Build Your Own SIEM with Open-Source Tools

In this comprehensive project guide, we'll build a fully functional Security Information and Event Management (SIEM) system using open-source tools. By the end, you'll have enterprise-grade security monitoring for your homelab or small business.

Project Overview

What We're Building

┌─────────────────────────────────────────────────────────────┐
│                        SIEM Architecture                      │
├─────────────────────────────────────────────────────────────┤
│                                                               │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐         │
│  │ Windows │  │  Linux  │  │ Network │  │  Cloud  │         │
│  │ Agents  │  │ Agents  │  │ Devices │  │  Logs   │         │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘         │
│       │            │            │            │               │
│       └────────────┴─────┬──────┴────────────┘               │
│                          │                                    │
│                   ┌──────▼──────┐                            │
│                   │   Wazuh     │                            │
│                   │   Manager   │                            │
│                   └──────┬──────┘                            │
│                          │                                    │
│            ┌─────────────┼─────────────┐                     │
│            │             │             │                     │
│     ┌──────▼──────┐ ┌────▼────┐ ┌─────▼─────┐              │
│     │ Elasticsearch│ │ Wazuh  │ │  Grafana  │              │
│     │   Cluster    │ │Dashboard│ │ Dashboards│              │
│     └─────────────┘ └─────────┘ └───────────┘              │
│                                                               │
└─────────────────────────────────────────────────────────────┘

Prerequisites

Before starting, ensure you have:

[ ] Linux server (Ubuntu 22.04+ recommended)
[ ] Minimum 8GB RAM (16GB recommended)
[ ] 100GB+ storage
[ ] Docker and Docker Compose installed
[ ] Basic Linux command line knowledge

Part 1: Infrastructure Setup

Step 1: Prepare the Server

# Update system
sudo apt update && sudo apt upgrade -y
 
# Install dependencies
sudo apt install -y curl wget gnupg2 apt-transport-https
 
# Install Docker
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
 
# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Step 2: Create Project Structure

mkdir -p ~/siem/{wazuh,elastic,grafana,config}
cd ~/siem

Part 2: Deploy Wazuh

Wazuh is our core SIEM platform, providing threat detection, integrity monitoring, and compliance.

Docker Compose Configuration

# docker-compose.yml
version: '3.8'
 
services:
  wazuh-manager:
    image: wazuh/wazuh-manager:4.7.0
    hostname: wazuh-manager
    restart: always
    ports:
      - "1514:1514/udp"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword123!
      - FILEBEAT_SSL_VERIFICATION_MODE=none
    volumes:
      - wazuh-manager-config:/var/ossec/etc
      - wazuh-manager-logs:/var/ossec/logs
      - wazuh-manager-queue:/var/ossec/queue
      - wazuh-manager-var:/var/ossec/var
      - wazuh-manager-integrations:/var/ossec/integrations
    networks:
      - siem-network
 
  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.7.0
    hostname: wazuh-indexer
    restart: always
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
    networks:
      - siem-network
 
  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.7.0
    hostname: wazuh-dashboard
    restart: always
    ports:
      - "443:5601"
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword123!
      - WAZUH_API_URL=https://wazuh-manager
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr3tP4ssw0rd!
    depends_on:
      - wazuh-indexer
      - wazuh-manager
    networks:
      - siem-network
 
networks:
  siem-network:
    driver: bridge
 
volumes:
  wazuh-manager-config:
  wazuh-manager-logs:
  wazuh-manager-queue:
  wazuh-manager-var:
  wazuh-manager-integrations:
  wazuh-indexer-data:

Deploy the Stack

# Set vm.max_map_count for Elasticsearch
sudo sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
 
# Start the SIEM stack
docker-compose up -d
 
# Check status
docker-compose ps

Part 3: Install Wazuh Agents

Linux Agent Installation

# Add Wazuh repository
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor | sudo tee /usr/share/keyrings/wazuh.gpg
 
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
 
# Install agent
sudo apt update
sudo WAZUH_MANAGER='YOUR_MANAGER_IP' apt install wazuh-agent
 
# Start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Windows Agent Installation

# Download and install
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
 
Start-Process msiexec.exe -ArgumentList '/i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"' -Wait
 
# Start service
Start-Service WazuhSvc

Part 4: Configure Detection Rules

Custom Rule Example

Create custom rules to detect specific threats:

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="custom,">
 
  <!-- Detect brute force SSH attempts -->
  <rule id="100001" level="10">
    <if_sid>5710</if_sid>
    <match>Failed password</match>
    <description>SSH brute force attempt detected</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
 
  <!-- Detect suspicious PowerShell -->
  <rule id="100002" level="12">
    <if_sid>60010</if_sid>
    <field name="win.eventdata.commandLine">-enc|encodedcommand|bypass</field>
    <description>Suspicious PowerShell execution detected</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
 
</group>

Part 5: Add Grafana Dashboards

For enhanced visualization, add Grafana:

# Add to docker-compose.yml
  grafana:
    image: grafana/grafana:latest
    hostname: grafana
    restart: always
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=admin
      - GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-piechart-panel
    volumes:
      - grafana-data:/var/lib/grafana
    networks:
      - siem-network

Verification Checklist

After deployment, verify everything is working:

[ ] Wazuh Dashboard accessible at https://your-ip:443
[ ] Agents connecting and reporting
[ ] Events being indexed
[ ] Alerts generating for test events
[ ] Grafana dashboards showing data

Troubleshooting

Common Issues

Agents not connecting:

# Check agent status
sudo /var/ossec/bin/agent_control -l
 
# Check manager logs
docker logs wazuh-manager 2>&1 | tail -50

High memory usage:

# Adjust Elasticsearch heap
# In docker-compose.yml, modify:
OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m

Next Steps

Now that your SIEM is operational:

Configure email alerts for critical events
Integrate with threat intelligence feeds
Set up automated response actions
Create custom dashboards for your environment
Implement log retention policies

Resources

Questions about this project? Join our Discord community for support!

Tools & Technologies