
The SIEM-phony of My Cyber Lab

 

I chose to use Wazuh for my home lab for a few reasons.

· Easy to use, even though my last experience with it left me uncertain. The intuitive interface means that even beginners can navigate the system with minimal training, although occasional uncertainties may still arise.

· Being free and open source makes Wazuh an ideal solution for learning and mastering the basics of a SIEM. This accessibility lets individuals and organizations experiment and develop their security monitoring skills without financial barriers.

· Scalable, so the SIEM can grow with my cyber needs. As an organization expands and its cybersecurity demands grow more complex, Wazuh can accommodate additional data sources and increased workloads.

· Comprehensive features, offering the flexibility to explore and learn as I wish. It includes a wide range of tools covering the various aspects of security information and event management, giving users the opportunity to deepen their knowledge and expertise.

What I did

Today I decided to have another go at getting the Wazuh dashboard to connect to the Linux endpoints in my home cyber lab. After last time, when I couldn't make it work, I was fully prepared for an uphill battle, but with a different approach that wasn't to be the case. I opened VirtualBox and started my Fedora, Mint and Wazuh manager VMs.

(Screenshot: VirtualBox running three VMs)

The picture shows VirtualBox running three VMs. Each VM runs as an independent system inside VirtualBox, allowing for different configurations and setups. These virtual machines can simulate different operating environments, so testing and development can happen without affecting the host system. That flexibility makes VMs valuable for software testing, security analysis and server virtualization.

Setting up on Linux Mint

I logged in to the web-based dashboard using Firefox in my Linux Mint VM. To add an endpoint, all you need is the Wazuh manager's IP address and a unique name for the endpoint. The first step is to choose the correct type of Linux package; for Mint I chose the DEB amd64 option, then put the IP address and name into the relevant boxes. The dashboard then generated the CLI commands, which just need to be copied and pasted into the terminal. There are two: one downloads and sets up the Wazuh agent, and the other restarts the agent on the endpoint, and with that everything is set up. You don't need to alter the .conf file, which is something I may have had issues with the last time I tried to do this.

(Screenshot: the first section of the web dashboard's page for configuring a new endpoint)

This image shows the initial section of the web dashboard used for configuring a new endpoint. The dashboard is designed to give users an intuitive way to set up and manage endpoints, with options for customization, security configuration and performance monitoring, so that endpoints are configured correctly for their specific needs.

After successfully setting up the Wazuh agent on Linux Mint, I was struck by how much the web dashboard simplified the process. By entering the IP address of the Wazuh manager and a unique name for the endpoint, the dashboard generated the CLI commands needed to download and set up the Wazuh agent. Once those commands were pasted into the terminal, the agent was downloaded and restarted without any need to edit the .conf file by hand, which had been a stumbling block in previous attempts. This streamlined method saved time and reduced the chance of errors, making the setup both efficient and effective. And less running round in CLI circles for me!

(Screenshot: the Linux Mint terminal during the agent download)

This image shows the Linux Mint terminal during the download of the agent. You can see the series of commands being executed, which highlights the steps involved in retrieving and installing the software. The terminal output shows the progress of the download along with details such as file sizes, download speeds and completion percentages, and illustrates how users interact with a Linux system through the command line.

(Screenshot: the dashboard showing one active endpoint)

The image above shows the dashboard with one active endpoint. The dashboard gives a comprehensive overview of your system's performance, displaying metrics such as response times, error rates and throughput. You can monitor real-time data, identify trends and pinpoint areas that need attention, and its customizable widgets and alert settings let you tailor the interface to your own monitoring needs.

Having seen how easy the setup was on Linux Mint, I decided to try Fedora, as this was the distro that caused me a lot of issues the last time I tried, and I was hoping that with the different approach it wouldn't be the same this time.

Setting up on Fedora

After successfully setting up the agent on Linux Mint, I did the same for Fedora. I selected the RPM amd64 option and ran the commands in the same way as for Linux Mint, by copying and pasting them.

This picture shows the Fedora terminal during the download of the Wazuh agent. The terminal displays the series of commands being executed, highlighting the steps involved in retrieving and installing the software, with progress indicators such as file sizes, download speeds and completion percentages. The output shows how users interact with a Linux system through the command line to reach a working configuration, and how methodical a software installation can be when the commands are right. It was a lot easier than the last time I tried to do this!
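As an added example that is not part of this post and not Wazuh's own tooling, the script below reproduces in shell what the dashboard's agent-deployment page generated for the Mint (DEB) and Fedora (RPM) installs above, and adds the check that explains why no .conf edit was needed: the agent package reads WAZUH_MANAGER and WAZUH_AGENT_NAME from the environment at install time and writes the manager address into /var/ossec/etc/ossec.conf. The package filenames are placeholders (the real ones come from the dashboard page), the 192.0.2.x addresses and the agent names are constructed values, and the ossec.conf fragment is constructed to stand in for the real file.

```shell
#!/bin/sh
# Added example, not the blog's or Wazuh's own code. Reproduces what the
# dashboard's "deploy new agent" page generates and checks the result.
#
# Assumptions (not from the blog): package filenames below are placeholders,
# 192.0.2.x addresses are documentation-range IPs, and the agent names and the
# ossec.conf fragment are constructed for the demonstration.

# Small IPv4 sanity check so a typo in the manager IP is caught before anything
# is installed. Returns 0 when the argument is a dotted quad.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the two command lines the dashboard generates for one endpoint:
# the install line passes the manager IP and agent name as environment variables
# (WAZUH_MANAGER / WAZUH_AGENT_NAME are the variables the real packages read),
# the second enables and starts the service.
# $1 = deb|rpm, $2 = manager IP, $3 = agent name.
agent_install_cmds() {
    family=$1; manager=$2; name=$3
    is_ipv4 "$manager" || { echo "bad manager IP: $manager" >&2; return 1; }
    case "$family" in
        deb) pkg='wazuh-agent_VERSION_amd64.deb'      # placeholder filename
             installer="dpkg -i ./$pkg" ;;
        rpm) pkg='wazuh-agent-VERSION.x86_64.rpm'     # placeholder filename
             installer="rpm -ihv $pkg" ;;
        *)   echo "unknown package family: $family" >&2; return 1 ;;
    esac
    printf "sudo WAZUH_MANAGER='%s' WAZUH_AGENT_NAME='%s' %s\n" "$manager" "$name" "$installer"
    printf 'sudo systemctl daemon-reload && sudo systemctl enable wazuh-agent && sudo systemctl start wazuh-agent\n'
}

# Read the manager address the installer wrote into ossec.conf
# (<client><server><address>). $1 = path to ossec.conf.
conf_manager_addr() {
    sed -n 's/.*<address>\([^<]*\)<\/address>.*/\1/p' "$1" | head -n 1
}

# Exit status 0 when the configured manager address is the one we expect,
# i.e. the env vars did their job and no manual edit of the file is needed.
conf_matches_manager() {
    [ "$(conf_manager_addr "$1")" = "$2" ]
}

# Constructed ossec.conf fragment standing in for what the installer writes.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>192.0.2.10</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF

# Demonstration: the Mint (deb) and Fedora (rpm) variants, then the config check.
agent_install_cmds deb 192.0.2.10 mint-vm
agent_install_cmds rpm 192.0.2.10 fedora-vm
if conf_matches_manager "$sample_conf" 192.0.2.10; then
    echo "ossec.conf points at manager 192.0.2.10, no manual edit needed"
fi
```

On a real endpoint you would run the two printed lines and then call conf_matches_manager against /var/ossec/etc/ossec.conf with the manager's IP. If that check fails, the agent will never register and the dashboard will never show it as active, so this turns "does it show up on the dashboard?" into a question you can answer on the endpoint itself.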

After I had completed the required steps, I checked the web dashboard and saw that there were now two active endpoints.

(Screenshot: the dashboard showing two active endpoints)

The picture shows the dashboard with two active endpoints. The interface gives a detailed, user-friendly overview of the system's operational metrics, such as response times, error rates and data throughput. This display supports real-time monitoring and trend analysis, helping to identify potential issues promptly, and the customizable widgets and alert settings let users tailor their monitoring to their own requirements.

In conclusion, my experience setting up Wazuh this time was much smoother than my previous attempts, largely due to a different approach. This process highlighted the importance of flexibility and experimentation in tackling technical challenges. While following established methods can be helpful, it is equally valuable to explore alternative solutions that may simplify the task at hand.

The web dashboard proved to be an invaluable asset, streamlining configurations and significantly reducing the need for manual adjustments. This automation not only saved time but also minimized the potential for errors, ensuring a more reliable setup. The success of this endeavour has fuelled my enthusiasm for further exploration and learning, reinforcing the notion that there is always room for improvement and innovation.

I am eager to keep growing my technical skills, and this experience will guide my future projects. Next, I plan to connect my endpoints to Wazuh and integrate pfSense into my home lab, with the aim of building a virtual SOC later. By implementing pfSense I will strengthen my network security, giving robust protection against potential threats. Setting up a virtual Security Operations Centre (SOC) will let me monitor, detect and respond to security incidents in a simulated environment, giving me valuable hands-on experience in cybersecurity management. This endeavour will not only solidify my understanding of network security principles but also prepare me for more complex challenges in the future.
