
SIEM installation


Today’s focus was expanding the home lab by deploying Wazuh SIEM on a second laptop. To keep things flexible, I opted for a Docker container deployment. Since this is a testing phase, I’m not overly concerned about potential issues; I plan to have a more permanent, dedicated system in place by the time the lab goes "production."

For now, the Dockerized Wazuh will be a "start-and-stop" process. This allows me to keep the laptop available for lab expansions while still having enough resources to stay on top of my university coursework.

The Hurdles: Passwords and Architectures

The first major struggle today was a stubborn authentication issue. For some reason, Wazuh refused to let me change the default admin password. From a security standpoint, leaving default credentials active is a massive red flag, so I spent a good chunk of time troubleshooting until it finally took.

Next came the agent deployment. A small but critical detail the Wazuh dashboard doesn't explicitly highlight is that the install command it generates assumes a particular CPU architecture. When deploying to my Raspberry Pi, the default amd64 command failed; I had to manually swap amd64 for arm64 in the installation string. Once that simple edit was made, the agent connected instantly without further issues.

The Long Road Ahead: Vulnerability Triage

The biggest task—and likely the most time-consuming—is tackling the mountain of vulnerabilities Wazuh just handed me:

  • 40 Critical/High

  • 72 Medium

  • 4 Low

It’s an intimidating list at first glance, but a quick deep-dive reveals some interesting context. Looking at the first few "High" alerts, I found that Debian (the OS on my Pi) has actually marked some of these as "<ignored>".

In many cases, Debian's security team deems the risk "Minor" or "Local only," meaning a user would have to manually run a very specific, obscure command for the vulnerability to even be a threat. It’s a good reminder that SIEM alerts require a human touch to separate real risks from "paper" vulnerabilities.
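As an added illustration (not code from the original post): a small Python triage pass that applies exactly this filter, marking Wazuh findings that Debian's own tracker flags as ignored or unimportant as noise, findings with a fix available as patch, and everything else as investigate. The alert field names are assumed to mirror Wazuh's data.vulnerability.* layout, the tracker excerpt is assumed to follow the Debian security tracker's JSON export, and the CVE ids and packages are constructed placeholders.

```python
from collections import Counter

# Constructed sample alerts. The field layout is assumed to mirror the
# data.vulnerability.* fields of Wazuh vulnerability-detector alerts;
# the CVE ids and packages are placeholders, not findings from the lab.
SAMPLE_ALERTS = [
    {"agent": {"name": "pi"}, "data": {"vulnerability": {
        "cve": "CVE-0000-0001", "severity": "High",
        "package": {"name": "libfoo", "version": "1.2-3"}}}},
    {"agent": {"name": "pi"}, "data": {"vulnerability": {
        "cve": "CVE-0000-0002", "severity": "Critical",
        "package": {"name": "openssl", "version": "3.0.1-1"}}}},
    {"agent": {"name": "pi"}, "data": {"vulnerability": {
        "cve": "CVE-0000-0003", "severity": "Medium",
        "package": {"name": "libbar", "version": "2.0-1"}}}},
]

# Constructed excerpt shaped like the Debian security tracker JSON export
# (package -> CVE -> releases -> release -> status fields). Assumed layout.
DEBIAN_TRACKER = {
    "libfoo": {"CVE-0000-0001": {"releases": {"bookworm": {
        "status": "open", "urgency": "unimportant",
        "nodsa": "Minor issue, local only", "nodsa_reason": "ignored"}}}},
    "openssl": {"CVE-0000-0002": {"releases": {"bookworm": {
        "status": "resolved", "urgency": "high", "fixed_version": "3.0.2-1"}}}},
}

def triage(alert, tracker, release="bookworm"):
    """Classify one Wazuh alert using the distro's own assessment."""
    v = alert["data"]["vulnerability"]
    entry = (tracker.get(v["package"]["name"], {})
             .get(v["cve"], {}).get("releases", {}).get(release))
    result = {"cve": v["cve"], "package": v["package"]["name"],
              "severity": v["severity"]}
    if entry is None:
        result.update(action="investigate", reason="not in Debian tracker")
    elif entry.get("nodsa_reason") == "ignored" or entry.get("urgency") == "unimportant":
        # Debian has judged this not worth a fix: record it, but treat as noise.
        result.update(action="noise", reason=entry.get("nodsa", "ignored by Debian"))
    elif entry["status"] == "resolved":
        # A fixed package exists; Wazuh only alerts while the installed
        # version is older, so this is a straightforward upgrade.
        result.update(action="patch", reason=f"fixed in {entry['fixed_version']}")
    else:
        result.update(action="investigate", reason="open in Debian, no fix yet")
    return result

def triage_all(alerts, tracker):
    """Return per-alert decisions plus a count per action for the dashboard."""
    rows = [triage(a, tracker) for a in alerts]
    return rows, Counter(r["action"] for r in rows)
```

Run against the real export, the noise bucket is what gets filed as accepted risk rather than deleted, so the decision is still auditable later.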

Next Steps

Over the next few days, I’ll be balancing three plates:

  1. Dissertation Prep: Mapping out my initial ideas and research.

  2. Lab Hardening: Continuing to build out the environment.

  3. Vulnerability Triage: Methodically working through the Wazuh list to see what needs a patch and what is just "noise."