This project demonstrates the deployment of Wazuh, an open-source, industry-recognized SIEM and host-based intrusion detection platform, in a virtualized lab environment. Wazuh was selected for this project due to its wide adoption in security operations, strong community support, and alignment with real-world SOC practices.
A Wazuh Manager was installed on an Ubuntu system and configured to centrally monitor three endpoints: Windows, Kali Linux, and Ubuntu. Each endpoint was successfully enrolled as a Wazuh agent and configured to forward system logs and security events to the manager for analysis.
The project validates end-to-end log collection and visibility through the Wazuh web dashboard, demonstrating how security events from multiple operating systems can be centrally analyzed. This setup reflects a realistic enterprise monitoring scenario and highlights the effectiveness of Wazuh as a cost-effective, open-source security monitoring solution used across modern SOC environments.
Wazuh was deployed on Ubuntu Server using the official all-in-one installation script, following the Wazuh deployment guide.
curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
This command installs all required dependencies along with the Wazuh Manager, Indexer, and Dashboard. Upon completion of the installation, a username and password are automatically generated for accessing the Wazuh web interface.
The firewall on the Wazuh server was configured to allow all Wazuh components to communicate properly, including agents, the dashboard, indexer, and Syslog. The following UFW rules were applied:
# Essential Wazuh ports
sudo ufw allow 1514/tcp   # Agent → Manager communication
sudo ufw allow 1515/tcp   # Agent enrollment
sudo ufw allow 443/tcp    # Wazuh Web Dashboard (HTTPS)
# Optional ports for future use
sudo ufw allow 55000/tcp  # Wazuh API
sudo ufw allow 514/tcp    # Syslog collector
sudo ufw allow 22/tcp     # SSH access to server
sudo ufw enable           # Enables the UFW firewall
sudo ufw status numbered  # Displays the current firewall status and lists all active rules with numbering
Accessing the Wazuh Web Interface
After the firewall was configured to allow all essential ports, the Wazuh web dashboard was accessed via a web browser. This interface provides centralized visibility into all connected agents, system events, and security alerts.
https://192.168.79.145:443
Log in using the username and password generated during installation.
To enroll an agent, navigate to Endpoints, Deploy new agents.
Agent 1: Windows
Step 1: Select the Windows architecture
Step 2: Enter the Wazuh Manager IP Address
Step 3: Set agent name (optional)
Step 4: Copy and run the installation command in PowerShell (run PowerShell with administrator privileges)
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.14.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='192.168.79.145' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='Windows'
Step 5: Still in PowerShell, run this command to start the Wazuh agent
NET START Wazuh
Agent 2: Kali Linux
On the Deploy new agent page:
Step 1: Select the Operating System
Step 2: Assign Server Address
Step 3: Set Agent Name (Optional)
Step 4: Copy and run the installation command
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.14.2-1_amd64.deb && sudo WAZUH_MANAGER='192.168.79.145' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='Kali' dpkg -i ./wazuh-agent_4.14.2-1_amd64.deb
Step 5: Start and Enable the Agent
Run the following commands to activate the agent:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Agent 3: Ubuntu
Repeat the same steps as for Agent 2.
Copy and run the installation command
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.14.2-1_amd64.deb && sudo WAZUH_MANAGER='192.168.79.145' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='Ubuntu' dpkg -i ./wazuh-agent_4.14.2-1_amd64.deb
Start and Enable the Agent
Run the following commands to activate the agent:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Dashboard of all Enrolled Agents
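Once the three agents are enrolled, a manager-side check that every agent is actually reporting as Active is more dependable than eyeballing the dashboard. The script below is an added example, not part of the original write-up; it assumes Wazuh's agent_control tool at its default path /var/ossec/bin/agent_control, and the sample listing embedded in it is constructed to mirror that tool's output format.

```shell
#!/usr/bin/env bash
# Added example: summarise agent connection state on the Wazuh manager.
# Assumption: agent_control lives at /var/ossec/bin/agent_control (default install path).

# Parse "agent_control -l" style output and print one "ID NAME STATUS" line per
# agent, skipping the manager's own entry (ID 000).
parse_agent_list() {
  awk -F', ' '
    /^ *ID: / {
      id = $1;   sub(/^ *ID: /, "", id)
      name = $2; sub(/^Name: /, "", name)
      status = $NF
      if (id != "000") print id, name, status
    }'
}

# Return 0 when every listed agent is Active; otherwise print the stragglers
# (Disconnected, Never connected, ...) to stderr and return 1.
all_agents_active() {
  local bad
  bad=$(parse_agent_list | awk '$3 != "Active" { print }')
  if [ -n "$bad" ]; then
    printf 'Agents not active:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample listing (same layout as agent_control -l) so this runs offline.
SAMPLE_LIST='Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: Windows, IP: any, Active
   ID: 002, Name: Kali, IP: any, Active
   ID: 003, Name: Ubuntu, IP: any, Disconnected'

# Offline demonstration against the constructed sample (Ubuntu is flagged).
printf '%s\n' "$SAMPLE_LIST" | all_agents_active || echo "some agents need attention"

# Live use on the manager:
#   sudo /var/ossec/bin/agent_control -l | all_agents_active
```

A non-zero exit makes the check easy to wire into cron or a CI job for the lab, so a silently dropped agent is noticed before its logs go missing.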
Through the deployment and configuration of Wazuh, I successfully set up a centralized security monitoring environment with multiple agents across Windows, Kali Linux, and Ubuntu. Wazuh provides real-time visibility into system events, log collection, and threat detection, making it a robust, open-source, industry-standard SIEM solution. Beyond log monitoring, Wazuh can be leveraged for File Integrity Monitoring (FIM) to track changes in critical files and directories, detect unauthorized modifications, and alert security teams.
Additionally, it integrates seamlessly with other security tools and services, such as Syslog for centralized logging, SSH for remote administration, and custom APIs for automated workflows, enabling comprehensive and proactive security operations.
This setup serves as a foundation for future projects, where I plan to expand Wazuh’s capabilities with additional agents, advanced detection rules, integrations with threat intelligence feeds, and custom security automation workflows to simulate real-world SOC scenarios.
Many thanks to
🫡