Reading time: ~16 minutes
Audience: Homelab and self-hosting enthusiasts
What Is Wazuh?
Overview
Wazuh is an open-source security platform that provides unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) capabilities. It combines host-based intrusion detection (HIDS), log analysis, file integrity monitoring (FIM), vulnerability detection, and configuration assessment into a single agent-server architecture. Originally forked from OSSEC in 2015, Wazuh has evolved into a comprehensive security monitoring platform with native integration with the Elastic Stack and OpenSearch.
A Brief History
Wazuh began as an OSSEC fork in 2015, driven by the need for a more modern architecture and broader platform support. The project introduced RESTful APIs, native cloud integration, and a web dashboard via Kibana/OpenSearch Dashboards. Wazuh 4.x brought significant improvements to the ruleset, decoders, and the Wazuh Indexer (a fork of OpenSearch). Today, Wazuh is used by enterprises, MSSPs, and security-conscious homelab operators who want professional-grade monitoring without licensing costs.
Why Use Wazuh in Your Homelab?
Host-Based Intrusion Detection
Wazuh agents monitor system calls, file changes, and network connections in real time. If an attacker modifies a critical file (e.g., /etc/passwd), installs a rootkit, or opens a suspicious network connection, Wazuh triggers an alert immediately. This is foundational security for any internet-facing homelab.
Vulnerability Detection
Wazuh continuously scans installed packages against the NVD (National Vulnerability Database) and vendor security feeds. It generates a dashboard of CVEs ranked by severity, with direct links to remediation guidance. For homelab operators who run dozens of containers and services, this is an automated security audit.
File Integrity Monitoring (FIM)
FIM monitors critical files and directories for unauthorized changes. You can monitor system binaries, configuration files, web roots, and Docker volumes. If a file is modified, added, or deleted, Wazuh logs the hash, user, and timestamp. This is essential for detecting supply-chain attacks and configuration drift.
Configuration Assessment (CIS Benchmarks)
Wazuh includes CIS (Center for Internet Security) benchmark policies for Ubuntu, Debian, Windows, and Docker. It scans your systems against hardening guidelines and reports compliance scores. For homelab operators learning security, this is a practical, hands-on education.
Installation
Prerequisites
- A Linux server with 4+ vCPUs, 8 GB RAM, and 100 GB SSD (Wazuh is resource-intensive)
- Docker and Docker Compose (simpler deployment)
- Or: Ubuntu 22.04/24.04 for bare-metal installation
- Sufficient network bandwidth for agent-server communication
Method 1: Docker Compose (Recommended for Homelab)
Wazuh provides official Docker images for the manager, indexer, and dashboard. The AIO (all-in-one) Compose file is the fastest path to a working SIEM.
```yaml
version: "3.8"
services:
  wazuh-manager:
    image: wazuh/wazuh-manager:4.9.0
    container_name: wazuh-manager
    restart: always
    hostname: wazuh-manager
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    volumes:
      - wazuh-api-data:/var/ossec/api/configuration
      - wazuh-manager-data:/var/ossec/var
      - wazuh-etc:/var/ossec/etc
      - wazuh-logs:/var/ossec/logs
      - wazuh-queue:/var/ossec/queue
      - wazuh-agentless:/var/ossec/agentless
      - wazuh-ruleset:/var/ossec/etc/rules
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=***
      - FILEBEAT_SSL_VERIFICATION_MODE=full
    networks:
      - wazuh

  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.9.0
    container_name: wazuh-indexer
    restart: always
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
    networks:
      - wazuh

  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.9.0
    container_name: wazuh-dashboard
    restart: always
    ports:
      - "5601:5601"
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=***
      - WAZUH_API_URL=https://wazuh-manager:55000
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=***
    depends_on:
      - wazuh-indexer
      - wazuh-manager
    networks:
      - wazuh

volumes:
  wazuh-api-data:
  wazuh-manager-data:
  wazuh-etc:
  wazuh-logs:
  wazuh-queue:
  wazuh-agentless:
  wazuh-ruleset:
  wazuh-indexer-data:

networks:
  wazuh:
    driver: bridge
```
Deploy:
```bash
docker compose up -d
```
Access the dashboard at http://your-server:5601. Default credentials are in the environment variables.
Method 2: Bare Metal / VM Installation
For maximum performance and agent capacity, install Wazuh natively on Ubuntu:
```bash
# Install Wazuh manager
curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh
sudo bash ./wazuh-install.sh -a -i
```
The -a flag installs the manager, indexer, and dashboard. The -i flag ignores hardware checks (useful for smaller homelab VMs). After installation, the script prints the dashboard URL and admin password.
Basic Setup and Configuration
Step 1: Deploy the First Agent
Install the Wazuh agent on a Linux server:
```bash
# Download and install the agent
curl -sO https://packages.wazuh.com/4.9/wazuh-agent.deb
sudo dpkg -i wazuh-agent.deb

# Configure the agent to point to the manager
sudo sed -i 's/MANAGER_IP/192.168.1.10/' /var/ossec/etc/ossec.conf

# Start the agent
sudo systemctl start wazuh-agent
sudo systemctl enable wazuh-agent
```
For Docker environments, use the Wazuh Docker agent:
```bash
docker run -d \
  --name wazuh-agent \
  --restart=always \
  --network host \
  -e WAZUH_MANAGER='192.168.1.10' \
  -v /var/run/docker.sock:/var/run/docker.sock \
  wazuh/wazuh-agent:4.9.0
```
Step 2: Verify Agent Registration
In the Wazuh dashboard, go to Agents and confirm the agent appears with status Active. The agent communicates on port 1514 (UDP or TCP). If the agent is gray, check the firewall and the agent’s ossec.conf.
Step 3: Enable Key Modules
In the Wazuh dashboard, enable these modules via Management → Configuration:
- Vulnerability Detection: scans installed packages
- File Integrity Monitoring: monitor /etc, /usr/bin, web roots
- Rootcheck: detects rootkits, trojans, and system anomalies
- Syscollector: inventory hardware, software, and network
Apply configuration changes and restart the manager:
```bash
docker exec -it wazuh-manager /var/ossec/bin/wazuh-control restart
```
Advanced Features
Custom Rules and Decoders
Wazuh’s ruleset is XML-based and extensible. Create custom rules in /var/ossec/etc/rules/local_rules.xml:
```xml
<group name="local,syslog,">
  <rule id="100001" level="7">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>SSH login from unexpected IP</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>
</group>
```
This example triggers an alert when SSH login occurs from a specific IP. Use this for geo-blocking, time-based access, or honeypot detection.
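A broken local_rules.xml is the most common reason a manager refuses to restart after a ruleset change, so it pays to lint the file before the restart. The following checker is an added example, not part of Wazuh: it parses the file and reports rule ids outside the custom range (100000–120000), duplicate ids, levels outside 0–16, and rules without a description. The two XML strings are constructed sample input; the first is the rule from the section above, the second deliberately adds faulty rules.

```python
"""Lint a Wazuh local_rules.xml before restarting the manager (added example)."""
import sys
from typing import Dict, List
import xml.etree.ElementTree as ET

CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 120000   # id range reserved for custom rules
LEVEL_MIN, LEVEL_MAX = 0, 16                    # valid alert levels

# Constructed sample: the rule shown in the article, which should lint clean.
PAGE_RULE = """\
<group name="local,syslog,">
  <rule id="100001" level="7">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>SSH login from unexpected IP</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>
</group>
"""

# Constructed sample with deliberate mistakes: a duplicate id, an id below the
# custom range, an out-of-range level, and a missing description.
BROKEN_RULES = PAGE_RULE + """\
<group name="local,">
  <rule id="100001" level="12">
    <if_sid>5710</if_sid>
    <description>Same id as the rule above</description>
  </rule>
  <rule id="99999" level="20">
    <if_sid>5710</if_sid>
  </rule>
</group>
"""


def lint_rules(xml_text: str) -> List[str]:
    """Return human-readable problems; an empty list means the file looks sane."""
    problems: List[str] = []
    # local_rules.xml may contain several top-level <group> elements, so it is not
    # a single-rooted XML document; wrap it in a synthetic root before parsing.
    try:
        root = ET.fromstring("<wazuh_rules>" + xml_text + "</wazuh_rules>")
    except ET.ParseError as exc:
        return [f"XML parse error: {exc}"]

    seen_ids: Dict[str, int] = {}
    for rule in root.iter("rule"):
        rule_id = rule.get("id")
        level = rule.get("level")
        desc = (rule.findtext("description") or "").strip()
        label = f"rule {rule_id!r} ({desc or 'no description'})"

        if rule_id is None or not rule_id.isdigit():
            problems.append(f"{label}: missing or non-numeric id")
        else:
            if not CUSTOM_ID_MIN <= int(rule_id) <= CUSTOM_ID_MAX:
                problems.append(
                    f"{label}: id outside custom range {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX}")
            seen_ids[rule_id] = seen_ids.get(rule_id, 0) + 1

        if level is None or not level.isdigit() or not LEVEL_MIN <= int(level) <= LEVEL_MAX:
            problems.append(
                f"{label}: level must be an integer {LEVEL_MIN}-{LEVEL_MAX}, got {level!r}")

        if not desc:
            problems.append(f"{label}: missing <description>")

    for rule_id, count in seen_ids.items():
        if count > 1:
            problems.append(f"rule id {rule_id} defined {count} times")
    return problems


if __name__ == "__main__":
    # Usage: python lint_rules.py /var/ossec/etc/rules/local_rules.xml
    # Without an argument the constructed BROKEN_RULES sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_RULES
    findings = lint_rules(text)
    for finding in findings:
        print(finding)
    sys.exit(1 if findings else 0)
```

Run it against /var/ossec/etc/rules/local_rules.xml before the `wazuh-control restart`; a non-zero exit code makes it easy to wire into whatever deploy script copies the rules into the container.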
Active Response
Wazuh can execute automatic actions when an alert fires. Examples include:
- Blocking an IP with iptables or firewall-cmd
- Disabling a user account
- Running a custom script to isolate a container
Enable in ossec.conf:
```xml
<active-response>
  <disabled>no</disabled>
  <command>host-deny</command>
  <location>local</location>
  <rules_id>5712</rules_id>
  <timeout>600</timeout>
</active-response>
```
This blocks an IP for 10 minutes after a brute-force alert (rule 5712).
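When the built-in commands are not enough (the "custom script" case above), Wazuh 4.x runs your executable from /var/ossec/active-response/bin/ and hands it one JSON message on stdin: `"command": "add"` when the alert fires and `"command": "delete"` when the `<timeout>` expires. The script below is an added example, not Wazuh's own firewall-drop script; the message layout follows the Wazuh 4.x documentation as the author of this example understands it, the `SAFE_NETWORKS` list is a homelab assumption, and the sample message is constructed. The defensive point it adds is the allowlist: an active response that blocks whatever `srcip` appears in an alert will happily lock you out of your own management VLAN after a mistyped password, so your own ranges are never blocked.

```python
"""Wazuh 4.x active-response script that blocks an alert's source IP (added example)."""
import ipaddress
import json
import subprocess
import sys
from typing import List, Optional

# Assumption: your own homelab segments. Addresses in these ranges are never blocked.
SAFE_NETWORKS = [ipaddress.ip_network(n)
                 for n in ("192.168.1.0/24", "10.0.0.0/8", "127.0.0.0/8", "::1/128")]


def sample_message(command: str, srcip: str) -> str:
    """Constructed copy of the message execd sends when rule 5712 fires."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": command,
        "parameters": {
            "extra_args": [],
            "alert": {"rule": {"id": "5712", "level": 10}, "data": {"srcip": srcip}},
            "program": "/var/ossec/active-response/bin/block-ip.py",
        },
    })


SAMPLE_MESSAGE = sample_message("add", "203.0.113.45")


def plan_action(message_json: str) -> Optional[List[str]]:
    """Turn an execd message into a firewall argv, or None when nothing should run."""
    msg = json.loads(message_json)
    command = msg.get("command")
    srcip = msg.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")
    if command not in ("add", "delete") or not srcip:
        return None
    try:
        addr = ipaddress.ip_address(srcip)
    except ValueError:
        return None                       # never pass unvalidated alert text to a tool
    if any(addr in net for net in SAFE_NETWORKS):
        return None                       # refuse to block our own networks
    tool = "ip6tables" if addr.version == 6 else "iptables"
    flag = "-I" if command == "add" else "-D"
    return [tool, flag, "INPUT", "-s", str(addr), "-j", "DROP"]


def main() -> int:
    message = sys.stdin.readline()
    action = plan_action(message)
    if action is None:
        return 0
    if json.loads(message)["command"] == "add":
        # Stateful handshake: ask execd whether this key is already being handled;
        # execd answers with "continue" or "abort".
        check = {"version": 1,
                 "origin": {"name": "block-ip", "module": "active-response"},
                 "command": "check_keys", "parameters": {"keys": [action[4]]}}
        sys.stdout.write(json.dumps(check) + "\n")
        sys.stdout.flush()
        if json.loads(sys.stdin.readline()).get("command") == "abort":
            return 0
    subprocess.run(action, check=False)   # argv list, no shell, address already validated
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it, reference the script name in a `<command>` block in ossec.conf and point an `<active-response>` entry at it exactly as the host-deny example does; the `<timeout>` is what triggers the `delete` message that removes the rule again.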
Integration with TheHive / Shuffle SOAR
For incident response, forward Wazuh alerts to TheHive (case management) or Shuffle (SOAR). Use the Wazuh custom integration framework:
```xml
<integration>
  <name>thehive</name>
  <hook_url>https://thehive.example.com/api/alert</hook_url>
  <api_key>YOUR_API_KEY</api_key>
  <alert_format>json</alert_format>
</integration>
```
Docker Security Monitoring
Wazuh agents can monitor Docker events (container creation, privilege escalation, volume mounts). Enable the Docker module in the agent’s ossec.conf:
```xml
<wodle name="docker-listener">
  <disabled>no</disabled>
</wodle>
```
This alerts when a container runs with --privileged or mounts the Docker socket.
Integrating with Your Homelab
Log Aggregation with Loki / ELK
While Wazuh has its own indexer, you may want to forward raw logs to a centralized log stack. Use Filebeat or Logstash to ship Wazuh archives to Grafana Loki or Elasticsearch.
Alerting to Telegram / Slack / Matrix
Use the Wazuh custom integration framework to POST alerts to a webhook:
```xml
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/YOUR/WEBHOOK/URL</hook_url>
  <alert_format>json</alert_format>
</integration>
```
For a homelab, a Telegram bot or Matrix webhook is often the most convenient.
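Slack has a built-in integration, but Telegram does not, so it goes through the custom integration framework: an `<integration>` block whose `<name>` starts with `custom-`, and a matching executable in /var/ossec/integrations/ that Wazuh calls with three arguments: the path of a file containing one JSON alert, the `<api_key>` value, and the `<hook_url>`. The script below is an added example, not Wazuh's own code. It assumes `<hook_url>` is `https://api.telegram.org/bot<TOKEN>/sendMessage` and repurposes `<api_key>` to carry the Telegram chat id; both the token and the chat id are placeholders you supply, and the alert is a constructed sample. Two details matter for a defender: the message is sent without `parse_mode`, so attacker-controlled log text cannot alter the formatting, and it is truncated to Telegram's 4096-character limit so a long `full_log` does not make the API reject the alert.

```python
#!/var/ossec/framework/python/bin/python3
"""Wazuh custom integration that forwards an alert to a Telegram bot (added example).

Assumed wiring in ossec.conf (values are placeholders):
  <integration>
    <name>custom-telegram</name>
    <hook_url>https://api.telegram.org/botYOUR_BOT_TOKEN/sendMessage</hook_url>
    <api_key>YOUR_CHAT_ID</api_key>
    <level>7</level>
    <alert_format>json</alert_format>
  </integration>
"""
import json
import sys
import urllib.request
from typing import Dict, Any

MAX_TEXT = 4096   # Telegram sendMessage limit

# Constructed sample alert in the shape Wazuh writes to alerts.json.
SAMPLE_ALERT: Dict[str, Any] = {
    "timestamp": "2024-05-01T10:15:42.000+0000",
    "rule": {"level": 10, "id": "5712",
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"id": "001", "name": "web01"},
    "data": {"srcip": "203.0.113.45", "dstuser": "admin"},
    "full_log": "May  1 10:15:42 web01 sshd[1234]: Failed password for invalid user "
                "admin from 203.0.113.45 port 51234 ssh2",
}


def format_message(alert: Dict[str, Any]) -> str:
    """Render the fields a homelab operator wants on a phone, as plain text."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    data = alert.get("data", {})
    lines = [
        f"Wazuh alert, level {rule.get('level', '?')} (rule {rule.get('id', '?')})",
        rule.get("description", "no description"),
        f"Agent: {agent.get('name', 'unknown')}  Time: {alert.get('timestamp', '?')}",
    ]
    for key in ("srcip", "srcuser", "dstuser"):
        if key in data:
            lines.append(f"{key}: {data[key]}")
    if alert.get("full_log"):
        lines.append("Log: " + str(alert["full_log"]))
    # Plain text, no parse_mode: log content cannot inject Markdown/HTML formatting.
    return "\n".join(lines)[:MAX_TEXT]


def build_request(hook_url: str, chat_id: str, text: str) -> urllib.request.Request:
    """Build the POST to Telegram's sendMessage endpoint."""
    payload = json.dumps({"chat_id": chat_id, "text": text,
                          "disable_web_page_preview": True}).encode("utf-8")
    return urllib.request.Request(hook_url, data=payload, method="POST",
                                  headers={"Content-Type": "application/json"})


def main(argv) -> int:
    if len(argv) < 4:
        print("usage: custom-telegram <alert_file> <chat_id> <hook_url>", file=sys.stderr)
        return 2
    alert_path, chat_id, hook_url = argv[1], argv[2], argv[3]
    with open(alert_path, encoding="utf-8") as fh:
        alert = json.load(fh)
    req = build_request(hook_url, chat_id, format_message(alert))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return 0 if resp.status == 200 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as /var/ossec/integrations/custom-telegram, owned by root:wazuh with mode 750 like the bundled integrations, and restart the manager. Failed deliveries are logged in /var/ossec/logs/integrations.log, which is the first place to look when no message arrives.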
Network Segmentation Monitoring
Place Wazuh agents on each VLAN or subnet. Use the dashboard to compare security posture across segments. If your IoT VLAN shows brute-force attempts, you can isolate it at the switch level without affecting your main network.
Alternatives to Consider
Security Onion
Security Onion is a full network security monitoring (NSM) platform with Zeek, Suricata, and Elasticsearch. It is stronger on network traffic analysis (packet capture) while Wazuh is stronger on host analysis. Many security professionals run both.
Graylog
Graylog is a log management platform, not a SIEM. It excels at collecting, parsing, and searching logs but lacks Wazuh’s built-in intrusion detection, FIM, and vulnerability scanning. Use Graylog if you already have a separate IDS (Suricata, Zeek).
Splunk / Elastic Security (Commercial)
Splunk and Elastic Security are enterprise-grade SIEMs with advanced UEBA (User and Entity Behavior Analytics) and threat intelligence integrations. They are powerful but expensive. For homelab use, Wazuh provides 80% of the functionality at zero cost.
| Tool | Best For | IDS | FIM | Vuln Scan | Cost |
|---|---|---|---|---|---|
| Wazuh | Homelab, XDR | HIDS | Yes | Yes | Free |
| Security Onion | Network forensics | NIDS | No | No | Free |
| Graylog | Log aggregation | No | No | No | Free/Enterprise |
| Splunk | Enterprise SIEM | Add-on | Add-on | Add-on | Expensive |
Frequently Asked Questions
How much RAM does Wazuh need?
The Wazuh Indexer (OpenSearch) requires 1 GB minimum, 2 GB recommended. The manager requires 1 GB. In a Docker AIO setup, allocate 4 GB total for a comfortable homelab experience. For 10+ agents, scale to 8 GB.
Can I run Wazuh on a Raspberry Pi?
The Wazuh manager and indexer are too heavy for a Raspberry Pi. However, you can run a Wazuh agent on a Pi to monitor it. The manager should be on an x86 server or a cloud VPS.
How do I update Wazuh?
For Docker: pull the latest images and recreate. For bare metal: use the package manager (apt upgrade) or the Wazuh installation assistant. Always back up the indexer data before major upgrades.
Does Wazuh replace a firewall?
No. Wazuh detects and alerts; it does not prevent attacks by default (unless you use Active Response). Combine Wazuh with a proper firewall (OPNsense, pfSense, iptables) for defense in depth.
Conclusion
Summary
Wazuh is the most capable open-source SIEM and XDR platform for homelab use. It provides enterprise-grade intrusion detection, vulnerability scanning, file integrity monitoring, and configuration assessment — all without licensing fees. With Docker, it deploys in minutes. With agents on every host, you gain visibility into the security posture of your entire infrastructure.
Next Steps
- Deploy Wazuh agents on all homelab servers
- Enable FIM for critical directories
- Configure custom rules for your threat model
- Set up alerting via Telegram or Slack