Wazuh provides enterprise-grade SIEM and XDR capabilities for your homelab — free, open-source, and fully self-hosted. This guide walks you through deploying Wazuh with Docker Compose, enrolling agents, and configuring security monitoring.
For the complete deployment guide with docker-compose.yml, agent setup, and troubleshooting, see our Wazuh Docker Compose Setup.
What You Get with Wazuh
- SIEM: Centralized log collection and analysis from all homelab endpoints
- XDR: Extended detection and response across servers, containers, and cloud
- FIM: Real-time file integrity monitoring for critical system files
- Vulnerability Scanning: Automated CVE detection for installed packages
- CIS Compliance: Configuration assessment against industry benchmarks
Requirements
- Linux host (Debian 12, Ubuntu 24.04, or Proxmox LXC)
- Docker Engine 24.x+ and Docker Compose v2+
- 4GB RAM minimum (8GB recommended)
- 50GB+ storage for security event logs
Quick Deployment
```sh
# Set kernel parameter for OpenSearch (run as root)
sysctl -w vm.max_map_count=262144
# Persist the setting across reboots
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
# Deploy Wazuh stack
mkdir -p ~/docker/wazuh && cd ~/docker/wazuh
# Add docker-compose.yml from the main guide
docker compose up -d
```
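A preflight check for the requirements and kernel setting above, written as an added example that is not part of the original guide. The function names are hypothetical, and the 10% allowance on the RAM threshold is an assumption, since MemTotal reports slightly less than installed memory.

```sh
#!/bin/sh
# Added example: preflight check against the requirements listed on this page.
# File arguments default to the live system; constructed files can be passed instead.
REQ_MAP_COUNT=262144                      # vm.max_map_count for OpenSearch
REQ_RAM_KB=$((4 * 1024 * 1024 * 9 / 10))  # 4GB minimum; 10% slack is an assumption
REQ_DISK_KB=$((50 * 1024 * 1024))         # 50GB for security event logs

# at_least ACTUAL REQUIRED: true only if ACTUAL is a plain integer >= REQUIRED
at_least() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ]
}

# mem_total_kb [FILE]: MemTotal (kB) from a /proc/meminfo-style file
mem_total_kb() { awk '$1 == "MemTotal:" { print $2; exit }' "${1:-/proc/meminfo}"; }

# persisted_map_count [FILE]: last uncommented vm.max_map_count in a sysctl.conf-style file
persisted_map_count() {
    awk -F= '/^[ \t]*[#;]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == "vm.max_map_count" { v = $2; gsub(/[ \t]/, "", v) }
        END { if (v != "") print v }' "${1:-/etc/sysctl.conf}"
}

# major_of VERSION: leading major number, e.g. "v2.24.5" -> 2
major_of() { printf '%s\n' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\).*/\1/p'; }

# check LABEL ACTUAL REQUIRED: print a result line, return non-zero on failure
check() {
    if at_least "$2" "$3"; then echo "ok    $1: $2 (need >= $3)"
    else echo "FAIL  $1: ${2:-unknown} (need >= $3)"; return 1; fi
}

# preflight [DATA_DIR]: run every check; the return status is the number of failures
preflight() {
    fails=0
    check "vm.max_map_count (running)" "$(cat /proc/sys/vm/max_map_count 2>/dev/null)" "$REQ_MAP_COUNT" || fails=$((fails + 1))
    check "vm.max_map_count (persisted)" "$(persisted_map_count 2>/dev/null)" "$REQ_MAP_COUNT" || fails=$((fails + 1))
    check "RAM kB" "$(mem_total_kb 2>/dev/null)" "$REQ_RAM_KB" || fails=$((fails + 1))
    check "free disk kB" "$(df -Pk "${1:-.}" 2>/dev/null | awk 'NR == 2 { print $4 }')" "$REQ_DISK_KB" || fails=$((fails + 1))
    check "Docker Engine major" "$(major_of "$(docker version --format '{{.Server.Version}}' 2>/dev/null)")" 24 || fails=$((fails + 1))
    check "Docker Compose major" "$(major_of "$(docker compose version --short 2>/dev/null)")" 2 || fails=$((fails + 1))
    return "$fails"
}
```

Source the file and run `preflight ~/docker/wazuh` before `docker compose up -d`. The persisted check reads only /etc/sysctl.conf, the file the commands above write to.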
Get Started
Follow the Wazuh Docker Compose Setup guide for the full deployment walkthrough, including agent installation for Linux, Windows, and Docker endpoints.