Security infrastructure case study

SIEM HomeLab: Wazuh + Graylog

Current public scope: a staged SIEM HomeLab with a Wazuh Indexer, Wazuh Dashboard, Graylog Server, Wazuh Manager, and initial Debian 12 and Windows Server 2025 endpoint agents in VMware Workstation. The repository documents TLS setup, single-node indexer tuning, dashboard deployment, Graylog 7.0.5 with MongoDB 8.0 and Java 21, manager-to-Graylog forwarding through Fluent Bit, dashboard-manager integration, Sysmon on Windows, Packetbeat on Debian, and endpoint telemetry validation. Graylog parsing, routing, Grafana, alerting, and finalized pipeline artifacts remain planned for later parts.

  • 6 hosts: dedicated VMs for Wazuh components, Graylog, Debian 12 telemetry, and Windows Server 2025 telemetry.
  • 192.168.71.100: static IP for the single-node Wazuh Indexer and OpenSearch-compatible backend.
  • 192.168.71.103: static IP for the Wazuh Dashboard with browser access over HTTPS.
  • 192.168.71.101:9000: Graylog Server web interface, verified after MongoDB, Java, TLS, and backend setup.
  • 192.168.71.102: Wazuh Manager, forwarding raw alerts to Graylog with Fluent Bit over TCP port 5555.

Current scope

  • Task: build and document the first five stages of a SIEM HomeLab using Wazuh, Graylog, Fluent Bit, Sysmon, and Packetbeat.
  • Environment: VMware Workstation NAT network on 192.168.71.0/24 with separate server VMs and monitored Debian 12 and Windows Server 2025 endpoints.
  • Completed: Indexer, Dashboard, Graylog Server, Wazuh Manager, Graylog TCP input, Fluent Bit forwarding, Linux and Windows agent groups, Debian and Windows agents, Sysmon, and Packetbeat.
  • Artifacts: public deployment guides for Parts 1-5, architecture diagrams, screenshot-backed troubleshooting notes, and written verification steps in the GitHub repo.
  • Still planned: Graylog parsing, streams, routing, retention policy, Grafana, alerting, downstream dashboards, and finalized pipeline artifacts.

Verification and issues

Graylog server deployment

Graylog 7.0.5 is deployed on a dedicated VM with MongoDB 8.0, Java 21, generated secrets, backend truststore setup, and successful web UI login.

Manager to Graylog forwarding

A Raw/Plaintext TCP input on Graylog listens on port 5555, and Fluent Bit forwards Wazuh Manager alert output from alerts.json.
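The forwarding stage described above, as an added example that is not code from the lab repository or from Fluent Bit: a small Python stand-in that tails the manager's alerts.json and frames each alert for Graylog's Raw/Plaintext TCP input. The host, port and file path are the lab values from this page; the sample alert lines, rule ids and descriptions are constructed for the demonstration, and the optional CA-file argument (which switches the same path to TLS, the page's stated production recommendation) is an assumption of this example. It also handles the one failure mode a tail-style forwarder must get right: a half-written last line is held back until the next read rather than sent as a broken message.

```python
"""Added example, not code from the lab repository: a minimal Python stand-in for
the Fluent Bit stage that tails the Wazuh Manager's alerts.json and forwards each
alert to Graylog's Raw/Plaintext TCP input. Host, port and file path are the lab
values from the page; the sample alert lines are constructed for this demo."""
from __future__ import annotations

import json
import os
import socket
import ssl
import time
from typing import Callable, Optional

GRAYLOG_HOST = "192.168.71.101"                     # graylog-server (from the page)
GRAYLOG_PORT = 5555                                 # Raw/Plaintext TCP input (from the page)
ALERTS_PATH = "/var/ossec/logs/alerts/alerts.json"  # Wazuh alert source (from the page)

# Constructed sample of what one read() from alerts.json can return while the
# manager is still writing: three complete lines (one of them not JSON) and a
# truncated fourth alert. Rule ids and descriptions are made up for the demo.
SAMPLE_CHUNK = (
    b'{"timestamp":"2025-01-01T00:00:00.000+0000","rule":{"level":5,"description":'
    b'"sshd: authentication failed.","id":"5716"},"agent":{"id":"001","name":"debian12-1"}}\n'
    b'{"timestamp":"2025-01-01T00:00:01.000+0000","rule":{"level":3,"description":'
    b'"Sysmon - Event 1: Process creation.","id":"61603"},"agent":{"id":"002","name":"windows-server-2025-1"}}\n'
    b"this line is not JSON\n"
    b'{"timestamp":"2025-01-01T00:00:02.000+0000","rule":{"level":7,"desc'
)


def split_complete_lines(buffer: bytes) -> tuple[list[bytes], bytes]:
    """Separate complete newline-terminated lines from an unfinished tail.
    alerts.json is appended to while it is read, so the last chunk may be a
    half-written alert; it is returned as the remainder and prepended to the
    next read instead of being forwarded as a broken message."""
    *lines, rest = buffer.split(b"\n")
    return [line for line in lines if line.strip()], rest


def frame_alert(line: bytes) -> Optional[bytes]:
    """Validate one line as a JSON object and re-serialise it compactly with a
    single trailing newline, the framing the raw TCP input uses to delimit
    messages. Anything that is not a JSON object is rejected (None)."""
    try:
        alert = json.loads(line)
    except ValueError:
        return None
    if not isinstance(alert, dict):
        return None
    return json.dumps(alert, separators=(",", ":")).encode() + b"\n"


def forward(lines: list[bytes], send: Callable[[bytes], None]) -> dict[str, int]:
    """Frame and send each complete line; report what was sent and dropped so a
    rising 'dropped' count is visible instead of alerts being lost silently."""
    stats = {"sent": 0, "dropped": 0}
    for line in lines:
        framed = frame_alert(line)
        if framed is None:
            stats["dropped"] += 1
            continue
        send(framed)
        stats["sent"] += 1
    return stats


def open_connection(host: str, port: int, cafile: Optional[str] = None) -> socket.socket:
    """Plain TCP matches the lab's Raw/Plaintext input. Supplying the CA file
    that signed the Graylog input certificate (assumed parameter) wraps the
    socket in TLS instead, which the page recommends for production forwarding."""
    sock = socket.create_connection((host, port))
    if cafile is None:
        return sock
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(sock, server_hostname=host)


def tail_and_forward(path: str = ALERTS_PATH, host: str = GRAYLOG_HOST,
                     port: int = GRAYLOG_PORT, cafile: Optional[str] = None) -> None:
    """Follow alerts.json from its current end (new alerts only, like a default
    tail input) and forward complete alerts as they appear."""
    remainder = b""
    with open(path, "rb") as fh, open_connection(host, port, cafile) as sock:
        fh.seek(0, os.SEEK_END)
        while True:
            chunk = fh.read()
            if not chunk:
                time.sleep(1)
                continue
            complete, remainder = split_complete_lines(remainder + chunk)
            forward(complete, sock.sendall)


if __name__ == "__main__":
    tail_and_forward()
```

Run it on the manager as a user that can read alerts.json; with the sample chunk above, two alerts are framed and sent, the non-JSON line is counted as dropped, and the truncated alert is carried over until the rest of it arrives. The per-batch counts are the check worth watching on the manager side: when Graylog shows fewer messages than the manager produced, the dropped counter tells you whether the loss happened before the wire.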

Endpoint telemetry

Debian 12 and Windows Server 2025 agents are onboarded, with Packetbeat adding Linux network flow records and Sysmon adding Windows endpoint telemetry.

Current limit

Raw Wazuh, Sysmon, and Packetbeat messages are being collected, but Graylog parsing, routing, dashboards, and alerting are still future work.

Documented architecture

The current public build has the Wazuh server components online, the Wazuh Dashboard connected to the manager API, and two monitored endpoints feeding telemetry through the manager. Graylog receives raw Wazuh output through Fluent Bit; parsing and downstream routing are the next phase.

Architecture diagram (nodes and flows recovered from the figure):
  • Browser / Reviewer: reaches the Wazuh Dashboard over HTTPS 443 and Graylog over HTTP 9000.
  • wazuh-dashboard (Ubuntu 24.04.4 LTS, 192.168.71.103): manager API client to wazuh-manager.
  • wazuh-manager (Ubuntu 24.04 LTS, 192.168.71.102): agent registration on 1515, agent events on 1514; Fluent Bit forwards alerts.json to TCP 5555.
  • graylog-server (Graylog 7.0.5 / MongoDB 8.0, 192.168.71.101:9000): Raw TCP input on 5555.
  • wazuh-indexer (OpenSearch backend, 192.168.71.100:9200): TLS-secured indexer.
  • debian12-1 (192.168.71.201): Wazuh agent + Packetbeat.
  • windows-server-2025-1 (192.168.71.202): Wazuh agent + Sysmon.
  • Future processing: Graylog parsing/routing, Grafana + alerting.
  • Flows: Fluent Bit / alerts.json to TCP 5555; agent enrollment on 1515, event flow on 1514.

Current network: VMware NAT on 192.168.71.0/24. Publicly documented access points include the Wazuh Dashboard at https://192.168.71.103, Graylog at http://192.168.71.101:9000, the Wazuh Manager at 192.168.71.102, and Indexer backend access on 9200.

Configuration artifact

This excerpt reflects values documented in the public deployment guides, not local config snapshots.

# Wazuh Indexer
network.host: 192.168.71.100
node.name: wazuh-indexer
cluster.initial_master_nodes: ["wazuh-indexer"]
bootstrap.memory_lock: true
# compatibility.override_main_response_version: true

# JVM sizing
-Xms4g
-Xmx4g

# Wazuh Dashboard
server.host: 192.168.71.103
opensearch.hosts: ["https://wazuh-indexer:9200"]

# Graylog Server
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = https://graylog:REDACTED@192.168.71.100:9200
GRAYLOG_SERVER_JAVA_OPTS includes:
-Djavax.net.ssl.trustStore=/etc/graylog/server/certs/cacerts

# Wazuh Manager
manager host: 192.168.71.102
agent registration: TCP 1515
agent event traffic: TCP 1514
Fluent Bit output: 192.168.71.101:5555
Wazuh alert source: /var/ossec/logs/alerts/alerts.json

# Endpoint telemetry
debian12-1: 192.168.71.201, Wazuh agent, Packetbeat JSON
windows-server-2025-1: 192.168.71.202, Wazuh agent, Sysmon eventchannel

The earlier Graylog setup notes record two corrections: a TLS hostname/SAN mismatch, resolved by pointing Graylog at 192.168.71.100 instead of the wazuh-indexer hostname, and a correction to the indexer's backend compatibility override setting.

Recorded verification steps

Check     | What was verified
Indexer   | indexer-security-init.sh completed and the Wazuh Indexer service was verified active.
Dashboard | The Wazuh Dashboard login page was reached at https://192.168.71.103.
MongoDB   | MongoDB 8.0 installation, service enablement, restart, and active-state verification are recorded.
Graylog   | The Graylog web UI was reached after login at http://192.168.71.101:9000, and TCP input 5555 was verified listening.
Manager   | Wazuh Manager was installed, hardened with registration password support, connected to the Dashboard, and forwarding raw messages to Graylog through Fluent Bit.
Agents    | Debian 12 and Windows Server 2025 agents were deployed, with registration on 1515 and event traffic on 1514.
Telemetry | Sysmon events were collected from Windows, Packetbeat JSON flow records were generated on Debian, and endpoint events were confirmed from Wazuh Manager logs.

Current limitations

  • The single-node Wazuh Indexer has no high availability or replica resilience.
  • The Graylog Server and MongoDB deployment is single-node and suitable for lab learning, not production availability.
  • The Graylog Raw/Plaintext TCP input is acceptable for lab traffic, but production forwarding should use TLS.
  • Raw Wazuh, Sysmon, and Packetbeat messages still need parsing into searchable Graylog fields.
  • Streams, pipelines, routing behavior, retention policy, Grafana, and alerting still need to be configured.