
SIEM & Detection Engineering

How to build a detection pipeline that catches real threats. We cover the full Wazuh + Elastic setup and work through writing detection logic from scratch.

Introduction

A SIEM — Security Information and Event Management — is the central nervous system of a detection operation. It collects logs from every system you care about, correlates them, and surfaces the things worth looking at.

The problem is that most enterprise SIEMs cost six figures a year. Wazuh paired with the Elastic Stack gives you 80% of that capability for free. That's what we're building in this room.

Before You Start

You'll need a Linux machine (physical or VM) with at least 4GB RAM and 20GB disk. Ubuntu 22.04 LTS works well. Everything else we install from scratch.

Installing Wazuh

Wazuh has a one-line installer that handles the manager, indexer, and dashboard. Run this on a clean Ubuntu machine:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a

The -a flag installs all three components on the same machine. For production you'd split them, but for a lab environment this is fine.

Verify the installation

sudo systemctl status wazuh-manager
sudo systemctl status wazuh-indexer
sudo systemctl status wazuh-dashboard

All three should show active (running). If any fail, check the logs at /var/ossec/logs/ossec.log.
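The two steps above (start the three units, then read ossec.log when one of them fails) are easy to script so the check can be re-run after every reboot or upgrade. The script below is an added example and is not part of the room's material or of Wazuh itself. It assumes the three unit names and the log path given above, and that ossec.log lines follow Wazuh's "date time daemon: LEVEL: message" layout; the sample log lines embedded in it are constructed for the example, not captured from a real manager.

```shell
#!/bin/sh
# Added example (not from the room or from Wazuh): a post-install health
# check for the all-in-one installation. It runs the same three unit checks
# the room lists and, on failure, filters ossec.log down to the lines worth
# reading. Plain POSIX sh, no bash-only syntax.

# The three units created by `wazuh-install.sh -a` (names taken from the page).
WAZUH_UNITS="wazuh-manager wazuh-indexer wazuh-dashboard"

# The log the room tells you to read when a unit fails (path from the page).
OSSEC_LOG=/var/ossec/logs/ossec.log

# Print "unit state" for each Wazuh unit; return 1 if any is not "active".
# $1 (optional) is the command used to query a unit's state and defaults to
# "systemctl is-active". Making it a parameter lets the function run against
# a stub on machines without systemd.
check_units() {
    probe=${1:-"systemctl is-active"}
    failed=0
    for unit in $WAZUH_UNITS; do
        # is-active exits non-zero for anything but "active"; keep its output.
        state=$($probe "$unit" 2>/dev/null) || true
        if [ -z "$state" ]; then
            state=unknown   # probe command missing or produced no output
        fi
        printf '%-16s %s\n' "$unit" "$state"
        if [ "$state" != active ]; then
            failed=1
        fi
    done
    return $failed
}

# Read an ossec.log stream on stdin and keep only WARNING/ERROR/CRITICAL
# lines. Assumed layout: "YYYY/MM/DD HH:MM:SS daemon: LEVEL: message", so
# the INFO chatter of a healthy start is dropped. Always exits 0 so callers
# running under set -e are not killed by grep's "no matches" status.
log_problems() {
    grep -E '^[0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+: (WARNING|ERROR|CRITICAL): ' || true
}

# Constructed sample of ossec.log content for trying log_problems offline.
# These lines are made up for the example, not output from a real manager.
SAMPLE_OSSEC_LOG='2024/01/01 10:00:00 wazuh-analysisd: INFO: Started (pid: 1234).
2024/01/01 10:00:01 wazuh-remoted: ERROR: Unable to bind port 1514 (constructed sample).
2024/01/01 10:00:02 wazuh-db: INFO: Started (pid: 1240).
2024/01/01 10:00:03 wazuh-syscheckd: WARNING: Directory /etc/example not found (constructed sample).
2024/01/01 10:00:04 wazuh-modulesd:syscollector: INFO: Starting evaluation.'

# Check the live units; if any is down, show the problem lines from ossec.log.
# Falls back to the constructed sample when the real log is not readable.
main() {
    if check_units; then
        echo "all Wazuh units active"
    else
        echo "--- problems in $OSSEC_LOG ---"
        if [ -r "$OSSEC_LOG" ]; then
            log_problems <"$OSSEC_LOG"
        else
            echo "(cannot read $OSSEC_LOG; showing the constructed sample instead)"
            printf '%s\n' "$SAMPLE_OSSEC_LOG" | log_problems
        fi
    fi
    return 0
}

main
```

Run it with `sudo sh wazuh-health.sh` on the lab machine after the installer finishes. Passing the probe command as a parameter is what makes the unit check testable: you can hand it a stub that answers `active` or `failed` and confirm the logic before relying on it against real systemd.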