# Wazuh SIEM (managed Linux)
Role: Security event correlation, FIM, vuln detection on managed Linux hosts.
Deploy: Docker stack services/wazuh/ on infra-services (GitOps).
Central syslog: Graylog for UDM/UniFi — separate path.
## Scope
| Host | Agent | Notes |
|---|---|---|
| prox | Wazuh agent | Hypervisor OS logs, SSH, sudo |
| infra-services | Wazuh agent | Docker host + compose logs via Loki separately |
| saltierpoop | Wazuh agent | OS-layer only (Saltbox containers unchanged) |
Do not duplicate full syslog to Graylog on these three hosts.
## Deploy stack

On infra-services:

```bash
cd /opt/homelab/services/wazuh
cp compose.env.example compose.env   # set passwords via SOPS / owner
docker compose --env-file compose.env up -d
```
Traefik routes the dashboard at wazuh.infra.realemail.app (restricting it to internal-only is optional).
## Agent install

After the manager is up, register agents (Ansible playbook TBD — manual for first cut):

```bash
# Example on each managed host (manager IP 192.168.6.17)
curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.x_amd64.deb
# WAZUH_MANAGER is read by the package post-install script and written to ossec.conf
WAZUH_MANAGER=192.168.6.17 dpkg -i wazuh-agent.deb
systemctl enable --now wazuh-agent
```

Verify that a deliberate failed SSH login on each host generates an alert in the Wazuh dashboard.
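A scripted version of that verification, added here as an example and not part of this repository: it parses the manager's JSON alert log (assumption: /var/ossec/logs/alerts/alerts.json, one JSON object per line; the sample lines below are constructed) and reports which hosts from the Scope table still have no sshd authentication-failure alert.

```python
import json
from collections import defaultdict
from datetime import datetime

# Hosts from the Scope table that must each produce an sshd auth-failure alert.
MANAGED_HOSTS = ("prox", "infra-services", "saltierpoop")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # timestamp format used in alerts.json

# Constructed alerts.json lines (fields trimmed to what the check needs).
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-01T10:00:05.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"prox"},"decoder":{"name":"sshd"},"data":{"srcip":"192.168.6.50","srcuser":"root"}}
{"timestamp":"2024-05-01T10:00:09.000+0000","rule":{"level":3,"description":"sshd: authentication success.","id":"5715","groups":["syslog","sshd","authentication_success"]},"agent":{"id":"002","name":"infra-services"},"decoder":{"name":"sshd"},"data":{"srcip":"192.168.6.50","dstuser":"ansible"}}
{"timestamp":"2024-05-01T10:00:12.000+0000","rule":{"level":5,"description":"Attempt to login using a non-existent user","id":"5710","groups":["syslog","sshd","invalid_login","authentication_failed"]},"agent":{"id":"003","name":"saltierpoop"},"decoder":{"name":"sshd"},"data":{"srcip":"192.168.6.50"}}
{"timestamp":"2024-05-01T10:00:20.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"000","name":"wazuh-manager"},"decoder":{"name":"sshd"},"data":{"srcip":"192.168.6.50"}}
"""

def parse_alerts(text):
    """Yield alert dicts from alerts.json content, skipping malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written line while the manager is still flushing

def is_ssh_auth_failure(alert):
    """True when the alert came from the sshd decoder and is tagged as a failed login."""
    groups = alert.get("rule", {}).get("groups", [])
    return alert.get("decoder", {}).get("name") == "sshd" and "authentication_failed" in groups

def failed_ssh_by_host(text, since=None):
    """Map agent name -> count of sshd auth-failure alerts, optionally only
    those at or after `since` (a timestamp string in the alerts.json format)."""
    cutoff = datetime.strptime(since, TS_FORMAT) if since else None
    counts = defaultdict(int)
    for alert in parse_alerts(text):
        if not is_ssh_auth_failure(alert):
            continue
        if cutoff is not None and datetime.strptime(alert["timestamp"], TS_FORMAT) < cutoff:
            continue
        counts[alert["agent"]["name"]] += 1
    return dict(counts)

def missing_hosts(text, hosts=MANAGED_HOSTS, since=None):
    """Managed hosts whose deliberate failed SSH login never surfaced as an alert."""
    seen = failed_ssh_by_host(text, since)
    return [h for h in hosts if seen.get(h, 0) == 0]

if __name__ == "__main__":
    print("no sshd auth-failure alert yet from:", missing_hosts(SAMPLE_ALERTS))
```

Against the real log, pass `since` as the time you started the test so alerts from earlier days do not mask a host whose agent is not actually reporting.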
## Active response

Disabled by default in this homelab. Enable only with owner approval.
## Related
- services/wazuh/README.md
- README Owner TODO — split Graylog syslog + Wazuh SIEM rows