Wazuh SIEM Home Lab (Ubuntu + Windows Agent)

I referred to this video: https://youtu.be/QT81wcuoRFY?si=pCHkYRG6_Avr41gZ

Introduction

In this lab, I set up a Wazuh SIEM environment using:

• Ubuntu Server as the Wazuh Manager

• Windows 11 as a monitored endpoint (agent)

The goal of this lab was to:

• Understand how Wazuh agents connect to the manager

• Troubleshoot common installation and version issues

• Verify successful monitoring using File Integrity Monitoring (FIM)

This lab helped me understand how a real SOC environment detects changes on endpoints.

Lab Environment

• Wazuh Manager: Ubuntu Server (VMware)

• Wazuh Agent: Windows 11 Home

• Wazuh Version: 4.7.5

• Network: NAT (local lab)

Wazuh Manager Setup (Ubuntu)

The Wazuh Manager was installed on an Ubuntu Server using the official Wazuh installation assistant, which deploys the manager, indexer, and dashboard in a single command.

Add Wazuh GPG Key:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --dearmor -o
/usr/share/keyrings/wazuh-archive-keyring.gpg

Installation script:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a

After installation, check your Ubuntu IP address:

ip a

The dashboard becomes available at:

https://<your_ubuntu_ip>

Wazuh Agent Setup (Windows)

Download the Wazuh agent MSI installer from the official documentation: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-windows.html

Make sure Wazuh Agent using the same version as the manger. As my Wazuh Manager is 4.7.5, I installed Wazuh Agent with the same version as well.

Agent Registration

The Windows agent was manually registered on the Wazuh Manager using the manage_agents utility:

sudo /var/ossec/bin/manage_agents

• Select A to add an agent.

• Assign name (WINDOWS-AGENT).

• Put your Window's IP address

• After creation, select E to extract the key.

Apply the key in Windows Agent by open the Wazuh Agent GUI.

• Add Ubuntu manager's IP address

• Apply the key.

• Save and restart the agent service.

File Integrity Monitoring (FIM)

Edit Agent Configuration

Open the following configuration file:

C:\Program Files (x86)\ossec-agent\ossec.conf

Add the following entry inside the Directory block:

<directories realtime="yes">C:\Users\abc\Test</directories>

FIM Testing

To validate monitoring, I performed a simple test:

• Created a file in Documents

• Deleted the file

Wazuh detected both actions:

• File added

• File deleted

Key Takeaways

• Version compatibility between Wazuh Manager and agents is critical

• ossec.log is the primary source for troubleshooting agent issues

• File Integrity Monitoring provides immediate visibility into endpoint changes

• Proper agent configuration is required for real-time monitoring

Conclusion

This lab gave me hands-on experience with:

• SIEM deployment

• Endpoint monitoring

• Troubleshooting version and enrollment issues