
What I Learned Deploying Wazuh at Home

December 1, 2025 · 2 min read
#Wazuh #Homelab #SOC Notes


Starting a home lab is often recommended for aspiring SOC analysts, and for good reason. Reading about SIEMs is one thing; troubleshooting an agent that refuses to connect because a firewall rule is dropping its traffic to the manager (TCP 1514 for events and 1515 for enrollment, by default) is another.

Here are the top takeaways from my recent deployment of Wazuh.

1. It's Loud Out of the Box

The moment you turn on a SIEM, you feel like a superhero seeing everything. Five minutes later, you feel like a tired sysadmin.

  • False Positives: a stock Windows host writes a steady stream of Security-log events (logons, privilege assignments, process and service activity) that look alarming in a dashboard but are simply the operating system going about its day.
  • Tuning: I spent 80% of my time writing exclusions. If you don't tune, you will ignore the dashboard.
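An added example of the kind of exclusion that tuning consists of, not taken from the original post: a level-0 override in the manager's /var/ossec/etc/rules/local_rules.xml that silences one routine Windows Security event. The choice of event (4672, "Special privileges assigned to new logon") and of account (the built-in SYSTEM) is an assumption about what is noisy in a given lab; the field names are the ones Wazuh's eventchannel decoder produces for Windows events.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the Wazuh manager.
     Added example, not the post author's rules. Custom rule IDs must be in 100000-120000. -->
<group name="local,windows,">

  <!-- Level 0 means "match and drop": the event is consumed here and never
       becomes an alert. Scope it as narrowly as you can. This one catches only
       event 4672 raised for the SYSTEM account, which fires on every service
       logon and carries no signal on its own (assumed noisy in this lab). -->
  <rule id="100100" level="0">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^4672$</field>
    <field name="win.eventdata.subjectUserName">^SYSTEM$</field>
    <description>Ignore 4672 (special privileges) for SYSTEM: routine service logon</description>
    <options>no_full_log</options>
  </rule>

</group>
```

Restart the manager (systemctl restart wazuh-manager) and feed a raw 4672 event for SYSTEM into /var/ossec/bin/wazuh-logtest: it should now land on rule 100100 at level 0 instead of the built-in Windows rule. Resist the temptation to drop the subjectUserName condition and silence all of 4672; a privileged logon by a human account is exactly the event you built the SIEM to see.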

2. Linux Permissions Matter (A Lot)

Deploying agents on Linux forced me to brush up on:

  • chmod and chown: who owns a log file and which group may read it decides whether it is ever collected.
  • Whichever account the log collector runs as needs read access to every file you monitor, such as /var/log/auth.log. A file that is root:adm mode 0640 and a collector that cannot read it means silent gaps in your data; the only trace is an error in the agent's ossec.log.
  • SELinux can silently block your best efforts: a denial shows up as an AVC entry in the audit log rather than in Wazuh's own log, so check there (ausearch -m AVC) before loosening file permissions any further.

3. The Power of "Active Response"

Wazuh’s active response runs a script on the agent when a chosen rule fires; the classic pairing is the sshd brute-force rule with firewall-drop, which inserts a firewall rule blocking the offending source IP. It is powerful but dangerous: the source of "repeated failed logins" is just as likely to be your own workstation while you fumble a password. I locked myself out once. It was a great lesson in availability vs. security. Two settings make the feature safe to experiment with: a white_list of addresses the manager must never block (your own included), and a timeout so a block expires on its own instead of needing console access to undo.
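As an added example (not the author's own configuration), here is the manager-side ossec.conf fragment for the behaviour described above: the built-in sshd brute-force rules trigger firewall-drop on the agent that raised the alert, with a timeout so the block expires and a white_list so the administrator's address can never be blocked. The address 192.168.1.10 stands for the admin workstation and is a placeholder.

```xml
<!-- Fragment of /var/ossec/etc/ossec.conf on the Wazuh manager.
     Added example; 192.168.1.10 is a placeholder for the host you administer from. -->
<ossec_config>
  <global>
    <!-- Addresses the manager must never dispatch a block against, checked
         before any active response is sent. Add your own workstation here
         BEFORE enabling the response below, not after the first lockout. -->
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>192.168.1.10</white_list>
  </global>

  <!-- The command: firewall-drop, shipped in /var/ossec/active-response/bin/,
       adds an iptables DROP for the alert's source IP. timeout_allowed lets
       the same script be invoked again later to remove that rule. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to the built-in sshd brute-force rules: 5712 (repeated
       failures for non-existent users) and 5720 (multiple failures for existing
       users). location=local runs the script on the agent that produced the
       alert. timeout is in seconds; it is what turns a permanent lockout into
       a ten-minute one. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Test the response from a throwaway VM, not from the machine you are logged in from. If you do get blocked anyway, the drop rule disappears on the agent when the timeout elapses; with no timeout configured it stays until someone with console access removes it by hand.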

Final Thoughts

Building this detection lab taught me more about enterprise security architecture than any multiple-choice exam. It’s a messy, complex, and rewarding process.