RETURN_TO_INDEX
[OP_02]// PERSONAL LAB // ra-sys-io/GitHub
Wazuh Home Lab — SIEM/XDR
Four-machine home lab built around Wazuh. An Ubuntu-hosted SIEM/XDR watches a Docker-based Debian web server running OWASP Juice Shop. Windows 11 endpoint and Kali attacker are next on the roadmap.
YEAR
2025
DURATION
In progress
ROLE
Solo — Architect → Deploy → Instrument → Attack Sim (WIP)
SCOPE
Wazuh SIEM/XDR · 4-VM architecture · Docker · OWASP Juice Shop
4-VM
ARCHITECTURE
6
MILESTONES_DONE
WIP
ROADMAP_ACTIVE
[01]
Briefing
Purpose: build a hands-on SOC learning environment that covers the full detection lifecycle — log ingest → detect → triage → respond. Wazuh gives me an open-source, fully-inspectable SIEM/XDR stack to grow with.
[02]
Approach
- 01Architecture: designed a 4-machine model — Wazuh Server (SIEM), Debian web server (target), Windows 11 endpoint (planned), Kali Linux (attacker).
- 02SIEM stack: deployed Wazuh Manager + Indexer + Dashboard on Ubuntu Server. All three components healthy and reachable.
- 03Target build-out: stood up Debian web server, hardened, then layered Docker, an NGINX reverse proxy, and OWASP Juice Shop as a purposely-vulnerable web app for detection practice.
- 04Agent instrumentation: installed and configured the Wazuh Agent on the web server. Logs flow into the SIEM in real time.
- 05Next milestones (roadmap): Windows 11 + Sysmon, Kali attacker, Suricata NIDS, custom Wazuh rules, web + Windows attack simulations, threat hunting scenarios, MITRE ATT&CK mapping, and active response.
[03]
Outcome
- Fully-deployed Wazuh SIEM/XDR platform (Manager + Indexer + Dashboard) on Ubuntu.
- Debian web server operational with Docker + NGINX reverse proxy fronting OWASP Juice Shop.
- Wazuh Agent instrumented and reporting; SIEM ingesting live web-server telemetry.
- Architecture diagram and step-by-step deployment guides committed to the repo for reproducibility.
[04]
Testimonial
“SIEM isn't just a tool — it's a discipline. This lab is where the discipline gets its reps.”