
📊 SIEM & log management

Wazuh

Open-source SIEM and XDR platform with built-in agents for endpoints and servers.

Difficulty: Intermediate · Time: 2–4 hours · Cost: Free (GPLv2)


Why use it

Wazuh combines log analysis, file integrity monitoring, vulnerability detection, and configuration assessment in a single open-source stack. The Cyentrix team uses it as the centrepiece of every home SOC build because it ships with agents that work cross-platform out of the box.

What you get

  • Centralised log collection from Linux, Windows, macOS and cloud services
  • File integrity monitoring (FIM) with real-time alerts
  • Vulnerability detection using NVD and vendor feeds
  • CIS benchmark compliance scanning per host
  • MITRE ATT&CK mapping and rule-based alerting
  • Built-in dashboard (Wazuh Dashboard, a fork of OpenSearch Dashboards) backed by the Wazuh Indexer, an OpenSearch fork; Kibana and Elasticsearch are no longer part of the 4.x stack

System requirements

CPU: 4 cores
RAM: 8 GB minimum, 16 GB recommended
Disk: 50 GB for moderate logging
OS: Linux (Ubuntu 22.04, RHEL/CentOS, Debian)
Docker: Yes

Installation

The all-in-one installer is the fastest path: curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a. The script runs as root, so download it first (as above) and read it before running it rather than piping it straight into bash. When it finishes it prints the generated admin password and leaves the full credential set in wazuh-install-files.tar in the working directory; move that file somewhere private. Docker Compose is the cleanest option for homelab use: clone wazuh/wazuh-docker at the tag matching the version you want, cd into single-node/, generate the indexer certificates with docker compose -f generate-indexer-certs.yml run --rm generator, change the default indexer, dashboard and API credentials that docker-compose.yml ships with, then run docker compose up -d. Agents install via a one-line command per host that the dashboard's Deploy new agent page generates for the host's OS; it embeds the manager address and the agent group, so generate it once per group rather than retyping it.

Suggested configuration

Enable real-time FIM on /etc, /usr/bin and /usr/sbin on every Linux host (the stock Linux agent config already scans these on a schedule; adding realtime="yes" turns the next-scan report into an immediate alert). On Windows, monitor C:\Windows\System32 and the per-user PSReadLine history file under AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine. The history file only captures interactive sessions, so also enable PowerShell script block logging and collect the Microsoft-Windows-PowerShell/Operational event channel. Enable the vulnerability-detector module (renamed vulnerability-detection in 4.8) and schedule weekly full scans. Forward Wazuh alerts to a Slack webhook for high-severity rules (level 12 and above, which Wazuh classifies as high importance); Telegram has no built-in integration, so it needs a custom- prefixed script in /var/ossec/integrations. Tune false positives by adding child rules or overrides in /var/ossec/etc/rules/local_rules.xml rather than editing the shipped ruleset, which upgrades replace.
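The suggestions above, written out in the files Wazuh actually reads. This is an added example for this page, not configuration copied from the Wazuh project or from Cyentrix: a shared agent.conf that the manager pushes to the default agent group, the manager-side ossec.conf blocks for the 4.7 vulnerability detector and a Slack webhook, and a local_rules.xml that silences one noisy path and escalates another. The Slack hook URL, the ignored /etc/motd path and the custom rule IDs 100100 and 100101 are placeholders chosen here; the Ubuntu codename and scan intervals are choices, not defaults.

```xml
<!-- File 1: /var/ossec/etc/shared/default/agent.conf on the manager. Pushed to every
     agent in the "default" group; each os= block only applies to matching agents. -->
<agent_config os="Linux">
  <syscheck>
    <frequency>43200</frequency>
    <!-- realtime: report the change when it happens instead of at the next scheduled scan.
         report_changes keeps a diff of text files, useful for /etc, costly for binaries. -->
    <directories realtime="yes" check_all="yes" report_changes="yes">/etc</directories>
    <directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>

<agent_config os="Windows">
  <syscheck>
    <!-- System32 churns during Windows Update; expect bursts of alerts on patch day -->
    <directories realtime="yes" check_all="yes">%WINDIR%\System32</directories>
    <!-- PSReadLine writes each interactive PowerShell session's history here, per user;
         the wildcard expands to every profile under C:\Users -->
    <directories realtime="yes" check_all="yes" report_changes="yes">C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine</directories>
  </syscheck>
  <!-- Script block logging (enabled separately via GPO or registry) lands in this channel -->
  <localfile>
    <location>Microsoft-Windows-PowerShell/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>

<!-- File 2: /var/ossec/etc/ossec.conf on the manager (4.7 syntax; the block is called
     vulnerability-detection in 4.8). Weekly full scans, daily partial scans. -->
<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>1d</interval>
    <min_full_scan_interval>7d</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>jammy</os>              <!-- Ubuntu 22.04 agents; add one <os> per release in use -->
      <update_interval>1h</update_interval>
    </provider>
    <provider name="msu">         <!-- Microsoft Security Updates feed for Windows agents -->
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>

  <!-- Built-in Slack integration: only alerts at level 12 or above are posted -->
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/REPLACE/WITH/YOURS</hook_url> <!-- placeholder -->
    <level>12</level>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

<!-- File 3: /var/ossec/etc/rules/local_rules.xml. Child rules instead of edits to the shipped
     ruleset, so upgrades do not overwrite them. IDs 100000 to 119999 are reserved for
     custom rules; 100100 and 100101 are placeholders picked for this example. -->
<group name="local,syscheck,">
  <!-- 550 is the ruleset's "integrity checksum changed" rule. A level 0 child with a
       narrower match swallows the hourly motd rewrite without touching rule 550 itself. -->
  <rule id="100100" level="0">
    <if_sid>550</if_sid>
    <field name="file">^/etc/motd$</field>
    <description>Ignore routine /etc/motd rewrites (placeholder path)</description>
  </rule>
  <!-- 550/553/554 are changed/deleted/added. Any of them under /usr/sbin is raised to 12,
       which crosses the Slack threshold configured above. -->
  <rule id="100101" level="12">
    <if_sid>550,553,554</if_sid>
    <field name="file">^/usr/sbin/</field>
    <description>Binary under /usr/sbin changed, deleted or added</description>
    <mitre>
      <id>T1565.001</id>
    </mitre>
  </rule>
</group>
```

Restart the manager after editing files 2 and 3 (systemctl restart wazuh-manager); file 1 is picked up and pushed to agents automatically. Before trusting the Slack threshold, trigger rule 100101 deliberately on a test host (touch a file under /usr/sbin) and confirm both the alert in the dashboard and the Slack message arrive.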

Integration ideas

  • Send alerts to MISP for IoC enrichment
  • Forward high-severity events to TheHive for case management
  • Pull Suricata alerts into the same index for unified detection
  • Use VirusTotal active response for hash lookups
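The VirusTotal and Suricata ideas above as concrete configuration. This is an added example, not configuration taken from the Wazuh project or from Cyentrix. The VirusTotal block makes the manager hash every file that FIM reports and query VirusTotal for it; rule 87105 is the shipped ruleset's rule for a positive verdict, and the remove-threat active response calls a script you write yourself (the name remove-threat.sh and its location are assumptions here, not something Wazuh ships). The Suricata block goes on whichever agent runs Suricata and relies on the ruleset's built-in Suricata rules. MISP and TheHive need custom integration scripts and are not shown.

```xml
<!-- File 1: /var/ossec/etc/ossec.conf on the manager. Every alert in the syscheck group
     (new or changed file) is looked up on VirusTotal by hash. The API key is a placeholder. -->
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>REPLACE_WITH_VIRUSTOTAL_API_KEY</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>

  <!-- Active response: when VirusTotal returns positives (ruleset rule 87105, level 12),
       run remove-threat on the agent that produced the FIM alert. The script itself is
       custom and must be placed in /var/ossec/active-response/bin/ on each agent
       (assumed name; write it to read the alert JSON from stdin and delete the path). -->
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>

<!-- File 2: /var/ossec/etc/ossec.conf on the agent that runs Suricata. EVE JSON is decoded
     by the built-in JSON decoder and matched by the ruleset's Suricata rules, so alerts from
     the sensor land in the same index as host alerts with no extra decoders. -->
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
```

Two cautions worth stating plainly: the free VirusTotal API is rate-limited, so scope the syscheck directories feeding it (download folders, web roots) rather than the whole filesystem, and an automatic delete on a single vendor's verdict is a deliberate availability trade-off; on a home SOC it is acceptable, on a shared host start with the integration alone and add the active response once the alerts look right.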

Alternatives

  • Graylog — Stronger search UX; no endpoint agents of its own, it relies on Sidecar-managed collectors such as Beats.
  • Security Onion — Full NSM distribution with Suricata and Zeek; heavier, and 2.4 dropped the bundled Wazuh in favour of Elastic Agent, so treat it as a replacement rather than a wrapper.
  • Elastic Security — More polished UI; the free Basic tier ships the prebuilt detection rules, but ML-based detections and some alerting connectors need a paid licence.

Cyentrix verdict

The default starting point for a home SIEM. The agent ecosystem is unmatched at this price (free), and the all-in-one installer collapses what used to be a multi-day deployment into an afternoon. Plan for 16 GB RAM if you want it to feel responsive.