When I decided to break into cybersecurity, I kept running into the same wall: every entry-level SOC analyst job wanted experience operating a SIEM. Hard to get experience without a job, hard to get a job without experience. The solution was a homelab — and Wazuh turned out to be the best free SIEM I could find for simulating a real SOC environment.
This post covers exactly how I built it, what broke, and what I'd do differently if I were starting today.
What is Wazuh?
Wazuh is a free, open-source security platform that handles log collection, threat detection, integrity monitoring, and incident response. It is built on the ELK stack (Elasticsearch, Logstash, Kibana) and is widely used by real SOC teams — meaning hands-on time with it is directly relevant to job interviews.
My Lab Hardware
You do not need anything fancy. My setup ran on a single machine:
- Host OS: Windows 11
- Hypervisor: VirtualBox (free)
- Wazuh Manager VM: Ubuntu Server 22.04 — 4 vCPUs, 8GB RAM, 50GB disk
- Agent VMs: Ubuntu Desktop, Windows 10 — 2 vCPUs, 4GB RAM each
Tip: Wazuh's manager is the hungry one. Give it at least 6–8GB RAM or Elasticsearch will crash under load.
Step 1 — Install the Wazuh Manager
Wazuh provides a single-command installer that sets up the manager, indexer (Elasticsearch), and dashboard in one go.
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a
After ~15 minutes the installer prints your dashboard credentials. Navigate to https://<manager-ip> and you should see the Wazuh dashboard. At this point no agents are connected — the dashboard is empty.
Step 2 — Deploy Agents
Each endpoint you want to monitor needs the Wazuh agent installed. For the Ubuntu agent:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring \
--keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] \
https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
# WAZUH_MANAGER is read by the package install script, so set it at install time, not at service start
sudo WAZUH_MANAGER="<your-manager-ip>" apt install wazuh-agent
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
For the Windows agent I used the MSI installer from the Wazuh dashboard deploy wizard — it auto-registers the agent with your manager IP. Within two minutes both agents appeared in the dashboard as Active.
Step 3 — Simulate Attacks and Watch Alerts
An empty SIEM teaches you nothing. I generated events deliberately:
- Brute-force SSH: Used hydra from Kali against the Ubuntu agent and watched Wazuh fire Rule 5763 (multiple failed SSH logins)
- File integrity: Modified /etc/passwd on the Ubuntu VM — Wazuh's FIM module flagged it instantly
- Mimikatz simulation: Ran Atomic Red Team on Windows — Wazuh caught credential dumping attempts via Sysmon events
Step 4 — Custom Alert Rules
Default rules are good, but writing your own is where you actually learn. Wazuh rules are XML. I wrote a rule to alert any time a new user account was created on the Windows VM:
<group name="local,windows,">
  <!-- Custom rules live in /var/ossec/etc/rules/local_rules.xml on the manager; restart the manager after editing -->
  <rule id="100001" level="10">
    <if_sid>60106</if_sid>
    <!-- Anchored so only event ID 4720 (user account created) matches -->
    <field name="win.system.eventID">^4720$</field>
    <description>New user account created on Windows endpoint</description>
    <group>authentication,account_management</group>
  </rule>
</group>
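As an added example that is not part of the original post: a small Python triage script that reads alerts in the line-delimited JSON shape the Wazuh manager writes to /var/ossec/logs/alerts/alerts.json, keeps the ones from the Step 3 scenarios (SSH brute force, the /etc/passwd change, the custom event 4720 rule above) and turns each into the one-line summary a mock incident report starts from. The alert lines, hostnames, IPs and user names are constructed; the field names (rule.id, rule.level, agent.name, syscheck.path, data.win.eventdata) follow the Wazuh alert format.

```python
import json

# Constructed sample alerts in the one-JSON-object-per-line shape of
# /var/ossec/logs/alerts/alerts.json; hosts, IPs and users are made up.
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-01T10:00:01+0000","rule":{"id":"5763","level":10,"description":"sshd: brute force trying to get access to the system. Non existent user."},"agent":{"id":"001","name":"ubuntu-agent"},"data":{"srcip":"192.0.2.10"}}
{"timestamp":"2024-05-01T10:05:12+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"001","name":"ubuntu-agent"},"syscheck":{"path":"/etc/passwd","event":"modified"}}
{"timestamp":"2024-05-01T10:07:40+0000","rule":{"id":"100001","level":10,"description":"New user account created on Windows endpoint"},"agent":{"id":"002","name":"win10-agent"},"data":{"win":{"system":{"eventID":"4720"},"eventdata":{"targetUserName":"svc_backup","subjectUserName":"Administrator"}}}}
{"timestamp":"2024-05-01T10:09:00+0000","rule":{"id":"5402","level":3,"description":"Successful sudo to ROOT executed."},"agent":{"id":"001","name":"ubuntu-agent"},"data":{"srcuser":"analyst"}}
not json at all
"""

def parse_alerts(text):
    """Parse alerts.json content; skip unparseable lines instead of aborting."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line read mid-write is truncated; it must not stop triage
    return alerts

def describe(alert):
    """Build the one-line 'what happened' an incident report opens with."""
    rule_id = alert["rule"]["id"]
    data = alert.get("data", {})
    if rule_id == "5763":                       # SSH brute force (Step 3)
        return f"SSH brute force from {data.get('srcip', '?')}"
    if "syscheck" in alert:                     # FIM change, e.g. /etc/passwd
        sc = alert["syscheck"]
        return f"file {sc.get('path')} {sc.get('event')}"
    if rule_id == "100001":                     # the custom rule from Step 4
        ev = data.get("win", {}).get("eventdata", {})
        return f"Windows account {ev.get('targetUserName')} created by {ev.get('subjectUserName')}"
    return alert["rule"]["description"]

def triage(alerts, min_level=7):
    """Keep alerts at or above min_level, highest severity first, then oldest first."""
    picked = [a for a in alerts if a["rule"]["level"] >= min_level]
    picked.sort(key=lambda a: (-a["rule"]["level"], a["timestamp"]))
    return [{"time": a["timestamp"], "agent": a["agent"]["name"],
             "rule": a["rule"]["id"], "level": a["rule"]["level"],
             "summary": describe(a)} for a in picked]

if __name__ == "__main__":
    for inc in triage(parse_alerts(SAMPLE_ALERTS)):
        print(f"[L{inc['level']}] {inc['time']} {inc['agent']} rule {inc['rule']}: {inc['summary']}")
```

Point parse_alerts at the real file on your manager and the level-3 sudo line drops out at the default threshold, which is the same noise-versus-signal decision you make when tuning rule levels.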
What I'd Do Differently
- Start with the Wazuh Cloud trial first — eliminates all the infrastructure headaches and lets you focus on the SIEM itself
- Install Sysmon on the Windows agent before anything else — the event quality difference is enormous
- Document every alert you investigate in a mock incident report from day one — these become portfolio pieces
What This Did for My Job Search
This project now sits at the top of my portfolio with a GitHub link showing my custom rules and investigation notes. In two interviews I was asked directly about SIEM experience and was able to describe specific alert scenarios, triage steps, and rule logic. Neither interviewer expected that level of detail from an entry-level candidate.
If you are trying to break into a SOC role and have not built a Wazuh lab yet, stop reading and start installing. It is free, it runs on consumer hardware, and it will give you more talking points in interviews than any certification alone.