DEV Community

Shoban Chiddarth
Shoban Chiddarth

Posted on

I finished the SIEM Wazuh Home lab

Introduction

Continuing from this post, the SIEM Wazuh lab is done.

You can check it out here: GitHub repo

Demo Video

Further reducing the scope

I dropped pfSense as a log source because setting up syslog on network devices was never a requirement for this lab as well as the bigger project I am building. This is something that will be managed by security analysts, and also there is a limitation with that as everything that will hit :514 will be collected under agent 000 so differentiating between network devices that send logs would be another hectic job.

I just decided not to worry about that and set up Wazuh agents on Windows and Debian and did File Integrity Monitoring, sudo to ROOT privilege escalation monitoring, and SSH brute force detection. I also filtered the logs by providing queries, which is the core focus of the lab for the bigger project I am building. For details on all of that, you can check out the GitHub repo I shared earlier.

Now the network architecture would look like this:

network-architecture-3

Reducing the size of VMs for video recording

I had to reduce the RAM of Kali VM from 12 GB to 4 GB, and Windows from 8 GB to 4 GB. Now if I run all VMs at once without Brave Browser, VSCodium and Obsidian, I would have enough RAM left to run OBS in order to do the demo video and capture it.

Fortunately my PC did not hang and I was able to record it in OBS, edit and render it in Kdenlive for publishing on YouTube. I didn't do any advanced video editing, just basic trimming and merging and then I published it on YouTube (link above).

Future of this project

After submitting all these in the Monday weekly review I am gonna do the exact same thing on AWS using Terraform. Except I won't have a Windows EC2 instance, that is costly and not available for free tier.

In the AWS Hosted lab I plan to set up a web server and make wazuh agent on the webserver monitor the webserver logs as well, and host a vulnerable web application and attack it with Kali. Then the logs for each type of attack will be on Wazuh dashboard, another server will host Wazuh server. And there will be another EC2 which acts as a user's desktop but is not really a desktop.

The reason for hosting the lab in AWS is, we wan't a one click deploy button to spin up the lab from any computer in the world. The core idea of the project is to build on top of a lab. So we need to make the spinning up of the lab as seamless as possible.

After that a chatbot interface making use of Wazuh API to write and query logs can be built and easily integrated into the existing lab.

Conclusion

My first 100% pure Cybersecurity project is done. All other projects I did touched Cybersecurity to some extent, some more and some less. This is the first project that is purely Cybersecurity that I have done. I now understand Cybersecurity deeper than I did earlier. And I will do more.

Top comments (0)