How to Build a Free SIEM with Wazuh: Getting Started Guide

Reading time: ~10 minutes | Difficulty: Intermediate

A Security Information and Event Management (SIEM) system is the backbone of any serious security monitoring program. Commercial SIEMs such as Splunk or Microsoft Sentinel are priced on data volume and can run to tens of thousands of dollars per year. Wazuh is a free, open-source alternative that covers much of what a small or mid-sized team needs from a SIEM at $0 in licensing costs (you still pay for the hardware and the time to run it).

In this guide, we’ll cover what Wazuh is, how it works, and how to get your first deployment up and running.

What Is Wazuh?

Wazuh is a free, open-source security platform that provides:

  • SIEM — Log collection, normalization, correlation, and alerting
  • HIDS (Host-based Intrusion Detection) — Real-time monitoring of files, processes, network connections, and Windows Registry
  • Vulnerability Detection — Scans installed packages against CVE databases
  • Compliance Monitoring — Built-in rules for PCI-DSS, HIPAA, GDPR, NIST
  • Cloud Security — Monitoring for AWS, Azure, and GCP
  • Incident Response — Active responses that run a script when a rule fires (the bundled scripts block a source IP with the host firewall or disable an account; quarantine and process-kill actions are custom scripts you add yourself)

Who uses Wazuh? While it’s popular with SMBs and home labs, Wazuh is also used by major enterprises and government agencies. It’s genuinely production-grade software, not just a toy.

Wazuh Architecture: The Basics

Wazuh has four main components:

  • Wazuh Agent — Lightweight software installed on each endpoint you want to monitor (Windows, Linux, macOS). Collects logs, file integrity and inventory data and sends them to the manager over TCP port 1514 (enrollment uses TCP port 1515).
  • Wazuh Manager (server) — Receives data from agents, decodes it, applies rules and generates alerts. This is the brain of your SIEM.
  • Wazuh Indexer — An OpenSearch-based search engine that stores the alerts the manager produces (the manager forwards them with Filebeat). This is where your searchable history lives, and it is the component that consumes disk.
  • Wazuh Dashboard — A web interface built on OpenSearch Dashboards for viewing alerts, running searches, and generating reports. (Older Wazuh releases sat on top of Elastic and Kibana; 4.x ships its own indexer and dashboard.)

Think of it as: Agents collect data → Manager decodes, correlates and alerts → Indexer stores → Dashboard visualizes everything. The quickstart below installs manager, indexer and dashboard on one host.

System Requirements

Component | Minimum | Recommended (small org)
All-in-one server (manager + indexer + dashboard) | 4 CPU, 8 GB RAM, 50 GB disk | 8 CPU, 16 GB RAM, 200 GB disk
Wazuh Agent | Any modern endpoint | Any modern endpoint
OS (server) | Ubuntu 20.04/22.04 LTS (used in this guide) | Ubuntu 22.04 LTS; the installer also supports other mainstream Linux distributions, see the Wazuh docs

Disk is the number to size generously: the indexer keeps every alert, so retention, not CPU, is usually what forces an upgrade.

For a home lab or very small environment (under 10 endpoints), a $20/month VPS or even a local VM works fine.

Installation: Wazuh All-in-One (Quickstart)

Wazuh provides an official quickstart script that installs everything (manager, indexer, and dashboard) on a single server. This is the fastest way to get started.

Step 1: Prepare Your Ubuntu Server

# Update the system first
sudo apt update && sudo apt upgrade -y

# Ensure curl is installed
sudo apt install curl -y

# Check your server meets requirements
free -h  # Check RAM
df -h    # Check disk space
nproc    # Check CPU count

Step 2: Run the Wazuh Installation Script

# Download the Wazuh installation assistant
curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh

# Read it before you run it: it runs as root and installs three services
less wazuh-install.sh

# Install all components (indexer, manager, dashboard) on this host
sudo bash wazuh-install.sh -a

# The -a flag selects the all-in-one deployment. In this mode the script
# generates its own certificates and passwords, so no config.yml is needed.
# (config.yml plus "wazuh-install.sh --generate-config-files" is the path
# for a multi-node deployment.)
# Installation takes 5-15 minutes depending on hardware

At the end of the installation the script prints the admin password. It also writes every generated password and the TLS certificates to wazuh-install-files.tar in the working directory; store that archive somewhere safe (a password manager or an offline backup) and remove it from the server once you have what you need.

Step 3: Access the Dashboard

Open a browser and navigate to https://YOUR-SERVER-IP (use HTTPS, not HTTP). The installer generates a self-signed certificate, so accept the warning for now (or replace it later with a certificate from your own CA) and log in as the admin user with the password from Step 2.

⚠️ Security Note: Never expose your Wazuh dashboard directly to the internet. Put it behind a VPN or at minimum restrict access by IP. With UFW the allow rule must be added before the blanket deny, because rules match in order; you also need to leave TCP 1514 (agent events) and TCP 1515 (agent enrollment) reachable for the hosts that will report in, and keep your own SSH path open before you enable the firewall:

sudo ufw allow from YOUR-MANAGEMENT-IP to any port 443 proto tcp
sudo ufw deny 443
sudo ufw status numbered   # the allow rule must sit above the deny
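
What the quickstart does not do for you is check the host first, lock the firewall down, or tell you where the generated secrets went. The script below is an added example, not part of this guide's original text and not Wazuh's own tooling: it wraps those post-install steps, checking the host against the minimums in the table above, confirming the three central services are running, applying a firewall policy that admits only your management address and your agent network, and printing the credentials straight out of wazuh-install-files.tar. The management address 10.0.0.5, the agent network 10.0.0.0/24 and the UFW override variable are assumptions; set them for your environment.

```shell
#!/bin/sh
# Post-install checks and lockdown for an all-in-one Wazuh server.
# Added example, not Wazuh's own tooling. Assumes Ubuntu with ufw and systemd,
# and that wazuh-install-files.tar is in the current directory.
# Usage: MGMT_IP=10.0.0.5 AGENT_NET=10.0.0.0/24 sh wazuh-postinstall.sh run
set -eu

MGMT_IP="${MGMT_IP:-10.0.0.5}"          # assumed admin workstation or VPN address
AGENT_NET="${AGENT_NET:-10.0.0.0/24}"   # assumed network the agents live in
UFW="${UFW:-sudo ufw}"                  # set UFW=echo to print the rules instead

# meets_minimums RAM_GB CPUS DISK_GB: succeeds if the host meets the guide's minimums.
meets_minimums() {
  if [ "$1" -ge 8 ] && [ "$2" -ge 4 ] && [ "$3" -ge 50 ]; then
    return 0
  fi
  return 1
}

# Measures this host and fails loudly if it is undersized.
# MemTotal is rounded, since an "8 GB" VM reports slightly under 8 GB.
check_host() {
  ram=$(awk '/MemTotal/ { printf "%.0f", $2 / 1024 / 1024 }' /proc/meminfo)
  cpus=$(nproc)
  disk=$(df -BG --output=avail / | tail -n 1 | tr -dc '0-9')
  if meets_minimums "$ram" "$cpus" "$disk"; then
    echo "host ok: ${ram} GB RAM, ${cpus} CPU, ${disk} GB free"
  else
    echo "host below minimums: ${ram} GB RAM, ${cpus} CPU, ${disk} GB free" >&2
    return 1
  fi
}

# Fails if any of the three central services is not active.
services_ok() {
  for svc in wazuh-indexer wazuh-manager wazuh-dashboard; do
    if ! systemctl is-active --quiet "$svc"; then
      echo "$svc is not running" >&2
      return 1
    fi
  done
}

# Firewall policy. Allows are added before the blanket deny on 443 because
# ufw matches rules in order. 9200 (indexer) and 55000 (API) stay closed:
# on an all-in-one host they are only used locally.
firewall_rules() {
  $UFW default deny incoming
  $UFW allow from "$MGMT_IP" to any port 22 proto tcp      # SSH for you
  $UFW allow from "$MGMT_IP" to any port 443 proto tcp     # dashboard for you
  $UFW allow from "$AGENT_NET" to any port 1514 proto tcp  # agent events
  $UFW allow from "$AGENT_NET" to any port 1515 proto tcp  # agent enrollment
  $UFW deny 443                                            # dashboard from anywhere else
  $UFW --force enable
  $UFW status numbered
}

# Prints the generated passwords without unpacking the whole archive.
show_passwords() {
  sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
}

main() {
  check_host
  services_ok
  firewall_rules
  show_passwords
}

if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it with UFW=echo first to see the rule set it would apply; the order printed is the order ufw will evaluate, and the deny must come last.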

Installing Wazuh Agents

On Linux (Debian/Ubuntu)

Run the following as root (or prefix each command with sudo). WAZUH_MANAGER is read by the package's post-install step and written into /var/ossec/etc/ossec.conf; WAZUH_AGENT_NAME is optional and defaults to the hostname.

# Add the Wazuh signing key and repository
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

apt-get update

# Install agent and point it to your manager
WAZUH_MANAGER="YOUR-MANAGER-IP" WAZUH_AGENT_NAME="web-01" apt-get install wazuh-agent -y

# Start and enable the agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

# Confirm it connected: the agent logs "Connected to the server" once enrolled
systemctl status wazuh-agent --no-pager
grep -i "connected to the server" /var/ossec/logs/ossec.log

On Windows

Download the MSI installer from the Wazuh packages page. During installation, you’ll be prompted for the Manager IP address. Alternatively, install silently via PowerShell (replace 4.x.x with the release you downloaded, and compare the file hash with the checksum published on the packages page before installing):

# PowerShell - Run as Administrator
# Download installer (substitute the actual 4.x.x version in the file name)
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.x.x-1.msi -OutFile wazuh-agent.msi

# Verify the download against the published checksum before running it
Get-FileHash .\wazuh-agent.msi -Algorithm SHA512

# Install silently with the manager address and a name that will show up in the dashboard
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR-MANAGER-IP" WAZUH_AGENT_NAME="workstation-01"

# Start the service and confirm it is running
NET START WazuhSvc
Get-Service WazuhSvc
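
Whether you installed the Linux or the Windows agent, the confirmation you want is on the manager: sudo /var/ossec/bin/agent_control -l lists every enrolled agent with its status (Active, Disconnected, Never connected, Pending). The script below is an added example, not part of the original guide and not Wazuh's own tooling, that turns that listing into a short report of agents needing attention. It embeds a constructed sample listing in the same format so it runs offline, and skips the manager's own ID 000 entry. If an agent shows Never connected, check the manager address in its ossec.conf, check that TCP 1514/1515 are reachable from the agent, and read /var/ossec/logs/ossec.log (Linux) or C:\Program Files (x86)\ossec-agent\ossec.log (Windows) on the endpoint.

```shell
#!/bin/sh
# Report Wazuh agents that are not actively reporting in.
# Added example, not Wazuh's own tooling. Reads agent_control -l output on stdin.
# Usage on the manager:  sudo /var/ossec/bin/agent_control -l | sh agent-health.sh report
# Offline demo:          sh agent-health.sh demo
set -eu

# Constructed sample in the format agent_control -l prints (not real output).
sample_listing() {
  cat <<'EOF'
Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web-01, IP: 10.0.0.10, Active
   ID: 002, Name: db-01, IP: 10.0.0.20, Disconnected
   ID: 003, Name: workstation-01, IP: any, Never connected
   ID: 004, Name: build-01, IP: any, Pending
EOF
}

# inactive_agents: prints "ID NAME IP STATUS" for every agent that is not
# Active, skipping the manager's own entry (ID 000).
inactive_agents() {
  awk -F', ' '
    /^ *ID: / {
      split($1, a, ": "); id = a[2]
      split($2, n, ": "); name = n[2]
      split($3, i, ": "); ip = i[2]
      status = $4
      if (id != "000" && status != "Active") print id, name, ip, status
    }'
}

# status_counts: prints "COUNT STATUS" per status across the agents (ID 000
# excluded), a quick fleet health summary for a cron job.
status_counts() {
  awk -F', ' '
    /^ *ID: / && $1 !~ /ID: 000$/ { c[$4]++ }
    END { for (s in c) print c[s], s }'
}

case "${1:-}" in
  demo)
    echo "Agents needing attention:"
    sample_listing | inactive_agents
    echo "By status:"
    sample_listing | status_counts
    ;;
  report)
    inactive_agents
    ;;
esac
```

Pipe the real listing into the report mode from a cron job and you have a cheap "agent went quiet" alarm long before you build a proper one in the dashboard.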

Key Detections Out of the Box

Once agents are connected, Wazuh starts generating alerts from its default ruleset and modules. Here is what it finds with no custom rules, and what each one actually depends on:

  • Brute force attacks — Repeated failed SSH or RDP logons from one source within a short window (the rules correlate on source IP with a frequency and timeframe rather than alerting on every single failure)
  • Rootkit detection — Rootcheck looks for hidden processes and hidden ports and for files matching known rootkit and trojan signatures
  • File integrity monitoring — Changes under the default monitored paths, such as /etc, /bin, /sbin, /usr/bin, /usr/sbin and /boot on Linux (so /etc/passwd is covered) and Program Files plus a set of HKLM registry keys on Windows. The default is a scheduled scan every 12 hours; add realtime="yes" to a directory entry for immediate alerts
  • Log injection attacks — Attempts to forge log entries
  • Known malware — Rootcheck's signature files are active by default; matching file hashes against VirusTotal or scanning with YARA requires configuring those integrations first
  • Vulnerability exposure — Installed packages compared with CVE feeds (the module is enabled by default in recent 4.x releases; on older 4.x releases turn it on in ossec.conf)
  • Compliance violations — Alerts are tagged with PCI-DSS, HIPAA, NIST 800-53 and GDPR controls, which is what feeds the compliance dashboards
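
The brute-force item above is worth a closer look because it shows how Wazuh reaches its verdicts. A single "Failed password" line is a low-severity event; the brute-force alert is a correlation rule that fires when one source IP accumulates a set number of failures inside a timeframe (the default sshd rules use eight failures within 120 seconds, grouped by source IP). The script below is an added example, not Wazuh's rule engine and not code from this guide, that implements the same frequency-within-timeframe logic in awk over a constructed auth.log excerpt. The sample lines, the host name web-01 and the two source addresses are invented; timestamps are treated as seconds within a single day, which is enough for the demonstration but not for a real log that spans midnight.

```shell
#!/bin/sh
# Minimal frequency/timeframe correlation in the style of Wazuh's sshd
# brute-force rules. Added example, not Wazuh's own code.
# Assumptions: syslog-format auth.log lines from a single day.
# Usage:  sh sshbf.sh demo                           # run on the built-in sample
#         sh sshbf.sh 8 120 < /var/log/auth.log      # FREQ TIMEFRAME on a real log
set -eu

# Constructed sample (not real traffic): 6 failures from 203.0.113.7 in 40 s,
# 3 slow failures from 198.51.100.4 spread over 9 minutes, and one success.
sample_authlog() {
  cat <<'EOF'
Jan 12 10:00:01 web-01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Jan 12 10:00:05 web-01 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51430 ssh2
Jan 12 10:00:12 web-01 sshd[2105]: Failed password for root from 203.0.113.7 port 51444 ssh2
Jan 12 10:00:20 web-01 sshd[2107]: Failed password for root from 203.0.113.7 port 51460 ssh2
Jan 12 10:00:31 web-01 sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 51471 ssh2
Jan 12 10:00:41 web-01 sshd[2111]: Failed password for invalid user postgres from 203.0.113.7 port 51480 ssh2
Jan 12 10:01:00 web-01 sshd[2113]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Jan 12 10:04:00 web-01 sshd[2120]: Failed password for alice from 198.51.100.4 port 40019 ssh2
Jan 12 10:06:30 web-01 sshd[2125]: Accepted publickey for alice from 198.51.100.4 port 40023 ssh2
Jan 12 10:10:00 web-01 sshd[2130]: Failed password for alice from 198.51.100.4 port 40030 ssh2
EOF
}

# brute_force FREQ TIMEFRAME: reads auth.log on stdin and prints one line per
# source IP the first time it reaches FREQ failed passwords within TIMEFRAME
# seconds, as "<ip> <count> failures by <time>". Successes are ignored, and a
# slow trickle of failures that never fills the window never alerts.
brute_force() {
  awk -v freq="$1" -v window="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
      split($3, hms, ":")
      ts = hms[1] * 3600 + hms[2] * 60 + hms[3]   # seconds since midnight
      for (k = 1; k <= NF; k++) if ($k == "from") ip = $(k + 1)
      n[ip]++
      seen[ip, n[ip]] = ts
      # count this IP failures that fall inside the trailing window
      hits = 0
      for (j = n[ip]; j >= 1 && ts - seen[ip, j] <= window; j--) hits++
      if (hits >= freq && !(ip in fired)) {
        fired[ip] = 1
        print ip, hits, "failures by", $3
      }
    }'
}

case "${1:-}" in
  demo) sample_authlog | brute_force 5 120 ;;   # prints: 203.0.113.7 5 failures by 10:00:31
  "")   ;;                                       # no arguments: only define the functions
  *)    brute_force "$1" "${2:-120}" ;;
esac
```

Try the demo with a looser window (for example 3 900) and the slow host alerts too: the threshold and the window together decide what "brute force" means, and that pair is exactly what you tune when the default rule is too noisy or too quiet for a given host.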

Wazuh vs Splunk vs Elastic: Quick Comparison

Feature | Wazuh | Splunk | Elastic SIEM
License cost | Free (open source) | $$$$ (very expensive) | Free tier available
Agent support | Windows, Linux, macOS | Windows, Linux, macOS | Windows, Linux, macOS
Built-in HIDS | Yes | No (needs add-ons) | Partial
Compliance dashboards | Built-in (PCI, HIPAA, etc) | Available (paid add-ons) | Available
Setup complexity | Medium | Low (cloud), High (on-prem) | Medium-High
Best for | SMB, budget-conscious teams | Enterprise with large budget | Teams comfortable with Elastic

Next Steps After Basic Setup

  • Enable File Integrity Monitoring (FIM) — Configure which directories to monitor for unauthorized changes
  • Tune alerts — Reduce false positives by adjusting rule levels for your environment
  • Set up email or Slack notifications — Get alerted in real-time when critical events occur
  • Integrate with VirusTotal — Automatically check suspicious file hashes
  • Enable Active Response — Automatically block IPs after brute force attempts
  • Deploy Sysmon on Windows — Massively improves visibility into Windows process creation, network connections, and registry changes

Common Pitfalls to Avoid

  • Don’t underestimate storage requirements — alerts grow fast. The manager rotates and compresses its own alert logs daily under /var/ossec/logs/alerts/, but the indexer’s wazuh-alerts-* indices keep growing until you set a retention policy (OpenSearch Index State Management) to roll off or delete old indices. Decide your retention period on day one.
  • Don’t expose the Wazuh dashboard on a public IP. The login page alone is a target for credential stuffing and for any future vulnerability in the stack; reach it over a VPN or from allow-listed addresses only.
  • Don’t ignore high-volume alerts without investigating — alert fatigue is real, but so are real incidents hiding in the noise.
  • Do update Wazuh regularly — like any security tool, it needs patching.

In follow-up articles, we’ll cover custom rule writing, integrating Windows Sysmon, and building compliance dashboards for PCI-DSS and HIPAA.
