DELTAX37-cyb/wazuh-soc-homelab

# Wazuh SOC Homelab # Wazuh SOC Homelab **Status:** 🔧 In progress ## Overview This project involves building a functional Security Operations Centre (SOC) environment from scratch on a home machine. The goal is to gain practical experience with industry-standard tools used in real SOC environments — including log ingestion, file integrity monitoring, endpoint telemetry via Sysmon, and simulated attack detection. ## Lab Architecture | Component | Host | Role | |---|---|---| | Wazuh Manager | Ubuntu Server 22.04.5 LTS (VMware) | Collects, indexes, and analyzes security events | | Wazuh Agent | Windows 11 (host machine) | Sends logs and system events to the manager | | Sysmon | Windows 11 (host machine) | Provides detailed Windows telemetry | **VM Specs:** - RAM: 10 GB - CPU: 6 cores - Storage: 80 GB - Networking: NAT ## Phases | Phase | Description | Status | |---|---|---| | 1 | Environment Setup | ✅ Complete | | 2 | Wazuh Manager Installation | ✅ Complete | | 3 | Wazuh Agent Setup (Windows) | ✅ Complete | | 4 | Sysmon Integration | 🔧 In progress | | 5 | File Integrity Monitoring | ⏳ Pending | | 6 | Attack Simulation & Detection | ⏳ Pending | ## Deployment Notes # Initial Deployment Failure — Ubuntu 26.04 The initial Wazuh deployment was performed on Ubuntu Server 26.04 LTS. Although the installer completed several setup stages successfully, the deployment became non-functional due to repeated `wazuh-indexer` service crashes. #### Symptoms - Wazuh dashboard unable to connect to backend services - `Connection refused` errors during dashboard initialization - `wazuh-indexer` service exiting with fatal exceptions - OpenSearch security cluster initialization failures #### Troubleshooting Process The issue was investigated using: sudo systemctl status wazuh-indexer ## References - [Wazuh Official Documentation](https://documentation.wazuh.com) - [Wazuh Installation Guide](https://documentation.wazuh.com/current/installation-guide/index.html) - [Sysmon - Microsoft Sysinternals](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) - [Lab guide by Royden Rebello (The Social Dork)](https://youtu.be/QT81wcuoRFY)