not /etc/ossec) and ships with the lowercase placeholder <address>MANAGER_IP</address>.
sed -i 's#<address>MANAGER_IP</address>#<address>YOUR_MANAGER_IP</address>#' /var/ossec/etc/ossec.conf

# Register the agent with the manager (enrollment port 1515)
/var/ossec/bin/agent-auth -m YOUR_MANAGER_IP -p 1515

# Start the agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
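To avoid hand-editing XML on every endpoint, the following script is an added example (not the Wazuh project's own installer): it validates the manager address you pass, rewrites whatever `<address>` sits inside `<server>` in ossec.conf (so it also fixes an earlier typo), then enrolls over port 1515 and starts the service. The /var/ossec/etc/ossec.conf path and the agent-auth command are the ones the guide uses; the `--enrol` argument, the function names and the embedded sample config (a constructed excerpt of a fresh agent ossec.conf) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: point a Linux agent at the
# manager safely and enrol it. YOUR_MANAGER_IP must be the LAN IP of the Docker
# host, because the container name wazuh.manager does not resolve outside the
# compose network.

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# Write a constructed excerpt of a fresh agent ossec.conf to $1 (for offline testing).
write_sample_agent_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
}

# Return 0 for a dotted-quad IPv4 address with every octet in 0..255, 1 otherwise.
validate_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Replace the manager <address> inside <server> in config file $1 with $2.
set_manager_address() {
    conf="$1"; manager="$2"
    validate_ipv4 "$manager" || { echo "not an IPv4 address: $manager" >&2; return 1; }
    # only touch the <server> block, so other <address> elements are left alone
    sed -i -E "/<server>/,/<\/server>/ s|<address>[^<]*</address>|<address>${manager}</address>|" "$conf"
    grep -q "<address>${manager}</address>" "$conf"
}

# Full enrolment on a Debian/Ubuntu endpoint (run as root after `apt install wazuh-agent`).
enrol_agent() {
    set_manager_address "$OSSEC_CONF" "$1" || return 1
    /var/ossec/bin/agent-auth -m "$1" -p 1515 || return 1
    systemctl daemon-reload
    systemctl enable --now wazuh-agent
}

# Usage: sh enrol-agent.sh --enrol YOUR_MANAGER_IP
if [ "${1:-}" = "--enrol" ] && [ -n "${2:-}" ]; then
    enrol_agent "$2"
fi
```

A hostname such as `wazuh.manager` is rejected before anything is written, which is the failure the troubleshooting section below describes as "agent not appearing".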

Windows Agent Installation:

  1. Download the MSI from https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi
  2. Install with (use the LAN IP of the Docker host; the container name wazuh.manager only resolves inside the compose network): msiexec /i wazuh-agent-4.9.0-1.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"
  3. Start the service: NET START WazuhSvc

Docker Agent (Container Monitoring):

# Compose names the network <project>_<network>; with the project directory ~/docker/wazuh
# the bridge defined above is wazuh_wazuh. Mounting the Docker socket gives this container
# control of the Docker daemon (root-equivalent on the host), so treat it like the manager.
docker run -d --name wazuh-agent \
  --network wazuh_wazuh \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /:/host:ro \
  wazuh/wazuh-agent:4.9.0

Step 4: Enable Key Security Features

Objective

Configure FIM, vulnerability detection, and CIS benchmarks.

Step-by-Step Instructions

  1. File Integrity Monitoring (FIM):
     • Go to Management → Configuration (edit agent or manager)
     • Under syscheck, add directories to monitor:
<syscheck>
  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin,/boot</directories>
  <directories check_all="yes">/home,/root</directories>
</syscheck>
  2. Vulnerability Detection:
     • In Wazuh Manager configuration, enable:
<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
  3. Configuration Assessment (CIS Benchmarks):
     • Enabled by default. View results in Security Events → Configuration Assessment
     • Check compliance scores for Ubuntu, Debian, CentOS, or Windows

Pro Tips

Tip 1: Use a Reverse Proxy for HTTPS

Expose Wazuh Dashboard through NGINX Proxy Manager with a valid SSL certificate. The dashboard itself listens with TLS (a self-signed certificate) on 5601, so the proxy's upstream scheme must be https:

https://wazuh.yourdomain.com → https://wazuh-dashboard:5601

Tip 2: Backup Wazuh Data

Back up the named volumes regularly:

cd ~/docker/wazuh
docker compose stop
# Compose prefixes volume names with the project name (the directory name, "wazuh" here),
# so the named volumes live under /var/lib/docker/volumes/wazuh_wazuh-* (run as root)
tar czvf wazuh-backup-$(date +%F).tar.gz /var/lib/docker/volumes/wazuh_wazuh-*
docker compose start

Tip 3: Reduce Resource Usage for Small Homelabs

If running on a mini PC with 8GB RAM, reduce Indexer memory:

environment:
  - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"

Tip 4: Integrate with TheHive or Shuffle

Send Wazuh alerts to TheHive (case management) or Shuffle (SOAR automation) for advanced incident response.


Troubleshooting Common Issues

Problem 1: “Indexer Fails to Start — vm.max_map_count”

Cause: Kernel parameter not set correctly.

Fix:

sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
# Restart the container
docker compose restart wazuh.indexer

Problem 2: “Agent Not Appearing in Dashboard”

Cause: Agent registration failed, or firewall blocking port 1514/1515.

Fix:

# Check agent registration on manager
docker exec wazuh-manager /var/ossec/bin/agent_control -l

# Check agent logs on the endpoint
tail -f /var/ossec/logs/ossec.log
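`agent_control -l` prints one line per agent, and in a homelab with a dozen agents it is easy to miss the one that enrolled but never connected. The following script is an added example (not from the original guide or the Wazuh project): it parses that output into a short list of agents whose status is not Active. The line format it assumes ("   ID: 001, Name: web01, IP: any, Active") is what the tool prints in 4.x; the embedded sample output is constructed, and the `live`/`demo` arguments and function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise `agent_control -l`
# so agents that are Disconnected or have Never connected stand out.

# Constructed sample of `agent_control -l` output (for offline use).
sample_agent_list() {
    cat <<'EOF'
Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: any, Active
   ID: 002, Name: db01, IP: 192.168.1.20, Disconnected
   ID: 003, Name: nas01, IP: 192.168.1.30, Never connected

List of agentless devices:
EOF
}

# Read agent_control output on stdin; print "id|name|status" per agent,
# skipping the manager's own 000 entry. "|" keeps names and statuses that
# contain spaces ("Never connected") intact.
parse_agent_list() {
    sed -n 's/^[[:space:]]*ID: \([0-9]*\), Name: \(.*\), IP: [^,]*, \(.*\)$/\1|\2|\3/p' \
    | grep -v '^000|'
}

# Print only agents whose status is not Active.
inactive_agents() {
    parse_agent_list | awk -F'|' '$3 != "Active"'
}

# Return 0 when every enrolled agent is Active, 1 otherwise (offenders go to stderr).
check_agents() {
    bad=$(inactive_agents)
    if [ -n "$bad" ]; then
        printf 'agents not reporting:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Live use on the Docker host:
#   docker exec wazuh-manager /var/ossec/bin/agent_control -l | sh check-agents.sh live
case "${1:-}" in
    live) check_agents ;;
    demo) sample_agent_list | check_agents ;;
esac
```

Because `check_agents` returns non-zero when anything is not Active, the `live` form drops straight into a cron job or a healthcheck; an agent listed as "Never connected" has enrolled over 1515 but cannot reach 1514, which narrows the firewall question above to that single port.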

Problem 3: “Dashboard Shows No Alerts”

Cause: Rules not loaded, or no agents reporting.

Fix:

  • Verify agents are active in Management → Agents
  • Check that the manager is receiving events: docker logs wazuh-manager
  • Restart the manager: docker compose restart wazuh-manager


Conclusion

Summary

Wazuh is the most powerful free security platform for homelabs. With Docker Compose, you can deploy a full SIEM/XDR stack in minutes. Monitor file integrity, detect vulnerabilities, assess CIS compliance, and respond to threats — all from a single dashboard.

Next Steps

  1. Install agents on all your homelab servers and VMs
  2. Configure Grafana for custom security dashboards
  3. Compare Wazuh with Splunk for enterprise context
