Wazuh SIEM: Open-Source Security Monitoring for Your Homelab
Set up enterprise-grade security monitoring in your homelab with Wazuh SIEM. Learn to deploy, configure, and use intrusion detection, file integrity monitoring, and vulnerability assessment.
Table of Contents
- Your Homelab Is a Real Network, Act Like It
- What Is Wazuh and Why Should Homelabbers Care?
- Key Features That Matter for Homelabs
- File Integrity Monitoring (FIM)
- Intrusion Detection (HIDS)
- Vulnerability Detection
- Container Security
- Deploying Wazuh with Docker
- Prerequisites
- Single-Node Deployment
- Agent Deployment
- Port Reference
- Practical Use Cases for Your Homelab
- Scenario 1: SSH Brute Force Detection
- Scenario 2: Container Escape Detection
- Scenario 3: File Integrity for Configuration Management
- Scenario 4: NAS Monitoring
- Scenario 5: Compliance Practice
- Proxmox Integration
- Tuning for Homelab Scale
- Next Steps: From Deployment to Operational
- Conclusion
Your Homelab Is a Real Network, Act Like It
You’ve got Plex, Nextcloud, Home Assistant, and a dozen other services running on hardware you paid for with your own money. You’ve painstakingly configured reverse proxies, VLANs, and backup strategies. But here’s the uncomfortable truth: you have no idea what’s actually happening inside your network.
Most homelabbers obsess over uptime and storage. We monitor disk space and CPU temps like our lives depend on it. But when it comes to security monitoring? Crickets. We assume that because it’s “just a home network,” nobody’s interested. Wrong. Your NAS with default credentials, your IoT devices with firmware from 2019, and your exposed services are all attractive targets.
The good news? Enterprise-grade security monitoring isn’t reserved for Fortune 500 companies anymore. Wazuh brings SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) capabilities to your homelab—for free.
What Is Wazuh and Why Should Homelabbers Care?
Wazuh is an open-source cybersecurity platform that combines threat detection, compliance monitoring, and incident response in a single tool. Originally forked from the OSSEC project, it’s evolved into a comprehensive security platform used by thousands of organizations worldwide.
For homelabbers, Wazuh solves a critical problem: visibility. It tells you when someone attempts to brute-force your SSH server, when a container behaves suspiciously, or when a file changes that shouldn’t have. It’s the difference between thinking your network is secure and knowing it.
Unlike proprietary SIEM solutions that cost thousands per year, Wazuh is completely free and open-source. You own your data, you control the infrastructure, and you can customize it to your heart’s content.
Key Features That Matter for Homelabs
File Integrity Monitoring (FIM)
FIM tracks changes to critical files and directories. When your /etc/passwd changes or a binary in /usr/bin gets modified, Wazuh alerts within seconds if real-time or who-data monitoring is enabled for that path, and otherwise at the next scheduled scan.
Configuration is straightforward:
<ossec_config>
  <syscheck>
    <!-- whodata: real-time monitoring via auditd, recording which user/process made the change;
         check_all: hashes, size, owner, permissions and timestamps;
         report_changes: attach a diff of the file contents to the alert -->
    <directories whodata="yes" check_all="yes" report_changes="yes">
      /etc,/usr/bin,/usr/sbin
    </directories>
    <!-- scheduled-only monitoring for paths that change rarely -->
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <!-- full baseline scan every 12 hours (seconds) -->
    <frequency>43200</frequency>
  </syscheck>
</ossec_config>
The whodata="yes" attribute uses Linux auditd (the audit package must be installed on the agent host) to track who made changes, not just that changes occurred. This is invaluable when you’re troubleshooting whether a deployment script went rogue or if something more sinister happened.
Intrusion Detection (HIDS)
Wazuh’s Host-based Intrusion Detection System (HIDS) monitors for rootkits, malware, and suspicious system behavior. It includes:
- Rootcheck: Scans for known rootkits and system anomalies
- Security Configuration Assessment (SCA): Checks compliance against security baselines
- Anomaly detection: Identifies unusual patterns in system behavior
The SCA module alone is worth the installation. It checks your systems against CIS benchmarks and other security standards, giving you a clear picture of what needs hardening.
Vulnerability Detection
This is where Wazuh pulls its weight for a lab full of long-running hosts. The agent keeps a software inventory of the packages installed on each endpoint, and the manager matches that inventory against vulnerability feeds (the NVD and vendor advisories). When a new CVE is published, you’ll know within hours if a package you run is affected. One caveat: the inventory is what the host’s package manager knows about, so a library bundled inside an application (Log4j was exactly that, a jar shipped inside Java apps rather than an OS package) or inside a container image is not seen. For images, pair it with an image scanner.
Container Security
Since most modern homelabs run on Docker or Kubernetes, Wazuh’s container security features are essential:
- Real-time monitoring of Docker events
- Detection of privileged containers
- Alerts when shells execute inside containers
- Integration with Trivy for image vulnerability scanning
If you’re running a lot of containers from random Docker Hub images (we’ve all done it), this gives you some peace of mind. Note that the Docker event monitoring is not on by default: the docker-listener module must be enabled in the agent configuration, and it needs the Docker Python SDK installed on the agent host to talk to the daemon’s socket.
Deploying Wazuh with Docker
Wazuh’s official Docker deployment is clean and well-documented. Here’s the fastest path to a working SIEM.
Prerequisites
Before deploying, set the required kernel parameter:
sudo sysctl -w vm.max_map_count=262144
Add this to /etc/sysctl.conf to make it persistent:
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
You’ll need at least:
- 4 CPU cores
- 8GB RAM (16GB recommended)
- 50GB storage
Single-Node Deployment
For most homelabs, the single-node stack is sufficient:
# Clone the repository
git clone https://github.com/wazuh/wazuh-docker.git -b v4.14.4
cd wazuh-docker/single-node/
# Generate certificates
docker compose -f generate-indexer-certs.yml run --rm generator
# Deploy the stack
docker compose up -d
After deployment:
- Dashboard: https://<your-server-ip>
- Username: admin
- Password: SecretPassword (change this immediately)
The stack also ships with a default password for the Wazuh API user; both credentials are set in docker-compose.yml (the indexer one additionally in the indexer’s internal_users.yml), so rotate them before the dashboard is reachable from anywhere but localhost.
Agent Deployment
With the server running, deploy agents to monitor your endpoints:
cd wazuh-docker/wazuh-agent
# Edit docker-compose.yml and set WAZUH_MANAGER_SERVER to your Wazuh server IP
# Then deploy:
docker compose up -d
For bare-metal hosts, install the native agent package for your OS (the dashboard’s agent deployment wizard generates the install command). A containerized agent only sees what is mounted into its container, so for host-level FIM, log collection and auditd you want the native package on the host itself.
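As an added example (not taken from the article or from the Wazuh project), this is the minimal client block in a native agent’s /var/ossec/etc/ossec.conf that points it at the manager and lets it self-enroll. The manager address 192.168.1.10, the agent name and the group are assumptions:

```xml
<!-- Added example: agent-side /var/ossec/etc/ossec.conf fragment.
     192.168.1.10, "nas01" and "homelab" are assumed values. -->
<ossec_config>
  <client>
    <server>
      <address>192.168.1.10</address>
      <port>1514</port>            <!-- event channel to the manager -->
      <protocol>tcp</protocol>
    </server>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>192.168.1.10</manager_address>
      <port>1515</port>            <!-- one-time registration with authd -->
      <agent_name>nas01</agent_name>
      <groups>homelab</groups>     <!-- manager group whose shared config this agent receives -->
    </enrollment>
  </client>
</ossec_config>
```

Restart the agent service after saving and confirm the registration from the manager side with /var/ossec/bin/agent_control -l. By default the manager’s enrollment service accepts any agent that can reach port 1515; on a network with IoT devices you do not fully trust, set use_password to yes in the manager’s auth block so registration requires a shared secret.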
Port Reference
| Port | Purpose |
|---|---|
| 1514 | Agent events to the manager (TCP) |
| 1515 | Agent enrollment (TCP) |
| 514 | Syslog from devices without an agent (UDP; only once a syslog remote block is enabled on the manager) |
| 55000 | Wazuh API |
| 9200 | Indexer API |
| 443 | Dashboard HTTPS |
Practical Use Cases for Your Homelab
Scenario 1: SSH Brute Force Detection
Out of the box, the stock sshd rules detect repeated failed login attempts from one source. Add an active-response block to the manager configuration and Wazuh will also block the offending IP on the agent that saw the attempts, which replaces a per-host fail2ban setup.
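The manager-side configuration that turns the detection into a block, as an added example (not from the article or from the Wazuh project). Rule 5763 is the stock "sshd: brute force trying to get access to the system" rule and firewall-drop is a stock active-response command; the trusted network 192.168.1.0/24 is an assumption:

```xml
<!-- Added example: manager ossec.conf fragment. The 192.168.1.0/24 trusted
     range is an assumption; replace it with the network your admin hosts use. -->
<ossec_config>
  <global>
    <!-- Never block your own management hosts: a mistyped password from your
         workstation would otherwise lock you out of the box for the timeout -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.1.0/24</white_list>
  </global>

  <active-response>
    <!-- firewall-drop inserts a DROP rule for the alert's srcip in the host firewall -->
    <command>firewall-drop</command>
    <!-- local: run on the agent that generated the alert, i.e. the attacked host -->
    <location>local</location>
    <rules_id>5763</rules_id>
    <!-- unblock after 180 s; long enough to break a bot's loop, short enough to
         forgive a misconfigured client -->
    <timeout>180</timeout>
  </active-response>
</ossec_config>
```

In the single-node Docker stack the manager configuration is bind-mounted from the cloned directory (see the volumes section of docker-compose.yml), so edit that file and restart the manager container rather than editing inside the container. Test it from a host outside the whitelist, not from your workstation.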
Scenario 2: Container Escape Detection
Wazuh’s Docker listener reads the Docker daemon’s event stream, so a container started with --privileged, a bind mount of the host filesystem, or an interactive exec into a running container produces an alert at the moment it happens. This catches misconfigured containers before they become security incidents; actual runtime escapes are caught on the host side, through FIM and auditd on the host the agent runs on.
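The agent-side block that enables the Docker event monitoring used here and in the Container Security section above, as an added example (not from the article or from the Wazuh project); the module is shipped disabled:

```xml
<!-- Added example: agent ossec.conf fragment on a Docker host. Requires the
     Docker Python SDK on the agent host and read access to /var/run/docker.sock. -->
<ossec_config>
  <wodle name="docker-listener">
    <disabled>no</disabled>
    <!-- if the daemon socket is unreachable, retry 5 times, 10 minutes apart -->
    <interval>10m</interval>
    <attempts>5</attempts>
    <!-- connect as soon as the agent starts rather than waiting for the first interval -->
    <run_on_start>yes</run_on_start>
  </wodle>
</ossec_config>
```

After restarting the agent, run docker exec -it into any container and watch for the corresponding Docker alert in the dashboard; if nothing arrives, check the agent log for the listener failing to import the docker module.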
Scenario 3: File Integrity for Configuration Management
Track changes to your Traefik, Nginx, or Docker Compose configs. When a deployment goes wrong, you can quickly see what changed and when.
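A syscheck block for exactly this use, as an added example (not from the article or from the Wazuh project). It goes beyond the FIM block shown earlier by using real-time monitoring, withholding diffs for secrets and ignoring editor noise. The paths /opt/stacks, /etc/traefik and /etc/nginx are assumptions about where the configs live:

```xml
<!-- Added example: agent ossec.conf fragment. /opt/stacks, /etc/traefik and
     /etc/nginx are assumed locations; adjust to your layout. -->
<ossec_config>
  <syscheck>
    <!-- inotify-based realtime so a bad deploy shows up in seconds, with the
         diff of what changed attached to the alert -->
    <directories realtime="yes" check_all="yes" report_changes="yes">
      /opt/stacks,/etc/traefik,/etc/nginx
    </directories>

    <!-- report_changes copies file contents into the alert and stores them on
         the agent; never do that for secrets. nodiff still alerts on a change
         to these files but withholds the diff -->
    <nodiff type="sregex">.env$|acme.json$|.key$</nodiff>

    <!-- editor swap and backup files would otherwise alert on every edit -->
    <ignore type="sregex">.swp$|~$</ignore>

    <!-- scheduled baseline every 6 hours catches anything realtime missed,
         e.g. edits made while the agent was down -->
    <frequency>21600</frequency>
    <scan_on_start>yes</scan_on_start>
  </syscheck>
</ossec_config>
```

When an alert fires, the diff in the alert shows the exact lines that changed, and with whodata enabled instead of realtime you also get the user and process that wrote them.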
Scenario 4: NAS Monitoring
Install agents on your TrueNAS or Unraid systems to monitor SMB access, catch mass file modification that looks like ransomware, and alert on unusual file activity. Wazuh doesn’t publish agent packages for every NAS operating system, so check what exists for yours; where no agent is available, forward the NAS’s syslog to the manager on port 514 instead.
Scenario 5: Compliance Practice
If you’re studying for security certifications (CISSP, Security+, etc.), Wazuh gives you hands-on experience with SIEM operations, compliance reporting, and incident response workflows.
Proxmox Integration
For Proxmox users, installing the Wazuh agent on your hypervisor nodes provides visibility into:
- VM and container creation/deletion events
- Resource utilization anomalies
- Authentication logs for the web interface
- Storage and network configuration changes
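An agent-side fragment for a Proxmox VE node covering the web-interface authentication logs and the cluster configuration, as an added example (not from the article or from the Proxmox or Wazuh projects). The systemd unit names and file paths are assumptions about a default PVE install; journald collection assumes a Wazuh 4.8 or later agent (older agents would need a syslog-file localfile instead):

```xml
<!-- Added example: agent ossec.conf fragment for a Proxmox VE node. Unit
     names, paths and the 4.8+ journald reader are assumptions to verify locally. -->
<ossec_config>
  <!-- pvedaemon logs web UI / API authentication results to the journal -->
  <localfile>
    <log_format>journald</log_format>
    <location>journald</location>
    <filter field="_SYSTEMD_UNIT">^pvedaemon\.service$</filter>
  </localfile>

  <!-- pveproxy's HTTP access log: who hit the web interface, from where -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/pveproxy/access.log</location>
  </localfile>

  <syscheck>
    <!-- /etc/pve is the pmxcfs FUSE mount; inotify is unreliable on FUSE, so
         VM/CT definitions, storage, users and ACLs get scheduled scans only -->
    <directories check_all="yes" report_changes="yes">/etc/pve/nodes,/etc/pve/storage.cfg,/etc/pve/datacenter.cfg,/etc/pve/user.cfg</directories>
    <!-- host networking lives on a normal filesystem, so realtime is fine here -->
    <directories realtime="yes" check_all="yes" report_changes="yes">/etc/network</directories>
    <frequency>3600</frequency>
  </syscheck>
</ossec_config>
```

A VM created, cloned or deleted from the GUI shows up as a new, changed or removed file under /etc/pve/nodes, and a failed GUI login shows up as a pvedaemon authentication failure line, so both of the first points in the list above become FIM and log alerts respectively.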
This bridges the gap between your virtual infrastructure and your security monitoring.
Tuning for Homelab Scale
Wazuh’s default configuration is designed for enterprise environments. For homelab use, you’ll want to tune a few things:
- Reduce log verbosity: Edit /var/ossec/etc/ossec.conf to disable modules you don’t use
- Adjust scan frequencies: Use scheduled scans instead of real-time monitoring for non-critical paths, and set the scan interval to every few hours
- Filter noise: Create custom rules to suppress alerts from expected homelab behavior (automated backups, health checks)
- Set retention: Configure the indexer to keep only 30-90 days of logs depending on your storage
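Custom rules live in /var/ossec/etc/rules/local_rules.xml on the manager, and IDs 100000 to 120000 are reserved for them. The following is an added example (not from the article or from the Wazuh project) of the three moves you will make most often: silencing an expected event, promoting one that matters, and correlating a burst. The user name backupd and the path /etc/traefik are assumptions; rules 5402 and 550 are stock Wazuh rules:

```xml
<!-- Added example: /var/ossec/etc/rules/local_rules.xml on the manager.
     "backupd" and /etc/traefik are assumed names. -->
<group name="local,homelab,">

  <!-- Noise: the nightly backup job runs sudo as "backupd", and the stock rule
       5402 ("Successful sudo to ROOT executed") fires every time. A level-0
       child rule takes precedence over its parent and silences it for that
       one user only; everyone else's sudo still alerts -->
  <rule id="100100" level="0">
    <if_sid>5402</if_sid>
    <srcuser>^backupd$</srcuser>
    <description>Scheduled backup sudo (expected); suppressed.</description>
  </rule>

  <!-- Signal: promote FIM changes under /etc/traefik from the generic level-7
       "Integrity checksum changed" (rule 550) to level 12 so they stand out
       and can drive notifications -->
  <rule id="100101" level="12">
    <if_sid>550</if_sid>
    <field name="file">^/etc/traefik/</field>
    <description>Reverse proxy config changed: $(file)</description>
  </rule>

  <!-- Correlation: 50 or more modified files on one agent within a minute is
       not a config edit; it is a runaway script or ransomware -->
  <rule id="100102" level="12" frequency="50" timeframe="60">
    <if_matched_sid>550</if_matched_sid>
    <same_agent />
    <description>Mass file modification on one host</description>
  </rule>
</group>
```

Restart the manager after editing, then replay a sample log line through /var/ossec/bin/wazuh-logtest to confirm the suppression matches only the intended user and that nothing else got swallowed.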
Next Steps: From Deployment to Operational
Getting Wazuh running is the easy part. Making it useful requires ongoing effort:
- Baseline your environment: Let it run for a week to learn what’s “normal” in your lab
- Review daily: Check the dashboard for 10 minutes each day to understand the alert patterns
- Tune aggressively: False positives will numb you to real threats—fix them
- Integrate notifications: Connect Wazuh to Slack, Discord, or email for immediate alerting
- Practice incident response: When an alert fires, walk through your response process
Your homelab is a production environment for your learning. Treat its security with the same seriousness you’d bring to a real job.
Conclusion
Wazuh transforms your homelab from a blind network into a monitored environment with enterprise-grade visibility. The Docker deployment makes it accessible, the open-source licensing makes it affordable, and the feature set makes it genuinely useful.
Start with the single-node Docker deployment, add agents to your critical systems, and spend a few weeks tuning the alerts. The investment pays off the first time you catch something you would have otherwise missed.
Security isn’t a product you buy—it’s a practice you develop. Wazuh gives you the tools. The rest is up to you.
Ready to secure your homelab? Deploy Wazuh this weekend and start building your security monitoring muscle memory.
