Wazuh Security Operations Center Home Lab
This project involved designing and deploying an NGFW, with all of its logs ingested into a Wazuh, Graylog and Grafana stack.
Bringing it together
Starting with Proxmox as my instrument for orchestration, I deployed a VM with the Wazuh application stack (indexer, manager, dashboard, Filebeat). For greater log enrichment I use MISP (Malware Information Sharing Platform), VirusTotal and GreyNoise, along with a host of other third-party APIs, to increase the likelihood of catching an intrusion attempt. All of this is documented on my Medium pages.
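To show what the enrichment step looks like in practice, here is an added example (not code from this lab or from the Wazuh project) of a small Wazuh-style custom integration script: it reads an alert in the `alerts.json` layout, looks up the source IP against a threat-intel table, and attaches the result plus an escalation flag. The intel table and the alert are constructed sample data standing in for a MISP/GreyNoise/VirusTotal lookup; the function names `lookup_ip` and `enrich_alert` and the 50-point threshold are my own choices.

```python
"""Added example: enrich a Wazuh alert with a threat-intel lookup.

Mirrors the shape of a Wazuh custom integration (alert JSON path as the
first argument), but the intel table below is a constructed offline
stand-in for MISP / GreyNoise / VirusTotal responses, not a live API call.
"""
import json
import sys

# Constructed stand-in intel table (documentation-range IPs, not real indicators).
SAMPLE_INTEL = {
    "203.0.113.45": {"source": "misp", "tags": ["scanner"], "score": 80},
    "198.51.100.7": {"source": "greynoise", "tags": ["benign-crawler"], "score": 5},
}

# Constructed alert in the Wazuh alerts.json layout (srcip decoded under data).
SAMPLE_ALERT = {
    "rule": {"level": 5, "description": "sshd: authentication failed.", "id": "5716"},
    "agent": {"name": "web01"},
    "data": {"srcip": "203.0.113.45", "dstuser": "root"},
}


def lookup_ip(ip, intel=SAMPLE_INTEL):
    """Return the intel record for an IP, or None when there is no match."""
    return intel.get(ip)


def enrich_alert(alert, intel=SAMPLE_INTEL, threshold=50):
    """Return a copy of the alert with a `threat_intel` block and an `escalate` flag.

    The original alert dict is left untouched; the copy is what a downstream
    dashboard or second-stage rule would consume.
    """
    enriched = json.loads(json.dumps(alert))  # deep copy via JSON round trip
    ip = alert.get("data", {}).get("srcip")
    hit = lookup_ip(ip, intel) if ip else None
    enriched["threat_intel"] = {"srcip": ip, "match": hit is not None, **(hit or {})}
    # Hypothetical policy: escalate only when the intel score clears the threshold.
    enriched["escalate"] = hit is not None and hit.get("score", 0) >= threshold
    return enriched


def main(argv):
    """Read the alert file passed by Wazuh, or fall back to the sample alert."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            alert = json.load(fh)
    else:
        alert = SAMPLE_ALERT
    print(json.dumps(enrich_alert(alert), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to enrich the embedded sample, or pass the path of an alert file. The escalation flag is what I would feed into a higher-level rule or a Grafana panel rather than raising on every intel match, since low-score hits such as known benign crawlers only add noise.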
Visualize Big Data
Once Wazuh is ingesting the various data sources (logs, network connections and processes), I decided to use Grafana to visualize the data instead of the cumbersome Kibana interface. Grafana is a powerful tool that allows for the creation of dashboards that can be shared with other users, which is a great way to visualize the data and make it more accessible. I made the Grafana dashboards available to the world via the web interface.
The Journey
I documented my journey through two sources: articles I uploaded to this site, and Medium articles. I found that the articles on this site were more technical and detailed, while the Medium articles were more high-level simple venting. Originally my security stack was Graylog and Wazuh, but Graylog 5.0+ and Wazuh 4.4+ are not compatible and my stack broke. I then decided to use Grafana, which still provides good dashboards, but I found Graylog more powerful for enriching log data.
Project outcomes & Video Demonstration
The project was a success: I was able to get the stack up and running. I was able to see the logs from my NGFW and from my Wazuh stack, the logs from my MISP and VirusTotal APIs, the logs from my GreyNoise API, the logs from my Filebeat agents (enriched with GeoIP information), and the logs from my Windows and Linux servers.