Steven J. Vik

How I Added SIEM to My Homelab With Wazuh — and What It Found on Day One

I've been running Grafana and Prometheus on my homelab for about a year. CPU usage, RAM, disk, container uptime — the usual infrastructure metrics. I thought that was monitoring.

Then I deployed Wazuh and found out I had no idea what was happening on my network.

What Wazuh Is

Wazuh is an open-source SIEM (Security Information and Event Management) and XDR platform. It collects logs and events from agents you deploy on your systems, runs them through detection rules, and alerts you when something looks wrong. It's the same class of tool that security teams use in production environments — and it's free.

The key mental model: Grafana asks "is this working?" Wazuh asks "is this being abused?" You need both questions answered.

The Setup

I'm running a 3-node Proxmox VE 8.x cluster. Wazuh 4.9.2 all-in-one lives in LXC 107 on my main node (nx-core-01). Container specs: 4 vCPU, 8GB RAM, 50GB disk. Wazuh is memory-hungry — don't go below 6GB or the indexer will struggle.

The all-in-one install script handles the indexer, server, and dashboard:

curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh
bash wazuh-install.sh -a

About 15 minutes. Dashboard on HTTPS port 443. Default credentials are in /home/admin/.wazuh-install-files/wazuh-passwords.txt.

One gotcha for LXC: Wazuh needs to read system audit logs. Some LXC security profiles block this. If ossec-logcollector can't read /var/log/audit/audit.log, check your container's capability settings.

Enrolling Agents

I enrolled 7 agents: the main Proxmox node plus the LXC containers I care most about — the web server, Traefik, the monitoring stack, uptime-kuma, and Garrison (my AI orchestrator).

Per-agent on each host:

# Import the Wazuh signing key into a dedicated keyring (apt-key is deprecated on Debian 12 / Proxmox 8)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
  | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
  > /etc/apt/sources.list.d/wazuh.list
apt-get update

# WAZUH_MANAGER / WAZUH_AGENT_NAME are read by the package's post-install script,
# so they must be set on the install command, not on systemctl
WAZUH_MANAGER="<wazuh-ip>" WAZUH_AGENT_NAME="$(hostname)" \
  apt-get install -y wazuh-agent
systemctl daemon-reload
systemctl enable --now wazuh-agent

Custom Detection Rules

Wazuh ships with thousands of built-in rules. I added custom rules for things specific to my setup in /var/ossec/etc/rules/local_rules.xml:

<group name="local,sshd,">

  <!-- SSH brute force — T1110: 5 PAM auth failures (built-in rule 5503) from one source IP within 120 s.
       frequency and timeframe are rule attributes, and counting needs if_matched_sid, not if_group -->
  <rule id="100001" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5503</if_matched_sid>
    <same_srcip />
    <description>Multiple SSH auth failures from same IP</description>
    <mitre><id>T1110</id></mitre>
  </rule>

  <!-- Root SSH login — should never happen. Built-in rule 5715 is "sshd: authentication success";
       the decoded user field holds the account that logged in -->
  <rule id="100002" level="15">
    <if_sid>5715</if_sid>
    <user>^root$</user>
    <description>Root login via SSH detected</description>
    <mitre><id>T1078</id></mitre>
  </rule>

</group>

Mapping rules to MITRE ATT&CK IDs is worth the extra minute. It surfaces in the Wazuh dashboard and makes it easier to reason about what class of attack you're detecting.
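As an added illustration that is not from the post, here are the same two detections written as plain Python and run over constructed syslog lines, so you can see what the per-IP frequency window and the root-login check actually do before you trust them to the manager. Rule ids, levels and ATT&CK ids are taken from the rules above; the sample lines use documentation-range addresses and the sliding-window counter is a simplification of Wazuh's own counter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (RFC 5737 documentation addresses, no real hosts).
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  3 02:14:09 web01 sshd[2214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Mar  3 02:14:20 web01 sshd[2218]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=test
Mar  3 02:14:33 web01 sshd[2220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=oracle
Mar  3 02:14:41 web01 sshd[2225]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=pi
Mar  3 02:14:55 web01 sshd[2229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=ubuntu
Mar  3 02:15:10 web01 sshd[2233]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=steven
Mar  3 02:20:10 web01 sshd[2240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=steven
Mar  3 02:31:02 web01 sshd[2301]: Accepted publickey for steven from 198.51.100.9 port 51022 ssh2: ED25519 SHA256:placeholder
Mar  3 02:32:45 web01 sshd[2310]: Accepted password for root from 203.0.113.7 port 40112 ssh2
"""

FAIL_RE = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(\S+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")

def _stamp(line):
    # Syslog timestamps carry no year; only the deltas between events matter here.
    return datetime.strptime(" ".join(line.split()[:3]), "%b %d %H:%M:%S")

def detect(log_text, frequency=5, timeframe=120):
    """Return alerts in rule order: 100001 (brute force) and 100002 (root SSH login).
    frequency/timeframe mirror the rule attributes; the window is a plain per-IP count."""
    window = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            ip, t = m.group(1), _stamp(line)
            q = window[ip]
            q.append(t)
            while (t - q[0]).total_seconds() > timeframe:   # drop failures older than the timeframe
                q.popleft()
            if len(q) >= frequency:
                alerts.append({"rule_id": 100001, "level": 10, "srcip": ip, "mitre": "T1110"})
                q.clear()                                    # one alert per burst, then start over
            continue
        m = ACCEPT_RE.search(line)
        if m and m.group(1) == "root":
            alerts.append({"rule_id": 100002, "level": 15, "srcip": m.group(2), "user": "root", "mitre": "T1078"})
    return alerts
```

Running `detect(SAMPLE_LOG)` flags 203.0.113.7 on its fifth failure inside the window and again when it later logs in as root, while the two failures from 198.51.100.9 five minutes apart never reach the threshold.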

Email Alerts

Wazuh can send email alerts directly. I use msmtp as a relay with a Gmail app password. In ossec.conf:

<global>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>wazuh@homelab.local</email_from>
  <email_to>you@yourdomain.com</email_to>
  <email_maxperhour>12</email_maxperhour>
</global>

<!-- the threshold lives in the <alerts> section, not in <global> -->
<alerts>
  <email_alert_level>10</email_alert_level>
</alerts>

Level 10+ fires an email. Root login would be level 15 — that's a middle-of-the-night wake-up.

What It Found on Day One

This is the part that made me feel like I'd been flying blind.

SSH brute-force from 4 external IPs. This was ongoing. My SSH is on the default port (yes, I know — now I've moved it) and there were continuous auth attempts from IPs in Ukraine, China, and Romania. None of this was in Grafana. It wasn't breaking anything, but I wasn't informed.

A container service in a restart loop. One of my LXC containers had a service that was failing and restarting every few minutes. The container showed as "running" in Uptime Kuma. The service itself was not. Wazuh caught it in the syslog stream.

Two containers with outdated packages. Wazuh's rootcheck module audits package state. Both flagged containers had packages with known CVEs. Neither was critical, but I wouldn't have known without a scan.

Grafana + Wazuh: Better Together

This isn't an either/or. Grafana tells me if my services are healthy. Wazuh tells me if my systems are being probed, if accounts are being misused, if files are changing unexpectedly.

The combined setup is a proper monitoring stack for a homelab that's exposed to the internet — even partially.

If you're running self-hosted infrastructure and haven't added a SIEM layer, Wazuh is the most accessible path to getting there. The all-in-one install makes it genuinely feasible without a dedicated security team.

I've documented the full Proxmox cluster setup, monitoring stack, and security hardening approach at sjvik-labs.stevenjvik.tech/guides if you want to go deeper.
