Wazuh is a free, open-source security platform that gives you the kind of threat detection and event monitoring that enterprise security teams use, running right in your home lab. In this guide I’ll walk through creating an Ubuntu Server VM in Proxmox, installing the Wazuh single-node stack, accessing the dashboard, and deploying an agent to a Windows 11 machine so you can see real security events across your network.
Reboot after updates complete:
This takes 10–15 minutes. At the end of the install the script prints your admin credentials. Copy the password immediately; you’ll need it to log into the dashboard.
What Is Wazuh and Why Run It in a Home Lab?
Wazuh is a SIEM: a Security Information and Event Management system. It collects logs and events from every machine you connect it to, runs them through detection rules, and surfaces alerts in a centralised dashboard. Failed logins, file integrity changes, unusual process activity, compliance checks: it catches all of it. Most home labs have zero visibility into what’s actually happening on the network. Wazuh changes that, and it’s genuinely the same tooling used in professional SOC environments. Running it yourself is both practically useful and excellent hands-on security experience.
Note: Hardware used in this guide: Dell Latitude 5411 running Proxmox VE. The Wazuh VM runs on Ubuntu Server 24.04 with 4 vCPUs, 8GB RAM, and 50GB disk, the minimum Wazuh recommends for a single-node install.
What You’ll Need
- Proxmox VE installed and accessible (see: Proxmox VE Home Lab Setup)
- Ubuntu Server 24.04 ISO uploaded to Proxmox
- A Windows 11 machine (VM or physical) to deploy the agent to
- Internet access on the Ubuntu VM for downloading Wazuh packages
- wazuh.com: official documentation
Step-by-Step Setup
1. Create the Ubuntu Server VM in Proxmox
In the Proxmox web UI, select your node and click Create VM. Configure it as follows (these are Wazuh’s minimum recommended specs for a single-node install):
- OS: Ubuntu Server 24.04 ISO
- System: Leave defaults (SeaBIOS, no TPM needed)
- Disk: 50 GB (increase from the default). Set to SATA for broader compatibility
- CPU: 4 cores
- Memory: 8192 MB (8 GB)
- Network: Leave as default bridge (vmbr0)
- Language: English
- Skip the installer update; you’ll run updates manually after boot
- Storage: use the entire disk, no LVM group needed for a home lab (easier to expand disks later without LVM)
- Set your server name (e.g. wazuh) and a username
- Enable OpenSSH: tick this during install so you can connect remotely
- No additional snaps needed
2. Update the operating system
Log in and run updates before installing anything else:
    sudo apt update && sudo apt upgrade -y
    sudo reboot
3. Install Wazuh prerequisites
After rebooting, log back in and install the required packages:
    sudo apt install -y curl apt-transport-https software-properties-common gnupg
4. Disable the firewall
For a home lab installation, disable UFW before running the Wazuh installer, because it configures its own rules and UFW can interfere:
    sudo ufw disable
Warning: In a production environment you would keep the firewall enabled and open only the required ports. For a home lab this shortcut is fine, but remember to re-enable UFW and configure port rules after installation if you want the extra layer of protection.
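The port rules the warning above refers to, as an added example that is not part of the original guide: it prints the UFW commands that restrict a single-node server to one lab subnet, for use once the installer has finished. It assumes Wazuh's default ports (1514/tcp agent events, 1515/tcp enrollment, 443/tcp dashboard), SSH on 22, and an IPv4 subnet you supply; the function name wazuh_ufw_rules is made up for this example.

```bash
#!/bin/sh
# Added example (not from the original guide): prints the UFW commands that
# lock a single-node Wazuh server down to one lab subnet.
# Assumptions: Wazuh default ports, SSH on 22, IPv4 subnet in CIDR form.
# Ports 9200 (indexer) and 55000 (server API) stay closed on purpose: on an
# all-in-one install they are assumed to be reached only over loopback,
# which UFW always allows.
#
# Review the output first, then apply it:
#   wazuh_ufw_rules 192.168.1.0/24            # dry run, prints only
#   wazuh_ufw_rules 192.168.1.0/24 | sudo sh  # apply

wazuh_ufw_rules() (   # subshell body keeps the variables local
    lan="$1"
    # The output is meant to be piped to a root shell, so refuse anything
    # that is not digits, dots and slashes before checking the CIDR shape.
    case "$lan" in
        ''|*[!0-9./]*) echo "usage: wazuh_ufw_rules <ipv4-cidr>" >&2; exit 1 ;;
    esac
    printf '%s\n' "$lan" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || {
        echo "not an IPv4 CIDR: $lan" >&2; exit 1; }

    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # Each entry is port/proto|purpose
    for rule in \
        "22/tcp|SSH administration" \
        "443/tcp|Wazuh dashboard" \
        "1514/tcp|Wazuh agent events" \
        "1515/tcp|Wazuh agent enrollment"
    do
        spec="${rule%%|*}"; why="${rule#*|}"
        echo "ufw allow from $lan to any port ${spec%/*} proto ${spec#*/} comment '$why'"
    done
    echo "ufw --force enable"
)
```

Run `sudo ufw status verbose` afterwards and confirm a Windows agent still reports as Active before relying on the rules.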
5. Download and run the Wazuh installer
Download the official Wazuh install script, make it executable, and run it with the -a flag to install all components (indexer, server, and dashboard) in a single pass:
    curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh
    sudo chmod +x wazuh-install.sh
    sudo ./wazuh-install.sh -a
Tip: If you missed the password during install, retrieve it with:
    sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
6. Access the Wazuh dashboard
Once the installer finishes, it shows the dashboard URL. From any machine on your network, open a browser and go to that URL. Accept the self-signed certificate warning. Log in with:
- Username: admin
- Password: the password printed at the end of the install
7. Deploy a Wazuh agent to Windows 11
In the Wazuh dashboard go to Agents → Deploy new agent. Configure the deployment:
- Select Windows as the operating system
- Enter your Wazuh server’s IP address as the manager address
- Give the agent a name (e.g. windows11-lab)
- Tick Remember server address for future agent deployments
NET START WazuhSvc
8. Verify the agent in the dashboard
Switch back to the Wazuh dashboard and go to Agents. Within a minute your Windows 11 machine should appear with status Active. Click through to the agent to see its security events: failed logins, process activity, file changes, and more will start populating immediately.
Tip: Add agents to every machine in your lab: Ubuntu VMs, Raspberry Pis, Windows machines. The single-node Wazuh server handles dozens of agents comfortably for a home lab environment.