Building a Wazuh SIEM Lab Using VirtualBox on a Windows 11 Host

A Hands-On Guide to Understanding and Deploying Open-Source SIEM for Real-World Cybersecurity Practice


Introduction

Let’s face it: the cyber threat landscape is evolving faster than ever. With more devices, more data, and more vulnerabilities, staying ahead of attackers is a serious challenge. That’s where SIEM (Security Information and Event Management) solutions come into play. These tools are like the central nervous system of modern cybersecurity operations—collecting, analyzing, and responding to security data in real time.

In this guide, we’ll explore how to deploy one of the most popular open-source SIEM platforms: Wazuh. But this isn’t just a technical manual. We’ll dig into the what, why, and how of Wazuh, walk you through a real-world lab setup using VirtualBox, and make sure you’re not just following commands—but truly understanding the power of what you’re building.


What Exactly is Wazuh?

Imagine having eyes and ears on every server, desktop, and device in your network. That’s what Wazuh does. It’s an open-source security monitoring platform born from the original OSSEC project but now fully evolved into a modern SIEM powerhouse. Wazuh monitors your systems, detects intrusions, enforces compliance policies, analyzes logs, and helps you respond to incidents—all from one central dashboard.

Behind the scenes, Wazuh works like a well-coordinated orchestra. It has lightweight agents that sit on each machine, keeping tabs on system activity. These agents send data to a manager component that processes everything using a ruleset. Then the indexer (a fork of OpenSearch, which is itself derived from Elasticsearch) stores and structures that data, and finally the dashboard (based on OpenSearch Dashboards, the Kibana fork) lets you visualize and interact with the alerts and events.

Wazuh can be deployed in the cloud, on-premises, or in hybrid environments. It supports Windows, Linux, macOS, and even Docker containers. Whether you’re monitoring a few endpoints or thousands, Wazuh is built to scale.


Why Wazuh and Not Something Else?

There are plenty of commercial SIEMs out there—Splunk, QRadar, ArcSight to name a few. But here’s the kicker: they can be expensive, complex to license, and not always customizable. Wazuh flips the script. It’s free, open-source, and incredibly powerful. You get full control over your SIEM stack with no vendor lock-in.

On top of that, Wazuh integrates seamlessly with the Elastic Stack, so you can leverage the speed and scalability of Elasticsearch along with the visualization power of Kibana. And with features like active response, compliance auditing, and file integrity monitoring baked in, it’s more than just a log collector—it’s a full-fledged security operations platform.


How Wazuh Works – The Magic Behind the Curtain

Think of Wazuh as a five-layer system. First, you have the Wazuh Agents, tiny programs installed on endpoints that watch everything—logins, file changes, system events. They talk securely to the Wazuh Manager, which processes all that juicy data, comparing it against known rules and generating alerts when something fishy happens.

Next comes Filebeat, a log shipper that ferries the alerts from the manager to the Wazuh Indexer. This indexer is like a giant library that catalogs every alert and log entry so you can search, filter, and analyze them in real time. Finally, the Wazuh Dashboard gives you a sleek web interface to visualize it all. Pie charts, timelines, filters—you name it. It’s like your security command center.

Altogether, these components create a closed-loop system that detects, processes, stores, and visualizes every event across your network.


Why Build This Lab?

If you want to understand cybersecurity, theory isn’t enough. You need practice. This lab simulates a real-world enterprise setup with multiple endpoints, a firewall, and centralized SIEM monitoring. You’ll not only install Wazuh, but configure a firewall (pfSense), generate network traffic, simulate attacks, and watch the alerts pop up live.

It’s the perfect playground for students, aspiring SOC analysts, blue teamers, or IT admins making the leap into cybersecurity. And since we’re using VirtualBox, you don’t need expensive hardware or cloud infrastructure. Just a decent PC and some time to tinker.


The Lab Setup – What You’re Building

We’re building a mini enterprise network inside your Windows 11 machine using VirtualBox. Picture this: your host machine is running five virtual machines. One is a firewall to segment the network and simulate real-world conditions. Two are Wazuh components—one for the indexer and one for the server/dashboard. And then you’ve got two endpoints—a Linux desktop and a Windows machine—to act as monitored systems.

The internal network is set to 10.10.20.0/24. The firewall has IP 10.10.20.1 and connects to the internet via NAT. The Wazuh Indexer gets 10.10.20.10, and the Server/Dashboard takes 10.10.20.11. The endpoints get their IPs via DHCP. Each VM is carefully configured with realistic resource allocations to mimic production behavior.


Getting Started – Prepare the Playground

First, install VirtualBox and its Extension Pack from the official website. You’ll also need the ISO files for Ubuntu Server, Ubuntu Desktop, Windows 10 or 11, and pfSense. Create a host-only network in VirtualBox to simulate your internal lab network. We’ll call it vboxnet0 throughout (on a Windows host VirtualBox actually names it something like "VirtualBox Host-Only Ethernet Adapter"; the short name is just for readability). Disable its DHCP server: the Wazuh VMs get static IPs for consistency, and pfSense will serve DHCP to the endpoints on the LAN.

Start by setting up the pfSense firewall. Give it two network adapters: one NAT (for internet access) and one on vboxnet0 for LAN. Install pfSense, configure interfaces, and assign the LAN IP to 10.10.20.1.

Next, create the Wazuh Indexer VM. Use Ubuntu Server and allocate 3 GB RAM and 2 CPUs. Assign it IP 10.10.20.10 and install the Wazuh Indexer using the official packages. Repeat the process for the Wazuh Server/Dashboard VM, assigning IP 10.10.20.11 and installing the Wazuh manager, Filebeat, and the dashboard.

Finally, spin up your Linux and Windows endpoints, letting pfSense’s LAN DHCP server assign them addresses automatically. These will serve as the monitored systems, where you’ll install the Wazuh agent and generate events.


Installing the Pieces – Step by Step

On both Wazuh VMs, add the Wazuh apt repository and its signing key first; the packages are not in Ubuntu’s default repositories:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

On the Wazuh Indexer VM:

sudo apt update && sudo apt install wazuh-indexer -y

On the Wazuh Server/Dashboard VM:

sudo apt update && sudo apt install wazuh-manager filebeat wazuh-dashboard -y

Before starting the services, follow the official step-by-step installation guide to generate the TLS certificates with the Wazuh certs tool and to point the indexer, Filebeat, and dashboard configuration at 10.10.20.10 and 10.10.20.11; the components will not talk to each other without them. Then enable and start the services and open the dashboard at https://10.10.20.11. The default login is admin/admin; change that password as soon as you are in.

On your Linux endpoint, add the Wazuh apt repository and signing key, then install the agent with the manager address passed through the WAZUH_MANAGER variable so the package writes it into ossec.conf for you:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update && sudo WAZUH_MANAGER="10.10.20.11" apt install wazuh-agent -y
sudo /var/ossec/bin/agent-auth -m 10.10.20.11   # enroll with the manager's registration service (TCP 1515)
sudo systemctl daemon-reload && sudo systemctl enable --now wazuh-agent

On the Windows endpoint, download the agent MSI from the Wazuh site and install it. The installer accepts the manager’s IP as the WAZUH_MANAGER property on the msiexec command line, or you can enter it afterwards in the Wazuh Agent Manager window; once it is set, start the Wazuh service.


Watching It All Come Together

Log in to your Wazuh dashboard and navigate to the Agents tab. If everything’s working, you’ll see your endpoints listed as active. Trigger some events—like modifying system files, creating users, or installing software—and watch the alerts roll in. One caveat for the file-change test: the default file integrity monitoring configuration watches directories such as /etc and /usr/bin, and its scheduled scan runs only every 12 hours, so edit a file under a monitored directory and either wait for the next scan or add realtime="yes" to that directory in ossec.conf and restart the agent if the alert does not show up right away.
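Once alerts are flowing, it helps to read them straight off the manager, where they land as one JSON object per line in /var/ossec/logs/alerts/alerts.json, rather than only through the dashboard. The script below is an added example, not code from the original post or from the Wazuh project: it parses constructed sample lines in that shape (rule ids follow Wazuh’s default ruleset numbering, agent names and IPs are made up), tolerates a half-written line such as you get from a live tail, and pulls out the per-agent counts, file-change and new-user events the lab has you generate.

```python
import json
from collections import Counter

# Constructed sample of alerts.json lines (newline-delimited JSON, one alert per
# line) in the shape the Wazuh manager writes; not captured from a real lab. The
# last line is deliberately truncated, as a live tail of the file can produce.
SAMPLE_ALERTS = r"""
{"timestamp":"2024-01-01T10:00:01.000+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"]},"agent":{"id":"001","name":"ubuntu-desktop","ip":"10.10.20.101"},"syscheck":{"path":"/etc/hosts","event":"modified"}}
{"timestamp":"2024-01-01T10:00:05.000+0000","rule":{"level":8,"description":"New user added to the system","id":"5902","groups":["syslog","adduser"]},"agent":{"id":"001","name":"ubuntu-desktop","ip":"10.10.20.101"},"full_log":"useradd[1234]: new user: name=tester, UID=1001"}
{"timestamp":"2024-01-01T10:00:09.000+0000","rule":{"level":7,"description":"File added to the system.","id":"554","groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"]},"agent":{"id":"002","name":"win11-endpoint","ip":"10.10.20.102"},"syscheck":{"path":"C:\\Windows\\Temp\\setup.exe","event":"added"}}
{"timestamp":"2024-01-01T10:00:12.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5760","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"ubuntu-desktop","ip":"10.10.20.101"}}
{"timestamp":"2024-01-01T10:00:13.000+0000","rule":{"level":3,"desc
"""


def parse_alerts(text):
    """Parse newline-delimited alerts; return (alerts, number_of_bad_lines)."""
    alerts, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # partial write from a live tail: skip it, keep going
    return alerts, bad


def triage(alerts, min_level=5):
    """Summarise alerts the way you would eyeball them on the dashboard."""
    return {
        "by_agent": Counter(a["agent"]["name"] for a in alerts),
        "by_rule": Counter(a["rule"]["id"] for a in alerts),
        # FIM (syscheck) alerts carry the changed path and the kind of change
        "fim_changes": [(a["agent"]["name"], a["syscheck"]["path"], a["syscheck"]["event"])
                        for a in alerts if "syscheck" in a],
        # user-creation alerts are tagged with the "adduser" rule group
        "new_users": [a["full_log"] for a in alerts if "adduser" in a["rule"]["groups"]],
        # Wazuh levels run 0-15; anything at or above min_level deserves a look
        "needs_attention": [(a["rule"]["id"], a["rule"]["level"])
                            for a in alerts if a["rule"]["level"] >= min_level],
    }


if __name__ == "__main__":
    parsed, bad = parse_alerts(SAMPLE_ALERTS)
    summary = triage(parsed)
    print(f"{len(parsed)} alerts parsed, {bad} malformed line(s) skipped")
    for agent, n in summary["by_agent"].most_common():
        print(f"  {agent}: {n} alert(s)")
    for agent, path, event in summary["fim_changes"]:
        print(f"  FIM: {agent} {event} {path}")
```

Point it at a copy of the real alerts.json from your manager and the same functions give you a quick sanity check that both agents are reporting and that the test events you triggered actually produced alerts.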

This is the real magic of Wazuh. You get full visibility across your systems, real-time alerting, and an intuitive dashboard to manage everything.


Where to Go From Here

Once your lab is running, don’t stop there. Try integrating threat intelligence feeds. Tune the rules to reduce false positives. Enable email or Slack notifications. You can also explore advanced log pipelines using Logstash, or even forward logs from cloud services into Wazuh.

This lab is just the beginning. Mastering Wazuh means diving deep into alert tuning, detection engineering, and automation. It’s your first step into the world of blue team operations.


References

Wazuh Official Docs: https://documentation.wazuh.com
Elastic Stack Overview: https://www.elastic.co/what-is/elk-stack
Wazuh GitHub: https://github.com/wazuh/wazuh
pfSense Firewall: https://www.pfsense.org/download/
Filebeat Documentation: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
OSSEC Project: https://www.ossec.net
SANS SIEM White Papers: https://www.sans.org/white-papers/siem/
Compliance Features: https://documentation.wazuh.com/current/compliance/index.html


This guide is designed to empower curious minds to build real security solutions with real tools. Stay tuned for upcoming posts on detection tuning, active response, and cloud SIEM integration.