This repository provides a comprehensive, step-by-step guide for deploying a Wazuh Security Operations Center (SOC) using the official OVA.
This guide is designed for beginners and students building their first home lab. It specifically addresses the hidden hurdles of virtualized networking, SSL browser warnings, and the critical resource optimizations required to run enterprise security tools on computers with limited RAM (4GBโ8GB).
Before booting the downloaded Wazuh OVA, you must fix the virtual network. By default, both VirtualBox and VMware set new VMs to NAT. In NAT mode, your VM can access the internet, but your Windows host computer cannot reach the VM to view the dashboard.
1. Change the Network Adapter:
- Open VirtualBox, right-click your Wazuh VM, and select Settings.
- Navigate to the Network tab.
- Change "Attached to:" from NAT to Bridged Adapter.
- Click OK.
1. Change the Network Adapter:
- Open VMware, right-click your Wazuh VM, and select Settings.
- Select the Network Adapter entry.
- Change the network connection from NAT to Bridged Adapter.
- Click OK.
(This allows the VM to connect directly to your home router and get a reachable IP address).
Start your VM. Once it finishes booting to the black terminal screen, follow these steps to find its address.
1. Log into the Virtual Machine:
- Username:
wazuh-user - Password:
wazuh
2. Discover the VM's IP Address:
You need this IP to access the web dashboard and connect your endpoints.
ip aLook for the inet address under the eth0 or enp0s3 interface (e.g., 192.168.5.135). Write this down.
Open Chrome or Edge on your Windows computer and type https://<YOUR_VM_IP>.
You will immediately hit a red screen stating "Your connection is not private." Do not panicโyou haven't been hacked. This happens because Wazuh uses a self-signed lab certificate rather than a paid, public web certificate.
- Click the Advanced button.
- Click Proceed to [IP Address] (unsafe).
- If the page loads the Blue Wazuh Login Screen: Log in with
admin/admin. You are done! Skip to Phase 6.
- If the page says "Wazuh dashboard server is not ready yet": Proceed to Phase 4.
If the dashboard refuses to load, the backend database (Wazuh Indexer) ran out of memory and crashed. By default, Wazuh tries to claim 4GB of RAM. If your VM only has 4GBโ8GB total, Linux will violently kill the database.
We will use a text editor called nano. To save and exit a file in nano, always use this exact keyboard sequence:
- Press
Ctrl + O(the letter O) to save. - Press
Enterto confirm the file name. - Press
Ctrl + Xto exit.
We must force the database to operate within a smaller memory footprint.
1. Open the configuration file:
sudo nano /etc/wazuh-indexer/jvm.options2. Modify the Heap Values:
Scroll down past the lines starting with ##. Locate the active lines (usually -Xms4g and -Xmx4g or -Xms3972m) and change them to exactly 1 Gigabyte:
-Xms1g
-Xmx1g
Save and exit using the sequence above.
Because local VMs have slower hard drives, the database takes longer to start. We need to give it 20 minutes instead of the default 90 seconds.
1. Open the Timeout Override File:
sudo nano /etc/systemd/system/wazuh-indexer.service.d/startup-timeout.conf2. Inject the Timeout Rule:
[Service]
TimeoutStartSec=1200Save and exit.
3. Apply the System Rules:
sudo systemctl daemon-reloadAfter a crash, zombie processes are left behind. The cleanest way to apply your new fixes is to configure the services to start automatically, then perform a full system reboot.
Ensure the core components automatically turn on whenever you boot the VM:
sudo systemctl enable wazuh-indexer
sudo systemctl enable wazuh-manager
sudo systemctl enable wazuh-dashboardsudo rebootIf you ever need to manually restart the platform, always start the database (indexer) first, wait 2 minutes, and then start the manager and dashboard.
Manual Start Commands:
sudo systemctl start wazuh-indexer
sudo ss -tulpn | grep 9200 # Wait until you see port 9200 "LISTEN"
sudo systemctl start wazuh-manager
sudo systemctl start wazuh-dashboard
Navigate back to
https://<YOUR_VM_IP>and log in with credentials username: admin and password: admin
To monitor your Windows machine and pull its security logs, you must install the Wazuh Agent.
Before trying to install anything, ensure your Windows computer can actually communicate with the Linux VM.
- Open the Command Prompt on Windows.
- Type
ping <YOUR_VM_IP>. - If you see "Reply from...", the network is perfect. If it says "Destination host unreachable," go back to Phase 1 and check your Bridged Adapter settings.
- Log into the Wazuh Dashboard.
- Navigate to Wazuh โ Add Agent.
- Select Windows, enter the Wazuh VM's IP address, and copy the generated PowerShell command.
- Open PowerShell as Administrator on your Windows machine.
- Paste and run the copied script to silently install the agent.
- Start the agent background service and set it to run automatically on Windows boot:
NET START WazuhSvc
Set-Service -Name WazuhSvc -StartupType AutomaticIf the dashboard reports "Agent registered but not connected", the initial handshake succeeded (Port 1515), but the log data pipeline failed (Port 1514).
Check if your Windows machine can reach the log ingestion port:
Test-NetConnection -ComputerName <YOUR_VM_IP> -Port 1514(If this returns False, check if your Windows Defender Firewall is blocking outbound traffic).
Restart-Service -Name WazuhSvcOpen Notepad as Administrator and read the bottom lines of:
C:\Program Files (x86)\ossec-agent\ossec.log
Documented for home lab engineering, digital forensics, and SOC infrastructure setups.














