Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsStudyTraining
ProjectsChecklistsAI RankingsNewsletterStatusTagsAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Study
Training
Projects
Checklists
AI Rankings
Newsletter
Status
Tags
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

429+ Articles
114+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Projects
  3. Build Your Own SIEM with Open-Source Tools
Build Your Own SIEM with Open-Source Tools
PROJECTAdvanced

Build Your Own SIEM with Open-Source Tools

Step-by-step project guide for building a functional SIEM using Wazuh, Elastic, and Grafana. Perfect for homelabs and small businesses.

Dylan H.

Security Engineer

February 1, 2026
4 min read
8-12 hours

Tools & Technologies

DockerWazuhElasticsearchGrafanaLinux

Build Your Own SIEM with Open-Source Tools

In this comprehensive project guide, we'll build a fully functional Security Information and Event Management (SIEM) system using open-source tools. By the end, you'll have enterprise-grade security monitoring for your homelab or small business.

Project Overview

What We're Building

┌───────────────────────────────────────────────────────────┐
│                     SIEM Architecture                     │
├───────────────────────────────────────────────────────────┤
│                                                           │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐      │
│  │ Windows │  │  Linux  │  │ Network │  │  Cloud  │      │
│  │ Agents  │  │ Agents  │  │ Devices │  │  Logs   │      │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘      │
│       │            │            │            │            │
│       └────────────┴─────┬──────┴────────────┘            │
│                          │                                │
│                   ┌──────▼──────┐                         │
│                   │    Wazuh    │                         │
│                   │   Manager   │                         │
│                   └──────┬──────┘                         │
│                          │                                │
│           ┌──────────────┼──────────────┐                 │
│           │              │              │                 │
│    ┌──────▼──────┐ ┌─────▼─────┐ ┌──────▼──────┐         │
│    │Elasticsearch│ │   Wazuh   │ │   Grafana   │         │
│    │   Cluster   │ │ Dashboard │ │  Dashboards │         │
│    └─────────────┘ └───────────┘ └─────────────┘         │
│                                                           │
└───────────────────────────────────────────────────────────┘

Prerequisites

Before starting, ensure you have:

  • Linux server (Ubuntu 22.04+ recommended)
  • Minimum 8GB RAM (16GB recommended)
  • 100GB+ storage
  • Docker and Docker Compose installed
  • Basic Linux command line knowledge

Part 1: Infrastructure Setup

Step 1: Prepare the Server

# Update system
sudo apt update && sudo apt upgrade -y
 
# Install dependencies
sudo apt install -y curl wget gnupg2 apt-transport-https
 
# Install Docker
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
 
# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Step 2: Create Project Structure

mkdir -p ~/siem/{wazuh,elastic,grafana,config}
cd ~/siem

Part 2: Deploy Wazuh

Wazuh is our core SIEM platform, providing threat detection, integrity monitoring, and compliance.

Docker Compose Configuration

# docker-compose.yml
version: '3.8'
 
services:
  wazuh-manager:
    image: wazuh/wazuh-manager:4.7.0
    hostname: wazuh-manager
    restart: always
    ports:
      - "1514:1514/udp"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword123!
      - FILEBEAT_SSL_VERIFICATION_MODE=none
    volumes:
      - wazuh-manager-config:/var/ossec/etc
      - wazuh-manager-logs:/var/ossec/logs
      - wazuh-manager-queue:/var/ossec/queue
      - wazuh-manager-var:/var/ossec/var
      - wazuh-manager-integrations:/var/ossec/integrations
    networks:
      - siem-network
 
  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.7.0
    hostname: wazuh-indexer
    restart: always
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
    networks:
      - siem-network
 
  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.7.0
    hostname: wazuh-dashboard
    restart: always
    ports:
      - "443:5601"
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword123!
      - WAZUH_API_URL=https://wazuh-manager
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr3tP4ssw0rd!
    depends_on:
      - wazuh-indexer
      - wazuh-manager
    networks:
      - siem-network
 
networks:
  siem-network:
    driver: bridge
 
volumes:
  wazuh-manager-config:
  wazuh-manager-logs:
  wazuh-manager-queue:
  wazuh-manager-var:
  wazuh-manager-integrations:
  wazuh-indexer-data:

Deploy the Stack

# Set vm.max_map_count for Elasticsearch
sudo sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
 
# Start the SIEM stack
docker-compose up -d
 
# Check status
docker-compose ps

Part 3: Install Wazuh Agents

Linux Agent Installation

# Add Wazuh repository
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor | sudo tee /usr/share/keyrings/wazuh.gpg
 
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
 
# Install agent
sudo apt update
sudo WAZUH_MANAGER='YOUR_MANAGER_IP' apt install wazuh-agent
 
# Start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Windows Agent Installation

# Download and install
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
 
Start-Process msiexec.exe -ArgumentList '/i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"' -Wait
 
# Start service
Start-Service WazuhSvc

Part 4: Configure Detection Rules

Custom Rule Example

Create custom rules to detect specific threats:

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="custom,">
 
  <!-- Detect brute force SSH attempts -->
  <rule id="100001" level="10">
    <if_sid>5710</if_sid>
    <match>Failed password</match>
    <description>SSH brute force attempt detected</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
 
  <!-- Detect suspicious PowerShell -->
  <rule id="100002" level="12">
    <if_sid>60010</if_sid>
    <field name="win.eventdata.commandLine">-enc|encodedcommand|bypass</field>
    <description>Suspicious PowerShell execution detected</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
 
</group>

Part 5: Add Grafana Dashboards

For enhanced visualization, add Grafana:

# Add to docker-compose.yml
  grafana:
    image: grafana/grafana:latest
    hostname: grafana
    restart: always
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=admin
      - GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-piechart-panel
    volumes:
      - grafana-data:/var/lib/grafana
    networks:
      - siem-network

Verification Checklist

After deployment, verify everything is working:

  • Wazuh Dashboard accessible at https://your-ip:443
  • Agents connecting and reporting
  • Events being indexed
  • Alerts generating for test events
  • Grafana dashboards showing data

Troubleshooting

Common Issues

Agents not connecting:

# Check agent status
sudo /var/ossec/bin/agent_control -l
 
# Check manager logs
docker logs wazuh-manager 2>&1 | tail -50

High memory usage:

# Adjust Elasticsearch heap
# In docker-compose.yml, modify:
OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m

Next Steps

Now that your SIEM is operational:

  1. Configure email alerts for critical events
  2. Integrate with threat intelligence feeds
  3. Set up automated response actions
  4. Create custom dashboards for your environment
  5. Implement log retention policies

Resources

  • Wazuh Documentation
  • MITRE ATT&CK Framework
  • Sigma Rules Repository

Questions about this project? Join our Discord community for support!

#SIEM#Wazuh#Elastic#Security Monitoring#Open Source

Related Articles

Azure Sentinel SIEM Implementation

Deploy Microsoft Sentinel as your cloud-native SIEM with data connectors, analytics rules, workbooks, and SOAR automation for comprehensive security operations.

19 min read

Build a Collaborative IPS with CrowdSec

Deploy CrowdSec on a Linux server to get community-powered intrusion prevention — block brute-force attacks, credential stuffing, and vulnerability scanners using crowd-sourced threat intelligence and automatic firewall enforcement.

10 min read

Keycloak SSO: Self-Hosted Identity Provider for Your Homelab

Deploy Keycloak with Docker Compose and PostgreSQL to build a centralised single sign-on platform for your homelab services, with OIDC integration for...

11 min read
Back to all Projects